5af2b7b4991ac3e32ede7536c879539633fadd058feb1abcf50a4d530cde6617

General

Target

5af2b7b4991ac3e32ede7536c879539633fadd058feb1abcf50a4d530cde6617.exe
Size

776KB
MD5

82322a79344f83a000f134573a03a629
SHA1

a30a0aa9d1c5bc251e1910ca9698fd85553cb408
SHA256

5af2b7b4991ac3e32ede7536c879539633fadd058feb1abcf50a4d530cde6617
SHA512

34126dc10d1569fe6eb84f46ea13b2016e1042034bdf565da314dff55a37c14abddca9dc5d054c830ccc83c0391b406714fbe2e723b7bd7d36ad38bb2c20221a
SSDEEP

24576:h1OYdaOyM9WKfwIBWe9IWK7f6jd9YMhKTOoRd:h1OsHYIGWkf6jd9YMhKK+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4732	I0bIe6jf606mwsz.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmgagnmbebdebebbcleklifnobamjonh\247\manifest.json	I0bIe6jf606mwsz.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmgagnmbebdebebbcleklifnobamjonh\247\manifest.json	I0bIe6jf606mwsz.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmgagnmbebdebebbcleklifnobamjonh\247\manifest.json	I0bIe6jf606mwsz.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmgagnmbebdebebbcleklifnobamjonh\247\manifest.json	I0bIe6jf606mwsz.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmgagnmbebdebebbcleklifnobamjonh\247\manifest.json	I0bIe6jf606mwsz.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 4732	5048	5af2b7b4991ac3e32ede7536c879539633fadd058feb1abcf50a4d530cde6617.exe	81
PID 5048 wrote to memory of 4732	5048	5af2b7b4991ac3e32ede7536c879539633fadd058feb1abcf50a4d530cde6617.exe	81
PID 5048 wrote to memory of 4732	5048	5af2b7b4991ac3e32ede7536c879539633fadd058feb1abcf50a4d530cde6617.exe	81

C:\Users\Admin\AppData\Local\Temp\5af2b7b4991ac3e32ede7536c879539633fadd058feb1abcf50a4d530cde6617.exe
"C:\Users\Admin\AppData\Local\Temp\5af2b7b4991ac3e32ede7536c879539633fadd058feb1abcf50a4d530cde6617.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\7zS7F18.tmp\I0bIe6jf606mwsz.exe
  .\I0bIe6jf606mwsz.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  PID:4732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS7F18.tmp\I0bIe6jf606mwsz.dat

Filesize
1KB

MD5
9d5bf0e610c8ce79f69e5cc482e6f631

SHA1
18f2dc183e88d2fe41954175cbaefc938d1447d5

SHA256
516e0f3aac92d31249c8f5e55ca1224457ea85000ae0b7618e024b2642dda852

SHA512
03816cf8b14de9b864754bf4dc0d8eae4174e887718a6c3c46f01a0b2219d5f6d3df20ba9869962778a994a9e8ccd66188ed02d64716822fd8f4c9ceeabb8376

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F18.tmp\I0bIe6jf606mwsz.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F18.tmp\I0bIe6jf606mwsz.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F18.tmp\mmgagnmbebdebebbcleklifnobamjonh\background.html

Filesize
144B

MD5
a7866321f649cb6e8a96167dd948b4d1

SHA1
63735035ea6c4e5fad62fdd96537664a3b5e3f18

SHA256
33c75f0d41e3ab687119d07dc458be35fb93a776e662eea534e7c7c309ddb75d

SHA512
8298454ab91c7ec0896826c9044cd42810b8178b5296e680e7a1588349ff11afdbf2778341307ff6d034c3af3dba1d6f1cab0e8ba0cd9aa7c9a19d567f62d68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F18.tmp\mmgagnmbebdebebbcleklifnobamjonh\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F18.tmp\mmgagnmbebdebebbcleklifnobamjonh\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F18.tmp\mmgagnmbebdebebbcleklifnobamjonh\manifest.json

Filesize
600B

MD5
07c9c7c3a63b280aa107a8fbe5df2e6c

SHA1
2ad9f7793d7f6727399043492af6aac1713114b9

SHA256
f9db7267ba5b99a0b8f05f623edacb2eea71a7d25db5249bcc428457b9f58d22

SHA512
19baaaa020e0112aa46510589923f014a8eead884ed3d8b3ce5a3708c0883f386db7585c76a0db66f47b6a35509625bbcc5d590a6abc03cc462d7a1cfb6a33f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F18.tmp\mmgagnmbebdebebbcleklifnobamjonh\yAZLOXo.js

Filesize
6KB

MD5
779930c85b94977d5fcf6903c2120a84

SHA1
38316173ba20f0da7a46cca99a49b8ad76fcc074

SHA256
e5155eefdcba7fc1e7eea1eb54d62484431e34a11bcf618f7abb754bfbcd47df

SHA512
e7e4fd4059f5b45b8d7fe937a63328e42d77429fbbefc1833e091a0f635a943f5f741d88ba5a766cb98343eda27d295cf0132efb8266fb5cb8c935deb3169b57

Download Submit

Analysis

Sharing