c46b05ea984c04f3c76005fe798f1eff0b601fe45f1708b1139985a496778c40

Analysis

max time kernel
25s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c46b05ea984c04f3c76005fe798f1eff0b601fe45f1708b1139985a496778c40.exe
Size

926KB
MD5

39149b81d35659c5a0845625a5ce9b33
SHA1

79c08c7e4a39a76f10f0dc23388161da94779834
SHA256

c46b05ea984c04f3c76005fe798f1eff0b601fe45f1708b1139985a496778c40
SHA512

7913e58282af202d6e2eea7e75ce44ad4c83378747a09893ca8322b0fd7dfeea5eb273640eee102a9c3d23efcc606e351611e7be76a6ef65f1d31a008e8e21d6
SSDEEP

24576:h1OYdaO9nQju5vMu6qN2FctIOBYXZBai3GBlgpKLe/7rw:h1OsjQjO6HHzayGBe/7rw

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

bD7AnjM11BmD3Wn.exe

pid process

384 bD7AnjM11BmD3Wn.exe
Loads dropped DLL 1 IoCs

Processes:

c46b05ea984c04f3c76005fe798f1eff0b601fe45f1708b1139985a496778c40.exe

pid process

1072 c46b05ea984c04f3c76005fe798f1eff0b601fe45f1708b1139985a496778c40.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1072	c46b05ea984c04f3c76005fe798f1eff0b601fe45f1708b1139985a496778c40.exe

Drops Chrome extension 3 IoCs

Processes:

bD7AnjM11BmD3Wn.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojgpgpdagnkhbhpppdohpdcpecipahkf\2.0\manifest.json	bD7AnjM11BmD3Wn.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojgpgpdagnkhbhpppdohpdcpecipahkf\2.0\manifest.json	bD7AnjM11BmD3Wn.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojgpgpdagnkhbhpppdohpdcpecipahkf\2.0\manifest.json	bD7AnjM11BmD3Wn.exe

Drops file in System32 directory 4 IoCs

Processes:

bD7AnjM11BmD3Wn.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	bD7AnjM11BmD3Wn.exe
File opened for modification	C:\Windows\System32\GroupPolicy	bD7AnjM11BmD3Wn.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	bD7AnjM11BmD3Wn.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	bD7AnjM11BmD3Wn.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

bD7AnjM11BmD3Wn.exe

pid	process
384	bD7AnjM11BmD3Wn.exe
384	bD7AnjM11BmD3Wn.exe
384	bD7AnjM11BmD3Wn.exe
384	bD7AnjM11BmD3Wn.exe
384	bD7AnjM11BmD3Wn.exe
384	bD7AnjM11BmD3Wn.exe
384	bD7AnjM11BmD3Wn.exe
384	bD7AnjM11BmD3Wn.exe
384	bD7AnjM11BmD3Wn.exe
384	bD7AnjM11BmD3Wn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

bD7AnjM11BmD3Wn.exe

description	pid	process
Token: SeDebugPrivilege	384	bD7AnjM11BmD3Wn.exe
Token: SeDebugPrivilege	384	bD7AnjM11BmD3Wn.exe
Token: SeDebugPrivilege	384	bD7AnjM11BmD3Wn.exe
Token: SeDebugPrivilege	384	bD7AnjM11BmD3Wn.exe
Token: SeDebugPrivilege	384	bD7AnjM11BmD3Wn.exe
Token: SeDebugPrivilege	384	bD7AnjM11BmD3Wn.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c46b05ea984c04f3c76005fe798f1eff0b601fe45f1708b1139985a496778c40.exe

description	pid	process	target process
PID 1072 wrote to memory of 384	1072	c46b05ea984c04f3c76005fe798f1eff0b601fe45f1708b1139985a496778c40.exe	bD7AnjM11BmD3Wn.exe
PID 1072 wrote to memory of 384	1072	c46b05ea984c04f3c76005fe798f1eff0b601fe45f1708b1139985a496778c40.exe	bD7AnjM11BmD3Wn.exe
PID 1072 wrote to memory of 384	1072	c46b05ea984c04f3c76005fe798f1eff0b601fe45f1708b1139985a496778c40.exe	bD7AnjM11BmD3Wn.exe
PID 1072 wrote to memory of 384	1072	c46b05ea984c04f3c76005fe798f1eff0b601fe45f1708b1139985a496778c40.exe	bD7AnjM11BmD3Wn.exe

C:\Users\Admin\AppData\Local\Temp\c46b05ea984c04f3c76005fe798f1eff0b601fe45f1708b1139985a496778c40.exe
"C:\Users\Admin\AppData\Local\Temp\c46b05ea984c04f3c76005fe798f1eff0b601fe45f1708b1139985a496778c40.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Local\Temp\7zS534F.tmp\bD7AnjM11BmD3Wn.exe
.\bD7AnjM11BmD3Wn.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:384

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS534F.tmp\bD7AnjM11BmD3Wn.dat
Filesize
1KB

MD5
659047b724ec09117f875fa20538f921

SHA1
4784f5c6b5086895a4c9bd0e72de0422a67a8e5a

SHA256
5d3b13428c0ae5074987b1a8b05c4a7780e7a1d25d2162d50ccd16927e9d2fe5

SHA512
a5fdf9fcdd7c597eb4eb1c40f3891e01807d4b5c8f74de2ba432a5f7182592c1817707423efa15c9b1ff949d49c29d83d696ce34d0e36ea23f651b5c6a084492

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS534F.tmp\bD7AnjM11BmD3Wn.exe
Filesize
768KB

MD5
09e156c94b649920c0c6efa8508ada9a

SHA1
8ba966f84a07648613468b06a11d17f2650e8af0

SHA256
2584e4b5077edba37c8e6f97ccdc2e582136ae0144212b37eb97cd4d8685059a

SHA512
1a1d2ff05d413ec1c18735dcb06775f0e652fc778f0ce31a9bdc8e567beb32253df635ee2e9b3bdc430c49f0f5ca6128e44cbd88b2cb712a6712c8327f209375

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS534F.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS534F.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
bbe2a2c8874d9d1377ddae663c1d9af3

SHA1
5b5873059054f4fb450edce25bdace4f8ced886d

SHA256
a8e37dd4b4ace59b7bb871f8a05ddcf9cbaf6e71dba1a40dc6e5988691af617c

SHA512
54ab15d853619ae6a5a7266e6109068e431aaff4eac6589f15a36a8a034f6e3afe26fcc7e6158530df9439b6e63bb1665bfc3205526e5b03bcb0b1a1dda57acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS534F.tmp\[email protected]\content\bg.js
Filesize
7KB

MD5
7bbb858335be612f0bb26489338d7a89

SHA1
e2286052f922aae34a42d417e0f1f5cf916ca802

SHA256
37be5b906dbe93a013896d26fc502f7610ed30be1d82bbc3b534845e1a4b8927

SHA512
2016ff420c0e5aeb29e3e82b571fd4ac4abec446a4251e6307028d2d7ac11324ed77496c2870a7d9af1c05f347573ef2f58ee515370e35e9daa22a73e50cbe82

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS534F.tmp\[email protected]\install.rdf
Filesize
597B

MD5
5e494588e80cba9c3a4164e477840657

SHA1
cc92371d276b1d4133f77a976d50d07e5a439111

SHA256
ee8c722c8a20d20dfd1bb9654bc55fdd3ea33402411f0319e70f72e3b51b8487

SHA512
55f40d0b58d4d9650d9506cb4222a6004306d5e58893975610325db28fc5177b947bdae375362b1f4f46ae7ce4711c2056c5686a6fc3cdb793060418891e47f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS534F.tmp\ojgpgpdagnkhbhpppdohpdcpecipahkf\ai.js
Filesize
5KB

MD5
04be62dee46bf5502ab6ad79943a4fd4

SHA1
9adc0c99848454468011d692069edffd69e4c059

SHA256
6c77ad22a71715fc8e4dba5565780fcad61bc61a1679f170f9db2b3f505b113d

SHA512
53d818e8f4aa0a3bdd86da1f075a491e3a938404e66b02abc1a36a4dd37cbd75db78c00d571fa1433fdf404afc4427a9fed9ca292ca9eadfe76e13be664ad8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS534F.tmp\ojgpgpdagnkhbhpppdohpdcpecipahkf\background.html
Filesize
139B

MD5
d122b43f2ebbc02600d4e1e7ef3d5e89

SHA1
b10a69fb7106d2fb2cb4261a714b37f13c9479f9

SHA256
60a5e66b4d72f995d9a4dba89ead840a6d1bd7690b1136a2ff87cb453215bb3a

SHA512
449d25e4bcf3fee6636056f731ca5115d9a64e00afbcbc408c0f487e9a314516d27efb48535271a5df21868937228a4ece5f406c4e21c958657100bafa1f756c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS534F.tmp\ojgpgpdagnkhbhpppdohpdcpecipahkf\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS534F.tmp\ojgpgpdagnkhbhpppdohpdcpecipahkf\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS534F.tmp\ojgpgpdagnkhbhpppdohpdcpecipahkf\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS534F.tmp\bD7AnjM11BmD3Wn.exe
Filesize
768KB

MD5
09e156c94b649920c0c6efa8508ada9a

SHA1
8ba966f84a07648613468b06a11d17f2650e8af0

SHA256
2584e4b5077edba37c8e6f97ccdc2e582136ae0144212b37eb97cd4d8685059a

SHA512
1a1d2ff05d413ec1c18735dcb06775f0e652fc778f0ce31a9bdc8e567beb32253df635ee2e9b3bdc430c49f0f5ca6128e44cbd88b2cb712a6712c8327f209375

Download Submit
memory/384-56-0x0000000000000000-mapping.dmp

Download
memory/1072-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads