socelars | f75d6ee676e63208489f05cd8c82d44fdda74b5752963e3967071f2d2d080113

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/11/2024, 01:40 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

askinstall50.exe
Size

1.4MB
MD5

68bc0c244bb2d261a9a7d007bb6e06d7
SHA1

4226d51ebf9d925de953e0a5a6b3784eabfc47b6
SHA256

fd53ca7be25f932d930f68ab7818359762dde5d3608271e7a27e815f5b30e9e4
SHA512

f52a04cd2a5d0f9f30be1b6827e95f5afe5f34d0453a78b000dd71d7d8e20467ef6f541a91858833704df6b1560cb5701eab08e5df0a86870b946b052cd6d9da
SSDEEP

24576:8IVFA1pqtg/TnMbX0lwyh0FVmEByA1EwFYyOsFTceoCSPZVjQtYfeXPPSTy:NFA1pvTMbOwa0TmUyMYEh1oCSPnQtY2/

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	iplogger.org
8	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	askinstall50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2820	taskkill.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	340	askinstall50.exe
Token: SeAssignPrimaryTokenPrivilege	340	askinstall50.exe
Token: SeLockMemoryPrivilege	340	askinstall50.exe
Token: SeIncreaseQuotaPrivilege	340	askinstall50.exe
Token: SeMachineAccountPrivilege	340	askinstall50.exe
Token: SeTcbPrivilege	340	askinstall50.exe
Token: SeSecurityPrivilege	340	askinstall50.exe
Token: SeTakeOwnershipPrivilege	340	askinstall50.exe
Token: SeLoadDriverPrivilege	340	askinstall50.exe
Token: SeSystemProfilePrivilege	340	askinstall50.exe
Token: SeSystemtimePrivilege	340	askinstall50.exe
Token: SeProfSingleProcessPrivilege	340	askinstall50.exe
Token: SeIncBasePriorityPrivilege	340	askinstall50.exe
Token: SeCreatePagefilePrivilege	340	askinstall50.exe
Token: SeCreatePermanentPrivilege	340	askinstall50.exe
Token: SeBackupPrivilege	340	askinstall50.exe
Token: SeRestorePrivilege	340	askinstall50.exe
Token: SeShutdownPrivilege	340	askinstall50.exe
Token: SeDebugPrivilege	340	askinstall50.exe
Token: SeAuditPrivilege	340	askinstall50.exe
Token: SeSystemEnvironmentPrivilege	340	askinstall50.exe
Token: SeChangeNotifyPrivilege	340	askinstall50.exe
Token: SeRemoteShutdownPrivilege	340	askinstall50.exe
Token: SeUndockPrivilege	340	askinstall50.exe
Token: SeSyncAgentPrivilege	340	askinstall50.exe
Token: SeEnableDelegationPrivilege	340	askinstall50.exe
Token: SeManageVolumePrivilege	340	askinstall50.exe
Token: SeImpersonatePrivilege	340	askinstall50.exe
Token: SeCreateGlobalPrivilege	340	askinstall50.exe
Token: 31	340	askinstall50.exe
Token: 32	340	askinstall50.exe
Token: 33	340	askinstall50.exe
Token: 34	340	askinstall50.exe
Token: 35	340	askinstall50.exe
Token: SeDebugPrivilege	2820	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 1096	340	askinstall50.exe	32
PID 340 wrote to memory of 1096	340	askinstall50.exe	32
PID 340 wrote to memory of 1096	340	askinstall50.exe	32
PID 340 wrote to memory of 1096	340	askinstall50.exe	32
PID 1096 wrote to memory of 2820	1096	cmd.exe	34
PID 1096 wrote to memory of 2820	1096	cmd.exe	34
PID 1096 wrote to memory of 2820	1096	cmd.exe	34
PID 1096 wrote to memory of 2820	1096	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\askinstall50.exe
"C:\Users\Admin\AppData\Local\Temp\askinstall50.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2820

Network

DNS

www.listincode.com

askinstall50.exe

Remote address:

8.8.8.8:53

Request

www.listincode.com

IN A

Response

www.listincode.com

IN CNAME

expired.namebright.com

expired.namebright.com

IN CNAME

cdl-lb-1356093980.us-east-1.elb.amazonaws.com

cdl-lb-1356093980.us-east-1.elb.amazonaws.com

IN A

54.205.158.59

cdl-lb-1356093980.us-east-1.elb.amazonaws.com

IN A

52.203.72.196
DNS

www.listincode.com

askinstall50.exe

Remote address:

8.8.8.8:53

Request

www.listincode.com

IN A
DNS

iplogger.org

askinstall50.exe

Remote address:

8.8.8.8:53

Request

iplogger.org

IN A

Response

iplogger.org

IN A

172.67.74.161

iplogger.org

IN A

104.26.2.46

iplogger.org

IN A

104.26.3.46
GET

https://iplogger.org/1756b7

askinstall50.exe

Remote address:

172.67.74.161:443

Request

GET /1756b7 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Host: iplogger.org
Cache-Control: no-cache

Response

HTTP/1.1 403 Forbidden

Date: Fri, 08 Nov 2024 01:41:25 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 8071
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: KAoy26QT91/73lrVb4VMTU4FfE30jYTcDRfeaTkY0vZKzRYpyg2eBsTPJhb/hV1A26eVTAZk4gUixRN+3olhTB0oZ1Jxil7jA/B5/GzEc2+eX1cIoVCwdgLGPI1rvly/yndKT2KPszjEpNytl3c4Iw==$soxrtGjzdCjxdxpPQXnCOQ==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F83gkcjUrn7Ge6oXAi%2Bdny8r90fxRG1bl89IpaeOzUz349dcj6peP8%2BepaO9d8RUfZupO7LhU%2Bmq70L5dqfa%2FoRsfAaEPJgPklwJwof2QERvtcfmqhi6yaDvctyxlQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8df1dc547c80e908-LHR
server-timing: cfL4;desc="?proto=TCP&rtt=42075&sent=6&recv=6&lost=0&retrans=1&sent_bytes=3185&recv_bytes=514&delivery_rate=83258&cwnd=254&unsent_bytes=0&cid=57849c2ac5d14bbb&ts=343&x=0"
DNS

c.pki.goog

askinstall50.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.187.227
GET

http://c.pki.goog/r/gsr1.crl

askinstall50.exe

Remote address:

142.250.187.227:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Fri, 08 Nov 2024 01:34:28 GMT
Expires: Fri, 08 Nov 2024 02:24:28 GMT
Cache-Control: public, max-age=3000
Age: 417
Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

askinstall50.exe

Remote address:

142.250.187.227:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Fri, 08 Nov 2024 01:34:28 GMT
Expires: Fri, 08 Nov 2024 02:24:28 GMT
Cache-Control: public, max-age=3000
Age: 417
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

www.iyiqian.com

askinstall50.exe

Remote address:

8.8.8.8:53

Request

www.iyiqian.com

IN A

Response

www.iyiqian.com

IN A

13.251.16.150
DNS

www.iyiqian.com

askinstall50.exe

Remote address:

8.8.8.8:53

Request

www.iyiqian.com

IN A
GET

http://www.iyiqian.com/

askinstall50.exe

Remote address:

13.251.16.150:80

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Host: www.iyiqian.com
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Fri, 08 Nov 2024 01:41:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=; path=/; domain=.www.iyiqian.com; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=; path=/; domain=www.iyiqian.com; Max-Age=1; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: btst=8d8789dc20cc4ad9bfe3a9e1a6aa27ae|138.199.29.44|1731030090|1731030090|0|1|0; path=/; domain=.iyiqian.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=138.199.29.44; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

crl.microsoft.com

Remote address:

8.8.8.8:53

Request

crl.microsoft.com

IN A

Response

crl.microsoft.com

IN CNAME

crl.www.ms.akadns.net

crl.www.ms.akadns.net

IN CNAME

a1363.dscg.akamai.net

a1363.dscg.akamai.net

IN A

2.19.117.18

a1363.dscg.akamai.net

IN A

2.19.117.22
GET

http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

Remote address:

2.19.117.18:80

Request

GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 1036
Content-Type: application/octet-stream
Content-MD5: 8M9bF5Tsp81z+cAg2quO8g==
Last-Modified: Thu, 26 Sep 2024 02:21:11 GMT
ETag: 0x8DCDDD1E3AF2C76
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: b28c4ea1-d01e-0016-0ebc-0fa13d000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Fri, 08 Nov 2024 01:41:56 GMT
Connection: keep-alive

54.205.158.59:443

www.listincode.com

askinstall50.exe

152 B
120 B
3
3
52.203.72.196:443

www.listincode.com

askinstall50.exe

152 B
120 B
3
3
172.67.74.161:443

https://iplogger.org/1756b7

tls, http

askinstall50.exe

1.2kB
14.5kB
14
19

HTTP Request

GET https://iplogger.org/1756b7

HTTP Response

403
142.250.187.227:80

http://c.pki.goog/r/r4.crl

http

askinstall50.exe

560 B
5.0kB
7
6

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200
13.251.16.150:80

http://www.iyiqian.com/

http

askinstall50.exe

423 B
878 B
5
5

HTTP Request

GET http://www.iyiqian.com/

HTTP Response

200
2.19.117.18:80

http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

http

399 B
1.7kB
4
4

HTTP Request

GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

HTTP Response

200

8.8.8.8:53

www.listincode.com

dns

askinstall50.exe

128 B
185 B
2
1

DNS Request

www.listincode.com

DNS Request

www.listincode.com

DNS Response

54.205.158.59

52.203.72.196
8.8.8.8:53

iplogger.org

dns

askinstall50.exe

58 B
106 B
1
1

DNS Request

iplogger.org

DNS Response

172.67.74.161

104.26.2.46

104.26.3.46
8.8.8.8:53

c.pki.goog

dns

askinstall50.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.187.227
8.8.8.8:53

www.iyiqian.com

dns

askinstall50.exe

122 B
77 B
2
1

DNS Request

www.iyiqian.com

DNS Request

www.iyiqian.com

DNS Response

13.251.16.150
8.8.8.8:53

crl.microsoft.com

dns

63 B
162 B
1
1

DNS Request

crl.microsoft.com

DNS Response

2.19.117.18

2.19.117.22

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Windows 7 deprecation

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.