cf135d8664655cfe782d8d61e8611bba8353900fabce3195897e8f7556096a2e

General

Target

cf135d8664655cfe782d8d61e8611bba8353900fabce3195897e8f7556096a2e.exe
Size

920KB
MD5

c7a9f88ca7de7668b1d4a586b570017f
SHA1

90d2de4646db74a9f78ed130548b3046dd16e6c7
SHA256

cf135d8664655cfe782d8d61e8611bba8353900fabce3195897e8f7556096a2e
SHA512

8a2963642c5d81a224cf538925cc1ab57c1777898b7c54b5739e9ff67a464fe39e58bfc3e2b7944aa50407a7eba2386ce8d3c0872658307e201dd3791f5eb3a8
SSDEEP

24576:h1OYdaOoCZ/iWCvu/2sWsJA/jlt+DHhsX:h1OsaCpYO/dJJDHhsX

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

WfqK4mHv54dhlYO.exe

pid process

968 WfqK4mHv54dhlYO.exe
Loads dropped DLL 1 IoCs

Processes:

cf135d8664655cfe782d8d61e8611bba8353900fabce3195897e8f7556096a2e.exe

pid process

1668 cf135d8664655cfe782d8d61e8611bba8353900fabce3195897e8f7556096a2e.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
968	WfqK4mHv54dhlYO.exe

pid	process
1668	cf135d8664655cfe782d8d61e8611bba8353900fabce3195897e8f7556096a2e.exe

Drops Chrome extension 3 IoCs

Processes:

WfqK4mHv54dhlYO.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfnbeppfinmnjnjhedifcfllpcfgeea\163\manifest.json	WfqK4mHv54dhlYO.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfnbeppfinmnjnjhedifcfllpcfgeea\163\manifest.json	WfqK4mHv54dhlYO.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfnbeppfinmnjnjhedifcfllpcfgeea\163\manifest.json	WfqK4mHv54dhlYO.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

WfqK4mHv54dhlYO.exe

pid process

968 WfqK4mHv54dhlYO.exe

pid	process
968	WfqK4mHv54dhlYO.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cf135d8664655cfe782d8d61e8611bba8353900fabce3195897e8f7556096a2e.exe

description	pid	process	target process
PID 1668 wrote to memory of 968	1668	cf135d8664655cfe782d8d61e8611bba8353900fabce3195897e8f7556096a2e.exe	WfqK4mHv54dhlYO.exe
PID 1668 wrote to memory of 968	1668	cf135d8664655cfe782d8d61e8611bba8353900fabce3195897e8f7556096a2e.exe	WfqK4mHv54dhlYO.exe
PID 1668 wrote to memory of 968	1668	cf135d8664655cfe782d8d61e8611bba8353900fabce3195897e8f7556096a2e.exe	WfqK4mHv54dhlYO.exe
PID 1668 wrote to memory of 968	1668	cf135d8664655cfe782d8d61e8611bba8353900fabce3195897e8f7556096a2e.exe	WfqK4mHv54dhlYO.exe

C:\Users\Admin\AppData\Local\Temp\cf135d8664655cfe782d8d61e8611bba8353900fabce3195897e8f7556096a2e.exe
"C:\Users\Admin\AppData\Local\Temp\cf135d8664655cfe782d8d61e8611bba8353900fabce3195897e8f7556096a2e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\7zSD9FB.tmp\WfqK4mHv54dhlYO.exe
.\WfqK4mHv54dhlYO.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Suspicious behavior: EnumeratesProcesses
PID:968

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSD9FB.tmp\WfqK4mHv54dhlYO.dat
Filesize
1KB

MD5
bca411820c0159d2a5699a1c02521846

SHA1
1984690fd65aa771e0c9167df2281fabd158714d

SHA256
48523548f293362fc6eededf5170a3fef5d8f9cfb30b850d8504fbe2d039880f

SHA512
f68c1c8c63e130f99f27b77f7bc5615b33eec8e9e2a1e554f50b69b250c68aecb5b49258b26affc6ba8b63a9d696d12f596c4edd5cc2874c5622e559e9f0993d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD9FB.tmp\WfqK4mHv54dhlYO.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD9FB.tmp\fnfnbeppfinmnjnjhedifcfllpcfgeea\Lbjs.js
Filesize
7KB

MD5
f607c215ed879e065ec17f1c9eca2903

SHA1
d0d1de704513d5244ea5a0d27c5238557603957f

SHA256
1e36ea0c309fb270956bcff938dd2a0180dcf31496b2532fbf0ac9729591ace7

SHA512
3e8e24b6f4a37d41f3f096d1c076b76cf337bb6263f8e0a773d9f50415580a742ab61701f9233eeddf60a2e617f619bc8aab3d7c6074ce9b560d5974113905f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD9FB.tmp\fnfnbeppfinmnjnjhedifcfllpcfgeea\background.html
Filesize
141B

MD5
52e171afa1789b8c95ef7055dc83e0ec

SHA1
51e9fb9329ae1957a135d4ebea834e1cdb494d1e

SHA256
9d13b6b6affaeeca8239c4a0e1d1138ec0b622f37d9ea609a652bb257ccb7e84

SHA512
01e755e4faa6617894b361f09ec24fd694b33a32d2f1891e5fff39fbdb162d47c17e3e25fc39781fba3dc22b317e025674a880b978ae07945505c757436c2e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD9FB.tmp\fnfnbeppfinmnjnjhedifcfllpcfgeea\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD9FB.tmp\fnfnbeppfinmnjnjhedifcfllpcfgeea\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD9FB.tmp\fnfnbeppfinmnjnjhedifcfllpcfgeea\manifest.json
Filesize
600B

MD5
d792ec6313fd2699574fff3ce1426456

SHA1
099c7c90e0c9d1d868ea43b7b23fe433990b554a

SHA256
7848aab91c11c2207bd11e4158f22ee0fdcd87229cc990a7dd7723b0aa95f7d9

SHA512
d1ad82c55fdd181e5b893ecb2a02e0926e3fe28b68a1fffb21d6dd82ca99679f0a1029f5f856af894288aa16c37e445149176ed5b653f59e186d0a67eed41793

Download Submit
\Users\Admin\AppData\Local\Temp\7zSD9FB.tmp\WfqK4mHv54dhlYO.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
memory/968-56-0x0000000000000000-mapping.dmp

Download
memory/1668-54-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing