socelars | 9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a

Analysis

max time kernel
138s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Size

1.4MB
MD5

9da6fd3b6129076a2a7ffaa481ca5cf9
SHA1

379bb58bee6bafad8169c47223e946e4bb9cfa0c
SHA256

9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a
SHA512

18a00a964f7b4e925eb97cd2235ec14cb88f8450a718237fd602bf7c23a5f29ddfa70b285503191fbd5af88a0c15bf37b98fde5b3aef29d75c413548f7e7875a
SSDEEP

24576:+xpXPaR2J33o3S7P5zuHHOF2CxfehMHsGKzOYCMEMfX4vZ1fMKeC0:Opy+VDi8rgHfX4vZ9MKeZ

Score

10^/10

socelars spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1876	taskkill.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeAssignPrimaryTokenPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeLockMemoryPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeIncreaseQuotaPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeMachineAccountPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeTcbPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeSecurityPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeTakeOwnershipPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeLoadDriverPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeSystemProfilePrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeSystemtimePrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeProfSingleProcessPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeIncBasePriorityPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeCreatePagefilePrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeCreatePermanentPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeBackupPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeRestorePrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeShutdownPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeDebugPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeAuditPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeSystemEnvironmentPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeChangeNotifyPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeRemoteShutdownPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeUndockPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeSyncAgentPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeEnableDelegationPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeManageVolumePrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeImpersonatePrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeCreateGlobalPrivilege	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: 31	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: 32	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: 33	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: 34	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: 35	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
Token: SeDebugPrivilege	1876	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 3116	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe	94
PID 1728 wrote to memory of 3116	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe	94
PID 1728 wrote to memory of 3116	1728	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe	94
PID 3116 wrote to memory of 1876	3116	cmd.exe	96
PID 3116 wrote to memory of 1876	3116	cmd.exe	96
PID 3116 wrote to memory of 1876	3116	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe
"C:\Users\Admin\AppData\Local\Temp\9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71aexe.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads