0fed56146bb46fbc29e1ac756b5deeb4e8e7ef7b2f688109ad4a6343502b824c

Analysis

max time kernel
59s
max time network
67s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fed56146bb46fbc29e1ac756b5deeb4e8e7ef7b2f688109ad4a6343502b824c.exe
Size

788KB
MD5

916c31203d4f2da5df77d5295036ff4e
SHA1

ca80e8d8b8a61046f696ea88b119899114c8b1d0
SHA256

0fed56146bb46fbc29e1ac756b5deeb4e8e7ef7b2f688109ad4a6343502b824c
SHA512

c6dff4baa2321dfef52bae5dbb70a84541a5b3d45896379e3cb871e406d4054097f4801632a454f3a926db079759dccab09f45711590842ecde5a754d269c89b
SSDEEP

24576:h1OYdaOPM9WKfwIBWe9IWK7f6jd9YMhKTOoRW:h1OsgYIGWkf6jd9YMhKKP

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1472	CHPFm90yUYb3C6f.exe

Loads dropped DLL 1 IoCs

pid	Process
956	0fed56146bb46fbc29e1ac756b5deeb4e8e7ef7b2f688109ad4a6343502b824c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\onklbeonfhmjghhfcclleegpgjkhajbd\2.0\manifest.json	CHPFm90yUYb3C6f.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\onklbeonfhmjghhfcclleegpgjkhajbd\2.0\manifest.json	CHPFm90yUYb3C6f.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\onklbeonfhmjghhfcclleegpgjkhajbd\2.0\manifest.json	CHPFm90yUYb3C6f.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	CHPFm90yUYb3C6f.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	CHPFm90yUYb3C6f.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	CHPFm90yUYb3C6f.exe
File opened for modification	C:\Windows\System32\GroupPolicy	CHPFm90yUYb3C6f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1472	CHPFm90yUYb3C6f.exe
1472	CHPFm90yUYb3C6f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 1472	956	0fed56146bb46fbc29e1ac756b5deeb4e8e7ef7b2f688109ad4a6343502b824c.exe	28
PID 956 wrote to memory of 1472	956	0fed56146bb46fbc29e1ac756b5deeb4e8e7ef7b2f688109ad4a6343502b824c.exe	28
PID 956 wrote to memory of 1472	956	0fed56146bb46fbc29e1ac756b5deeb4e8e7ef7b2f688109ad4a6343502b824c.exe	28
PID 956 wrote to memory of 1472	956	0fed56146bb46fbc29e1ac756b5deeb4e8e7ef7b2f688109ad4a6343502b824c.exe	28

C:\Users\Admin\AppData\Local\Temp\0fed56146bb46fbc29e1ac756b5deeb4e8e7ef7b2f688109ad4a6343502b824c.exe
"C:\Users\Admin\AppData\Local\Temp\0fed56146bb46fbc29e1ac756b5deeb4e8e7ef7b2f688109ad4a6343502b824c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\7zSE11C.tmp\CHPFm90yUYb3C6f.exe
  .\CHPFm90yUYb3C6f.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSE11C.tmp\CHPFm90yUYb3C6f.dat

Filesize
1KB

MD5
484583c8bb8843361f1ca200861a6cfd

SHA1
9f007af262aede774b99ac8dcac4eabdaa9c011d

SHA256
fe815822d61a070cdd139da7bd0fee2c9a61487c4f4eadb915edd01ed9d6ff8c

SHA512
eca9922495e6e46fce069560768916d63b28f0aab49e8735d6d565c0e9f602324f21039a14e10b59f198ae167f582cc39695a2954e36fde44b14338aafdca647

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE11C.tmp\CHPFm90yUYb3C6f.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE11C.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE11C.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
906f1b680b1c89a313793bea1d043ffd

SHA1
f303241597a74f4f1881b75c5f6fc69529973cc3

SHA256
7fe8d5744fb97e2892c148618efca86b387f8aa07d05b6871e120c1acb4c245b

SHA512
adf74e6ba4a801a6a39a3530742fc247ac7d62b08acb6effa68ba42e694ed8d2e3656d2bf9ae1dd454511fa254ca4b3e84253b3caa95fd099e7cef4ecffff22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE11C.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
3b92a7b18d0431ad08b920dbf0d72895

SHA1
b022ce4c2c401554466b58294a9d1f1fe2e3105a

SHA256
59bb5284d3120f4c4adca84866ec068a52012deafbe1bb0d4f6f928ce3d5b32e

SHA512
f734c0858368356b96714e470dbd1bc829e4421e2577a8050029fde6a309ceff14bed3a3d4af7bf4b24cd7eec9d02180a920efe55fe06eed538e5349d174b4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE11C.tmp\[email protected]\install.rdf

Filesize
599B

MD5
a053cf9e18dd46479449240174951071

SHA1
5f7764f214189132b39bb06b55a91edfb125e1c1

SHA256
f2a9cc13cfef6f5ba3216ccc2455e72c7104667762682b36ee5570296819bbc0

SHA512
e9356e69648f93454c55d3e32542ceced165a644005264b2013ab3b01d28edfcb59c2ba0e0020c224d54387232ce8442b4e00a84214252deb0455a9d6455667b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE11C.tmp\onklbeonfhmjghhfcclleegpgjkhajbd\DwAP.js

Filesize
6KB

MD5
a38ffabb0a8541825a643a1174c6df46

SHA1
c8b64e5add411c64f4a9337db21eb9ce66d0aef9

SHA256
77b3fccbccd75eaf6efbab30d31f452ef41fd0b353de348fede7121669a336a9

SHA512
78e23dfacdedfddbe2fdac372c98ededbc4b533f5afb17adc4ea8987622b41b7e4009ffc1d5ebc8a9f24c282786e637918da716eb779ce93a5955f7362517b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE11C.tmp\onklbeonfhmjghhfcclleegpgjkhajbd\background.html

Filesize
141B

MD5
ca894502956a370bcdd5f244a9907f99

SHA1
6f761a943aa193875e716d0093bc88c65c4a3ec3

SHA256
16c1c4da1c939e785259134c067cb892b940cf345002449ad1f0fc4c7f09db4c

SHA512
a84045c2e25e7754ac2becac759d16243fd8758ad984fe1caf74d3caa5f921a0985c99855ffa749487e82883382b9f35c8d555b7859b4951e569960a90f17bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE11C.tmp\onklbeonfhmjghhfcclleegpgjkhajbd\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE11C.tmp\onklbeonfhmjghhfcclleegpgjkhajbd\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE11C.tmp\onklbeonfhmjghhfcclleegpgjkhajbd\manifest.json

Filesize
499B

MD5
4abaf4c10bb987d2b74659ca80be72d2

SHA1
891808ba9b934277d531123d76eff8e7eaa1f1a2

SHA256
1325d0e358dfc73213f08f73b9c56f2fb064d085942bc2eabef6b652d1a52f84

SHA512
a445356dc1d4bd4be918898fdf576f65b90492479ed569422ed71190f2172c4ab4540d057ba4cc5a0976363f23d34739f19e3913b38c8f8e2d409c5e8753688e

Download Submit
\Users\Admin\AppData\Local\Temp\7zSE11C.tmp\CHPFm90yUYb3C6f.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
memory/956-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1472-56-0x0000000000000000-mapping.dmp

Download