76764fe94155ddf7b197d77283a219ea3168745892f691ebe51232d14cc5aa38

Analysis

max time kernel
22s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76764fe94155ddf7b197d77283a219ea3168745892f691ebe51232d14cc5aa38.exe
Size

781KB
MD5

b281d34b634b46cd92fe99aa1b0fe1f1
SHA1

79c0c74f644afa6ac249c6cfaa06bb728c74b0f6
SHA256

76764fe94155ddf7b197d77283a219ea3168745892f691ebe51232d14cc5aa38
SHA512

223ecb0637e0e12a04f2c41374c7d2e78d043f685426536799c39ca885b207f9a9858116a9e03b630fc8b53f53e8aba45b10147a0b4d1ac9c2c89d933fc0a2a2
SSDEEP

12288:h1OgLdaO2+f65f+YOfY0bU5phYwX6nK3LbbSLkUGh:h1OYdaO2+C5fz+YRUwXV3Lbu4Dh

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
732	QVYS6dT8Jij5VQC.exe

Loads dropped DLL 1 IoCs

pid	Process
1200	76764fe94155ddf7b197d77283a219ea3168745892f691ebe51232d14cc5aa38.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blenobcoagfeeikbhjoohnjkgcogenhm\2.0\manifest.json	QVYS6dT8Jij5VQC.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blenobcoagfeeikbhjoohnjkgcogenhm\2.0\manifest.json	QVYS6dT8Jij5VQC.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\blenobcoagfeeikbhjoohnjkgcogenhm\2.0\manifest.json	QVYS6dT8Jij5VQC.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	QVYS6dT8Jij5VQC.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	QVYS6dT8Jij5VQC.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	QVYS6dT8Jij5VQC.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	QVYS6dT8Jij5VQC.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
732	QVYS6dT8Jij5VQC.exe
732	QVYS6dT8Jij5VQC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 732	1200	76764fe94155ddf7b197d77283a219ea3168745892f691ebe51232d14cc5aa38.exe	27
PID 1200 wrote to memory of 732	1200	76764fe94155ddf7b197d77283a219ea3168745892f691ebe51232d14cc5aa38.exe	27
PID 1200 wrote to memory of 732	1200	76764fe94155ddf7b197d77283a219ea3168745892f691ebe51232d14cc5aa38.exe	27
PID 1200 wrote to memory of 732	1200	76764fe94155ddf7b197d77283a219ea3168745892f691ebe51232d14cc5aa38.exe	27

C:\Users\Admin\AppData\Local\Temp\76764fe94155ddf7b197d77283a219ea3168745892f691ebe51232d14cc5aa38.exe
"C:\Users\Admin\AppData\Local\Temp\76764fe94155ddf7b197d77283a219ea3168745892f691ebe51232d14cc5aa38.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\7zS56D8.tmp\QVYS6dT8Jij5VQC.exe
  .\QVYS6dT8Jij5VQC.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS56D8.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS56D8.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
ab54a4b86191fbfc6797059c32768b5c

SHA1
c36ccfed0439eb0c4671f41770e2d17824c3d8e5

SHA256
e51d50ac15da6ff55e39f9ac0ea872789e970675a858555511f2f1d67511ff1d

SHA512
9403df5c1087129f69639a49aa682935a4ae4f6bb2ca2fca0bbc19fe2a8512e6403731331d036bdae0e62c54c4ffa734a79f27aa1edff2bb296c014996dee4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS56D8.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
6f132cf90eed58c98fc77d10a3fbb55f

SHA1
ccf9076c3ae74dc2358825f028b8296a9a678bc7

SHA256
fc047040ab6c78bbfbd9988a5670183041fc741cacbbbbea240fcc38e35266f5

SHA512
5d58c1c9e5c2805382912807e3939e1c7cab89dfc0e5e7e00a6beed9cc8241c6aafdb9a6a8f9624bc440bd0501c9f5eea45b72d8958f8cedd0c41a5cde855baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS56D8.tmp\[email protected]\install.rdf

Filesize
596B

MD5
e53755e11ae137aad3d2bd08a798aec0

SHA1
220c759eb11e8785c08f0152d2c818f5a2192f63

SHA256
561e63ef0b6c46737995ac9f3f952b9d17c7a456b668877808532acc279b9b70

SHA512
16f1b30594d15a4273b37736516f7a3ad98015f1351b0bff7c66206baf43ab11a27233b3c9e7362844821a78384f32df4c7e3bb5a1f2167d14d8564b4d752350

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS56D8.tmp\QVYS6dT8Jij5VQC.dat

Filesize
1KB

MD5
5d278c9bebcb9b3c77185a8241bdb804

SHA1
9bd1561dcfea7ae5459bd149a3793e079fa64273

SHA256
782e8d996dc3115ee9e540193d41324c0de46ae41f0df43a3ae3ebfc05c38e30

SHA512
adaba1c3186712efc893eb3da03a46eae28b701aea6ef70b0b63e84103bf426739156606e26b92e4ceb828bde612c113c51807c3615e7e39c1aa3491195fcb17

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS56D8.tmp\QVYS6dT8Jij5VQC.exe

Filesize
623KB

MD5
3b3e9f85b1e1d1defb4813cb1676b553

SHA1
17a064e28b670d6d4e579ac078a81e7334704b58

SHA256
26fc2e717907241142895bb38734755ebb1ca82f1d23f48e09ec0d75cd4ad381

SHA512
0f7d3df630b73820490a0d767707c69f5cbb94265b67a202c6f652e601ba970d1257583cf6082aa9fea97b10e7c0a40d0ac3947599602964b14a492c7452da36

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS56D8.tmp\blenobcoagfeeikbhjoohnjkgcogenhm\S9RnrhC7ys.js

Filesize
6KB

MD5
2fb8e095880a73de220395dc4e31d210

SHA1
5f7d00e258b3f83132a7d837df47a1dc4173216a

SHA256
a7607f1df85bd2599c2130cbf7118e6927916717e201ddd4c9a8870de615280a

SHA512
4cfc6ed7e990dd326f09e3c202fdd4836834eada4445ef3a13c7bd42998fb4434df58d5ffdda15e383ef5c9bf31a5947419c487d3e95bd1608893816c5083ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS56D8.tmp\blenobcoagfeeikbhjoohnjkgcogenhm\background.html

Filesize
147B

MD5
e682d27ef1f484e69fc16090ed8748b1

SHA1
edb8224f1f6af81bb6d2919d9f2aa09113b78ab7

SHA256
e43e4cd9ad33caa9b07f9e2c5d124eb285df062ac2515c4752d0f042cbf06b07

SHA512
1911d7d25faf94d26fe57752a532e64726d98651a108bb8e51f82bfa869bad2e3acaeeb0e5605af5de05b462a1cce26907f4cc82c66cde6c04e0226b929435ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS56D8.tmp\blenobcoagfeeikbhjoohnjkgcogenhm\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS56D8.tmp\blenobcoagfeeikbhjoohnjkgcogenhm\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS56D8.tmp\blenobcoagfeeikbhjoohnjkgcogenhm\manifest.json

Filesize
499B

MD5
412f42459d2bababeff0662c4acd8163

SHA1
f5d87fdb182074d09b9747d6df8abac5c32bbf77

SHA256
794c6c04f2c69455ac7f18ffc5a34814e2ad9a7dac62a44b57348330d2879217

SHA512
ecc4503e336f05efa9cb6459301c625c944846df474d96a4abfb4a37974c09e9c2bc04da02914aa6a13913d288b7d5329d8a2924012becb35d615a07b1b1ddda

Download Submit
\Users\Admin\AppData\Local\Temp\7zS56D8.tmp\QVYS6dT8Jij5VQC.exe

Filesize
623KB

MD5
3b3e9f85b1e1d1defb4813cb1676b553

SHA1
17a064e28b670d6d4e579ac078a81e7334704b58

SHA256
26fc2e717907241142895bb38734755ebb1ca82f1d23f48e09ec0d75cd4ad381

SHA512
0f7d3df630b73820490a0d767707c69f5cbb94265b67a202c6f652e601ba970d1257583cf6082aa9fea97b10e7c0a40d0ac3947599602964b14a492c7452da36

Download Submit
memory/1200-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download