5287b0c0fa6ab9dc1981bdb83ac5e666f383cfed7f81ec8b8de983363ad89d73

Analysis

max time kernel
23s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5287b0c0fa6ab9dc1981bdb83ac5e666f383cfed7f81ec8b8de983363ad89d73.exe
Size

685KB
MD5

2d7f3386e73f62bdd44e29f8a2aceda0
SHA1

77305a2f0a2e66065674a39ba91ba5da87f8b53e
SHA256

5287b0c0fa6ab9dc1981bdb83ac5e666f383cfed7f81ec8b8de983363ad89d73
SHA512

789dc141908c4e4af1eb61d22a6625cb485b7997aa4aa347bf6d85221a4bd9dae7edb3dcd48dcd6a4c5f3f11941d5aadfea7bdd2d8b082d30388753573c2cd8c
SSDEEP

12288:3wSCzE7RFO/Zho5T07IgY+fvQapk+FQRSqibXPt8JFgcFqUO5Z:3xCzbZho5TZgY+fvY+Fy4bFAF+5Z

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1788	8QDgndDvs.exe

Loads dropped DLL 1 IoCs

pid	Process
1848	5287b0c0fa6ab9dc1981bdb83ac5e666f383cfed7f81ec8b8de983363ad89d73.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hboogfmldkldmefgdmamefbobbdeebam\1.1\manifest.json	8QDgndDvs.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hboogfmldkldmefgdmamefbobbdeebam\1.1\manifest.json	8QDgndDvs.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hboogfmldkldmefgdmamefbobbdeebam\1.1\manifest.json	8QDgndDvs.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 1788	1848	5287b0c0fa6ab9dc1981bdb83ac5e666f383cfed7f81ec8b8de983363ad89d73.exe	28
PID 1848 wrote to memory of 1788	1848	5287b0c0fa6ab9dc1981bdb83ac5e666f383cfed7f81ec8b8de983363ad89d73.exe	28
PID 1848 wrote to memory of 1788	1848	5287b0c0fa6ab9dc1981bdb83ac5e666f383cfed7f81ec8b8de983363ad89d73.exe	28
PID 1848 wrote to memory of 1788	1848	5287b0c0fa6ab9dc1981bdb83ac5e666f383cfed7f81ec8b8de983363ad89d73.exe	28

C:\Users\Admin\AppData\Local\Temp\5287b0c0fa6ab9dc1981bdb83ac5e666f383cfed7f81ec8b8de983363ad89d73.exe
"C:\Users\Admin\AppData\Local\Temp\5287b0c0fa6ab9dc1981bdb83ac5e666f383cfed7f81ec8b8de983363ad89d73.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\434f0dc1\8QDgndDvs.exe
  "C:\Users\Admin\AppData\Local\Temp/434f0dc1/8QDgndDvs.exe"
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\434f0dc1\8QDgndDvs.dat

Filesize
1KB

MD5
306f1cfceec10d99595385cb97601eaa

SHA1
15b829bb1eb05fc097dd545a6762557c5878499f

SHA256
9ba17b93800d746aa89496824d3e12804b11fc7fce55ffa0643d5cde44c500f4

SHA512
52d2de9467d86cada860338831e414061e3741367ad90d7303f6e91a8d7822b98bccfdca0382c0061cf8bd75f32ae0293687055e3e03903c781f1b876ffdd20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\434f0dc1\8QDgndDvs.exe

Filesize
448KB

MD5
15f67f067cc9df510882bf68bc1df4d7

SHA1
0722474b01bd1090c53c6da6508966355185c0df

SHA256
a7afe02d82d63547307b9adb7d9560f76e069b2825f018bf7b21863abcd60f66

SHA512
0a46ecb520fff477e050f3e749d0e394915a362176e94001c072f762bf7335521092d04860a13d1901cd57ca4c89e8f1c86f281bd5077d662f73c8c1dc098b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\434f0dc1\hboogfmldkldmefgdmamefbobbdeebam\THtlm_DKvg.js

Filesize
25KB

MD5
e62b5a07ba83563a4780ad3b4f949a92

SHA1
79b33414f8514fddd5575b123767fd791bbba03c

SHA256
765ccb7919480c01f5031156611be8a4bc27ae19f0b60e1752d54a29ff3b248d

SHA512
cd46fb4c371d4235e59df97ef83e104f30aa79ee83277fa64148092e721f06d51b7367fccd8794a8b988c964f4b4e73f084e906ef1f885ef4005d2c87441f5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\434f0dc1\hboogfmldkldmefgdmamefbobbdeebam\background.html

Filesize
147B

MD5
d50d49d8441bec0b0642ca0e1b5ba3df

SHA1
d3441b44d48457bdb69473de56c91775e601b9fc

SHA256
a820ff52efe9c4392719a55429534f57f5e8bdfa8880591b8cc92853b1c24558

SHA512
da3af3e71232908a85c46b68915a591a95bac2f4c8df3454bc529618a310edd7c7092762aade6552ea8dd93d2c96333c2b9f9b7c395046172942fbca30e883f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\434f0dc1\hboogfmldkldmefgdmamefbobbdeebam\content.js

Filesize
6KB

MD5
e97255a5f053555bf3469aeaa0c1a5e4

SHA1
6a19639ff274d55022ed909f24509eb1c3254c28

SHA256
38f9a634dffb61dc8c0979083cf96200930b9a6be93141623b07e8ee3f0a98c0

SHA512
5018661263cfda146637677db0bd677b3fa47f711da432a10138a8c0131c4eaa38b74bd70dafb3a12b0f0223c591ef121eed197bcfe23dd8a6b8468e7af2cb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\434f0dc1\hboogfmldkldmefgdmamefbobbdeebam\lsdb.js

Filesize
7KB

MD5
6e4ea693720eb09d4f8f956ffb15ad76

SHA1
faed2b40524993c24f75fd1eb8bd28ddfc07c65d

SHA256
0382ad5fef1c027125c2756659753f9dff405b66d04d0d17fb78c2d4cdacdf05

SHA512
8dc94d18d1682c6566bb3ee621935b60df192745f1be8f68716668b89a7723e6093d6036d42478ed6e96e8a3cfdd433776543f5a3cc5451c5353ab46358917ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\434f0dc1\hboogfmldkldmefgdmamefbobbdeebam\manifest.json

Filesize
499B

MD5
2a7dac56f92276562ccf3c46d901abb5

SHA1
53eebd1a7c1d0c1b5608eafc216348a9fb100861

SHA256
dc5a2e7b50d3bbebae2e3c3d09a69bf0adb23d2bdd349fabcc2645363e4105f8

SHA512
91dcfe17e5b152ee067b58d45d3152488b8a2657154727d13309802d83c39fcd363d37ceaaf2a9ce31faac60562330a06d0e765556518cee7dfc76c374e9d622

Download Submit
C:\Users\Admin\AppData\Local\Temp\434f0dc1\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\434f0dc1\[email protected]\chrome.manifest

Filesize
29B

MD5
61e695f63bae006674616dba1f4bd67b

SHA1
aa498205da13925bb2d54c98c852e859d3434a55

SHA256
351916de7ba0697655d76f81ee0f9cd2ece87dddba3136725c58d92becb4bc68

SHA512
65b8f1700c07583ef78ead4266c222831aadd61b45c3eb0e0ee25447b554a39c0eaf378c9bab64527aafa954ab18116755b5bde6bd83bb49cb80b1f72e2c93ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\434f0dc1\[email protected]\content\bg.js

Filesize
30KB

MD5
7a377c3846ecb7b64d9a69d52eb2a407

SHA1
b507d38dd9870c5d20d7a4bf2b981f9bc884705d

SHA256
6d6330d13f96724305d09b82e4d8db77c08c456a9c020df383405576e33fad11

SHA512
53608a81612f9f6501dc8ccc51c00589b0725916b9f1f398dac2d91f8b8d8b3891ce44313b7cfbce78bb625a7e8b90fe429b2f40722c9fc11cb3bba04b1b9df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\434f0dc1\[email protected]\install.rdf

Filesize
599B

MD5
51db795542e310b0b862b6aaf55e541b

SHA1
d3de2e15ba3e1e55bb4c104a919b6f539e733140

SHA256
525f892e4c404ad3d78703df5dad97c29e3d45c57b0c337a427021b4a8e690c6

SHA512
e01b46bbc27aa94084a3a28b8ea45d144c035d8c3e01f6a825b16ef39cc6b765e4c7302fe2439b5987db4fbc12dafb311a340fdfb0553e2fb16785a020f8c6dc

Download Submit
\Users\Admin\AppData\Local\Temp\434f0dc1\8QDgndDvs.exe

Filesize
448KB

MD5
15f67f067cc9df510882bf68bc1df4d7

SHA1
0722474b01bd1090c53c6da6508966355185c0df

SHA256
a7afe02d82d63547307b9adb7d9560f76e069b2825f018bf7b21863abcd60f66

SHA512
0a46ecb520fff477e050f3e749d0e394915a362176e94001c072f762bf7335521092d04860a13d1901cd57ca4c89e8f1c86f281bd5077d662f73c8c1dc098b6f

Download Submit
memory/1788-56-0x0000000000000000-mapping.dmp

Download
memory/1848-54-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download