dc52c91a60a95d0c69177e6eef335b42a2e4f68165142419aea59fe873d1102d

Analysis

max time kernel
40s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc52c91a60a95d0c69177e6eef335b42a2e4f68165142419aea59fe873d1102d.exe
Size

684KB
MD5

706c7452edc5df97bc5a2e9c6a547c80
SHA1

12f492e1e6b343c26fcb4e6e4de42889d2f37225
SHA256

dc52c91a60a95d0c69177e6eef335b42a2e4f68165142419aea59fe873d1102d
SHA512

dd34e76f57edcb63373fa9fffbc882ec46dbbf1acd4310de026116b675b422f21ba102211a448c0b057c701d976b946e31b4d1bb5a456e72b5e5b0cd62398e1e
SSDEEP

12288:MtgyG9ZO6ZDjPtGPO5jy1lXb2eYcL0ouDpGGf04txw03Xt4hKKgcKoC:Mt376Z3PuO5jGlXb2eYqTGVPRt7KVKp

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
544	qVinGi.exe

Loads dropped DLL 1 IoCs

pid	Process
1424	dc52c91a60a95d0c69177e6eef335b42a2e4f68165142419aea59fe873d1102d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\eaelckandghlilipifnecbjbgchhbkkb\2.7\manifest.json	qVinGi.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\eaelckandghlilipifnecbjbgchhbkkb\2.7\manifest.json	qVinGi.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eaelckandghlilipifnecbjbgchhbkkb\2.7\manifest.json	qVinGi.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 544	1424	dc52c91a60a95d0c69177e6eef335b42a2e4f68165142419aea59fe873d1102d.exe	26
PID 1424 wrote to memory of 544	1424	dc52c91a60a95d0c69177e6eef335b42a2e4f68165142419aea59fe873d1102d.exe	26
PID 1424 wrote to memory of 544	1424	dc52c91a60a95d0c69177e6eef335b42a2e4f68165142419aea59fe873d1102d.exe	26
PID 1424 wrote to memory of 544	1424	dc52c91a60a95d0c69177e6eef335b42a2e4f68165142419aea59fe873d1102d.exe	26
PID 1424 wrote to memory of 544	1424	dc52c91a60a95d0c69177e6eef335b42a2e4f68165142419aea59fe873d1102d.exe	26
PID 1424 wrote to memory of 544	1424	dc52c91a60a95d0c69177e6eef335b42a2e4f68165142419aea59fe873d1102d.exe	26
PID 1424 wrote to memory of 544	1424	dc52c91a60a95d0c69177e6eef335b42a2e4f68165142419aea59fe873d1102d.exe	26

C:\Users\Admin\AppData\Local\Temp\dc52c91a60a95d0c69177e6eef335b42a2e4f68165142419aea59fe873d1102d.exe
"C:\Users\Admin\AppData\Local\Temp\dc52c91a60a95d0c69177e6eef335b42a2e4f68165142419aea59fe873d1102d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\3ac211f8\qVinGi.exe
  "C:\Users\Admin\AppData\Local\Temp/3ac211f8/qVinGi.exe"
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  PID:544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3ac211f8\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ac211f8\[email protected]\chrome.manifest

Filesize
26B

MD5
a8d385c4edb26268477f6f7750ea78c9

SHA1
5d31fef67550fae304d3475af1c0ad09bca71a35

SHA256
5f54abb0c80b265b2914c2363cec04aa14ca33daed764a53bd946d6c6a2f26dd

SHA512
6faf4f79f0df07f935a319ce7d052954203cdc4c5f917651820ffae81695b773e307adc943fbbbb858a253fd9134848fba606630580acd788525d95bf2db30b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ac211f8\[email protected]\content\bg.js

Filesize
8KB

MD5
a2531ed8578fba056e7ea6f3054a6b8c

SHA1
674f830add13397264485a2db2d396208632f8b7

SHA256
dd1885c3d7c98fe4dddf78e1e3c71579bb38cf9a0245a563c775af2ee7e9f0c5

SHA512
66c5d71058c03c62e92dc03801dbfc828849fdc96d15a50db943aa7ec13910fa1b4d49eb0413aa0cfa808bd63b1971f00d5655889e68757c995b5f5bbc1fd9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ac211f8\[email protected]\install.rdf

Filesize
605B

MD5
405b6c1c7b2ec0fd24f31acb09bc8aad

SHA1
1c8ae2b604d261dec911f6c866af6f624cd9ba7a

SHA256
0e107355eb51d099f7d9a8390a78242df6596481d533a5a45f9d000acce9312e

SHA512
abdfa446a6cbe5ce16221746817317d65a421986f8ae3c7af8eb0465ecb56c05ef69e453f28a41ccdc18c0d999d77a387854e7759a6ec9e23002e1dc95fe2cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ac211f8\eaelckandghlilipifnecbjbgchhbkkb\V2h8CRc.js

Filesize
6KB

MD5
2c743f6445f9c0b98a4cf80b4c5c541b

SHA1
b7ca1094c1d06341bd6edbb32def42955656eec3

SHA256
2e520300bac5b3f9f744bcfbf8761ab3036cb0c6afc76e05e70a18388cfc1411

SHA512
8f6091f95271a1d231b7261a735fb63a6e07c775479a0aa368607e30ba10b5251a237d7e665250a319ab706cd84c2f9601c94205aeb01b146643b1d5f525b888

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ac211f8\eaelckandghlilipifnecbjbgchhbkkb\background.html

Filesize
144B

MD5
3abf9edfbd9e520b49d3857d253921d9

SHA1
9fe91eea17798192ddebbac67c2e0f9c2d618635

SHA256
6b5260883749463c53d757d91098e87109ef5b1ce7a9cf2e63f7bacffb65a044

SHA512
64d3a8e2ecf072015a44832233cb44213842a6f1278df48ceadff1f803152523e22e358182eae4c92d9b37c35eacc100120586e368eb1eb6c359a417793fa554

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ac211f8\eaelckandghlilipifnecbjbgchhbkkb\content.js

Filesize
144B

MD5
0654917402505bc71a231599d02e09a2

SHA1
e24d4fcf6f136c3be86b4dc01bd3bf446ce462ff

SHA256
9577828de9e701114e75cca9918972c9028689518882edcb6aa193f9353c19ae

SHA512
3e7077342d4c06d1192898a4ec5c9b19f3ca8883c5fd7c6e2a581d855959b748b5a8c4b07e3468cfc8b79e6abc1595fefccb41011c179da665567d5dc4b2da5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ac211f8\eaelckandghlilipifnecbjbgchhbkkb\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ac211f8\eaelckandghlilipifnecbjbgchhbkkb\manifest.json

Filesize
505B

MD5
da3e1d46d840c9f4aa77c5925bb32b75

SHA1
ccf345966906987c1c1723d6debc26cce9530fee

SHA256
64a7a937f9eb22630bf9fade1fe0446ef2dfec1e28162ad887c9df198063fd71

SHA512
ab465032a17b130b1822c87038e8abea86a844638b765736d742cc427184f098ba7ed56585d88466db9301bcfa1365399d7bd065ea1c2ec1c0cb1428564b108f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ac211f8\qVinGi.dat

Filesize
1KB

MD5
df69282e24c386e1883d2acce2add883

SHA1
558343b147c32525ae07692d7697a42687bd9e55

SHA256
5147d7bcb0ec4ac9d02ee3727d0fae4e6d94001e7542263fcd5d6ea16f8d9a40

SHA512
344b1cc692ced3f463eca8b45143f3757b26adc54d96812c0baded15e7b5bd069ce475bae456a55964294a19207fbcf87ce23fadf17453d2d6674288f7e981c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ac211f8\qVinGi.exe

Filesize
528KB

MD5
9c354249e2b00af7362d8eecaee9b2b2

SHA1
13ffdbab9f8df78798ee14ab2640f21eb7deaa67

SHA256
69da81656ee601972241df4c1cf0debdf2c09eefce5753b10d58a9136cf45023

SHA512
55713fdbee4a11a4677d6375f5975e7ff2c1a197a3bc639beba09b506a6d8856793f9ee3cf917be0ae24cddbc47b24d6e36c01be0841f85d84d7069f389c1119

Download Submit
\Users\Admin\AppData\Local\Temp\3ac211f8\qVinGi.exe

Filesize
528KB

MD5
9c354249e2b00af7362d8eecaee9b2b2

SHA1
13ffdbab9f8df78798ee14ab2640f21eb7deaa67

SHA256
69da81656ee601972241df4c1cf0debdf2c09eefce5753b10d58a9136cf45023

SHA512
55713fdbee4a11a4677d6375f5975e7ff2c1a197a3bc639beba09b506a6d8856793f9ee3cf917be0ae24cddbc47b24d6e36c01be0841f85d84d7069f389c1119

Download Submit
memory/1424-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download