77a8023fe56ce581ea096db9b46f1052aa36df5938492d5d16ea879eaa920ee8

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77a8023fe56ce581ea096db9b46f1052aa36df5938492d5d16ea879eaa920ee8.exe
Size

789KB
MD5

5c97c3e39b929f03f9680e75fd72f42a
SHA1

40b18122ac4c50b511e0b07a2f92c9e9c44819bb
SHA256

77a8023fe56ce581ea096db9b46f1052aa36df5938492d5d16ea879eaa920ee8
SHA512

e8dc1fc20a1f0babdc1f58d3388cf24378cc8a0ec7a4a58352d437126185fccc10f01383610c52f88ba6ce976e04322ce23a2213be50961685b674ae4f977e9e
SSDEEP

24576:h1OYdaOrM9WKfwIBWe9IWK7f6jd9YMhKTOoR+:h1OsoYIGWkf6jd9YMhKKD

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
940	0exc3lxkzYBITNj.exe

Loads dropped DLL 1 IoCs

pid	Process
2020	77a8023fe56ce581ea096db9b46f1052aa36df5938492d5d16ea879eaa920ee8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcakbdbhkbckiebfnphbooelbkkgccdc\1.3\manifest.json	0exc3lxkzYBITNj.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcakbdbhkbckiebfnphbooelbkkgccdc\1.3\manifest.json	0exc3lxkzYBITNj.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcakbdbhkbckiebfnphbooelbkkgccdc\1.3\manifest.json	0exc3lxkzYBITNj.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	0exc3lxkzYBITNj.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	0exc3lxkzYBITNj.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	0exc3lxkzYBITNj.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	0exc3lxkzYBITNj.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
940	0exc3lxkzYBITNj.exe
940	0exc3lxkzYBITNj.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 940	2020	77a8023fe56ce581ea096db9b46f1052aa36df5938492d5d16ea879eaa920ee8.exe	28
PID 2020 wrote to memory of 940	2020	77a8023fe56ce581ea096db9b46f1052aa36df5938492d5d16ea879eaa920ee8.exe	28
PID 2020 wrote to memory of 940	2020	77a8023fe56ce581ea096db9b46f1052aa36df5938492d5d16ea879eaa920ee8.exe	28
PID 2020 wrote to memory of 940	2020	77a8023fe56ce581ea096db9b46f1052aa36df5938492d5d16ea879eaa920ee8.exe	28

C:\Users\Admin\AppData\Local\Temp\77a8023fe56ce581ea096db9b46f1052aa36df5938492d5d16ea879eaa920ee8.exe
"C:\Users\Admin\AppData\Local\Temp\77a8023fe56ce581ea096db9b46f1052aa36df5938492d5d16ea879eaa920ee8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\7zSE39C.tmp\0exc3lxkzYBITNj.exe
  .\0exc3lxkzYBITNj.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSE39C.tmp\0exc3lxkzYBITNj.dat

Filesize
1KB

MD5
fd4fed0f6e40a6a911eabd735777b8e2

SHA1
bd6fb81d19c5ead3571d5264e759b209ad1f9f93

SHA256
4a107ff36115de51c9b5bcb9712e5cda82bc2ccae5dc6859dd413df55d718490

SHA512
cf016dcaddf78e46f14db45b1853bc2b2442894443c8f678e9dcd98221d71e9812981f13b5296d2a5dae2072aaf125baa91fe1332d8e38c78b8e0187457560f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE39C.tmp\0exc3lxkzYBITNj.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE39C.tmp\mcakbdbhkbckiebfnphbooelbkkgccdc\Q.js

Filesize
6KB

MD5
d1dd2db2c755e7f683f80db1a71a62d6

SHA1
9330af5df0b0df94c34a66403bff31de361fc23a

SHA256
043d1ed9ed8f52c6f19287b92ac1349db9ac20b1e4887e67807e01cae4e3967e

SHA512
221a7a0fe31adeddeca202b07489437b27d5da3ff9ee0b7085915652e6b38bb7c3fab8dbd20fe5456bb45c0f87f891711384b2af9cd3558a0257468ad27d9fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE39C.tmp\mcakbdbhkbckiebfnphbooelbkkgccdc\background.html

Filesize
138B

MD5
d1aa69a518cf74ee8a03571ddb78c436

SHA1
7c1a0ee021a8d63c3d4d9e53dea93a8768f04d76

SHA256
8b94f47f8a0cfce2adcee6d859caf2d3f3cd435d62050d0c562547664aaf6d91

SHA512
64a8867968c4f14c750eb7721999e00f9564644ea4ca671ab91d20b1ab7049a4a9c85908bef857dfb20acf44b64b2740598a97d5349159c8f1c2d1120c2a32c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE39C.tmp\mcakbdbhkbckiebfnphbooelbkkgccdc\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE39C.tmp\mcakbdbhkbckiebfnphbooelbkkgccdc\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE39C.tmp\mcakbdbhkbckiebfnphbooelbkkgccdc\manifest.json

Filesize
500B

MD5
8ef83ffe39c89eda0d19f49d8a895655

SHA1
60430585ed622ba3eb764e486f985dc56bc9c750

SHA256
e77e468564d747911d508448f41335a0285dc8ee609722020f5dcdef8a7ed013

SHA512
4567201308e9422adfb8c65e5ffacd3a1a74ebd396864a82507faea00358ea52b7abe82a799de7ac384a39ae5a44f0dc6279cb1fed741586a5c8b7764490d12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE39C.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE39C.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
dc58dbc925fb5b1b5176da7434640f22

SHA1
13be99a3a16f0e024723b93355efc06e8145bdeb

SHA256
8505cae7cf33e2d8e0ae198cdc8f0e2b46bfa541ed9f5ad56d09a3f6d118c08e

SHA512
93cf6228e8db4a9016caf0a2ba6f3d522e4edb7f3407e14087d344bba87c9ea14e9bce59b5d4ab981d73567cc39d2030dba7265860b355be71ad3cc446804c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE39C.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
803a550e66842d967edabb2699407de2

SHA1
30f058089578546802d74fdac72c284145c133f6

SHA256
474167229fc726bb75cc54de8603ab4a2e4881d2080a922afe0876455eed9e3e

SHA512
264252e4d069c30927f10c833181899b8b33b4e2b78865b245da65edb2b057fd2a2e6de4696c841a0e365faa22ff47511483f995545b193357ffd1e9f057d073

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE39C.tmp\[email protected]\install.rdf

Filesize
599B

MD5
4a56d741d35f93fc6a6f71634e46d951

SHA1
03d439900b3c322a028883e68173be1721466d40

SHA256
866357dd8e00f104bab9d2ed2e6ea760c37b0af0e427aeec0aa642e3919cc510

SHA512
7c9463099634eaf652014057cf7486d832b7f3ef2c8baf563a2a92ce35922db2d97c97a3b707bceb50113168e22292d5296d909f90c2229ccc35a553e1c98f86

Download Submit
\Users\Admin\AppData\Local\Temp\7zSE39C.tmp\0exc3lxkzYBITNj.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
memory/2020-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download