b0f4a5af3ab4f1bb727102477eea80743552dedc7d0de5766b6acaad489264bf

Analysis

max time kernel
28s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0f4a5af3ab4f1bb727102477eea80743552dedc7d0de5766b6acaad489264bf.exe
Size

931KB
MD5

3fd2520de4d42cad32a84b46e53ed52b
SHA1

40e163e55d90e18c9f20045af91e9b6abdb40eb9
SHA256

b0f4a5af3ab4f1bb727102477eea80743552dedc7d0de5766b6acaad489264bf
SHA512

16c996fe7a32180e57fda2a02077451d1846e51c30605b137e740aff1dbcd1368850c8d0e81ebba35677d2a101c4dbe061a398bbd3d1ad2f1cab4ee14f66bce8
SSDEEP

24576:h1OYdaOGMWSUbvCXEQKSqGv8VWumF6RmcJozyPvpfX:h1OssMWyUQ+GUVFIcHPvpfX

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SENeWqTwNYU4BxJ.exe

pid process

956 SENeWqTwNYU4BxJ.exe
Loads dropped DLL 1 IoCs

Processes:

b0f4a5af3ab4f1bb727102477eea80743552dedc7d0de5766b6acaad489264bf.exe

pid process

1728 b0f4a5af3ab4f1bb727102477eea80743552dedc7d0de5766b6acaad489264bf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1728	b0f4a5af3ab4f1bb727102477eea80743552dedc7d0de5766b6acaad489264bf.exe

Drops Chrome extension 3 IoCs

Processes:

SENeWqTwNYU4BxJ.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cajlbmigcfaapkionicllklpaiogpaha\2.0\manifest.json	SENeWqTwNYU4BxJ.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cajlbmigcfaapkionicllklpaiogpaha\2.0\manifest.json	SENeWqTwNYU4BxJ.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\cajlbmigcfaapkionicllklpaiogpaha\2.0\manifest.json	SENeWqTwNYU4BxJ.exe

Drops file in System32 directory 4 IoCs

Processes:

SENeWqTwNYU4BxJ.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	SENeWqTwNYU4BxJ.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	SENeWqTwNYU4BxJ.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	SENeWqTwNYU4BxJ.exe
File opened for modification	C:\Windows\System32\GroupPolicy	SENeWqTwNYU4BxJ.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

SENeWqTwNYU4BxJ.exe

pid	process
956	SENeWqTwNYU4BxJ.exe
956	SENeWqTwNYU4BxJ.exe
956	SENeWqTwNYU4BxJ.exe
956	SENeWqTwNYU4BxJ.exe
956	SENeWqTwNYU4BxJ.exe
956	SENeWqTwNYU4BxJ.exe
956	SENeWqTwNYU4BxJ.exe
956	SENeWqTwNYU4BxJ.exe
956	SENeWqTwNYU4BxJ.exe
956	SENeWqTwNYU4BxJ.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

SENeWqTwNYU4BxJ.exe

description	pid	process
Token: SeDebugPrivilege	956	SENeWqTwNYU4BxJ.exe
Token: SeDebugPrivilege	956	SENeWqTwNYU4BxJ.exe
Token: SeDebugPrivilege	956	SENeWqTwNYU4BxJ.exe
Token: SeDebugPrivilege	956	SENeWqTwNYU4BxJ.exe
Token: SeDebugPrivilege	956	SENeWqTwNYU4BxJ.exe
Token: SeDebugPrivilege	956	SENeWqTwNYU4BxJ.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b0f4a5af3ab4f1bb727102477eea80743552dedc7d0de5766b6acaad489264bf.exe

description	pid	process	target process
PID 1728 wrote to memory of 956	1728	b0f4a5af3ab4f1bb727102477eea80743552dedc7d0de5766b6acaad489264bf.exe	SENeWqTwNYU4BxJ.exe
PID 1728 wrote to memory of 956	1728	b0f4a5af3ab4f1bb727102477eea80743552dedc7d0de5766b6acaad489264bf.exe	SENeWqTwNYU4BxJ.exe
PID 1728 wrote to memory of 956	1728	b0f4a5af3ab4f1bb727102477eea80743552dedc7d0de5766b6acaad489264bf.exe	SENeWqTwNYU4BxJ.exe
PID 1728 wrote to memory of 956	1728	b0f4a5af3ab4f1bb727102477eea80743552dedc7d0de5766b6acaad489264bf.exe	SENeWqTwNYU4BxJ.exe

C:\Users\Admin\AppData\Local\Temp\b0f4a5af3ab4f1bb727102477eea80743552dedc7d0de5766b6acaad489264bf.exe
"C:\Users\Admin\AppData\Local\Temp\b0f4a5af3ab4f1bb727102477eea80743552dedc7d0de5766b6acaad489264bf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\SENeWqTwNYU4BxJ.exe
.\SENeWqTwNYU4BxJ.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
3519b2bdeb3f67242c8c516809141212

SHA1
b14c4a1eb14c06c7e325de3dcbf60030ea2dc2e5

SHA256
18cf92bd30834f7fd5316e7b3de38ce7d35c430c01d4ff8844bef4f53db40be8

SHA512
23db0c4d973b107ad423561b7ce73edd7b0c695726f540bb9fb5697aada6e9db7251a467f025509e12b49d3b26a508947f56442470a4120cfc4ba1b5322c4d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
04759f82be645b9d2e2820efd4fecfa4

SHA1
2a479dc5911aeb9cb3357612c6ecbb47b2f9faf0

SHA256
bf2038ffcf0f4bcf8fb52720a3c863023017bc73f8a22919175aa99308504e73

SHA512
3f24f025a1ec09c35148e6f161a85ca2d5805cc81f9573667ac56f0eb9e5ffd25bfc682764e80ee740494bb612b0e0f9eb2a9ae737949904a5d9cd5bb111c1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\[email protected]\install.rdf

Filesize
594B

MD5
1aa977f8cbbb9e711150f06ebd8501b6

SHA1
ca134b49acca53cc5f2f41765cdcedb0efa6c81f

SHA256
ed783d218d492f463a6e736ba55fcdca4bc5debe5091a7bae0482f2936621ab3

SHA512
199ce94c10dde2aa9c1865111a00391d9afdb0b287f128e0794086736a433700d7e7b0675dff51793a7c9070bbd1d4206edfd8fe1dd74efcd12cf2cb42c16d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\SENeWqTwNYU4BxJ.dat

Filesize
1KB

MD5
0e06ae42d9920963cead7c1916bef6a2

SHA1
aad6ee839f16b6816bd78a0ae8da147516e86f30

SHA256
1e69cb57a83d7cf5e49ac793f4757674bf45d628d5c78498b33dd7433c83bea4

SHA512
193fec32101f999f143e96a2898e1bf96888550bf633071212db87757d85f1945db47555b5645641311f366ca7f6aebd3a133f46cb878b34a89212ee582b7331

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\SENeWqTwNYU4BxJ.exe

Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\cajlbmigcfaapkionicllklpaiogpaha\MymiZtYG.js

Filesize
6KB

MD5
f1f6379fec8eeec5fa5ec6e36e8e9739

SHA1
45dcb90fc786df485b57a2fa3c0191ccb7b8caf6

SHA256
aec3e69c7730c6a9ffe610f6eb65ae7e2e688d4a1fe4d0790db789f237dca93c

SHA512
3784b9afc9335ab57caf554175d04b2cd1bba6878919786565d099be87a009c3996801d75968aa8d2cd9f254f0e71d38d02160e2955612f75e143ad431ff0141

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\cajlbmigcfaapkionicllklpaiogpaha\background.html

Filesize
145B

MD5
b02a42b1c0358523d1ad00b27e8743ea

SHA1
56a7acdf1bda50b6bd689f372ed44b71a8228fcd

SHA256
11f3f802b76b7c04d56b584beb849ea15f73747d799ffa62239ca75152e0a6cd

SHA512
9de3da5c96d68dbee870003f7f51c22c25a6698a792852e678c476479c645c3e8f8cdad9cb1a0ace069a459162e5fe6c50458208373eb9a2b8992971c02becf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\cajlbmigcfaapkionicllklpaiogpaha\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\cajlbmigcfaapkionicllklpaiogpaha\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\cajlbmigcfaapkionicllklpaiogpaha\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\SENeWqTwNYU4BxJ.exe

Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit
memory/956-56-0x0000000000000000-mapping.dmp

Download
memory/1728-54-0x0000000076221000-0x0000000076223000-memory.dmp

Filesize
8KB

Download