104781b9abbb847011f7b724d76ca423ce5d26aa6cc8951d286fb0507095201b

Analysis

max time kernel
119s
max time network
195s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

104781b9abbb847011f7b724d76ca423ce5d26aa6cc8951d286fb0507095201b.exe
Size

789KB
MD5

8a823ad4824a0cb0ef970e7449d2922e
SHA1

b97f3ecfba074fe2a6202eaad61d100675cf9be5
SHA256

104781b9abbb847011f7b724d76ca423ce5d26aa6cc8951d286fb0507095201b
SHA512

f576cc95ab234bd9c3c75b06434e884eac1f517ecdb63d745bc075d5d85ebae4ba8cd65d1a547d37ef3f68b216d35239e509ea1bd27f6499b33746a079ccfbdb
SSDEEP

24576:h1OYdaOJM9WKfwIBWe9IWK7f6jd9YMhKTOoR2:h1OseYIGWkf6jd9YMhKK1

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

4q16Wc4kW59SN74.exe

pid process

652 4q16Wc4kW59SN74.exe
Loads dropped DLL 1 IoCs

Processes:

104781b9abbb847011f7b724d76ca423ce5d26aa6cc8951d286fb0507095201b.exe

pid process

1116 104781b9abbb847011f7b724d76ca423ce5d26aa6cc8951d286fb0507095201b.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
652	4q16Wc4kW59SN74.exe

pid	process
1116	104781b9abbb847011f7b724d76ca423ce5d26aa6cc8951d286fb0507095201b.exe

Drops Chrome extension 3 IoCs

Processes:

4q16Wc4kW59SN74.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodadiejkopmbkgnfbhjfdkjbnielpfj\2.0\manifest.json	4q16Wc4kW59SN74.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodadiejkopmbkgnfbhjfdkjbnielpfj\2.0\manifest.json	4q16Wc4kW59SN74.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hodadiejkopmbkgnfbhjfdkjbnielpfj\2.0\manifest.json	4q16Wc4kW59SN74.exe

Drops file in System32 directory 4 IoCs

Processes:

4q16Wc4kW59SN74.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	4q16Wc4kW59SN74.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	4q16Wc4kW59SN74.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	4q16Wc4kW59SN74.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	4q16Wc4kW59SN74.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4q16Wc4kW59SN74.exe

pid process

652 4q16Wc4kW59SN74.exe
652 4q16Wc4kW59SN74.exe

pid	process
652	4q16Wc4kW59SN74.exe
652	4q16Wc4kW59SN74.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

104781b9abbb847011f7b724d76ca423ce5d26aa6cc8951d286fb0507095201b.exe

description	pid	process	target process
PID 1116 wrote to memory of 652	1116	104781b9abbb847011f7b724d76ca423ce5d26aa6cc8951d286fb0507095201b.exe	4q16Wc4kW59SN74.exe
PID 1116 wrote to memory of 652	1116	104781b9abbb847011f7b724d76ca423ce5d26aa6cc8951d286fb0507095201b.exe	4q16Wc4kW59SN74.exe
PID 1116 wrote to memory of 652	1116	104781b9abbb847011f7b724d76ca423ce5d26aa6cc8951d286fb0507095201b.exe	4q16Wc4kW59SN74.exe
PID 1116 wrote to memory of 652	1116	104781b9abbb847011f7b724d76ca423ce5d26aa6cc8951d286fb0507095201b.exe	4q16Wc4kW59SN74.exe

C:\Users\Admin\AppData\Local\Temp\104781b9abbb847011f7b724d76ca423ce5d26aa6cc8951d286fb0507095201b.exe
"C:\Users\Admin\AppData\Local\Temp\104781b9abbb847011f7b724d76ca423ce5d26aa6cc8951d286fb0507095201b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\Temp\7zS25E9.tmp\4q16Wc4kW59SN74.exe
.\4q16Wc4kW59SN74.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS25E9.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS25E9.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
d194c207bd913fd53e16b7f32e2f59d1

SHA1
d1131fbe13156e2487b1e4ff51fc7296030f02ce

SHA256
50d2a3d7510e5ca0c812d54ff92dc5531bac8a5eda4b1e50f36261e07ee6bc88

SHA512
33f7861747004e9be4029b1ee5a8012bb1fb263cd6ce7b9bd47fdeee3117c889b2bdeab756986cfca23782049918e2878404d3e7e0608cefffb6dbe60578ff21

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS25E9.tmp\[email protected]\content\bg.js

Filesize
9KB

MD5
8f6dc2a777421b7ec06796b078fb2a57

SHA1
8eb7447c262c6b09edc142a2a905db10a40ad1cc

SHA256
96697246161f8320c4c75cc3c63036dc6d3a753542d0d86fdef523f7d5748f1b

SHA512
80e3d905c4d2598a4fe972887e131b51983fb63c31aa7be42034536ddcd1832e20f174773d2b66f68a7e995df5d29c892a6526bfe5bc0101005abe6c8b7362ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS25E9.tmp\[email protected]\install.rdf

Filesize
596B

MD5
cc3170c4cdd58b8409beb656868a9137

SHA1
1140e2180f9b602658a3e158f4627a9fee807fe1

SHA256
e0c1c14ea8dc67e4469d07f5725302c0723d90c217312b8b9209bea2c9b86794

SHA512
b057f451e7f655e536486d307ce3e10293938d0ef48a30c3fcc5cea32dbebe25412e8250a07f5e0fe60e588616e772bc9d2bf8e5cd884e8ccf2f25b5c5b5f55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS25E9.tmp\4q16Wc4kW59SN74.dat

Filesize
1KB

MD5
2e85483a1358f21617c188236485dc13

SHA1
ec08ff22e5d696dbdf4d936157f5a5d9dc556835

SHA256
fb4c943b8c935e2fb26eacac5b577197bd2a83576549b67dd863ce48741ff5f9

SHA512
d36913c828f6d24de044b4c50824ea21de36a992e97c96a385f1288c0ac0a85ca33d91ce0a63a4e59acd199a840c7322886f6e54c0b9eea416e76ec3053d5d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS25E9.tmp\4q16Wc4kW59SN74.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS25E9.tmp\hodadiejkopmbkgnfbhjfdkjbnielpfj\InDAy.js

Filesize
6KB

MD5
0704ecd778d7dc01569aa85b054fa734

SHA1
0c5bc5dd24a75f0dad21e7f386dbda07ceff2b04

SHA256
be162031ad84c5b010525a512a9e75b740e8a6271bbc1c0768d3f0b9d3ace3b5

SHA512
606158c72f9442104fb4337c03ec48c77d1479d1954fe94f03a1cb926f4a5db6169abcee65281569b7c40914aaaafc7d39ebed94ceac6dd5449611a4463e126b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS25E9.tmp\hodadiejkopmbkgnfbhjfdkjbnielpfj\background.html

Filesize
142B

MD5
698acae13200f71b0623d3682d490b4b

SHA1
bd1c27f0eb52ea2b4ad5358e3c5e9f16769c03f8

SHA256
766d96bd9e3a457bcbe33fe1f8367cbde6b844955e506d960257267938faeb86

SHA512
d761b563e9a339890b8cbed6a738b94212c1bc9a8e665abf7cd194a6e2c1b67153b67e02370300a727d2a4a81d1e474b580d0421e576ce093f71bceaeadd2fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS25E9.tmp\hodadiejkopmbkgnfbhjfdkjbnielpfj\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS25E9.tmp\hodadiejkopmbkgnfbhjfdkjbnielpfj\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS25E9.tmp\hodadiejkopmbkgnfbhjfdkjbnielpfj\manifest.json

Filesize
499B

MD5
412f42459d2bababeff0662c4acd8163

SHA1
f5d87fdb182074d09b9747d6df8abac5c32bbf77

SHA256
794c6c04f2c69455ac7f18ffc5a34814e2ad9a7dac62a44b57348330d2879217

SHA512
ecc4503e336f05efa9cb6459301c625c944846df474d96a4abfb4a37974c09e9c2bc04da02914aa6a13913d288b7d5329d8a2924012becb35d615a07b1b1ddda

Download Submit
\Users\Admin\AppData\Local\Temp\7zS25E9.tmp\4q16Wc4kW59SN74.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
memory/652-56-0x0000000000000000-mapping.dmp

Download
memory/1116-54-0x0000000075E01000-0x0000000075E03000-memory.dmp

Filesize
8KB

Download