Analysis
- max time kernel: 163s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 19:44

Static task: static1
Behavioral task: behavioral1
Sample: c1b4b922cdec55249af32a2affe9359627f829ae8fd155a168c3865695c881ea.exe
Resource: win7-20221111-en
General
- Target: c1b4b922cdec55249af32a2affe9359627f829ae8fd155a168c3865695c881ea.exe
- Size: 919KB
- MD5: 525be61a07c316d81867ef871f9ec082
- SHA1: b7b4df91897fa2ec08eb777ec60d429463d08c2d
- SHA256: c1b4b922cdec55249af32a2affe9359627f829ae8fd155a168c3865695c881ea
- SHA512: 640821d85906739fd05e5b39ada8e9048ff62cacba0cfebd494df3a20a1c2eed3bfbd5ee422a83627750b7a55c2b5743c61e176c8a74ab23f3faa55251ce19b1
- SSDEEP: 24576:h1OYdaOCCZ/iWCvu/2sWsJA/jlt+DHhsp:h1Os0CpYO/dJJDHhsp
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 4584 Wz8lA8WG8m6nGmo.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension (5 IoCs)
  Files created by Wz8lA8WG8m6nGmo.exe:
  C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkihbloiacgiofaejgagokalpeflnmbe\122\manifest.json
  C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkihbloiacgiofaejgagokalpeflnmbe\122\manifest.json
  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkihbloiacgiofaejgagokalpeflnmbe\122\manifest.json
  C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkihbloiacgiofaejgagokalpeflnmbe\122\manifest.json
  C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkihbloiacgiofaejgagokalpeflnmbe\122\manifest.json
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PID 4584 Wz8lA8WG8m6nGmo.exe (2 events)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 396 (c1b4b922cdec55249af32a2affe9359627f829ae8fd155a168c3865695c881ea.exe) wrote to the memory of PID 4584 (Wz8lA8WG8m6nGmo.exe); 3 events recorded
Processes
- C:\Users\Admin\AppData\Local\Temp\c1b4b922cdec55249af32a2affe9359627f829ae8fd155a168c3865695c881ea.exe (PID 396)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1b4b922cdec55249af32a2affe9359627f829ae8fd155a168c3865695c881ea.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zSC47D.tmp\Wz8lA8WG8m6nGmo.exe (PID 4584, child of PID 396)
    Command line: .\Wz8lA8WG8m6nGmo.exe
    - Executes dropped EXE
    - Drops Chrome extension
    - Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Users\Admin\AppData\Local\Temp\7zSC47D.tmp\Wz8lA8WG8m6nGmo.dat
  Filesize: 1KB
  MD5: 00db400ed1112c7b5c3713e4616bcfec
  SHA1: 1e121fd248f1534420169547cb3ec195ed2a032a
  SHA256: 6a679e33eabe583b70fcf910d015327ae24b3691c6801f4dabd4b8d9d231b2c1
  SHA512: c2985dc431d808af9d92c5c9e8e5a1fe2eebbff3061c7d2b23d257f829020063a34e75587b14e176f6f54cf16e0a469b8b3a9a44d9bbf731c83c78e9e02a17d0
- C:\Users\Admin\AppData\Local\Temp\7zSC47D.tmp\Wz8lA8WG8m6nGmo.exe (listed twice in the report with identical hashes)
  Filesize: 772KB
  MD5: 5ed7019dcd0008dbcd8e54017b8c7dd9
  SHA1: 7e4457da2ff06c2170bad636c9eb7c1bb436fd06
  SHA256: 7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7
  SHA512: 10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db
- C:\Users\Admin\AppData\Local\Temp\7zSC47D.tmp\mkihbloiacgiofaejgagokalpeflnmbe\TXTV.js
  Filesize: 7KB
  MD5: c8f329a095b6af7c9d6cb982ec2ca04f
  SHA1: a24f1271caa96dfa692a888dd76f82aa52128cb7
  SHA256: abcc8464d06853b9d0714acc0c4f578d3dffb0757cb5153837e0b8724ed463d1
  SHA512: f2a5f50d20d18e4bde030f57d828bdcaf3524db8e0e450604336e0b5d9012d642769810df1a04763c60c3eef5741206b7d81595a7dc582454d7175481f58be7d
- C:\Users\Admin\AppData\Local\Temp\7zSC47D.tmp\mkihbloiacgiofaejgagokalpeflnmbe\background.html
  Filesize: 141B
  MD5: 53bad2c7fb9f9bb11b7ef319c9ea606a
  SHA1: 3a3b39c8c9dd636430ab7dfab628700fad579ed0
  SHA256: 9a3d5e676e955a602513144e61fd9e124e98aebbe839b7fe3d9497b8b1272c10
  SHA512: 15c2c347938aefb2c5c7e212609269d1a6d578c8aed8d2e05c047c59d86bd87a3eb5c9e58a3b985a801c30b928d0de0f7e14114f42eb370a6b4f63d6165ef84e
- C:\Users\Admin\AppData\Local\Temp\7zSC47D.tmp\mkihbloiacgiofaejgagokalpeflnmbe\content.js
  Filesize: 144B
  MD5: fca19198fd8af21016a8b1dec7980002
  SHA1: fd01a47d14004e17a625efe66cc46a06c786cf40
  SHA256: 332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
  SHA512: 60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47
- C:\Users\Admin\AppData\Local\Temp\7zSC47D.tmp\mkihbloiacgiofaejgagokalpeflnmbe\lsdb.js
  Filesize: 531B
  MD5: 36d98318ab2b3b2585a30984db328afb
  SHA1: f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
  SHA256: ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
  SHA512: 6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a
- C:\Users\Admin\AppData\Local\Temp\7zSC47D.tmp\mkihbloiacgiofaejgagokalpeflnmbe\manifest.json
  Filesize: 597B
  MD5: e316a32ae692eacd6f6e546a257aee99
  SHA1: 953eb2a4268ba5164c9d1ac6765623015a3f37cb
  SHA256: 503487ce0924c160815d78414947088ba4b0cc3372cd4bcf7b49873fa006efb3
  SHA512: bd942537290a9a905f1a36352e02a0627d91b1945be7efcebd53204615d5dff93a6459e28e79e90453470562d33287de4f3812416b647823d08e52057be086f1
- memory/4584-132-0x0000000000000000-mapping.dmp (memory dump of PID 4584)