c14ab7ca692fbc40d2abe707419d4b6a5489ea879495ca35d90d98db103bacb3

Analysis

max time kernel
43s
max time network
78s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c14ab7ca692fbc40d2abe707419d4b6a5489ea879495ca35d90d98db103bacb3.exe
Size

920KB
MD5

71be0c036225ebe5081c1423154ad9dc
SHA1

d289b5abe77963ff59147803a19cc9e8d3fd0897
SHA256

c14ab7ca692fbc40d2abe707419d4b6a5489ea879495ca35d90d98db103bacb3
SHA512

cbc12cd2a24f0f75ede01c68d3e8970725b106ee8278f158b5331092eccbe24f8df55e2c98be1aea14de90df1a22ab756eec0e5f0fc9e528a9e4b666ae30828b
SSDEEP

24576:h1OYdaOZMtdHAqcdDVhYwiei7+EpFAh/kKc:h1OswPHVmVhYwiLtKkKc

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ChJoxRdXpq2j45i.exe

pid process

688 ChJoxRdXpq2j45i.exe
Loads dropped DLL 1 IoCs

Processes:

c14ab7ca692fbc40d2abe707419d4b6a5489ea879495ca35d90d98db103bacb3.exe

pid process

956 c14ab7ca692fbc40d2abe707419d4b6a5489ea879495ca35d90d98db103bacb3.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
956	c14ab7ca692fbc40d2abe707419d4b6a5489ea879495ca35d90d98db103bacb3.exe

Drops Chrome extension 3 IoCs

Processes:

ChJoxRdXpq2j45i.exe

description	ioc	process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcmjokgikeciaidljfhjchcgagieicfi\2.0\manifest.json	ChJoxRdXpq2j45i.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcmjokgikeciaidljfhjchcgagieicfi\2.0\manifest.json	ChJoxRdXpq2j45i.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcmjokgikeciaidljfhjchcgagieicfi\2.0\manifest.json	ChJoxRdXpq2j45i.exe

Drops file in System32 directory 4 IoCs

Processes:

ChJoxRdXpq2j45i.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	ChJoxRdXpq2j45i.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	ChJoxRdXpq2j45i.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	ChJoxRdXpq2j45i.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	ChJoxRdXpq2j45i.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

ChJoxRdXpq2j45i.exe

pid	process
688	ChJoxRdXpq2j45i.exe
688	ChJoxRdXpq2j45i.exe
688	ChJoxRdXpq2j45i.exe
688	ChJoxRdXpq2j45i.exe
688	ChJoxRdXpq2j45i.exe
688	ChJoxRdXpq2j45i.exe
688	ChJoxRdXpq2j45i.exe
688	ChJoxRdXpq2j45i.exe
688	ChJoxRdXpq2j45i.exe
688	ChJoxRdXpq2j45i.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

ChJoxRdXpq2j45i.exe

description	pid	process
Token: SeDebugPrivilege	688	ChJoxRdXpq2j45i.exe
Token: SeDebugPrivilege	688	ChJoxRdXpq2j45i.exe
Token: SeDebugPrivilege	688	ChJoxRdXpq2j45i.exe
Token: SeDebugPrivilege	688	ChJoxRdXpq2j45i.exe
Token: SeDebugPrivilege	688	ChJoxRdXpq2j45i.exe
Token: SeDebugPrivilege	688	ChJoxRdXpq2j45i.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c14ab7ca692fbc40d2abe707419d4b6a5489ea879495ca35d90d98db103bacb3.exe

description	pid	process	target process
PID 956 wrote to memory of 688	956	c14ab7ca692fbc40d2abe707419d4b6a5489ea879495ca35d90d98db103bacb3.exe	ChJoxRdXpq2j45i.exe
PID 956 wrote to memory of 688	956	c14ab7ca692fbc40d2abe707419d4b6a5489ea879495ca35d90d98db103bacb3.exe	ChJoxRdXpq2j45i.exe
PID 956 wrote to memory of 688	956	c14ab7ca692fbc40d2abe707419d4b6a5489ea879495ca35d90d98db103bacb3.exe	ChJoxRdXpq2j45i.exe
PID 956 wrote to memory of 688	956	c14ab7ca692fbc40d2abe707419d4b6a5489ea879495ca35d90d98db103bacb3.exe	ChJoxRdXpq2j45i.exe

C:\Users\Admin\AppData\Local\Temp\c14ab7ca692fbc40d2abe707419d4b6a5489ea879495ca35d90d98db103bacb3.exe
"C:\Users\Admin\AppData\Local\Temp\c14ab7ca692fbc40d2abe707419d4b6a5489ea879495ca35d90d98db103bacb3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\7zS8B11.tmp\ChJoxRdXpq2j45i.exe
.\ChJoxRdXpq2j45i.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:688

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS8B11.tmp\ChJoxRdXpq2j45i.dat
Filesize
1KB

MD5
84b0284518cd5c2c7ac001db9b07eeee

SHA1
951b80ff4b222828cef371efc625b9487ddd217f

SHA256
57f423ae21906d84287a577f6e3db93cd1676a54009ba61f67944769718c9278

SHA512
6b7c71839f78ac8542726a453885be10512bc698de0735d3258497921646f279d3c13ebc67ff1056f8246c9cd93e9695b5245657fcb3d7a90c27e88a67153730

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B11.tmp\ChJoxRdXpq2j45i.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B11.tmp\bcmjokgikeciaidljfhjchcgagieicfi\background.html
Filesize
146B

MD5
fc662fc62d10e7d0c96048579cb11073

SHA1
7b86bdbf8ff775c42ae001935e02096e1a1931d5

SHA256
581096daee4fea0806301c54e51dcd4fa8394bf8c51729fffc5ed25f5080a309

SHA512
44989ab20834a3a8e34c304bb11a33036e1d08a997c9a2689c2d1114fe6b742d82403dea020628c31f14fab9213928f99540c95015eab39cb771feb14ec0d4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B11.tmp\bcmjokgikeciaidljfhjchcgagieicfi\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B11.tmp\bcmjokgikeciaidljfhjchcgagieicfi\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B11.tmp\bcmjokgikeciaidljfhjchcgagieicfi\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B11.tmp\bcmjokgikeciaidljfhjchcgagieicfi\v8mYhZqN1.js
Filesize
6KB

MD5
d1efe9cf5d52faa554082f927425b6b2

SHA1
208e9a09c8f95e16137470005e31832f884e08d6

SHA256
734b180bafff12f59ecf8e3f8978210215203b3536d0b3507e6024b869093396

SHA512
ef9ce43732b963e9241676cee3fb79a48d95607d064d9f528de65b07cf0216f2f6371e4fc6d621a48cffb91cd5550965e5231960f2ad87ed55e63e8d115a9044

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B11.tmp\m@HM4fj.org\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B11.tmp\m@HM4fj.org\chrome.manifest
Filesize
35B

MD5
7a9753fd89a5aa4c8d766c999440a240

SHA1
cf74f3a3d530e92059199823878810f2f9b6bdde

SHA256
f2d14513d042c08a612809dd4d0fff254d7210923603ebee20afce4c9001598f

SHA512
c9116b5e5e2c7870dd491758ebd0c66a70024bd2301c7b02527f156c771536d595668ed40520496029080cd7a12b26c0f370532f2f32fab028713bf22d2d05bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B11.tmp\m@HM4fj.org\content\bg.js
Filesize
8KB

MD5
4b44cae1ee1667e96101e9d3f2387235

SHA1
1f404df8256b2730b4071eeae052cbc6ea5426df

SHA256
6e49175ea7fc5104338c7a91b047f102aa6d11f2bde3856f350aeb2e6ea56894

SHA512
46a008918e264a73d24cdbe2535a718876a4d9a5388c703d552cc9ad696df627acd30f8aacf014917ff7241908d72076cd3f83415805ed84f2fb453137fbcc81

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B11.tmp\m@HM4fj.org\install.rdf
Filesize
593B

MD5
099a38a434f20b7f5d450d503dc58bd2

SHA1
2a7ecac0c95541358a9dc2487573f39d2706d39d

SHA256
88c2b841318ce45fd96e2e41e58ebf6f40a6a23da09aaa85d5a450184bee6996

SHA512
07a43aa958b40ab62d78cdd9874421d68b7185aa09bf8b5da29cd871dbad26d406fa687442e586b82b2f15f060233e4de845dae2e2dc87b29c7eaf13aebb6ca3

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8B11.tmp\ChJoxRdXpq2j45i.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
memory/688-56-0x0000000000000000-mapping.dmp

Download
memory/956-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads