aa36c9dda009d1191a763ae9ee43b21e90ee295cb006f13501c1bf199eb86865

General

Target

aa36c9dda009d1191a763ae9ee43b21e90ee295cb006f13501c1bf199eb86865.exe
Size

777KB
MD5

bdb3a24aae809cee38305043406a8f47
SHA1

0f5d97ec67b5fce2c2cf314f7287396826f96ae9
SHA256

aa36c9dda009d1191a763ae9ee43b21e90ee295cb006f13501c1bf199eb86865
SHA512

7a951a7a52cf5e7b0521fd5b9dbdaf5afa5915920fcb59bbc6091630eb536b73865e86d9835ef9b32f0fbe1258a8db7d4a7c378aa8b684966fb389495d136112
SSDEEP

24576:h1OYdaO9M9WKfwIBWe9IWK7f6jd9YMhKTOoR0:h1OsyYIGWkf6jd9YMhKKL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5060	xEuxwS5gztbclml.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhbmojliagbancdcmookpmaaoipjifmc\124\manifest.json	xEuxwS5gztbclml.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhbmojliagbancdcmookpmaaoipjifmc\124\manifest.json	xEuxwS5gztbclml.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhbmojliagbancdcmookpmaaoipjifmc\124\manifest.json	xEuxwS5gztbclml.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhbmojliagbancdcmookpmaaoipjifmc\124\manifest.json	xEuxwS5gztbclml.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhbmojliagbancdcmookpmaaoipjifmc\124\manifest.json	xEuxwS5gztbclml.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 5060	2268	aa36c9dda009d1191a763ae9ee43b21e90ee295cb006f13501c1bf199eb86865.exe	81
PID 2268 wrote to memory of 5060	2268	aa36c9dda009d1191a763ae9ee43b21e90ee295cb006f13501c1bf199eb86865.exe	81
PID 2268 wrote to memory of 5060	2268	aa36c9dda009d1191a763ae9ee43b21e90ee295cb006f13501c1bf199eb86865.exe	81

C:\Users\Admin\AppData\Local\Temp\aa36c9dda009d1191a763ae9ee43b21e90ee295cb006f13501c1bf199eb86865.exe
"C:\Users\Admin\AppData\Local\Temp\aa36c9dda009d1191a763ae9ee43b21e90ee295cb006f13501c1bf199eb86865.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\7zS743B.tmp\xEuxwS5gztbclml.exe
  .\xEuxwS5gztbclml.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  PID:5060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS743B.tmp\lhbmojliagbancdcmookpmaaoipjifmc\background.html

Filesize
146B

MD5
9d0953def8b56f92d8c823274ba46465

SHA1
c6c6e53ac07e28beb50c91379071437c4bd267d3

SHA256
c55b7409383bcb5235b1dc5943a4cd18a38cacdda0b5207255665356e0e05d1a

SHA512
8b7942962552023a873dd0b00cd3e66a042005f4fa570d44f631e73720391989b60ed2c16faa5d346ba0d1194739699e1a06cc6c3a6fb743778835440926ef6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS743B.tmp\lhbmojliagbancdcmookpmaaoipjifmc\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS743B.tmp\lhbmojliagbancdcmookpmaaoipjifmc\kH9JfrkYY.js

Filesize
7KB

MD5
1e82047cbc5ddcc6e8f630e649274f4c

SHA1
726eeb687e2becdd50762221cccadd480f749482

SHA256
72af4f3e647c7188cd5a391295032935dd996d096fe8583c3d5758907e1d7301

SHA512
423696b60e94a922df38b9ea4659911fe9082deebceab7c9af6aebb5819f4c019b4cb5a747702e8af3afbdb191412476933f7ced92a00092d66af6c0852ba825

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS743B.tmp\lhbmojliagbancdcmookpmaaoipjifmc\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS743B.tmp\lhbmojliagbancdcmookpmaaoipjifmc\manifest.json

Filesize
614B

MD5
cab381c183babaa808ce059a06b49b2b

SHA1
417e89a27d70676f20811d318e85d07e25d873cc

SHA256
e4ca4b458712d727af588d6315b12b7f1dd0bd61c633c713a0ac230c09868d96

SHA512
2959dacf64302cbad506b47070b5f718fb5d99c776c159beae158719298e4ca48c113be9503fd82e38d9a362d2f9d791d1c38892ab1dd0aa42d9cb8ccf1593d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS743B.tmp\xEuxwS5gztbclml.dat

Filesize
1KB

MD5
9e515b399d0a17a59709a75cb18fa097

SHA1
f927f1c41652aa899212514354311308fe00fc2c

SHA256
01fab528c49516172275c7959987525d910742d74b6ff07a082e45edd4a36f4c

SHA512
2e82a2903b88f5c67d595245d6ae696d36ff7a692e8653aeb397ca6d54b11b6837d28b322483d383c092fc9e16a5446b9def3ddc6f4b86262c07c254ebdc8993

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS743B.tmp\xEuxwS5gztbclml.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS743B.tmp\xEuxwS5gztbclml.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit

Analysis

Sharing