socelars | 75751e39c518f2cf4ce2986e7c2649e4b586738392f677a53bf652a7d4811cc1

Analysis

max time kernel
37s
max time network
38s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Size

1.4MB
MD5

81b05c43c1d16f7af57ea6bc9ded5729
SHA1

50e54265eeb9b3c9350b6c6cb17c0fc24f5064e1
SHA256

c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7
SHA512

993a73a26086b37a2038520068b37e4ff9db6806c7489a389818ac1612ec0ae18629bb53d356e4774d25ec23b7ce0e5d15dda4be17e77d66447e6c12d4d7f136
SSDEEP

24576:PxpXPaR2J33o3S7P5zuHHOF2CxfehMHsGKzOYCMEMfX43Z1oIe:5py+VDi8rgHfX43Z2Ie

Score

10^/10

socelars credential_access discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	iplogger.org
11	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2000	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeAssignPrimaryTokenPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeLockMemoryPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeIncreaseQuotaPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeMachineAccountPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeTcbPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeSecurityPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeTakeOwnershipPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeLoadDriverPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeSystemProfilePrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeSystemtimePrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeProfSingleProcessPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeIncBasePriorityPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeCreatePagefilePrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeCreatePermanentPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeBackupPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeRestorePrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeShutdownPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeDebugPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeAuditPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeSystemEnvironmentPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeChangeNotifyPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeRemoteShutdownPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeUndockPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeSyncAgentPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeEnableDelegationPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeManageVolumePrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeImpersonatePrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeCreateGlobalPrivilege	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: 31	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: 32	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: 33	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: 34	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: 35	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
Token: SeDebugPrivilege	2000	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 1348	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe	30
PID 1596 wrote to memory of 1348	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe	30
PID 1596 wrote to memory of 1348	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe	30
PID 1596 wrote to memory of 1348	1596	c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe	30
PID 1348 wrote to memory of 2000	1348	cmd.exe	32
PID 1348 wrote to memory of 2000	1348	cmd.exe	32
PID 1348 wrote to memory of 2000	1348	cmd.exe	32
PID 1348 wrote to memory of 2000	1348	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe
"C:\Users\Admin\AppData\Local\Temp\c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2000