c0e2c4f529ddbab58c4e1db5ff8a74628fcab31229d08d5ca8431f0daca78e09

General

Target

c0e2c4f529ddbab58c4e1db5ff8a74628fcab31229d08d5ca8431f0daca78e09.exe
Size

920KB
MD5

6137adb4677ed21492d421fe344df229
SHA1

1ea3edc7307104b3359a24b06ed9b13871445387
SHA256

c0e2c4f529ddbab58c4e1db5ff8a74628fcab31229d08d5ca8431f0daca78e09
SHA512

a82789b12115fa9a8c160655202d011f957e9a815ef1089454c72ef6de9cdd5681f4dc94693ceb4b68100e6e45c5f0df535816675679a12da41d3a4bdc10705a
SSDEEP

24576:h1OYdaOyCZ/iWCvu/2sWsJA/jlt+DHhsZ:h1Os4CpYO/dJJDHhsZ

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Cc4Bozlf9pPGdFf.exe

pid process

1676 Cc4Bozlf9pPGdFf.exe
Loads dropped DLL 1 IoCs

Processes:

c0e2c4f529ddbab58c4e1db5ff8a74628fcab31229d08d5ca8431f0daca78e09.exe

pid process

1092 c0e2c4f529ddbab58c4e1db5ff8a74628fcab31229d08d5ca8431f0daca78e09.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1676	Cc4Bozlf9pPGdFf.exe

pid	process
1092	c0e2c4f529ddbab58c4e1db5ff8a74628fcab31229d08d5ca8431f0daca78e09.exe

Drops Chrome extension 3 IoCs

Processes:

Cc4Bozlf9pPGdFf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eohjkphdfajdfhpmdaedemmgmbidbldc\135\manifest.json	Cc4Bozlf9pPGdFf.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\eohjkphdfajdfhpmdaedemmgmbidbldc\135\manifest.json	Cc4Bozlf9pPGdFf.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\eohjkphdfajdfhpmdaedemmgmbidbldc\135\manifest.json	Cc4Bozlf9pPGdFf.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Cc4Bozlf9pPGdFf.exe

pid process

1676 Cc4Bozlf9pPGdFf.exe

pid	process
1676	Cc4Bozlf9pPGdFf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c0e2c4f529ddbab58c4e1db5ff8a74628fcab31229d08d5ca8431f0daca78e09.exe

description	pid	process	target process
PID 1092 wrote to memory of 1676	1092	c0e2c4f529ddbab58c4e1db5ff8a74628fcab31229d08d5ca8431f0daca78e09.exe	Cc4Bozlf9pPGdFf.exe
PID 1092 wrote to memory of 1676	1092	c0e2c4f529ddbab58c4e1db5ff8a74628fcab31229d08d5ca8431f0daca78e09.exe	Cc4Bozlf9pPGdFf.exe
PID 1092 wrote to memory of 1676	1092	c0e2c4f529ddbab58c4e1db5ff8a74628fcab31229d08d5ca8431f0daca78e09.exe	Cc4Bozlf9pPGdFf.exe
PID 1092 wrote to memory of 1676	1092	c0e2c4f529ddbab58c4e1db5ff8a74628fcab31229d08d5ca8431f0daca78e09.exe	Cc4Bozlf9pPGdFf.exe

C:\Users\Admin\AppData\Local\Temp\c0e2c4f529ddbab58c4e1db5ff8a74628fcab31229d08d5ca8431f0daca78e09.exe
"C:\Users\Admin\AppData\Local\Temp\c0e2c4f529ddbab58c4e1db5ff8a74628fcab31229d08d5ca8431f0daca78e09.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\7zS51AA.tmp\Cc4Bozlf9pPGdFf.exe
.\Cc4Bozlf9pPGdFf.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Suspicious behavior: EnumeratesProcesses
PID:1676

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS51AA.tmp\Cc4Bozlf9pPGdFf.dat
Filesize
1KB

MD5
79cc7cade8397c004b23ee028bc9a706

SHA1
370a45ccd4213b05a83bafbefdd96d10fbcd9a60

SHA256
b1ac3113980244c56dfdad2df68cbc019dae6377cfabe294228685988bea3e60

SHA512
86fae22313f98af165a3b113d0c23cecddd2a509cc4d4529a95c0472701718cc1b3741f687eedf6926e8ac0074f3368cfcb76614f4f5eae119684386cc41c64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS51AA.tmp\Cc4Bozlf9pPGdFf.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS51AA.tmp\eohjkphdfajdfhpmdaedemmgmbidbldc\P.js
Filesize
7KB

MD5
05fcb50c063697fb9e2cdecb9fd6f133

SHA1
2a6a24c29434fd81f882ae2472bec04963dbd5e4

SHA256
a7512c2873c41d385a29d4cd9028f6a2b8b7a679e94e0175bc63d80bdbf5546d

SHA512
2f9bb554d2f127fd8646aff0a6f007d8b05ce4e3f026fa03c428ee368d8385e575eed03665bf2b8e5be38caf36b3cc467dc9894698e6bff5cf16641e556fbf6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS51AA.tmp\eohjkphdfajdfhpmdaedemmgmbidbldc\background.html
Filesize
138B

MD5
1f87601796fa3cbcfe357523c6776694

SHA1
22ac49ecab70c09f35ac388f04244e62208c7b6d

SHA256
82aa95cc0fdece5b48bcbabdc4ed95850d2924e846117a8d3533f2b5c9dc9b94

SHA512
b798b9eec2ed97ca40b1f8ba52335fc1c7eab83a4c8581f81717036bb76787f8f0613e3efe19f475741056691425056e49dbad946d8a3665b9d8109c3cefd6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS51AA.tmp\eohjkphdfajdfhpmdaedemmgmbidbldc\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS51AA.tmp\eohjkphdfajdfhpmdaedemmgmbidbldc\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS51AA.tmp\eohjkphdfajdfhpmdaedemmgmbidbldc\manifest.json
Filesize
609B

MD5
740cc048ac99dd1aa96ba06340ade675

SHA1
28b0878219c380408f273e24f8a76c3bec0bbd34

SHA256
4c98c8e27e1b6df76fa6214a9af3a1e8af38524c72a7e2b6e30de9695c4f270a

SHA512
77d4ab3d6d96d65b7c686d295583bad5fff74bedca064da4f97690ffdb661fbfa61897d02120ec82e8ffb503c630bbb5dc8725ca1115ccc10aff009811f86f45

Download Submit
\Users\Admin\AppData\Local\Temp\7zS51AA.tmp\Cc4Bozlf9pPGdFf.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
memory/1092-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1676-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing