2e147140e2ed3c966dd121a2b1d8fe56bffd06c478a63a8b994a707e4fad6d6c

General

Target

2e147140e2ed3c966dd121a2b1d8fe56bffd06c478a63a8b994a707e4fad6d6c.exe
Size

778KB
MD5

9ad01f5b8ca1d4f88f10b2dfc42cd8b8
SHA1

a12740157e8582973eeb1724834eaeb2f02d3528
SHA256

2e147140e2ed3c966dd121a2b1d8fe56bffd06c478a63a8b994a707e4fad6d6c
SHA512

91031f0694eca538f94c09256df877c67a94b34f4ac3c9c14b00a4ae1dc8414f03a72e9cdfb07c39e09d5a97d020e193412f084ad6f6830a3ef6ea7206f67fc9
SSDEEP

24576:h1OYdaOhwkBM0MlnPTdF7/c4TTLWEuhMD:h1OsrM1PrQiLDuiD

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1932	cpfH7NcBMgWXVJu.exe

Loads dropped DLL 1 IoCs

pid	Process
1440	2e147140e2ed3c966dd121a2b1d8fe56bffd06c478a63a8b994a707e4fad6d6c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\adnkagodbfngmdajbbocegjnllfmdaie\194\manifest.json	cpfH7NcBMgWXVJu.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\adnkagodbfngmdajbbocegjnllfmdaie\194\manifest.json	cpfH7NcBMgWXVJu.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\adnkagodbfngmdajbbocegjnllfmdaie\194\manifest.json	cpfH7NcBMgWXVJu.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 1932	1440	2e147140e2ed3c966dd121a2b1d8fe56bffd06c478a63a8b994a707e4fad6d6c.exe	28
PID 1440 wrote to memory of 1932	1440	2e147140e2ed3c966dd121a2b1d8fe56bffd06c478a63a8b994a707e4fad6d6c.exe	28
PID 1440 wrote to memory of 1932	1440	2e147140e2ed3c966dd121a2b1d8fe56bffd06c478a63a8b994a707e4fad6d6c.exe	28
PID 1440 wrote to memory of 1932	1440	2e147140e2ed3c966dd121a2b1d8fe56bffd06c478a63a8b994a707e4fad6d6c.exe	28

C:\Users\Admin\AppData\Local\Temp\2e147140e2ed3c966dd121a2b1d8fe56bffd06c478a63a8b994a707e4fad6d6c.exe
"C:\Users\Admin\AppData\Local\Temp\2e147140e2ed3c966dd121a2b1d8fe56bffd06c478a63a8b994a707e4fad6d6c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Users\Admin\AppData\Local\Temp\7zSE80F.tmp\cpfH7NcBMgWXVJu.exe
  .\cpfH7NcBMgWXVJu.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSE80F.tmp\adnkagodbfngmdajbbocegjnllfmdaie\W.js

Filesize
6KB

MD5
fc6fdd935a9e497d7a14ed6051c6236c

SHA1
1b6fbd2643ae821aba3c18ae28ed4acffdf167ed

SHA256
10a9fe92a4f5532732e157af27f5d3956b5d820b8d3b2ed899e49e230866c488

SHA512
c5c7d8c840a4f0d86d0df28af0054a30ed567d9d5270946b607eaca90b846316daff46a3cb366ffd49798f7bdae109de12e35096b5096e0eac6896be0d9843a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE80F.tmp\adnkagodbfngmdajbbocegjnllfmdaie\background.html

Filesize
138B

MD5
3026b0ad6d0afbb764a8a27343b3939f

SHA1
b5d2d5e95c175ec0f99064f9fec624dfdea9e5af

SHA256
78d4139b86a3b6d4120a2cc842b297836a7105e88e31c0024b70509d75a3e4fe

SHA512
5f41b806a9609f10cb74843e37df8f83a0ce3a4486bc6e7a290565f4e4f0332255c535066a804ab3446c033e5675cc39ea12d075c52ad862f3f91d4bb7c79cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE80F.tmp\adnkagodbfngmdajbbocegjnllfmdaie\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE80F.tmp\adnkagodbfngmdajbbocegjnllfmdaie\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE80F.tmp\adnkagodbfngmdajbbocegjnllfmdaie\manifest.json

Filesize
602B

MD5
1c4ec8777b06b44ac733449636d41237

SHA1
14bf83feb6ee84cfcea24b85722024b7d12f6031

SHA256
e4e7eb22bc46bd3ece4cd3cfd870a3e96bd58dc29ea8926f0fa6889bdd94245d

SHA512
202f498effd0d182e33d0093cd425ccd03892c0e47e9f1c1d2665740530914aedac4c3f1b89b46f69dc830b4e075be0b5a51f775065e0c47214b0bccf6830efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE80F.tmp\cpfH7NcBMgWXVJu.dat

Filesize
1KB

MD5
efa49fd114d4bf4a05d50f09d567680c

SHA1
6a49cde626462db1ec81aefc1077e1aa22f8047a

SHA256
d2620184912c3d178287723f655cf6a09e452e849b4c107e74c5f7e6402a648d

SHA512
319698931df5e954a9bbaefd24b1154410b58c89032550a7da54a473323c8c07ffc270660650f4dea2db7f22a142c92f08960da4ed495287eb83091168e35df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE80F.tmp\cpfH7NcBMgWXVJu.exe

Filesize
631KB

MD5
8580d9d21b9f472b70bbc3a91b2dfb3b

SHA1
ec67fec4cecc50564c4c89db6c305b7c5dc8548e

SHA256
81d9ccdaefd6600fd727ca34ec858a126539e9204c0f842696b186b51ebc8fb0

SHA512
5af5106ebc64fc9df1d75b9f1045010ce60aaa706c5881bac28193dae5524ece55f81cba149076272a275535edab8f098920170f6a4554f92dd07b647f570948

Download Submit
\Users\Admin\AppData\Local\Temp\7zSE80F.tmp\cpfH7NcBMgWXVJu.exe

Filesize
631KB

MD5
8580d9d21b9f472b70bbc3a91b2dfb3b

SHA1
ec67fec4cecc50564c4c89db6c305b7c5dc8548e

SHA256
81d9ccdaefd6600fd727ca34ec858a126539e9204c0f842696b186b51ebc8fb0

SHA512
5af5106ebc64fc9df1d75b9f1045010ce60aaa706c5881bac28193dae5524ece55f81cba149076272a275535edab8f098920170f6a4554f92dd07b647f570948

Download Submit
memory/1440-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1932-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing