2e9e8d38bdba2b7f729e428ea8fea16e3f9241a1d6b71f7fee90cc8fe8e76b9c

General

Target

2e9e8d38bdba2b7f729e428ea8fea16e3f9241a1d6b71f7fee90cc8fe8e76b9c.exe
Size

2.0MB
MD5

efb7594401f4071256e34782dee8f134
SHA1

d872155287be8d7c58145f3be7b314592067be76
SHA256

2e9e8d38bdba2b7f729e428ea8fea16e3f9241a1d6b71f7fee90cc8fe8e76b9c
SHA512

91265e4efbbe23f11e5cf447fe75a51e91de6c35ddc885f86776a9508e33c6e8122cdc092de875f34d1ed52f30248e3ff6a1ff46c97c80104cd691b357fc9f1b
SSDEEP

24576:h1OYdaOGJo99gJW4tFAlN3DdJ6RND6oSnHA5NPFmTLc4ecFgAKnMpAUv:h1OsoJooJDtFgTy5snHSUc4E3cAUv

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2912	n99RONmYqab73y3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\chacnkijhlimknekjfppieahimcgdnml\2.0\manifest.json	n99RONmYqab73y3.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\chacnkijhlimknekjfppieahimcgdnml\2.0\manifest.json	n99RONmYqab73y3.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\chacnkijhlimknekjfppieahimcgdnml\2.0\manifest.json	n99RONmYqab73y3.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\chacnkijhlimknekjfppieahimcgdnml\2.0\manifest.json	n99RONmYqab73y3.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\chacnkijhlimknekjfppieahimcgdnml\2.0\manifest.json	n99RONmYqab73y3.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	n99RONmYqab73y3.exe
File opened for modification	C:\Windows\System32\GroupPolicy	n99RONmYqab73y3.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	n99RONmYqab73y3.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	n99RONmYqab73y3.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2912	n99RONmYqab73y3.exe
2912	n99RONmYqab73y3.exe
2912	n99RONmYqab73y3.exe
2912	n99RONmYqab73y3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2912	2088	2e9e8d38bdba2b7f729e428ea8fea16e3f9241a1d6b71f7fee90cc8fe8e76b9c.exe	82
PID 2088 wrote to memory of 2912	2088	2e9e8d38bdba2b7f729e428ea8fea16e3f9241a1d6b71f7fee90cc8fe8e76b9c.exe	82
PID 2088 wrote to memory of 2912	2088	2e9e8d38bdba2b7f729e428ea8fea16e3f9241a1d6b71f7fee90cc8fe8e76b9c.exe	82

C:\Users\Admin\AppData\Local\Temp\2e9e8d38bdba2b7f729e428ea8fea16e3f9241a1d6b71f7fee90cc8fe8e76b9c.exe
"C:\Users\Admin\AppData\Local\Temp\2e9e8d38bdba2b7f729e428ea8fea16e3f9241a1d6b71f7fee90cc8fe8e76b9c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\7zS66FD.tmp\n99RONmYqab73y3.exe
  .\n99RONmYqab73y3.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS66FD.tmp\chacnkijhlimknekjfppieahimcgdnml\background.html

Filesize
139B

MD5
0b4291036529f255da5116fbf6c1110e

SHA1
28e73f0f996a08e641da7c95cb671685a3e63996

SHA256
d4f15dca0df5bb0a57f4f53c8c99428cfe6747a1011b569727f4ee3caa0945e5

SHA512
5b1784817a5471cb069b7e9d4700e4e0b8edacc83a3a14ef6b06a41ca7369147d8af7fbe554557a1bc4bbda3f3a2604a962a12f47c6bbbc6148fce3a5b703c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS66FD.tmp\chacnkijhlimknekjfppieahimcgdnml\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS66FD.tmp\chacnkijhlimknekjfppieahimcgdnml\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS66FD.tmp\chacnkijhlimknekjfppieahimcgdnml\manifest.json

Filesize
499B

MD5
eb05de53f375bc74691c7651d864f770

SHA1
8b41a52cf88ca96cf83167435ffccc956595faaf

SHA256
c8d7ad676efff8b7496757cde7fcd4bf0b23769c1b375c6e1799fdff5ff53ff0

SHA512
8c052ecc894bdf4fbda1fc2c7d40420c7ac604820a1288a1fa6541f3738e7637cf9da709697a2516909d988f34f20a0330aaf1cd1b0b62c9bae55e237b90889f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS66FD.tmp\chacnkijhlimknekjfppieahimcgdnml\r0.js

Filesize
6KB

MD5
586df7198b72c37b5bad18e159e99edc

SHA1
b382149401f70d3cf7f7e68dc9d3c51314aa63cc

SHA256
2fe771319cd177759bf2fd9b82b18f84025147dbc0a5e36c15e2d828cbca08c5

SHA512
76c7b5afe14496c31201dfe99e1006570fa82dcb436f89a363518645ed352df411d3aa6c720523151f6f2ce3a4cb544de10cc21d13992aa1199f0c205b3e44b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS66FD.tmp\n99RONmYqab73y3.dat

Filesize
6KB

MD5
b288aace2d009f86edafea5df4a9b5be

SHA1
db986b8ff9d267d225c1d5ca7d2646197cf21b74

SHA256
949fa802cbb633abdcbeb12778a7bac8547b69d1f1220f29b57d62f54c778441

SHA512
cd1c73d2ba44d467d61b830e3c15c02048980b250b81b46c4febdba95a2eddf4674f85fad6071fca2cd38fa477caec6a84c9f7b6d28349fa93c342a95a7deab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS66FD.tmp\n99RONmYqab73y3.exe

Filesize
623KB

MD5
92a70e40452d88d8c4b46f2ad8361977

SHA1
162c9ed1873fca1ef6ab9a2234a2812a203d6b56

SHA256
e61d40631449eb3f098a3bde542a0f87fc6f715cfcba919777e299e9ab12c1b8

SHA512
ef3aab2f1c816909878f6292bf0c2c4217c086a0bd39e936f8f2df19f2c2a16fbe8354d49048feddffa8e8e1ac7e3063b84fbaf0bdec7024494a87f807269e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS66FD.tmp\n99RONmYqab73y3.exe

Filesize
623KB

MD5
92a70e40452d88d8c4b46f2ad8361977

SHA1
162c9ed1873fca1ef6ab9a2234a2812a203d6b56

SHA256
e61d40631449eb3f098a3bde542a0f87fc6f715cfcba919777e299e9ab12c1b8

SHA512
ef3aab2f1c816909878f6292bf0c2c4217c086a0bd39e936f8f2df19f2c2a16fbe8354d49048feddffa8e8e1ac7e3063b84fbaf0bdec7024494a87f807269e81

Download Submit
memory/2912-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing