84f917861bc4565f4fd4b0db17591c71bbc9d05bc7faecbe7a04f0855df31012

General

Target

84f917861bc4565f4fd4b0db17591c71bbc9d05bc7faecbe7a04f0855df31012.exe
Size

931KB
MD5

a2a99a78454233dee7aa5bf43cf162ac
SHA1

56e0fd24825b85a13a526d7370b448da4d7b6fef
SHA256

84f917861bc4565f4fd4b0db17591c71bbc9d05bc7faecbe7a04f0855df31012
SHA512

a52913a275130bd23849f1bac150a6a2081235e27a1d82024cd6d25a15826962d65b36be601a6c54f06c0e0dd3b88b5ba779c471a17be44c66d3484520d7b7ca
SSDEEP

24576:h1OYdaOfMWSUbvCXEQKSqGv8VWumF6RmcJozyPvpfp:h1Os5MWyUQ+GUVFIcHPvpfp

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2624	fA57nT2SI1a6KaK.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\akpemngjiepnoocligaahkccgglbhhcg\2.0\manifest.json	fA57nT2SI1a6KaK.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2624	fA57nT2SI1a6KaK.exe
2624	fA57nT2SI1a6KaK.exe
2624	fA57nT2SI1a6KaK.exe
2624	fA57nT2SI1a6KaK.exe
2624	fA57nT2SI1a6KaK.exe
2624	fA57nT2SI1a6KaK.exe
2624	fA57nT2SI1a6KaK.exe
2624	fA57nT2SI1a6KaK.exe
2624	fA57nT2SI1a6KaK.exe
2624	fA57nT2SI1a6KaK.exe
2624	fA57nT2SI1a6KaK.exe
2624	fA57nT2SI1a6KaK.exe
2624	fA57nT2SI1a6KaK.exe
2624	fA57nT2SI1a6KaK.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	fA57nT2SI1a6KaK.exe
Token: SeDebugPrivilege	2624	fA57nT2SI1a6KaK.exe
Token: SeDebugPrivilege	2624	fA57nT2SI1a6KaK.exe
Token: SeDebugPrivilege	2624	fA57nT2SI1a6KaK.exe
Token: SeDebugPrivilege	2624	fA57nT2SI1a6KaK.exe
Token: SeDebugPrivilege	2624	fA57nT2SI1a6KaK.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 2624	4664	84f917861bc4565f4fd4b0db17591c71bbc9d05bc7faecbe7a04f0855df31012.exe	81
PID 4664 wrote to memory of 2624	4664	84f917861bc4565f4fd4b0db17591c71bbc9d05bc7faecbe7a04f0855df31012.exe	81
PID 4664 wrote to memory of 2624	4664	84f917861bc4565f4fd4b0db17591c71bbc9d05bc7faecbe7a04f0855df31012.exe	81

C:\Users\Admin\AppData\Local\Temp\84f917861bc4565f4fd4b0db17591c71bbc9d05bc7faecbe7a04f0855df31012.exe
"C:\Users\Admin\AppData\Local\Temp\84f917861bc4565f4fd4b0db17591c71bbc9d05bc7faecbe7a04f0855df31012.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\7zS1E36.tmp\fA57nT2SI1a6KaK.exe
  .\fA57nT2SI1a6KaK.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS1E36.tmp\akpemngjiepnoocligaahkccgglbhhcg\Xd.js

Filesize
6KB

MD5
be41451799205bf0a7f3c433e82aec58

SHA1
a3063fc8fb690fd10f05dce01dc68712da79440f

SHA256
e35e3a38b5a6a01ec675ba9a29ba243f43a1be0388f60f07982bcb2dad12fb95

SHA512
f3963184df5ba5f34dc0ff5d0ea9916cef733cce06440286b596978405b9ba2383d88c9ece95ffdb8e1bcde53598d44b2803f2a849d5472adf531ccedbfad026

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1E36.tmp\akpemngjiepnoocligaahkccgglbhhcg\background.html

Filesize
139B

MD5
8245dcefd17609186aee59eaeb63d479

SHA1
a1783537c065ee488ca91bb65c5372c6a237d30b

SHA256
b5453a279b15ef6cac72fe378db9d518b2465a578c1c59ecdf97cc34c275cd6b

SHA512
2dae6fd875d5790f24ad2097c4441b4855dcfe831fd29171ef873abddfbb31ea9b213f666a152e7a4f2ccd09ecbeaca939daa448b4fc5b70417cd537f6701e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1E36.tmp\akpemngjiepnoocligaahkccgglbhhcg\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1E36.tmp\akpemngjiepnoocligaahkccgglbhhcg\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1E36.tmp\akpemngjiepnoocligaahkccgglbhhcg\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1E36.tmp\fA57nT2SI1a6KaK.dat

Filesize
1KB

MD5
c7f3351dd0c4c093fb560a97ce657f2a

SHA1
9e7e567a066f674503c6b4664cb015e6c205da9a

SHA256
67945d0799637aeb73f1b5693b9561b325ee3dba46bd151918e786eda868f843

SHA512
4667e6f6ce66de459c3f399b6c990b7e75e09c177db119f4871d7e9683924d012824fb9f406a214ab84c05c5260b22e46edbfc4d73e87764b659488d4fb800ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1E36.tmp\fA57nT2SI1a6KaK.exe

Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1E36.tmp\fA57nT2SI1a6KaK.exe

Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit

Analysis

Sharing