socelars | 47d35b344cc8c6ef8e8ae82899655f0f1010d2af4f3c0413e124b9ae94378362

Analysis

max time kernel
137s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2024 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9192eed4f3433a1fe590754041c0a0cf.exe
Size

1.4MB
MD5

9192eed4f3433a1fe590754041c0a0cf
SHA1

418b2ced928bda145299323e2e162ccbe2fb4454
SHA256

47d35b344cc8c6ef8e8ae82899655f0f1010d2af4f3c0413e124b9ae94378362
SHA512

6ecf205a5be761f17ed5f32cb820f42752bcab89b8a7916696ef5546e29f9492556e870b1ff8107de0f63447603a0c69535a9fdd6ed7edbf2231dacb21bd61d6
SSDEEP

24576:M8TJtpd95n1HCEei6gFT/L+V3F+kyRejskFL/whBZhnHo4Sad5RKr00z4drPC6ew:jJtpx1iErFrLK3F7QojUnHo4Sa0r00i7

Score

10^/10

socelars spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	iplogger.org
17	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
376	taskkill.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeAssignPrimaryTokenPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeLockMemoryPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeIncreaseQuotaPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeMachineAccountPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeTcbPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeSecurityPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeTakeOwnershipPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeLoadDriverPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeSystemProfilePrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeSystemtimePrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeProfSingleProcessPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeIncBasePriorityPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeCreatePagefilePrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeCreatePermanentPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeBackupPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeRestorePrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeShutdownPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeDebugPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeAuditPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeSystemEnvironmentPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeChangeNotifyPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeRemoteShutdownPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeUndockPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeSyncAgentPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeEnableDelegationPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeManageVolumePrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeImpersonatePrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeCreateGlobalPrivilege	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: 31	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: 32	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: 33	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: 34	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: 35	4736	9192eed4f3433a1fe590754041c0a0cf.exe
Token: SeDebugPrivilege	376	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 1212	4736	9192eed4f3433a1fe590754041c0a0cf.exe	83
PID 4736 wrote to memory of 1212	4736	9192eed4f3433a1fe590754041c0a0cf.exe	83
PID 4736 wrote to memory of 1212	4736	9192eed4f3433a1fe590754041c0a0cf.exe	83
PID 1212 wrote to memory of 376	1212	cmd.exe	85
PID 1212 wrote to memory of 376	1212	cmd.exe	85
PID 1212 wrote to memory of 376	1212	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\9192eed4f3433a1fe590754041c0a0cf.exe
"C:\Users\Admin\AppData\Local\Temp\9192eed4f3433a1fe590754041c0a0cf.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads