e04c85cd4bffa1f5465ff62c9baf0b29b7b2faddf7362789013fbac8c90268bf

General

Target

xpajB.exe
Size

520KB
MD5

bd76fc01deed43cd6e368a1f860d44ed
SHA1

a2e241e9af346714e93c0600f160d05c95839768
SHA256

e04c85cd4bffa1f5465ff62c9baf0b29b7b2faddf7362789013fbac8c90268bf
SHA512

d0ebe108f5baf156ecd9e1bf41e23a76b043fcaac78ff5761fdca2740b71241bd827e861ada957891fbc426b3d7baa87d10724765c45e25f25aa7bd6d31ab4ec
SSDEEP

12288:Kbx6vZrcRsEQNMnnGpL0zTnPzCFjBL0C2k8apE:Kbx6vam9innGWzUB

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

Processes:

xpajB.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\Microsoft.PackageManagement.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_ta.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.FileSystem.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Design.Resources.dll	xpajB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\mso20imm.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	xpajB.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msvcp120.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\x64\msvpxenc.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClientSideProviders.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsFormsIntegration.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\msedgeupdateres_ca-Es-VALENCIA.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationFramework.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\upe.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\plugins\stream_filter\libprefetch_plugin.dll	xpajB.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinEditors.v11.1.dll	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSPECTRE.DLL	xpajB.exe
File opened for modification	\??\c:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\PhotoAcq.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\wpfgfx_cor3.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.ServiceModel.NetTcp.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\EntPlat.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.Local.dll	xpajB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jsound.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\System\msadc\msdarem.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Common Files\System\Ole DB\oledb32.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwjpnr.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\msedgeupdateres_hi.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\ReachFramework.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFramework.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll	xpajB.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\dxcompiler.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.Lightweight.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_es-419.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClientSideProviders.resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicudt58_64.dll	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	xpajB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\gstreamer-lite.dll	xpajB.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationCore.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Linq.Resources.dll	xpajB.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\Microsoft.PackageManagement.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\vccorlib140_app.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Microsoft.IoT.Cortana.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\BHOINTL.DLL	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.Client.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcr120.dll	xpajB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\MSO20SKYPEWIN32.DLL	xpajB.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationTypes.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Design.resources.dll	xpajB.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll	xpajB.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

xpajB.exe

pid process

1556 xpajB.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

xpajB.exe

pid process

1556 xpajB.exe

pid	process
1556	xpajB.exe

pid	process
1556	xpajB.exe

C:\Users\Admin\AppData\Local\Temp\xpajB.exe
"C:\Users\Admin\AppData\Local\Temp\xpajB.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
PID:1556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1556-1-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1556-0-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1556-2-0x00000000005E0000-0x00000000005E5000-memory.dmp

Filesize
20KB

Download
memory/1556-3-0x00000000005E0000-0x00000000005E5000-memory.dmp

Filesize
20KB

Download
memory/1556-4-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/1556-5-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/1556-6-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1556-7-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1556-10-0x00000000005E0000-0x00000000005E5000-memory.dmp

Filesize
20KB

Download
memory/1556-11-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/1556-12-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1556-13-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1556-14-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1556-15-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1556-16-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1556-17-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1556-18-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1556-19-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1556-20-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1556-21-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1556-22-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1556-23-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing