d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39

General

Target

d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe
Size

1.6MB
MD5

34391bc02afb14842325b2c6f65ce7a9
SHA1

bce4c65f2dce6b8a20d9622a268e655ce582e83e
SHA256

d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39
SHA512

dad94fe0264f23a406fbd1c2d23f492ad04b0660f5cb7321b326e44a84b950c83ac1baa7900c3776d259595494043425c23f7edde8ceb1cd820362632dbb149a
SSDEEP

24576:d8KxJKb+XyQZ3jrEc0+q4Kim2kvzcmIFK3LX7LaBrQ2R9sjeQgrKYk1eTF1dOJRH:Qb0xE4tmLXniQW97QPYk19vFR

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ieohfihhmkkibpcjnafnimenhdafegel\2.0\manifest.json	d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ieohfihhmkkibpcjnafnimenhdafegel\2.0\manifest.json	d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ieohfihhmkkibpcjnafnimenhdafegel\2.0\manifest.json	d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe

Drops file in System32 directory 4 IoCs

Processes:

d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe

pid	process
1736	d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe
1736	d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe

C:\Users\Admin\AppData\Local\Temp\d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe
"C:\Users\Admin\AppData\Local\Temp\d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe"
1⤵
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1736

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1736-54-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1736-55-0x0000000000590000-0x0000000000637000-memory.dmp

Filesize
668KB

Download
memory/1736-60-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download
memory/1736-61-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download
memory/1736-62-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download
memory/1736-63-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download
memory/1736-64-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download
memory/1736-65-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download
memory/1736-66-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download
memory/1736-67-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download
memory/1736-68-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download
memory/1736-69-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download
memory/1736-70-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download
memory/1736-71-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download
memory/1736-72-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download
memory/1736-73-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download
memory/1736-74-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download
memory/1736-75-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download
memory/1736-76-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download
memory/1736-77-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download
memory/1736-78-0x0000000000792000-0x0000000000796000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads