fd3d9dcf526246915a31c172ecfcf00c599ca3c8401f0a50c0878da861affb88

General

Target

fd3d9dcf526246915a31c172ecfcf00c599ca3c8401f0a50c0878da861affb88.exe
Size

920KB
MD5

ca3741e0b8d7f8318603a1ac5f3aaa97
SHA1

ca1e4a22623eb77e1a79c010c86b01bc2ecb31df
SHA256

fd3d9dcf526246915a31c172ecfcf00c599ca3c8401f0a50c0878da861affb88
SHA512

e9a476735f85cfdee4b8527372a462f4969ad765f877d7b65722ad8b59b55a517d6059a50360da9156ba6eacf8cf895d4b5dd82c0b0e3be7f201949495ebd216
SSDEEP

24576:h1OYdaO7CZ/iWCvu/2sWsJA/jlt+DHhs1:h1OsBCpYO/dJJDHhs1

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

BpsivuGbQT5ZWqA.exe

pid process

960 BpsivuGbQT5ZWqA.exe
Loads dropped DLL 1 IoCs

Processes:

fd3d9dcf526246915a31c172ecfcf00c599ca3c8401f0a50c0878da861affb88.exe

pid process

1492 fd3d9dcf526246915a31c172ecfcf00c599ca3c8401f0a50c0878da861affb88.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
960	BpsivuGbQT5ZWqA.exe

pid	process
1492	fd3d9dcf526246915a31c172ecfcf00c599ca3c8401f0a50c0878da861affb88.exe

Drops Chrome extension 3 IoCs

Processes:

BpsivuGbQT5ZWqA.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oolpphfmdmjbojolagcbgdemojhcnlod\143\manifest.json	BpsivuGbQT5ZWqA.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\oolpphfmdmjbojolagcbgdemojhcnlod\143\manifest.json	BpsivuGbQT5ZWqA.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\oolpphfmdmjbojolagcbgdemojhcnlod\143\manifest.json	BpsivuGbQT5ZWqA.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

BpsivuGbQT5ZWqA.exe

pid process

960 BpsivuGbQT5ZWqA.exe

pid	process
960	BpsivuGbQT5ZWqA.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fd3d9dcf526246915a31c172ecfcf00c599ca3c8401f0a50c0878da861affb88.exe

description	pid	process	target process
PID 1492 wrote to memory of 960	1492	fd3d9dcf526246915a31c172ecfcf00c599ca3c8401f0a50c0878da861affb88.exe	BpsivuGbQT5ZWqA.exe
PID 1492 wrote to memory of 960	1492	fd3d9dcf526246915a31c172ecfcf00c599ca3c8401f0a50c0878da861affb88.exe	BpsivuGbQT5ZWqA.exe
PID 1492 wrote to memory of 960	1492	fd3d9dcf526246915a31c172ecfcf00c599ca3c8401f0a50c0878da861affb88.exe	BpsivuGbQT5ZWqA.exe
PID 1492 wrote to memory of 960	1492	fd3d9dcf526246915a31c172ecfcf00c599ca3c8401f0a50c0878da861affb88.exe	BpsivuGbQT5ZWqA.exe

C:\Users\Admin\AppData\Local\Temp\fd3d9dcf526246915a31c172ecfcf00c599ca3c8401f0a50c0878da861affb88.exe
"C:\Users\Admin\AppData\Local\Temp\fd3d9dcf526246915a31c172ecfcf00c599ca3c8401f0a50c0878da861affb88.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\7zS8E7.tmp\BpsivuGbQT5ZWqA.exe
.\BpsivuGbQT5ZWqA.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Suspicious behavior: EnumeratesProcesses
PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS8E7.tmp\BpsivuGbQT5ZWqA.dat

Filesize
1KB

MD5
b3072a9142d5787c65a207c0324467dc

SHA1
ed4605d64b5d555318ffa1e36130aed84d55f71b

SHA256
1bce46d77e4a7d8464738780364237b5c7df593ed98dfe767ecfc2625ad4a0ff

SHA512
282ca8cb44918488c811b8e0ad678dc2e8348b266d11299e4ce223754e509f5d4e687d173aab5d37c930797b6ace6b12ae9dbfa488e7667f5d94b3eaf2024398

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E7.tmp\BpsivuGbQT5ZWqA.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E7.tmp\oolpphfmdmjbojolagcbgdemojhcnlod\BV9Tr.js

Filesize
7KB

MD5
676880dca4f1dabf870494d24716b9b8

SHA1
4933b708ea9018f988a7d8544aa691d84ea1ba32

SHA256
cc177fccae6e9800392aed1fd3d27ef9658fffbd4b98aa44514825f9b3913816

SHA512
f187a5e130040b3f17fba785b994f76f513398adde9abbb6303cab17b2b0b1be3a7bf2b912b32349d07e86f2f57c9d2cc224813870e1d769b8b43c0f74e1a437

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E7.tmp\oolpphfmdmjbojolagcbgdemojhcnlod\background.html

Filesize
142B

MD5
75111cfdb38c649a39c319ec5fd9b0f1

SHA1
083dc856e77699abe3818a89266cb97ed725c9e6

SHA256
9073594d4ee66705446149f98e10a8bc868f587d9ecb3f93c17c63706e3e3bdf

SHA512
0ddc8d310672d4f7ed1ccec0427d125751c88a1c02fe43f8fe4677bb5f850c5cb508bf6ce209bc5768a8c94f051dceb5518d965671f5313a9e6677022b9a4cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E7.tmp\oolpphfmdmjbojolagcbgdemojhcnlod\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E7.tmp\oolpphfmdmjbojolagcbgdemojhcnlod\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E7.tmp\oolpphfmdmjbojolagcbgdemojhcnlod\manifest.json

Filesize
605B

MD5
2485e6da8ca3b4da7d9fe0783b8df662

SHA1
499949ef5b46157ab75e0c72db3764e7ae6225f9

SHA256
19da4e35f5be6bc34314965fa3b8afb9a7b6a1aeeee5a5494d1a0712dd599443

SHA512
6273e5ef548162fcf813ae1fe7ffd38743e71f0d20f3f7c703fcc21ecb38bd9e684c45d33c37f84df9efec3c2170b63cb35587ff0285851f6eb7660be0993e65

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E7.tmp\BpsivuGbQT5ZWqA.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
memory/960-56-0x0000000000000000-mapping.dmp

Download
memory/1492-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing