59b316f011eb67a5553c7f877b8dd70f9a69a59c265e8d7e54a33dee139ebff4

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59b316f011eb67a5553c7f877b8dd70f9a69a59c265e8d7e54a33dee139ebff4.exe
Size

531KB
MD5

93079d3de850255017f4fa358af207b0
SHA1

a640233f82096febafd75452c03396cff9105901
SHA256

59b316f011eb67a5553c7f877b8dd70f9a69a59c265e8d7e54a33dee139ebff4
SHA512

2e94592951ba8bd25b47407d2fefead70317a7b568f3fce72ea0bcf7cdf8e825c4c8adeebbfb74fef8dce1ba3b9d8b1f5ac56f71fc2e52d69f4efc2e0ccfb01b
SSDEEP

12288:Jc1sFyvLt9+ZORsoV4yKu/RZ3qwIsCz3YrOGNA2XhqL/eRAFE:CLzGoLKu/LqDBnQQ/Y

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1448	Nwtw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\piclglmognjaijlpaljjkiiphkidghlb\2.7\manifest.json	Nwtw.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\piclglmognjaijlpaljjkiiphkidghlb\2.7\manifest.json	Nwtw.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\piclglmognjaijlpaljjkiiphkidghlb\2.7\manifest.json	Nwtw.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\piclglmognjaijlpaljjkiiphkidghlb\2.7\manifest.json	Nwtw.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\piclglmognjaijlpaljjkiiphkidghlb\2.7\manifest.json	Nwtw.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 1448	4796	59b316f011eb67a5553c7f877b8dd70f9a69a59c265e8d7e54a33dee139ebff4.exe	83
PID 4796 wrote to memory of 1448	4796	59b316f011eb67a5553c7f877b8dd70f9a69a59c265e8d7e54a33dee139ebff4.exe	83
PID 4796 wrote to memory of 1448	4796	59b316f011eb67a5553c7f877b8dd70f9a69a59c265e8d7e54a33dee139ebff4.exe	83

C:\Users\Admin\AppData\Local\Temp\59b316f011eb67a5553c7f877b8dd70f9a69a59c265e8d7e54a33dee139ebff4.exe
"C:\Users\Admin\AppData\Local\Temp\59b316f011eb67a5553c7f877b8dd70f9a69a59c265e8d7e54a33dee139ebff4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Local\Temp\00294823\Nwtw.exe
  "C:\Users\Admin\AppData\Local\Temp/00294823/Nwtw.exe"
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00294823\Nwtw.dat

Filesize
1KB

MD5
97c85419185a55f064c7081e62e9cdc6

SHA1
04d9713dcde1e5664cbf1d6e2a88ae9696bd866a

SHA256
5df921a6a122cb4761eb9d83b9dbf3e59047c7381e457fba67f4a01cfbf40cf8

SHA512
f4ef28ecb97528e8409370ac286e14a1a842b845b946e36ed2ce144a924b3dd51eed9d5e3bfead553c049429d0a9bfe6e0114af9167b5f03c9c6b3ed69245ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\Nwtw.exe

Filesize
388KB

MD5
b762b67e59693ce11d0d861fd9e9a0a9

SHA1
2daab823fc927aa07db12f51429d64dfd1518d6d

SHA256
9a29031b8a1fdef56a83ce1926292295ee28a3d31b8a039127fca0703350c5b2

SHA512
3b904e5c46ad9d11e333bcf6f220949fc293840432f2d5de302c5bf696bdc171e1995bc395826142e20dd79fff814cae94148eda195d2a789d2ff7034b2744d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\Nwtw.exe

Filesize
388KB

MD5
b762b67e59693ce11d0d861fd9e9a0a9

SHA1
2daab823fc927aa07db12f51429d64dfd1518d6d

SHA256
9a29031b8a1fdef56a83ce1926292295ee28a3d31b8a039127fca0703350c5b2

SHA512
3b904e5c46ad9d11e333bcf6f220949fc293840432f2d5de302c5bf696bdc171e1995bc395826142e20dd79fff814cae94148eda195d2a789d2ff7034b2744d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest

Filesize
24B

MD5
8d8cc1cb9ae80f1c3cd98d2c2a15b519

SHA1
f1ffb7e8000e68fa5fafecafb5671745989033d2

SHA256
6b188ffdb581b85269a1df42f2ebbf53fa9ee4745888606de20248cbec303682

SHA512
d98f0328b8d15d6ba4d78bef123d45425135f85edf0fb75f668c4eac76c1f2ed0ab6482d00354940ba13d1ceee5a1543c6b89f7802fc6676b50a0d1cbb72b525

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js

Filesize
8KB

MD5
bb81378df1253c97bca6761ed211359d

SHA1
25f1e7cb3d058610a80c3fe49788f22cb42c34b0

SHA256
40462e8e33ee2a39f06efcc7775850a3b30c7d64ac6b56c7c79aa9247aaf7249

SHA512
000b35765362beef68d3db7280037831fc95f442c98a15bb9be663dd1544bd30f695af8cd512dd277315a0d9e7bad03b077dfddf22d00bed3f32ca87abc1410d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf

Filesize
606B

MD5
a39223cf7abc15a2db244f26bb691829

SHA1
c5e93fd0d2a82d2e370d304c72d505be29383eef

SHA256
1a45986a2ca34afa6d95b3daf8d3f3c69b5a8785f0824e97f13c759c75e398be

SHA512
67eca81de063c1585f0cd5263bce2673321f90ed85d2246110ea8f63132d69e68548fbe12760446fa64eaa1339db3696b7e574b608d2bec19962ae342fa57afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\piclglmognjaijlpaljjkiiphkidghlb\background.html

Filesize
142B

MD5
da295f31e582c13c6f299946edc74617

SHA1
5cc5be32fbbcabf31628886995010cc3bba95d03

SHA256
5318dac8c14010ae97e75d8d29e7e0ec525060eaf6e18746056c10b9e6027d63

SHA512
9285dc1a7c5400fafaab16cfdbf620ac154867682ccb2bde5d9d112c5813d0f284ede936fab79e7acfeda5b7bc20e04e65e1fc68950083e106835516bde887c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\piclglmognjaijlpaljjkiiphkidghlb\content.js

Filesize
144B

MD5
0654917402505bc71a231599d02e09a2

SHA1
e24d4fcf6f136c3be86b4dc01bd3bf446ce462ff

SHA256
9577828de9e701114e75cca9918972c9028689518882edcb6aa193f9353c19ae

SHA512
3e7077342d4c06d1192898a4ec5c9b19f3ca8883c5fd7c6e2a581d855959b748b5a8c4b07e3468cfc8b79e6abc1595fefccb41011c179da665567d5dc4b2da5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\piclglmognjaijlpaljjkiiphkidghlb\lHrIl.js

Filesize
6KB

MD5
cbad83dbb191cf83198d4da5d771a648

SHA1
fc0a6a92905e6627460581a2b67dcae5c368bb93

SHA256
c82d1cbb84a82d4447bbd2e8df2693b77c2c57425b76692739d02a1b90bb73e3

SHA512
b6b54b71138bd15261ac01e75b0cb58b06e82afed0c8aeb491dba58932f22dcfc826944b6204b3c53b9e58f857771b3d4ae6763909d044668ab71707b266beed

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\piclglmognjaijlpaljjkiiphkidghlb\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\piclglmognjaijlpaljjkiiphkidghlb\manifest.json

Filesize
502B

MD5
e35fc698c81d86262022a3efdea8c11c

SHA1
45773343540291b314cfb1fa85aaf7620fae487c

SHA256
8356b079a0f46c25f4a808656c2e48a509b713c208708c8ef932ae8b8ad82cb7

SHA512
a7e32d5c899fa02bbbd2ce4c91762d7601f1a10b5f82c38457c4798af7213e4d5023b56e95d1b81d76e8abe90079d2b5724a422b43eb3b103412595a665dc42b

Download Submit