c346ea75129efc4f8b4d008543566df849ad2123b2642fc4efe8129a8dcd7364

Analysis

max time kernel
7s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c346ea75129efc4f8b4d008543566df849ad2123b2642fc4efe8129a8dcd7364.exe
Size

932KB
MD5

54280a701fd7161a791feb757c31f084
SHA1

3d1a32215c2bee5c44c2c42008d0a2253a88c1ae
SHA256

c346ea75129efc4f8b4d008543566df849ad2123b2642fc4efe8129a8dcd7364
SHA512

eefca64f748ea30399579474ed00705589afe9f8af845c728c3d5331ef8453739270fcf759b310cb1687039fdb9517b83c64bbadaab6c89bfdbed37c472f9bbb
SSDEEP

24576:h1OYdaOBCZ/iWCvu/2sWsJA/jlt+DHhsR:h1OsPCpYO/dJJDHhsR

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

LOLLY1fxatj18UJ.exe

pid process

2012 LOLLY1fxatj18UJ.exe
Loads dropped DLL 1 IoCs

Processes:

c346ea75129efc4f8b4d008543566df849ad2123b2642fc4efe8129a8dcd7364.exe

pid process

1228 c346ea75129efc4f8b4d008543566df849ad2123b2642fc4efe8129a8dcd7364.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1228	c346ea75129efc4f8b4d008543566df849ad2123b2642fc4efe8129a8dcd7364.exe

Drops Chrome extension 3 IoCs

Processes:

LOLLY1fxatj18UJ.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngcbcoadgljfgedbiadmegmimihbcihc\2.0\manifest.json	LOLLY1fxatj18UJ.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngcbcoadgljfgedbiadmegmimihbcihc\2.0\manifest.json	LOLLY1fxatj18UJ.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngcbcoadgljfgedbiadmegmimihbcihc\2.0\manifest.json	LOLLY1fxatj18UJ.exe

Drops file in System32 directory 4 IoCs

Processes:

LOLLY1fxatj18UJ.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	LOLLY1fxatj18UJ.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	LOLLY1fxatj18UJ.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	LOLLY1fxatj18UJ.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	LOLLY1fxatj18UJ.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

LOLLY1fxatj18UJ.exe

pid	process
2012	LOLLY1fxatj18UJ.exe
2012	LOLLY1fxatj18UJ.exe
2012	LOLLY1fxatj18UJ.exe
2012	LOLLY1fxatj18UJ.exe
2012	LOLLY1fxatj18UJ.exe
2012	LOLLY1fxatj18UJ.exe
2012	LOLLY1fxatj18UJ.exe
2012	LOLLY1fxatj18UJ.exe
2012	LOLLY1fxatj18UJ.exe
2012	LOLLY1fxatj18UJ.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

LOLLY1fxatj18UJ.exe

description	pid	process
Token: SeDebugPrivilege	2012	LOLLY1fxatj18UJ.exe
Token: SeDebugPrivilege	2012	LOLLY1fxatj18UJ.exe
Token: SeDebugPrivilege	2012	LOLLY1fxatj18UJ.exe
Token: SeDebugPrivilege	2012	LOLLY1fxatj18UJ.exe
Token: SeDebugPrivilege	2012	LOLLY1fxatj18UJ.exe
Token: SeDebugPrivilege	2012	LOLLY1fxatj18UJ.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c346ea75129efc4f8b4d008543566df849ad2123b2642fc4efe8129a8dcd7364.exe

description	pid	process	target process
PID 1228 wrote to memory of 2012	1228	c346ea75129efc4f8b4d008543566df849ad2123b2642fc4efe8129a8dcd7364.exe	LOLLY1fxatj18UJ.exe
PID 1228 wrote to memory of 2012	1228	c346ea75129efc4f8b4d008543566df849ad2123b2642fc4efe8129a8dcd7364.exe	LOLLY1fxatj18UJ.exe
PID 1228 wrote to memory of 2012	1228	c346ea75129efc4f8b4d008543566df849ad2123b2642fc4efe8129a8dcd7364.exe	LOLLY1fxatj18UJ.exe
PID 1228 wrote to memory of 2012	1228	c346ea75129efc4f8b4d008543566df849ad2123b2642fc4efe8129a8dcd7364.exe	LOLLY1fxatj18UJ.exe

C:\Users\Admin\AppData\Local\Temp\c346ea75129efc4f8b4d008543566df849ad2123b2642fc4efe8129a8dcd7364.exe
"C:\Users\Admin\AppData\Local\Temp\c346ea75129efc4f8b4d008543566df849ad2123b2642fc4efe8129a8dcd7364.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\LOLLY1fxatj18UJ.exe
.\LOLLY1fxatj18UJ.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
9a5bffc9fb9aba2fa3409423c6da0b4e

SHA1
b8591499a69bb3db56c8e2d25d04a6a86569f502

SHA256
95545a23b030f7d97fa7e9fd7e48eed513d971b0157596f7e9c2228da8d9130b

SHA512
84c7010523adc5af8f736dd31c5d897a49362c7829fe648787b1f2c4c40da7a3dd10342a02eecf4726d683982c63d681742b51d6ed62cf4fac285570f011fbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\[email protected]\content\bg.js
Filesize
9KB

MD5
c0e666da59d7eba799b56a57ba344fb3

SHA1
538aee69196adde21398da743483a969e11ce410

SHA256
0586d610b1a04200daaeb27c2ee79497fcfc18af15a415b1e13be873fa488bff

SHA512
44ade8b215bbdbd6bae90ed15791ac02ad7406990102e3bb38a4c17a5c0891acfc463cc9e48491f85deee5d40a74da9eb91b4097a7df06181f32f809bf5e2f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\[email protected]\install.rdf
Filesize
595B

MD5
ec159a1d797d97c5990e68255805f44d

SHA1
049197ba3bfdcbb1fcb543a507c328adb01166d7

SHA256
f381f170260e55306592c37cf02dc332aef846aa96e33ade380c732612c40d71

SHA512
2e7120cbd0bb238fda9d8a6c1a5797b473bc93bd2b612d2d9e51adc874927bbbcbd082ac2b8d844aec179e658b685354174e815a3ec8183631b8beb03bbfcf49

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\LOLLY1fxatj18UJ.dat
Filesize
1KB

MD5
2125c00e0c6a90c52d904f4ada367a71

SHA1
118cead8473e4487ee4836edde5e6a8362d788a6

SHA256
5e5177d719f5ade6aa6e55d107225aa0245a5200dfd51c265fda7b076d5b7d5b

SHA512
b4f77ad25c9c130555fcd3f0537ec22425c6b179b225e44c0ebd7c14b0aff9dcc9cefe984ba105b7786ce8f56fe43a7155aa6c7626b513dac1ef367edb72cd2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\LOLLY1fxatj18UJ.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\ngcbcoadgljfgedbiadmegmimihbcihc\DTHI.js
Filesize
6KB

MD5
3a85c92c794b216e2d1e94aa1ca4994c

SHA1
59697f5d0abcd2a3efe61cf72a954289b962eecb

SHA256
b6a154adc5e689a3ee9c9e4a50dc92d2ec366191cab8421a185e3c3bdf3f42d7

SHA512
ab5ad559e07e48b5975934725d8cb5d2dc979641ba49a22be0ed66df3d17f62aebc691065f5dc78ed439a012dc9b4fa769bc59ed5f853781915dfbfca1678ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\ngcbcoadgljfgedbiadmegmimihbcihc\background.html
Filesize
141B

MD5
8dc876f456b3f3deeffb0c7837c4438d

SHA1
6ea8fd1046262fc46f388e0059b076670840312e

SHA256
8785c4168d4c0879601345fc23f206262c56f7cc964666187fdecc15423536d7

SHA512
f1fd658f2b063d3a1b31a2fb60cd63cc973fb1d55b536c7b80b0984a1a8b4875a08f18f03be48bf1dcfa2625132562d7a3c7f697631dd74b48d95c37b164fd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\ngcbcoadgljfgedbiadmegmimihbcihc\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\ngcbcoadgljfgedbiadmegmimihbcihc\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\ngcbcoadgljfgedbiadmegmimihbcihc\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6365.tmp\LOLLY1fxatj18UJ.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
memory/1228-54-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/2012-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads