socelars | b931c903ff14d82dce6daf9934209b5c71f982359847ed3e342e25fa88c99f03

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Osz8mRDYP0laXozOTuxyUiiF.exe
Size

1.4MB
MD5

0f01bbed1d28eba69835962f39d15261
SHA1

5538f0cc1959b565277060c53d2f5e4d633ed899
SHA256

3e34092ce27276c1b0cdeba1d3f8649258e55f23dfb92fcd9de6d52d5f559e91
SHA512

442a815bc696cdd57bd141565c0ccf983ff9d241129a4bd6ed19d629fd60a5207501abf3ef5c6f19e6e6eab79fc27059f04664809e7572173d3621a2bfb4436d
SSDEEP

24576:avp1T0ZhIjR+IXbtCOEqmb3tUJoEYdG/9QDMbh7zXIqnjvLZL:0pCuZ4OuD4+AhzXIqnjjZL

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	iplogger.org
6	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Osz8mRDYP0laXozOTuxyUiiF.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2908	taskkill.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeAssignPrimaryTokenPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeLockMemoryPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeIncreaseQuotaPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeMachineAccountPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeTcbPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeSecurityPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeTakeOwnershipPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeLoadDriverPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeSystemProfilePrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeSystemtimePrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeProfSingleProcessPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeIncBasePriorityPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeCreatePagefilePrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeCreatePermanentPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeBackupPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeRestorePrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeShutdownPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeDebugPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeAuditPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeSystemEnvironmentPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeChangeNotifyPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeRemoteShutdownPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeUndockPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeSyncAgentPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeEnableDelegationPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeManageVolumePrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeImpersonatePrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeCreateGlobalPrivilege	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: 31	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: 32	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: 33	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: 34	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: 35	2672	Osz8mRDYP0laXozOTuxyUiiF.exe
Token: SeDebugPrivilege	2908	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2924	2672	Osz8mRDYP0laXozOTuxyUiiF.exe	32
PID 2672 wrote to memory of 2924	2672	Osz8mRDYP0laXozOTuxyUiiF.exe	32
PID 2672 wrote to memory of 2924	2672	Osz8mRDYP0laXozOTuxyUiiF.exe	32
PID 2672 wrote to memory of 2924	2672	Osz8mRDYP0laXozOTuxyUiiF.exe	32
PID 2924 wrote to memory of 2908	2924	cmd.exe	34
PID 2924 wrote to memory of 2908	2924	cmd.exe	34
PID 2924 wrote to memory of 2908	2924	cmd.exe	34
PID 2924 wrote to memory of 2908	2924	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\Osz8mRDYP0laXozOTuxyUiiF.exe
"C:\Users\Admin\AppData\Local\Temp\Osz8mRDYP0laXozOTuxyUiiF.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2908