20eefaac6a4b66d018a6c3ac42bfc5978327f98bb89b68d5b152378e19191d19

Analysis

max time kernel
359s
max time network
454s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20eefaac6a4b66d018a6c3ac42bfc5978327f98bb89b68d5b152378e19191d19.exe
Size

2.1MB
MD5

b0e5f882b4ea113fa011fc54e96989e3
SHA1

31b2920f4f33366155bb4181cf92e3984c381c5d
SHA256

20eefaac6a4b66d018a6c3ac42bfc5978327f98bb89b68d5b152378e19191d19
SHA512

7c08f2f0af7c60aead87a5b785caa1e7e6df16e2122b87a258cc38c1836a451f9ff24229514e7836edb5b9a15316db6eaf6b139960e13b4dab6fc3b67a610958
SSDEEP

49152:h1Os8hvaZG1MVEtzijkTvu2x/uw4B8FHFF6I:h1OTvaxMziy3D

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
808	p0ojBTkCLB46fm7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofkilcjmhhglmniacplooepfcpcnpmbi\200\manifest.json	p0ojBTkCLB46fm7.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofkilcjmhhglmniacplooepfcpcnpmbi\200\manifest.json	p0ojBTkCLB46fm7.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofkilcjmhhglmniacplooepfcpcnpmbi\200\manifest.json	p0ojBTkCLB46fm7.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofkilcjmhhglmniacplooepfcpcnpmbi\200\manifest.json	p0ojBTkCLB46fm7.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofkilcjmhhglmniacplooepfcpcnpmbi\200\manifest.json	p0ojBTkCLB46fm7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 808	4904	20eefaac6a4b66d018a6c3ac42bfc5978327f98bb89b68d5b152378e19191d19.exe	82
PID 4904 wrote to memory of 808	4904	20eefaac6a4b66d018a6c3ac42bfc5978327f98bb89b68d5b152378e19191d19.exe	82
PID 4904 wrote to memory of 808	4904	20eefaac6a4b66d018a6c3ac42bfc5978327f98bb89b68d5b152378e19191d19.exe	82

C:\Users\Admin\AppData\Local\Temp\20eefaac6a4b66d018a6c3ac42bfc5978327f98bb89b68d5b152378e19191d19.exe
"C:\Users\Admin\AppData\Local\Temp\20eefaac6a4b66d018a6c3ac42bfc5978327f98bb89b68d5b152378e19191d19.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\7zS3782.tmp\p0ojBTkCLB46fm7.exe
  .\p0ojBTkCLB46fm7.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS3782.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3782.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
2aced921a5e085e5c0cf7c70bcff2f40

SHA1
3dd559880994217d6163cac7a87fd81d3c5fec79

SHA256
2a85e5a159e4310b26e8cd0c79553303bd50f2cc032a951439c852e444483d2c

SHA512
e142b50307ed1cab814a0a30148843d430db514b79645270e16dfc81bed8dd8cf8269d02dba3898c1e9e8c012779a86fc51f0de41a009df4493093b9a2b6763d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3782.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
48106dd53c210cac3ef3936ae11a6ff0

SHA1
c0e79ea7fae8dd55a9a0e0720904797dbc5b175e

SHA256
e85b5bc3738b5b104f554cea7e0f4d60d408871ce19f711d14a5e1006c6454ab

SHA512
7425860740238c78db04dad86af69234eeee88b344fb6f4834d8dbf5e9629d1790a6dd342b4f1bb886ef0cbed4a63f3147f142adc7ad93fa91bd27a5269c161a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3782.tmp\[email protected]\install.rdf

Filesize
608B

MD5
f3d01d6372a6964702063920a1d7e15d

SHA1
8829f29a89bb956b8e7f1718171b788f8493306c

SHA256
f5893a2985cf0752a779bfd619d7ad36e33491d8ec4fb141d22a1c23a529ff87

SHA512
b43ee69fae44a8d1502e94168b7b46c6a02d09bf4ef17559c04ee8f46c4d3ddc056b6677219ca8bbc471e096c5050bda30ff2b20490b5fa877372c4793734e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3782.tmp\ofkilcjmhhglmniacplooepfcpcnpmbi\background.html

Filesize
140B

MD5
996943e1d102f53f2b8dfa390a9c1078

SHA1
911add610ea62e6bc22d016dd62d957016cdee71

SHA256
d3c3d4b51f07e7e360f66427d4e0eb40bfc9947418ffcf7d24137e21d34af5c5

SHA512
79c85da6c7ce895caf52963a3b4a24234bd61f8b109dbc278321e0eeb4c28915e7a62bf7baa7fe02c90e44755ce57c8eb91f943e0d87b01ea184172d6e5ef859

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3782.tmp\ofkilcjmhhglmniacplooepfcpcnpmbi\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3782.tmp\ofkilcjmhhglmniacplooepfcpcnpmbi\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3782.tmp\ofkilcjmhhglmniacplooepfcpcnpmbi\manifest.json

Filesize
509B

MD5
7b82091172334e7309e76969f776e938

SHA1
0441248b05b232c5d82c92a44f376a90c86ac760

SHA256
3d20b3564a2af6779cd09feb0a73e4c289b84caa239ab945b6c4dfdd89a7bb23

SHA512
75b156ffd4c7101f34a66cc47a1fa9a3511f331899f9acda793dea5104f8df33206c8616b5ebfacd5d1366650f64e59ae48dc5e159d49b1eeed702d5dc6f4308

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3782.tmp\ofkilcjmhhglmniacplooepfcpcnpmbi\nDA.js

Filesize
5KB

MD5
729bbbd9d81eea7d98636a7399917bcd

SHA1
c36523045fab7faf0509dd4f39bc3e2507834bed

SHA256
ed68f7b0fa2bc01fcfbfb35297e3119345faa3c64bb2c872e6bc80bd3ab410b4

SHA512
8759872c3567133a32e0d569f0ba211b2c40347ddb0588be1298a191853e8b7ae37ceab346c6bf40939b0fd98ab24ef58e5fe7403ab88c899d273d8ec0d5b842

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3782.tmp\p0ojBTkCLB46fm7.dat

Filesize
6KB

MD5
b9c6a01269824e904026aac49b60ae05

SHA1
05154a6a4673f42fd23995a92731c1d5abf7964e

SHA256
4c427bb5c4f8950c12d0e40451876a403cd52013bf5d64366592047ac70c386d

SHA512
3a666647b96040a643e1d6779e477a81bd9afa8601c026e516cb9dc3d794b5fa5036c143b23ff2662bc4b7a0b2a243534740e9cd32a04b27b07880e6dedffd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3782.tmp\p0ojBTkCLB46fm7.exe

Filesize
634KB

MD5
bd1503d4eaae5e7f2a8cdbd9a88ec02a

SHA1
730280a7839bb46bdeeaa47797d926f8d57e1da1

SHA256
724380928512fc5261d5f42e64f7705fcdeae1410f24a8ec6b0a2ba783675cb4

SHA512
0dc06ce8e78f6b0ebbe65723791ea4ffde8a9d55534dda1b02e81f1a109fce77f26e4bdfb9fd18b5ca9f4d9ff2454e6b05eca325539148512f762b5d2f225c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3782.tmp\p0ojBTkCLB46fm7.exe

Filesize
634KB

MD5
bd1503d4eaae5e7f2a8cdbd9a88ec02a

SHA1
730280a7839bb46bdeeaa47797d926f8d57e1da1

SHA256
724380928512fc5261d5f42e64f7705fcdeae1410f24a8ec6b0a2ba783675cb4

SHA512
0dc06ce8e78f6b0ebbe65723791ea4ffde8a9d55534dda1b02e81f1a109fce77f26e4bdfb9fd18b5ca9f4d9ff2454e6b05eca325539148512f762b5d2f225c7b

Download Submit