9c2b7a04a3f6c17e60305704cc932a47a3c293dc78e844bfe8be9809e8f9cfe3

General

Target

9c2b7a04a3f6c17e60305704cc932a47a3c293dc78e844bfe8be9809e8f9cfe3.exe
Size

1.6MB
MD5

1feaafd93d5a9922a59924e799884550
SHA1

da19dd53c1bde0ab3781995a706e65d080939850
SHA256

9c2b7a04a3f6c17e60305704cc932a47a3c293dc78e844bfe8be9809e8f9cfe3
SHA512

060a5dd649af46465658d150889c8b227c6924526ddd49b052843350729e0f01dd9aee792acf36dbf0becac7c660d64615c7f05cebba3ac978bb26f2a9ab3038
SSDEEP

24576:j3Kxpq7FXyYZ3j4MO6l0eKYtiLXftzcNbOKXAUKCY07u8Sb4P7VxwzgvwW3VsPJt:77Np8MO6wLGAUR7jwRW3Su2N

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

9c2b7a04a3f6c17e60305704cc932a47a3c293dc78e844bfe8be9809e8f9cfe3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mpglhpajdkiohfhfcnmldlehehgccbeb\2.0\manifest.json	9c2b7a04a3f6c17e60305704cc932a47a3c293dc78e844bfe8be9809e8f9cfe3.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mpglhpajdkiohfhfcnmldlehehgccbeb\2.0\manifest.json	9c2b7a04a3f6c17e60305704cc932a47a3c293dc78e844bfe8be9809e8f9cfe3.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\mpglhpajdkiohfhfcnmldlehehgccbeb\2.0\manifest.json	9c2b7a04a3f6c17e60305704cc932a47a3c293dc78e844bfe8be9809e8f9cfe3.exe

Drops file in System32 directory 4 IoCs

Processes:

9c2b7a04a3f6c17e60305704cc932a47a3c293dc78e844bfe8be9809e8f9cfe3.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	9c2b7a04a3f6c17e60305704cc932a47a3c293dc78e844bfe8be9809e8f9cfe3.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	9c2b7a04a3f6c17e60305704cc932a47a3c293dc78e844bfe8be9809e8f9cfe3.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	9c2b7a04a3f6c17e60305704cc932a47a3c293dc78e844bfe8be9809e8f9cfe3.exe
File opened for modification	C:\Windows\System32\GroupPolicy	9c2b7a04a3f6c17e60305704cc932a47a3c293dc78e844bfe8be9809e8f9cfe3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9c2b7a04a3f6c17e60305704cc932a47a3c293dc78e844bfe8be9809e8f9cfe3.exe

pid	process
1600	9c2b7a04a3f6c17e60305704cc932a47a3c293dc78e844bfe8be9809e8f9cfe3.exe
1600	9c2b7a04a3f6c17e60305704cc932a47a3c293dc78e844bfe8be9809e8f9cfe3.exe

C:\Users\Admin\AppData\Local\Temp\9c2b7a04a3f6c17e60305704cc932a47a3c293dc78e844bfe8be9809e8f9cfe3.exe
"C:\Users\Admin\AppData\Local\Temp\9c2b7a04a3f6c17e60305704cc932a47a3c293dc78e844bfe8be9809e8f9cfe3.exe"
1⤵
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1600-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1600-55-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/1600-60-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-61-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-62-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-63-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-64-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-65-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-66-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-79-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-67-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-68-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-69-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-70-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-71-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-72-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-73-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-74-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-75-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-76-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-77-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1600-78-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads