3f9c32d1d85d2482d45be99ccba91a38c16e712d31bc5ed92299c215fd8ed3e7

General

Target

3f9c32d1d85d2482d45be99ccba91a38c16e712d31bc5ed92299c215fd8ed3e7.exe
Size

1.6MB
MD5

057d4caa10c7197dc8d24b8e0ec17400
SHA1

699de8d7bc570c6a9a3500bf66e9230f9748c19c
SHA256

3f9c32d1d85d2482d45be99ccba91a38c16e712d31bc5ed92299c215fd8ed3e7
SHA512

94eb28210e09275ae3bae68e4cb712f740b6bcaae86849a5c0e8668d94dfec42d6f409bc33436823ecd877a0685444378b6e68e606d409a8c7eff533e17c9ef8
SSDEEP

24576:V8KxJKb+XyQZ3jrEc0+q4Kim2kvzcmIFK3zJ9BPe//kN6Y3x4XbZiN6cpw2+P8sg:ob0xE4tmJWuNxobZyKRg

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

3f9c32d1d85d2482d45be99ccba91a38c16e712d31bc5ed92299c215fd8ed3e7.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\icpjpmhcifanennfoibkockegllmgooe\2.0\manifest.json	3f9c32d1d85d2482d45be99ccba91a38c16e712d31bc5ed92299c215fd8ed3e7.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\icpjpmhcifanennfoibkockegllmgooe\2.0\manifest.json	3f9c32d1d85d2482d45be99ccba91a38c16e712d31bc5ed92299c215fd8ed3e7.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\icpjpmhcifanennfoibkockegllmgooe\2.0\manifest.json	3f9c32d1d85d2482d45be99ccba91a38c16e712d31bc5ed92299c215fd8ed3e7.exe

Drops file in System32 directory 4 IoCs

Processes:

3f9c32d1d85d2482d45be99ccba91a38c16e712d31bc5ed92299c215fd8ed3e7.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	3f9c32d1d85d2482d45be99ccba91a38c16e712d31bc5ed92299c215fd8ed3e7.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	3f9c32d1d85d2482d45be99ccba91a38c16e712d31bc5ed92299c215fd8ed3e7.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	3f9c32d1d85d2482d45be99ccba91a38c16e712d31bc5ed92299c215fd8ed3e7.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	3f9c32d1d85d2482d45be99ccba91a38c16e712d31bc5ed92299c215fd8ed3e7.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3f9c32d1d85d2482d45be99ccba91a38c16e712d31bc5ed92299c215fd8ed3e7.exe

pid	process
1584	3f9c32d1d85d2482d45be99ccba91a38c16e712d31bc5ed92299c215fd8ed3e7.exe
1584	3f9c32d1d85d2482d45be99ccba91a38c16e712d31bc5ed92299c215fd8ed3e7.exe

C:\Users\Admin\AppData\Local\Temp\3f9c32d1d85d2482d45be99ccba91a38c16e712d31bc5ed92299c215fd8ed3e7.exe
"C:\Users\Admin\AppData\Local\Temp\3f9c32d1d85d2482d45be99ccba91a38c16e712d31bc5ed92299c215fd8ed3e7.exe"
1⤵
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1584-54-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/1584-55-0x0000000002200000-0x00000000022A7000-memory.dmp

Filesize
668KB

Download
memory/1584-60-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download
memory/1584-61-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download
memory/1584-62-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download
memory/1584-63-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download
memory/1584-64-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download
memory/1584-65-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download
memory/1584-66-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download
memory/1584-67-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download
memory/1584-68-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download
memory/1584-69-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download
memory/1584-70-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download
memory/1584-72-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download
memory/1584-71-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download
memory/1584-73-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download
memory/1584-74-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download
memory/1584-75-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download
memory/1584-76-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download
memory/1584-77-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download
memory/1584-78-0x00000000008A2000-0x00000000008A6000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads