0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
Size

348KB
MD5

a3a921c784125bf429841b0da5634086
SHA1

926dffdef5ad155c1b04c405035be2ea575603a4
SHA256

0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136
SHA512

bdd1444516f40c3519a3b0a0081e1e302d7a5a4d87edf5a04fee167c645050283e3acc96ae276d35a23f3b7cea77fc8131a3de19297d98656787a9a2b11b9c2e
SSDEEP

6144:qTX4MTAj8olritKpGmgXIaik9gvrmQGfMcIZnpYAHIe+cg/fpR:qTriEKGLXIJkwrmrrIZpYAHnkf

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1960	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.ogr

Loads dropped DLL 1 IoCs

pid	Process
836	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\javaws.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files\Mozilla Firefox\uninstall\helper.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files\VideoLAN\VLC\vlc.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\javaws.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files\7-Zip\7zG.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Purble Place\PurblePlace.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\Office14\MSOHTMED.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\GRAPH.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files\Mozilla Firefox\firefox.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\WINWORD.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\uninstall.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\misc.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSOUC.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\FreeCell\FreeCell.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Minesweeper\MineSweeper.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files\Google\Chrome\Application\chrome_proxy.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files\Java\jre7\bin\jp2launcher.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.ogr	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files\Google\Chrome\Application\chrome.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\oobb.exe	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 1960	836	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe	28
PID 836 wrote to memory of 1960	836	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe	28
PID 836 wrote to memory of 1960	836	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe	28
PID 836 wrote to memory of 1960	836	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe	28
PID 836 wrote to memory of 1960	836	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe	28
PID 836 wrote to memory of 1960	836	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe	28
PID 836 wrote to memory of 1960	836	0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe	28

C:\Users\Admin\AppData\Local\Temp\0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe
"C:\Users\Admin\AppData\Local\Temp\0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.ogr
  C:\Users\Admin\AppData\Local\Temp\0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.ogr
  2⤵
  - Executes dropped EXE
  PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.ogr

Filesize
288KB

MD5
e5f457e3d89281b97b099a757b4d9577

SHA1
aa8a49a5cfff30f5cdd23a7659b1c3ecdc734711

SHA256
ebcfea076a3bdca680525b5ce11e7d918cf574f800971a4ddd081f5a6069f0b8

SHA512
ffbb2880e10084c187a8dd3c42198782bc50a24886b2a8ee523b4c70a2dbb0b46ee1aa799f44bdd5129935d9d12b3c09e9566278b2f088ede8a39c6ec203663e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.ogr

Filesize
288KB

MD5
e5f457e3d89281b97b099a757b4d9577

SHA1
aa8a49a5cfff30f5cdd23a7659b1c3ecdc734711

SHA256
ebcfea076a3bdca680525b5ce11e7d918cf574f800971a4ddd081f5a6069f0b8

SHA512
ffbb2880e10084c187a8dd3c42198782bc50a24886b2a8ee523b4c70a2dbb0b46ee1aa799f44bdd5129935d9d12b3c09e9566278b2f088ede8a39c6ec203663e

Download Submit
\Users\Admin\AppData\Local\Temp\0cfb019323baead727c02379fc5fe206ad328dbc50143610f2a1fa7f3942d136.ogr

Filesize
288KB

MD5
e5f457e3d89281b97b099a757b4d9577

SHA1
aa8a49a5cfff30f5cdd23a7659b1c3ecdc734711

SHA256
ebcfea076a3bdca680525b5ce11e7d918cf574f800971a4ddd081f5a6069f0b8

SHA512
ffbb2880e10084c187a8dd3c42198782bc50a24886b2a8ee523b4c70a2dbb0b46ee1aa799f44bdd5129935d9d12b3c09e9566278b2f088ede8a39c6ec203663e

Download Submit
memory/836-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/836-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1960-57-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download