bb37a721d8a3af2c003e4e0982de6decd6f4d9e6a62219569f4a0a4b3ef7d4f5

Analysis

max time kernel
41s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb37a721d8a3af2c003e4e0982de6decd6f4d9e6a62219569f4a0a4b3ef7d4f5.exe
Size

781KB
MD5

457ea93b62327b3adeca1781cb8c34ac
SHA1

249042049a5ae9dac0dc1e9a5d9de8caa5140eee
SHA256

bb37a721d8a3af2c003e4e0982de6decd6f4d9e6a62219569f4a0a4b3ef7d4f5
SHA512

9788d9ff572439113b3a4f2869407ff21d81533ddac425f1ea3f1139d8c5b4949c25f42657f0f90b4b4bd175d8d4a52b3d9eea7d02204bb6c78ba7e5d7a00985
SSDEEP

12288:h1OgLdaOz+f65f+YOfY0bU5phYwX6nK3LbbSLkUGr1:h1OYdaOz+C5fz+YRUwXV3Lbu4Dr1

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1712	STAiCbNv9QTtkIN.exe

Loads dropped DLL 1 IoCs

pid	Process
1668	bb37a721d8a3af2c003e4e0982de6decd6f4d9e6a62219569f4a0a4b3ef7d4f5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bclefoflpdefljjmdcdopifocbnjglgb\2.0\manifest.json	STAiCbNv9QTtkIN.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bclefoflpdefljjmdcdopifocbnjglgb\2.0\manifest.json	STAiCbNv9QTtkIN.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\bclefoflpdefljjmdcdopifocbnjglgb\2.0\manifest.json	STAiCbNv9QTtkIN.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	STAiCbNv9QTtkIN.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	STAiCbNv9QTtkIN.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	STAiCbNv9QTtkIN.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	STAiCbNv9QTtkIN.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1712	STAiCbNv9QTtkIN.exe
1712	STAiCbNv9QTtkIN.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1712	1668	bb37a721d8a3af2c003e4e0982de6decd6f4d9e6a62219569f4a0a4b3ef7d4f5.exe	27
PID 1668 wrote to memory of 1712	1668	bb37a721d8a3af2c003e4e0982de6decd6f4d9e6a62219569f4a0a4b3ef7d4f5.exe	27
PID 1668 wrote to memory of 1712	1668	bb37a721d8a3af2c003e4e0982de6decd6f4d9e6a62219569f4a0a4b3ef7d4f5.exe	27
PID 1668 wrote to memory of 1712	1668	bb37a721d8a3af2c003e4e0982de6decd6f4d9e6a62219569f4a0a4b3ef7d4f5.exe	27

C:\Users\Admin\AppData\Local\Temp\bb37a721d8a3af2c003e4e0982de6decd6f4d9e6a62219569f4a0a4b3ef7d4f5.exe
"C:\Users\Admin\AppData\Local\Temp\bb37a721d8a3af2c003e4e0982de6decd6f4d9e6a62219569f4a0a4b3ef7d4f5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\7zS2C0.tmp\STAiCbNv9QTtkIN.exe
  .\STAiCbNv9QTtkIN.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS2C0.tmp\STAiCbNv9QTtkIN.dat

Filesize
1KB

MD5
0921243c5cd90d3dfc0b6ccc96af4482

SHA1
ed8829818028be6bd47b48c133387ae1454e9d60

SHA256
f6d6902b9508dc1678f8122c54ddaa00b6078dba7e01819465bdf75f25535cd1

SHA512
23471acc7769e6035d366b9023387c7e450275acb7891355af6f11603e8ed2af3901809e8ac71a4f0fe5cbaf21b201a9ddc6cdb1a75cb9ad6307965c92436405

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2C0.tmp\STAiCbNv9QTtkIN.exe

Filesize
623KB

MD5
3b3e9f85b1e1d1defb4813cb1676b553

SHA1
17a064e28b670d6d4e579ac078a81e7334704b58

SHA256
26fc2e717907241142895bb38734755ebb1ca82f1d23f48e09ec0d75cd4ad381

SHA512
0f7d3df630b73820490a0d767707c69f5cbb94265b67a202c6f652e601ba970d1257583cf6082aa9fea97b10e7c0a40d0ac3947599602964b14a492c7452da36

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2C0.tmp\bclefoflpdefljjmdcdopifocbnjglgb\background.html

Filesize
140B

MD5
157193dee1bfe0bb1ea41802bda2a6a2

SHA1
b96b040dd70482c938f19f611011f79769e8ac76

SHA256
eb504c1d700187e43ccb7ef566b1cb9f2bba1e5bac8e67aeef1246eceb5203ce

SHA512
caa137644472c9dbf9d3818d1b06fc473ae2dd134a2f6bc5cd72ec57774d026b5a8cbb13ec3f461c8f9327f75ae2a99aacf1fa3e5e8ea175ec3d7030d404e799

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2C0.tmp\bclefoflpdefljjmdcdopifocbnjglgb\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2C0.tmp\bclefoflpdefljjmdcdopifocbnjglgb\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2C0.tmp\bclefoflpdefljjmdcdopifocbnjglgb\manifest.json

Filesize
499B

MD5
9ab7fff9f9835e96d693f50be6c718c1

SHA1
aa62433aa843dbedb095e4b32a0ad99e656119c5

SHA256
f283a02469301a791edbf56cb8a669889106a5561ef463901ccca63c8bc19044

SHA512
f1550485f9414a10c4062910e87425b89eb65c95c7245432b8f09b1d437324fb506dcef316c34d930945ec6b6699381fadd967fec7ffcec1b77cfa0d206a8b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2C0.tmp\bclefoflpdefljjmdcdopifocbnjglgb\qTL.js

Filesize
6KB

MD5
4aa2932f5fe628ffba8708ce3007a6bb

SHA1
ba6ba63423a9c4b2f99392be8b4face46504bafb

SHA256
5ed9e769dcb8a1870230ccf0db5183f86003803e385aceb110cffb51e35598d1

SHA512
70a8e7f8ca37ccd75195c7eeb0f1b7bcb63fe5e75dcb7fd9b2558e6ed397e49f030f47cce4e57f57d75981d0282ac81c05f88b182e667c13ec03a03628833a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2C0.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2C0.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
b596e06ce31d707cce9637c65dd5dd66

SHA1
1c3c6928bfc8cf3fd9d503a81b8529b205e3c305

SHA256
868ddf003b67059d8f121feb8e2bd2bd29e82b060370fd18481be13dabcfd62e

SHA512
7b74173c3913dfef823ef00ae4a614fd1b9a965d9b847febc64aea169baaa9ea0eddf648f2f622c439cf31daada136664c2d45a29b3623e6f7ba3575ef36b12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2C0.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
61f5d1f268d3cb3ff06a239d9ec7d661

SHA1
543918b8a4a414debc3057f1b17618f4fb870fd5

SHA256
272d37a5dda0641a6420f04046df6c539dfb18822ec05047e7fb94aee1b7c910

SHA512
b0ee81b5d9df613c75f8cf08c38a7f18ff8e6f298e6ce4c04b59923d21d74b371ab0604cfd208a909d8afe06b00d45d4f4b0fffab6e3c58df28a66f0ef32e952

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2C0.tmp\[email protected]\install.rdf

Filesize
593B

MD5
dd563ae56a73ef8d7eadf6543e5d4d81

SHA1
8eda3000a6883f655fcedce480f2d89255c52076

SHA256
9c869036dfcaffd523f68a22e1a2d47bf43344e1e2dad00a50f19412ae725be0

SHA512
b95b1850c16c9d9a74ba7022471886fc78df1bd14a37727dec10412074197ab975a1da7a9b79fb584de837853674094393d7e1d4d968bc881ab3b75c4230b081

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2C0.tmp\STAiCbNv9QTtkIN.exe

Filesize
623KB

MD5
3b3e9f85b1e1d1defb4813cb1676b553

SHA1
17a064e28b670d6d4e579ac078a81e7334704b58

SHA256
26fc2e717907241142895bb38734755ebb1ca82f1d23f48e09ec0d75cd4ad381

SHA512
0f7d3df630b73820490a0d767707c69f5cbb94265b67a202c6f652e601ba970d1257583cf6082aa9fea97b10e7c0a40d0ac3947599602964b14a492c7452da36

Download Submit
memory/1668-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download