9d609d6c67094c0eeb8d023fb3d98bc749a1545a71b45a1e8f1cbd3d8344c3c9

General

Target

9d609d6c67094c0eeb8d023fb3d98bc749a1545a71b45a1e8f1cbd3d8344c3c9.exe
Size

919KB
MD5

19d8eac4c41a0b8181816f737f85b79f
SHA1

365ab1abd81688fd9f503c437d01f8c40d2005ad
SHA256

9d609d6c67094c0eeb8d023fb3d98bc749a1545a71b45a1e8f1cbd3d8344c3c9
SHA512

2d442b226f5d161838349da4d8a7fbfe2d883c91c288f2c2c6f73ffe5cfaa4c2ba2622ebf02a105cbaaf9e8f6ebafd78aa7d97f7fc3eb59a7561c4b52a5d68f5
SSDEEP

24576:h1OYdaOpMWSUbvCXEQKSqGv8VWumF6RmcJozyPvpfe:h1Os/MWyUQ+GUVFIcHPvpfe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4908	qwrvBtiwpBc5bLB.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ognampngfcbddbfemdapefohjiobgbdl\183\manifest.json	qwrvBtiwpBc5bLB.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ognampngfcbddbfemdapefohjiobgbdl\183\manifest.json	qwrvBtiwpBc5bLB.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ognampngfcbddbfemdapefohjiobgbdl\183\manifest.json	qwrvBtiwpBc5bLB.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ognampngfcbddbfemdapefohjiobgbdl\183\manifest.json	qwrvBtiwpBc5bLB.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ognampngfcbddbfemdapefohjiobgbdl\183\manifest.json	qwrvBtiwpBc5bLB.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4908	qwrvBtiwpBc5bLB.exe
4908	qwrvBtiwpBc5bLB.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 4908	1056	9d609d6c67094c0eeb8d023fb3d98bc749a1545a71b45a1e8f1cbd3d8344c3c9.exe	80
PID 1056 wrote to memory of 4908	1056	9d609d6c67094c0eeb8d023fb3d98bc749a1545a71b45a1e8f1cbd3d8344c3c9.exe	80
PID 1056 wrote to memory of 4908	1056	9d609d6c67094c0eeb8d023fb3d98bc749a1545a71b45a1e8f1cbd3d8344c3c9.exe	80

C:\Users\Admin\AppData\Local\Temp\9d609d6c67094c0eeb8d023fb3d98bc749a1545a71b45a1e8f1cbd3d8344c3c9.exe
"C:\Users\Admin\AppData\Local\Temp\9d609d6c67094c0eeb8d023fb3d98bc749a1545a71b45a1e8f1cbd3d8344c3c9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Local\Temp\7zSA194.tmp\qwrvBtiwpBc5bLB.exe
  .\qwrvBtiwpBc5bLB.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Suspicious behavior: EnumeratesProcesses
  PID:4908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSA194.tmp\ognampngfcbddbfemdapefohjiobgbdl\background.html

Filesize
141B

MD5
bfb8c7666bc725114a83a85f806a894a

SHA1
439c3bb4c0d1ca804547f4659b0e73c4dec31a38

SHA256
b5134cf4cd4f3d29de4359d3a938fce448d7c4dc6d31efd9b67df4b4d104d228

SHA512
0bb4610bbea8c06f5558b9361805e231f48ed531ddad98dd0b4a79d387097bd9542d2fcbb28b9a5b1afed25a298bcdb0758f4e8f7a195269048d0920d7fc0da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA194.tmp\ognampngfcbddbfemdapefohjiobgbdl\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA194.tmp\ognampngfcbddbfemdapefohjiobgbdl\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA194.tmp\ognampngfcbddbfemdapefohjiobgbdl\manifest.json

Filesize
598B

MD5
58312d5d4e6a33b8f76286476b6cab8b

SHA1
ffbb70a5c9fdecabf5070cbea0e5ddad8b8c6db2

SHA256
3542911d36525d3bb1dbe976e1512f486d204b680d930b70fc821d6c4022041e

SHA512
8abac5aee60ab60446f25b13fc70882c4a51380e58b905db302e014d982148738ccfa19f158ee84a0c489f3f7229cce4bd1a34c9a0b62f56546120ffc58b493d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA194.tmp\ognampngfcbddbfemdapefohjiobgbdl\uMuw.js

Filesize
7KB

MD5
406b9177ce544eebf97c452c0797b27a

SHA1
2efafba044eedeb5df9a04206703ae67bc991a88

SHA256
e74f2dfaaf8951041b44093b8c53b74fd80b248d3376d5c26b16972503a7b394

SHA512
f0a163ca52fa26b5c41d8b00eef033acdc36f818811a6bff353d8f8084359775e2e16a98a3bde398fea320f621b4515aa46a18e178a1435308d2ce7fdbb6d579

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA194.tmp\qwrvBtiwpBc5bLB.dat

Filesize
1KB

MD5
25ce350d62315db96e8ffd3ea13b00d1

SHA1
45b9cb68eacbe3704ada572a1efd06f1161b7db3

SHA256
93e0599f916a2d3e9bb545026826f51767ec980db776d3b452371a1efb8ed101

SHA512
485c7a311dae5326fdead5828e1705a7e155e0792c7fe3f3f2133d8ffd4a53bb2e72dd4135b4f909c0b4c4574e7ee3243261b0c80e3039e9ed6aef421d7cc6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA194.tmp\qwrvBtiwpBc5bLB.exe

Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA194.tmp\qwrvBtiwpBc5bLB.exe

Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit

Analysis

Sharing