socelars | 37303654589c7f3bb4bab82c801c81581da9b7e23050e9cc7f9bf39595268c50

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

904139e1b11ef1f02a0facebca951e37.exe
Size

1.4MB
MD5

904139e1b11ef1f02a0facebca951e37
SHA1

c2281342cc35e9ef603e675badb56be6a5a7b46b
SHA256

37303654589c7f3bb4bab82c801c81581da9b7e23050e9cc7f9bf39595268c50
SHA512

0887affdfd72fa16e3bfeec6cc5e85d5364ce42c6c02f45158c12f8d85c430a4a28dbcd3ae67e5b17e9f3b810ed71776fdbe3f70478277697624ad5a51f898fd
SSDEEP

24576:pIVFA1pqtg/TnMbX0lwyh0FVmEByA1swFYyOsdwsuQOSIt21QZYftzygdEtG:cFA1pvTMbOwa0TmUqMYEOFQOSIsQZYVF

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	iplogger.org
18	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2296	taskkill.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	904139e1b11ef1f02a0facebca951e37.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	904139e1b11ef1f02a0facebca951e37.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	904139e1b11ef1f02a0facebca951e37.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	904139e1b11ef1f02a0facebca951e37.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeAssignPrimaryTokenPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeLockMemoryPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeIncreaseQuotaPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeMachineAccountPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeTcbPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeSecurityPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeTakeOwnershipPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeLoadDriverPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeSystemProfilePrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeSystemtimePrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeProfSingleProcessPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeIncBasePriorityPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeCreatePagefilePrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeCreatePermanentPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeBackupPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeRestorePrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeShutdownPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeDebugPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeAuditPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeSystemEnvironmentPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeChangeNotifyPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeRemoteShutdownPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeUndockPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeSyncAgentPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeEnableDelegationPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeManageVolumePrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeImpersonatePrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeCreateGlobalPrivilege	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: 31	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: 32	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: 33	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: 34	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: 35	2380	904139e1b11ef1f02a0facebca951e37.exe
Token: SeDebugPrivilege	2296	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1776	2380	904139e1b11ef1f02a0facebca951e37.exe	29
PID 2380 wrote to memory of 1776	2380	904139e1b11ef1f02a0facebca951e37.exe	29
PID 2380 wrote to memory of 1776	2380	904139e1b11ef1f02a0facebca951e37.exe	29
PID 2380 wrote to memory of 1776	2380	904139e1b11ef1f02a0facebca951e37.exe	29
PID 1776 wrote to memory of 2296	1776	cmd.exe	31
PID 1776 wrote to memory of 2296	1776	cmd.exe	31
PID 1776 wrote to memory of 2296	1776	cmd.exe	31
PID 1776 wrote to memory of 2296	1776	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\904139e1b11ef1f02a0facebca951e37.exe
"C:\Users\Admin\AppData\Local\Temp\904139e1b11ef1f02a0facebca951e37.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a73d4b3648bbf6a51e570097ae92e834

SHA1
dbc7ac0582edcf8995583ef6a66f1018489814be

SHA256
616d317d49b50b8afea22223573ea805fade2713fdeee184d2acfc2eb5de529d

SHA512
80ee7630a9396f3efdc21396a3ac5c197626511676ddd2de46efa57f63d2bd18971b07835b90c451760cdae844e37be044a038255924b5c1d0a7c36ebfb7d21a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e20ad0bd5b647ef222aaddd9e75ac59b

SHA1
2a28d59b2d677a0185cb2a1c3458b72595e88141

SHA256
30dbc0d56bd6d36da4f9cd276fc7506bd3e9c60759a6fa3cbc05d7b2bce1e330

SHA512
df85c7ec8cd8bdffb4a1d2feb2f3324a1871a0afc48242c2f14e80a8eee7fd2bde7b3033163951b2667259a579dddd9bcb1a755eb4b778cb8e3ed76cd705e412

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9C6.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit