ba9688a388608356436e1723e5f538b8da39e79f11b4846aa4574c79ad9261cf

Analysis

max time kernel
117s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba9688a388608356436e1723e5f538b8da39e79f11b4846aa4574c79ad9261cf.exe
Size

688KB
MD5

45455d6e27fcedbfe1125eff97dabe00
SHA1

a28d825f4db9571dbe29658344fa667c331cf38c
SHA256

ba9688a388608356436e1723e5f538b8da39e79f11b4846aa4574c79ad9261cf
SHA512

73360fa4461abd355df0ea17abb62f1c8ba7c88d0ae76cadaf2f34830cbf860cff6e442881ed716eaac6b21e55503c157397a4cd3ec82d61e14fa1779d968074
SSDEEP

12288:7wSCzE7RFO/ZhXd88XaNjWuSkK6p7LZtqClOeZ02otvHloULL4akOs:7xCzbZhN88XKWuPK65amR02OqUL8akOs

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2380	t8l9zy.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aakdenikljoehdhilnidgjfkkkjhhnad\5.14\manifest.json	t8l9zy.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aakdenikljoehdhilnidgjfkkkjhhnad\5.14\manifest.json	t8l9zy.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\aakdenikljoehdhilnidgjfkkkjhhnad\5.14\manifest.json	t8l9zy.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\aakdenikljoehdhilnidgjfkkkjhhnad\5.14\manifest.json	t8l9zy.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\aakdenikljoehdhilnidgjfkkkjhhnad\5.14\manifest.json	t8l9zy.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 2380	4308	ba9688a388608356436e1723e5f538b8da39e79f11b4846aa4574c79ad9261cf.exe	82
PID 4308 wrote to memory of 2380	4308	ba9688a388608356436e1723e5f538b8da39e79f11b4846aa4574c79ad9261cf.exe	82
PID 4308 wrote to memory of 2380	4308	ba9688a388608356436e1723e5f538b8da39e79f11b4846aa4574c79ad9261cf.exe	82

C:\Users\Admin\AppData\Local\Temp\ba9688a388608356436e1723e5f538b8da39e79f11b4846aa4574c79ad9261cf.exe
"C:\Users\Admin\AppData\Local\Temp\ba9688a388608356436e1723e5f538b8da39e79f11b4846aa4574c79ad9261cf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Users\Admin\AppData\Local\Temp\29606c2c\t8l9zy.exe
  "C:\Users\Admin\AppData\Local\Temp/29606c2c/t8l9zy.exe"
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  PID:2380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\29606c2c\aakdenikljoehdhilnidgjfkkkjhhnad\Q9IDp6R.js

Filesize
27KB

MD5
6d824d1f4a760f4f99a11d1775466c48

SHA1
bcbd8f7a7fe304fe530293dacb52db57f7e29100

SHA256
e7e587081842dd2036396a697ede8305c39b79fc0e0263cc6b1097c97707b0b6

SHA512
72d836cdab886436b3b440b683695792f438291db216b4d936cbe21dae50f0b49c019822e50c524ad3fdf39a0291e7f3b706bae3ed79bb596fda8b9a6d31b5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\29606c2c\aakdenikljoehdhilnidgjfkkkjhhnad\background.html

Filesize
144B

MD5
ddf6cedfec32e962c3711b19abcc0b70

SHA1
a2369c742d0f0a32c93a09f3021ec44acf876e28

SHA256
f17fc752e30a54b33978bfab3eb4632f76ef7bea2094cd60662f924959721d4c

SHA512
89535057a826e4dc678300d61b20900eeed86810af16ee531c1995702f98cdb78224bb526b1c2d9954a22aced3bfd6d8f72c40aefe38ba491ba702b837b54324

Download Submit
C:\Users\Admin\AppData\Local\Temp\29606c2c\aakdenikljoehdhilnidgjfkkkjhhnad\content.js

Filesize
6KB

MD5
dfde2d862b06d1517bb60ee36c209576

SHA1
8f4c6de09d9c8b7f27a5c66916b7a6ee2ff32771

SHA256
8e20346b67e1997adf39078855a51ba5ef0b892179273f516a688fce9db2fb96

SHA512
d703f90a04ca8407492a7bb611c3c7a4c210000edef5d5dd27a8d9751fc0020456110aef4a2ff0e7864e514ea48bc4905d1902cd1919efa290a3f592ab809505

Download Submit
C:\Users\Admin\AppData\Local\Temp\29606c2c\aakdenikljoehdhilnidgjfkkkjhhnad\lsdb.js

Filesize
8KB

MD5
b0591a51def3e3fa459f45eeeae18018

SHA1
0bacc951d03f78f344678ed72961f4540f3c6917

SHA256
e943f9ae1bb17e35ac5f0fa5a45595c8a5eb41636dc29d53f1eb6ea506196d4a

SHA512
8d2210db47057a85055a6f2861e0b405906e4e10ce2fe82da0e3a20d9e0f208e4f7b81ea9d5d1af6291ce18d377385e265ae8499e0e017596bb01669dc9bf6b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\29606c2c\aakdenikljoehdhilnidgjfkkkjhhnad\manifest.json

Filesize
502B

MD5
0c0f5df1564976189527d0f7efe9a738

SHA1
c55c4b0d9302e176e5a80499ff96ebadc426ca90

SHA256
2a48df89643a2d8ea1a39eae2fdb5304fca8e6be588589ec3969d3e36084cf60

SHA512
37f086c4977abe6d6a3265f0a3fd1c16ae48128fa71e9f3e1e7321ea11145dcff55d270888ad342b0dca0f393fec15efe4fb28e965a59837658c4f397f742a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\29606c2c\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\29606c2c\[email protected]\chrome.manifest

Filesize
26B

MD5
4427503d510e392a735e5d07d9ed70c8

SHA1
d55a72b3fe8758f4b7b89011b859271c91f99124

SHA256
30302aa0eb030a7c18b995e406893835c3e9463f016c9d75017f2cca51d441c5

SHA512
bc8d1467905360d526f9de01d550bc1d734e0ae8cf9c5350375ad00a219fa907a44ca5016d27ecc553b4c43579816090eef3db557e24699ba03562194bd470fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\29606c2c\[email protected]\content\bg.js

Filesize
30KB

MD5
002b37719d58b5a0db61727858c19cde

SHA1
24dc2923e2577bd623aa18ca28b70c3e23efeeab

SHA256
26857db882f5eb5a060a832946d8d257d72f1b8121750b54e2d7ae5741843f04

SHA512
72585a16b636b8ef2f377e7a4dea6ded25491da699624215c07a1acd917ff201d2ff8911266c48ac5d354a17c6236e5c6c7f87a8574cb5b4666151d9acad6bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\29606c2c\[email protected]\install.rdf

Filesize
602B

MD5
fcc3f27fca91687e16dd0dd663f037fc

SHA1
64073c0d0c52cf100ec1f5b2129a3829cae57c85

SHA256
c04ed948ad616649ec2f291179daecf3f1d567824a0f98faa3b48e6e7c6a4e65

SHA512
5b78f72a2d888d30628918384e5a6ff73f1ba113511bbfe5207604ba6fe31cc5d00b7f917d4af64b0f38b616418a3c1988aa113e69a35c63b0ef219dcb6d3bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\29606c2c\t8l9zy.dat

Filesize
1KB

MD5
c67748c56f613090945916cbe72151f2

SHA1
ab1e982beba0caffa4647defd3a0d1233bfb2d0b

SHA256
db0791b7234fc6c21450064261a4314805b91c9935efe6eec4a825b6ced8fd6b

SHA512
86f0f8d87c72ef64e31a1f79a7dd34f29a179e974ecfaab5d39b21848943e00836b9aaae7ba83fd941bc37f5182e121a1e8e56f8be793bc1a3f4b169476ea6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\29606c2c\t8l9zy.exe

Filesize
448KB

MD5
15f67f067cc9df510882bf68bc1df4d7

SHA1
0722474b01bd1090c53c6da6508966355185c0df

SHA256
a7afe02d82d63547307b9adb7d9560f76e069b2825f018bf7b21863abcd60f66

SHA512
0a46ecb520fff477e050f3e749d0e394915a362176e94001c072f762bf7335521092d04860a13d1901cd57ca4c89e8f1c86f281bd5077d662f73c8c1dc098b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\29606c2c\t8l9zy.exe

Filesize
448KB

MD5
15f67f067cc9df510882bf68bc1df4d7

SHA1
0722474b01bd1090c53c6da6508966355185c0df

SHA256
a7afe02d82d63547307b9adb7d9560f76e069b2825f018bf7b21863abcd60f66

SHA512
0a46ecb520fff477e050f3e749d0e394915a362176e94001c072f762bf7335521092d04860a13d1901cd57ca4c89e8f1c86f281bd5077d662f73c8c1dc098b6f

Download Submit