ab979a1caf5e2b5a6032a6452d50ef4fca737e3cc2d642845112a5b56e8a987e

General

Target

ab979a1caf5e2b5a6032a6452d50ef4fca737e3cc2d642845112a5b56e8a987e.exe
Size

770KB
MD5

6a8878bd6300462401c84c3863b9d419
SHA1

663cd0a37307517c87bc5b3f641065cc3e2d3cef
SHA256

ab979a1caf5e2b5a6032a6452d50ef4fca737e3cc2d642845112a5b56e8a987e
SHA512

3b53de5a138e15b448f3f07f9090edf294938a5c9ea98bea60001c32861829da8a8ed7886ec3f2d80e53b7f14b3e3cbd2f7250944554071df48bbdc166b193d5
SSDEEP

6144:h1OgDPdkBAFZWjadD4s5AcpukdtqCo5imi5SIbSocpzWzZ+v9Z94Aq9SDkncvxVW:h1OgLdaORSConAwWcv9nq9JcjToFM4td

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4064	vxyoI7S2HcPe61P.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclekbbjgpehabpidkpgnnjmohldmedi\148\manifest.json	vxyoI7S2HcPe61P.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclekbbjgpehabpidkpgnnjmohldmedi\148\manifest.json	vxyoI7S2HcPe61P.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclekbbjgpehabpidkpgnnjmohldmedi\148\manifest.json	vxyoI7S2HcPe61P.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclekbbjgpehabpidkpgnnjmohldmedi\148\manifest.json	vxyoI7S2HcPe61P.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\iclekbbjgpehabpidkpgnnjmohldmedi\148\manifest.json	vxyoI7S2HcPe61P.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 4064	2420	ab979a1caf5e2b5a6032a6452d50ef4fca737e3cc2d642845112a5b56e8a987e.exe	78
PID 2420 wrote to memory of 4064	2420	ab979a1caf5e2b5a6032a6452d50ef4fca737e3cc2d642845112a5b56e8a987e.exe	78
PID 2420 wrote to memory of 4064	2420	ab979a1caf5e2b5a6032a6452d50ef4fca737e3cc2d642845112a5b56e8a987e.exe	78

C:\Users\Admin\AppData\Local\Temp\ab979a1caf5e2b5a6032a6452d50ef4fca737e3cc2d642845112a5b56e8a987e.exe
"C:\Users\Admin\AppData\Local\Temp\ab979a1caf5e2b5a6032a6452d50ef4fca737e3cc2d642845112a5b56e8a987e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\7zSF429.tmp\vxyoI7S2HcPe61P.exe
  .\vxyoI7S2HcPe61P.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  PID:4064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSF429.tmp\iclekbbjgpehabpidkpgnnjmohldmedi\I5a.js

Filesize
6KB

MD5
20f3cdfaa2a82edc5e33039d73b2f634

SHA1
7ef6343cdc82f93cef659d87bb51ed1d2e029828

SHA256
de0a61c729961aa66baeb785721497bc247e8aacc2a2fc4665f8148e95f0ad9e

SHA512
4a31e86bd522790b49e52d5c293f57d93bc00b6bb6ed9f29072a63c058b153fe1d8f1f3832262fe3822130a4a16001eaadb5435d42a3db845d304f474bbe663a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF429.tmp\iclekbbjgpehabpidkpgnnjmohldmedi\background.html

Filesize
140B

MD5
c3768aab58fd062a3e60b2e4b47ee2dc

SHA1
3383ae3ba4ba847f0b732c5e6b997277a46cca84

SHA256
bd095160e419e314538d3c9a7661362ebc3ac6be8f08e997d066724e8c2cecfe

SHA512
3a8dbb9d83988da8469c11839292cb2e98f3b7e3bc31f9ca5d9060b1f8519fd162c80b346426cc19204e614a24f9e2ef95a40dd4ac6ff925c28c04818a5fa451

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF429.tmp\iclekbbjgpehabpidkpgnnjmohldmedi\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF429.tmp\iclekbbjgpehabpidkpgnnjmohldmedi\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF429.tmp\iclekbbjgpehabpidkpgnnjmohldmedi\manifest.json

Filesize
597B

MD5
238f238798123e7ad65ff9c71a77a34a

SHA1
980e001921b79cf9ce89d42d5a213d6d8b13fc4e

SHA256
8a7f1074babba68a26507a884df4809c63357ca9b8904dd3e4088eb0fe8a767d

SHA512
5338ebaadc2b98cc4e7cb11e9b688706b07e1957429f16b3cb36e3fbb8d3e67e62e5c22640967e624e7099ab6adf98261036080ec2b4ccaba65bbe3c21428ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF429.tmp\vxyoI7S2HcPe61P.dat

Filesize
1KB

MD5
965ecc00f5435862c8766d378b6b5c05

SHA1
0bb7f09779b1c8bc7d374ede6b075c68555a02e2

SHA256
3a4fdd16e32ff6762bbe91bb4c141c48c557a524ee0e5e8ca7b0120a7560ea87

SHA512
5cfbc5a673ed8864ed8260b313a5c95740a46416d88adc07f02f4f4d827a785a6920889b1475137a2953464e005ce5fff95a618f04c73dd0ca81a27f0f4a8c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF429.tmp\vxyoI7S2HcPe61P.exe

Filesize
623KB

MD5
92a70e40452d88d8c4b46f2ad8361977

SHA1
162c9ed1873fca1ef6ab9a2234a2812a203d6b56

SHA256
e61d40631449eb3f098a3bde542a0f87fc6f715cfcba919777e299e9ab12c1b8

SHA512
ef3aab2f1c816909878f6292bf0c2c4217c086a0bd39e936f8f2df19f2c2a16fbe8354d49048feddffa8e8e1ac7e3063b84fbaf0bdec7024494a87f807269e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF429.tmp\vxyoI7S2HcPe61P.exe

Filesize
623KB

MD5
92a70e40452d88d8c4b46f2ad8361977

SHA1
162c9ed1873fca1ef6ab9a2234a2812a203d6b56

SHA256
e61d40631449eb3f098a3bde542a0f87fc6f715cfcba919777e299e9ab12c1b8

SHA512
ef3aab2f1c816909878f6292bf0c2c4217c086a0bd39e936f8f2df19f2c2a16fbe8354d49048feddffa8e8e1ac7e3063b84fbaf0bdec7024494a87f807269e81

Download Submit

Analysis

Sharing