socelars | 86040ddf448fb04e7efec05ad0e07bb2ff3d75d65520a4aedc32120cb018e2ce

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df5c5f0768e8d2f554467b930afda09c.exe
Size

930KB
MD5

df5c5f0768e8d2f554467b930afda09c
SHA1

6b00445635ef04d12b0bb8992c8cc1ae384383f4
SHA256

86040ddf448fb04e7efec05ad0e07bb2ff3d75d65520a4aedc32120cb018e2ce
SHA512

f23c63f52dd7728526c7c461335ea355d0746947a53ce7c6bf6226a7f78c530158851e3d269ba658404a8f4e52cebe8feb7ca441526ef73f752a9e5717ba7a27
SSDEEP

24576:7W5d/Zo0AI0kkHBIYRj4wUrFGtwl9Cs5ySq:716aJj4drFGw9bs5

Score

10^/10

socelars spyware stealer

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2620-2-0x0000000004BC0000-0x0000000004D23000-memory.dmp	family_socelars
behavioral2/memory/2620-3-0x0000000000400000-0x0000000002D1F000-memory.dmp	family_socelars
behavioral2/memory/2620-4-0x0000000000400000-0x0000000002D1F000-memory.dmp	family_socelars
behavioral2/memory/2620-13-0x0000000000400000-0x0000000002D1F000-memory.dmp	family_socelars
behavioral2/memory/2620-14-0x0000000004BC0000-0x0000000004D23000-memory.dmp	family_socelars
behavioral2/memory/2620-18-0x0000000000400000-0x0000000002D1F000-memory.dmp	family_socelars

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
58	iplogger.org
59	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
2164	2620	WerFault.exe	94
3564	2620	WerFault.exe	94
3180	2620	WerFault.exe	94
4048	2620	WerFault.exe	94
3548	2620	WerFault.exe	94
116	2620	WerFault.exe	94
5044	2620	WerFault.exe	94
4600	2620	WerFault.exe	94
3136	2620	WerFault.exe	94
1092	2620	WerFault.exe	94
2980	2620	WerFault.exe	94
1104	2620	WerFault.exe	94
1520	2620	WerFault.exe	94
3564	2620	WerFault.exe	94
3468	2620	WerFault.exe	94

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
748	taskkill.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

df5c5f0768e8d2f554467b930afda09c.exetaskkill.exe

description	pid	Process
Token: SeCreateTokenPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeAssignPrimaryTokenPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeLockMemoryPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeIncreaseQuotaPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeMachineAccountPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeTcbPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeSecurityPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeTakeOwnershipPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeLoadDriverPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeSystemProfilePrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeSystemtimePrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeProfSingleProcessPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeIncBasePriorityPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeCreatePagefilePrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeCreatePermanentPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeBackupPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeRestorePrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeShutdownPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeDebugPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeAuditPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeSystemEnvironmentPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeChangeNotifyPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeRemoteShutdownPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeUndockPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeSyncAgentPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeEnableDelegationPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeManageVolumePrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeImpersonatePrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeCreateGlobalPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: 31	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: 32	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: 33	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: 34	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: 35	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeDebugPrivilege	748	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

df5c5f0768e8d2f554467b930afda09c.execmd.exe

description	pid	Process	procid_target
PID 2620 wrote to memory of 652	2620	df5c5f0768e8d2f554467b930afda09c.exe	136
PID 2620 wrote to memory of 652	2620	df5c5f0768e8d2f554467b930afda09c.exe	136
PID 2620 wrote to memory of 652	2620	df5c5f0768e8d2f554467b930afda09c.exe	136
PID 652 wrote to memory of 748	652	cmd.exe	138
PID 652 wrote to memory of 748	652	cmd.exe	138
PID 652 wrote to memory of 748	652	cmd.exe	138

C:\Users\Admin\AppData\Local\Temp\df5c5f0768e8d2f554467b930afda09c.exe
"C:\Users\Admin\AppData\Local\Temp\df5c5f0768e8d2f554467b930afda09c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 780
  2⤵
  - Program crash
  PID:2164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 820
  2⤵
  - Program crash
  PID:3564
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 820
  2⤵
  - Program crash
  PID:3180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 808
  2⤵
  - Program crash
  PID:4048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 944
  2⤵
  - Program crash
  PID:3548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 956
  2⤵
  - Program crash
  PID:116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1128
  2⤵
  - Program crash
  PID:5044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1488
  2⤵
  - Program crash
  PID:4600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1536
  2⤵
  - Program crash
  PID:3136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1560
  2⤵
  - Program crash
  PID:1092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1800
  2⤵
  - Program crash
  PID:2980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1788
  2⤵
  - Program crash
  PID:1104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1732
  2⤵
  - Program crash
  PID:1520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1848
  2⤵
  - Program crash
  PID:3564
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1864
  2⤵
  - Program crash
  PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2620 -ip 2620
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2620 -ip 2620
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2620 -ip 2620
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2620 -ip 2620
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2620 -ip 2620
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2620 -ip 2620
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2620 -ip 2620
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2620 -ip 2620
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2620 -ip 2620
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2620 -ip 2620
1⤵
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2620 -ip 2620
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2620 -ip 2620
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2620 -ip 2620
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2620 -ip 2620
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2620 -ip 2620
1⤵
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3276 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2620-1-0x0000000004AC0000-0x0000000004B90000-memory.dmp

Filesize
832KB

Download
memory/2620-2-0x0000000004BC0000-0x0000000004D23000-memory.dmp

Filesize
1.4MB

Download
memory/2620-3-0x0000000000400000-0x0000000002D1F000-memory.dmp

Filesize
41.1MB

Download
memory/2620-4-0x0000000000400000-0x0000000002D1F000-memory.dmp

Filesize
41.1MB

Download
memory/2620-12-0x0000000004AC0000-0x0000000004B90000-memory.dmp

Filesize
832KB

Download
memory/2620-13-0x0000000000400000-0x0000000002D1F000-memory.dmp

Filesize
41.1MB

Download
memory/2620-14-0x0000000004BC0000-0x0000000004D23000-memory.dmp

Filesize
1.4MB

Download
memory/2620-18-0x0000000000400000-0x0000000002D1F000-memory.dmp

Filesize
41.1MB

Download