a4a7ca31f97b54313c4a2b3ff0fbf2f03836c50067b3fec0c71c8c9819ae49fb

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4a7ca31f97b54313c4a2b3ff0fbf2f03836c50067b3fec0c71c8c9819ae49fb.exe
Size

932KB
MD5

3150ea072b3deeae6871b7c0b38f835e
SHA1

56f0fb8bef76afc9b2f9f71b117cec02668aab48
SHA256

a4a7ca31f97b54313c4a2b3ff0fbf2f03836c50067b3fec0c71c8c9819ae49fb
SHA512

39282b4f4dd572f8213a06d3345b74686e97313536e79e13413b7a57025d416b1f40c30b1bdb63e4a27b6695ae6ae82e0087bb244ea95b5a336f474497718577
SSDEEP

24576:h1OYdaO8CZ/iWCvu/2sWsJA/jlt+DHhsd:h1Os2CpYO/dJJDHhsd

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

b9BYqT8nl1LzygA.exe

pid process

1104 b9BYqT8nl1LzygA.exe
Loads dropped DLL 1 IoCs

Processes:

a4a7ca31f97b54313c4a2b3ff0fbf2f03836c50067b3fec0c71c8c9819ae49fb.exe

pid process

2032 a4a7ca31f97b54313c4a2b3ff0fbf2f03836c50067b3fec0c71c8c9819ae49fb.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2032	a4a7ca31f97b54313c4a2b3ff0fbf2f03836c50067b3fec0c71c8c9819ae49fb.exe

Drops Chrome extension 3 IoCs

Processes:

b9BYqT8nl1LzygA.exe

description	ioc	process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\clbnogandmpblfdcgheifbndlagilnmf\2.0\manifest.json	b9BYqT8nl1LzygA.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\clbnogandmpblfdcgheifbndlagilnmf\2.0\manifest.json	b9BYqT8nl1LzygA.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\clbnogandmpblfdcgheifbndlagilnmf\2.0\manifest.json	b9BYqT8nl1LzygA.exe

Drops file in System32 directory 4 IoCs

Processes:

b9BYqT8nl1LzygA.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	b9BYqT8nl1LzygA.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	b9BYqT8nl1LzygA.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	b9BYqT8nl1LzygA.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	b9BYqT8nl1LzygA.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

b9BYqT8nl1LzygA.exe

pid	process
1104	b9BYqT8nl1LzygA.exe
1104	b9BYqT8nl1LzygA.exe
1104	b9BYqT8nl1LzygA.exe
1104	b9BYqT8nl1LzygA.exe
1104	b9BYqT8nl1LzygA.exe
1104	b9BYqT8nl1LzygA.exe
1104	b9BYqT8nl1LzygA.exe
1104	b9BYqT8nl1LzygA.exe
1104	b9BYqT8nl1LzygA.exe
1104	b9BYqT8nl1LzygA.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

b9BYqT8nl1LzygA.exe

description	pid	process
Token: SeDebugPrivilege	1104	b9BYqT8nl1LzygA.exe
Token: SeDebugPrivilege	1104	b9BYqT8nl1LzygA.exe
Token: SeDebugPrivilege	1104	b9BYqT8nl1LzygA.exe
Token: SeDebugPrivilege	1104	b9BYqT8nl1LzygA.exe
Token: SeDebugPrivilege	1104	b9BYqT8nl1LzygA.exe
Token: SeDebugPrivilege	1104	b9BYqT8nl1LzygA.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a4a7ca31f97b54313c4a2b3ff0fbf2f03836c50067b3fec0c71c8c9819ae49fb.exe

description	pid	process	target process
PID 2032 wrote to memory of 1104	2032	a4a7ca31f97b54313c4a2b3ff0fbf2f03836c50067b3fec0c71c8c9819ae49fb.exe	b9BYqT8nl1LzygA.exe
PID 2032 wrote to memory of 1104	2032	a4a7ca31f97b54313c4a2b3ff0fbf2f03836c50067b3fec0c71c8c9819ae49fb.exe	b9BYqT8nl1LzygA.exe
PID 2032 wrote to memory of 1104	2032	a4a7ca31f97b54313c4a2b3ff0fbf2f03836c50067b3fec0c71c8c9819ae49fb.exe	b9BYqT8nl1LzygA.exe
PID 2032 wrote to memory of 1104	2032	a4a7ca31f97b54313c4a2b3ff0fbf2f03836c50067b3fec0c71c8c9819ae49fb.exe	b9BYqT8nl1LzygA.exe

C:\Users\Admin\AppData\Local\Temp\a4a7ca31f97b54313c4a2b3ff0fbf2f03836c50067b3fec0c71c8c9819ae49fb.exe
"C:\Users\Admin\AppData\Local\Temp\a4a7ca31f97b54313c4a2b3ff0fbf2f03836c50067b3fec0c71c8c9819ae49fb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\7zS3506.tmp\b9BYqT8nl1LzygA.exe
.\b9BYqT8nl1LzygA.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS3506.tmp\b9BYqT8nl1LzygA.dat

Filesize
1KB

MD5
665662dbf57284a9136199bf858a8930

SHA1
a7c358e63ad089232d8b6e0ed289bc18ecb31cdc

SHA256
23258ea5ae391c7a9e75ba4365e9c0b986e41261ec54324a5a967dcf54a5f2a8

SHA512
87c864bce123e04fc5ba5e172a104bb598696a078d00b2a6042475ecc005d46ce0d9f0a3dd46edfeb5502f312c9ceddd9915ca21f9c862fc8cd52f7f336c6eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3506.tmp\b9BYqT8nl1LzygA.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3506.tmp\clbnogandmpblfdcgheifbndlagilnmf\RBTU8hW.js

Filesize
6KB

MD5
5ca72084573b80b1a7fb64502a9f3611

SHA1
3ad5bd894ac758fad69c19ee7fde28b9c3dcf151

SHA256
4600edba441967df85f4521ddabf05c377716d5d90a882c8ea37d1e1c20d1dfb

SHA512
559345ac6cc6f51f1bcc3f86c03d477e9651935d72fd5d637b9d9fd095cdc00e3ea7bca95a4e8918116a98c3b7a8c6a5bb04911456ada4fe87acf6fe2b5024c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3506.tmp\clbnogandmpblfdcgheifbndlagilnmf\background.html

Filesize
144B

MD5
f5e6cd8a80e5af0ce6652d47fdd4a352

SHA1
7758561261c7e34a5c767cf51b394a8568ec8eaf

SHA256
2096400c71fff2ce72ae28c779f1b28bff97082cc5234ec5098e3d78e9f26309

SHA512
83a620b1e96d8f6d23abd11cb343bfe3658a6f949646cc7bf6619dfe01dbb6499b0d49054a3eada5f3e3db0d328af52ea8a5f79c7d6b50aa0fad6227915e4e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3506.tmp\clbnogandmpblfdcgheifbndlagilnmf\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3506.tmp\clbnogandmpblfdcgheifbndlagilnmf\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3506.tmp\clbnogandmpblfdcgheifbndlagilnmf\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3506.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3506.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
e668b1f2ad14923027de015e2f9125e7

SHA1
829fa0015a40b4f9b3fc3d0d1bdfcbe26fc004f8

SHA256
1ad4dc2b66da2a4c0efc14e7fa2f41e9801fe8f5a5cd0a8f3cc34dc4197a1298

SHA512
00cec34bef5f89cd45a84723f4f8230319d38387a9f3a378766901baa3e83c9be109ac205d034a8f9567ca637db518ed7a55b357841baf941b59a50b47328e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3506.tmp\[email protected]\content\bg.js

Filesize
9KB

MD5
2f22c28c0ce996303f432d7f65421c71

SHA1
0da8984f8e7650b91af776303a5e6f6a23a5603d

SHA256
37b2253e073069764238a9066f175e141771965f99266a5cbade02eae9333970

SHA512
02274cbde7a557a57ca8111bec9ad076037432ea34cec0acbdcbcf3c48245460d1df62cdbffee5d472db025ad40b71e8218e1a194de49190cac4bbee107691b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3506.tmp\[email protected]\install.rdf

Filesize
591B

MD5
977d2f9e634f12392978249c7bfdb381

SHA1
7ca58d85d53ea335f41a081015a91979fa2f3fd0

SHA256
6f31f6d1cb0d53a5ab500ffbd4a3fc8b02375c6b984539161f2eb6d01cf33114

SHA512
c8e678fc2273ee628cbd01566284ebfaad6e8edc07675e92e3acac5ba9e600de5962b311fe91962a13fa9482753e33b42fee89f2ba5c726d1f5dee803d9449ad

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3506.tmp\b9BYqT8nl1LzygA.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
memory/1104-56-0x0000000000000000-mapping.dmp

Download
memory/2032-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download