ce6aa0b9ed5a807baaab7d346684ab504d6c856fc55f26623c9fb493072a4ee0

Analysis

max time kernel
35s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 19:39 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce6aa0b9ed5a807baaab7d346684ab504d6c856fc55f26623c9fb493072a4ee0.exe
Size

790KB
MD5

ad31862fc7d282e7f85a5cdb500598e6
SHA1

cbb107aae4bfae21f63ab0fe99ddffcce03b274e
SHA256

ce6aa0b9ed5a807baaab7d346684ab504d6c856fc55f26623c9fb493072a4ee0
SHA512

3dcd3609ebd8e5159b7a3bfefd43b884d9f92e25bed5cd2362ecb198c4303e2def898366b7aa340baad05b9d5feb0fd643eddb7e3da5fb33c18caed78f68b169
SSDEEP

12288:h1OgLdaOb5EaQpHXfierkG+GYdT1xiG4jCLrZK:h1OYdaOl7QJkxGYNiuw

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1580	CaUFuVs0ZM41kVr.exe

Loads dropped DLL 1 IoCs

pid	Process
1672	ce6aa0b9ed5a807baaab7d346684ab504d6c856fc55f26623c9fb493072a4ee0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aagkphgjlggdamnbdamilkiejdnejmca\2.0\manifest.json	CaUFuVs0ZM41kVr.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aagkphgjlggdamnbdamilkiejdnejmca\2.0\manifest.json	CaUFuVs0ZM41kVr.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\aagkphgjlggdamnbdamilkiejdnejmca\2.0\manifest.json	CaUFuVs0ZM41kVr.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	CaUFuVs0ZM41kVr.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	CaUFuVs0ZM41kVr.exe
File opened for modification	C:\Windows\System32\GroupPolicy	CaUFuVs0ZM41kVr.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	CaUFuVs0ZM41kVr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1580	CaUFuVs0ZM41kVr.exe
1580	CaUFuVs0ZM41kVr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1580	1672	ce6aa0b9ed5a807baaab7d346684ab504d6c856fc55f26623c9fb493072a4ee0.exe	27
PID 1672 wrote to memory of 1580	1672	ce6aa0b9ed5a807baaab7d346684ab504d6c856fc55f26623c9fb493072a4ee0.exe	27
PID 1672 wrote to memory of 1580	1672	ce6aa0b9ed5a807baaab7d346684ab504d6c856fc55f26623c9fb493072a4ee0.exe	27
PID 1672 wrote to memory of 1580	1672	ce6aa0b9ed5a807baaab7d346684ab504d6c856fc55f26623c9fb493072a4ee0.exe	27

C:\Users\Admin\AppData\Local\Temp\ce6aa0b9ed5a807baaab7d346684ab504d6c856fc55f26623c9fb493072a4ee0.exe
"C:\Users\Admin\AppData\Local\Temp\ce6aa0b9ed5a807baaab7d346684ab504d6c856fc55f26623c9fb493072a4ee0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\7zS5091.tmp\CaUFuVs0ZM41kVr.exe
  .\CaUFuVs0ZM41kVr.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS5091.tmp\CaUFuVs0ZM41kVr.dat

Filesize
1KB

MD5
702500ee653f2c3b3c4479a3689af4fd

SHA1
e175eea542f96f5e5a087a6262366d4698fb685b

SHA256
11446fe1f2b2a4d390dd6741c1706943801bb009757da390019b32db5d6b1c0a

SHA512
ccb64da8653b0386f31cf16f6ecf8ce229e4755780cbeab2d9e6f26e6e9b92396062c60938a578e8586b5c566d661a006d0c8a0732f43a76e862e4a8f64aba1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5091.tmp\CaUFuVs0ZM41kVr.exe

Filesize
632KB

MD5
c40cbd955bd3bbbf7de8218b95004eeb

SHA1
fe5fccf0a2166f1fc11812de679d77475e9deb36

SHA256
76dbb3388f2339883bb20fdf6330e77b12f4493976ec5b2649d7427429c92398

SHA512
6fee70cceeee8ba54d3fcda5e94ef3a98f1c51c79673b46081fd00793ad0f99fe0111bdcb7fee2e13aa10a1d51d94a5b41a1426389bc0c6ce0297b93ba3f13ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5091.tmp\Z3Dv@ygrR.org\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5091.tmp\Z3Dv@ygrR.org\chrome.manifest

Filesize
35B

MD5
bd0840a74f4c26d6e0a2e86e4237e7a1

SHA1
8fdd0b8a72254558c4c5fb71ccfc35b095062a2b

SHA256
298c88bf3595b1392bf06618bb7dac1483fd321acb3b3b2dd7fb1c69cab426d1

SHA512
03944d3dbdd413467246e304c49354cbf641b439e446b1594569f69f5fe69b53b32ed21bcb504cde1412ac6fe26cbc596caaabf305a0a8c12fc4fd174c34b303

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5091.tmp\Z3Dv@ygrR.org\content\bg.js

Filesize
8KB

MD5
f4f897ad47017647beac7f08bb402e53

SHA1
58822c348dcfeaff3e2ac3789539ec839edae399

SHA256
a8d047ef2ce5e9725a98b09d69fe1cbccf0184f0d766d97ac750bb6d0b700552

SHA512
2c66fd92f16303c2be7eb74a456e9547c4d384b8da5f794e494ab0682d37f78c3d7bfe29cfdeea65d8b70e0677050e20c6c38f7c03b73ab8238ef5f1c77a1204

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5091.tmp\Z3Dv@ygrR.org\install.rdf

Filesize
596B

MD5
771fc656e56937cddc547795204f1e03

SHA1
c93525980fbbe6f701752b6d7b4faac909cec455

SHA256
6ceb3efd5406322fcf1ea6fa5a50e50c5ebf7b35963532fa0e6d8a2fc64c9ee8

SHA512
c0db5c80fe24d305ab9ffd779a80d8722c2d41c8fc1d644b4f42b27d18fda6636549beed0a72d86073428dab99110d1fac5dff72df40c8c7e133698a9af60829

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5091.tmp\aagkphgjlggdamnbdamilkiejdnejmca\background.html

Filesize
145B

MD5
bafcc67d6ee6db3d7e1741bb8a6eee32

SHA1
05405f6192e76a532171eec955e01afb9fadd82a

SHA256
15b8ae03c5123037c83836c5ad16e66dff8765edb1a046d4d60beb6a4d7800b9

SHA512
c5eabbdee6af6c5dc13b9bc3fcedf7ea44f132b19ba0c3f5f59a0cc3c5bcf6b15594b180f4daab6099964abfa0e87fb31885ff16a386e90567334439f3c29e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5091.tmp\aagkphgjlggdamnbdamilkiejdnejmca\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5091.tmp\aagkphgjlggdamnbdamilkiejdnejmca\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5091.tmp\aagkphgjlggdamnbdamilkiejdnejmca\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5091.tmp\aagkphgjlggdamnbdamilkiejdnejmca\yHtT3pRI.js

Filesize
6KB

MD5
e22e6157834865f73a291674d029a901

SHA1
bf3a233a08111b4f5899f0abce7f2f0ecaabf092

SHA256
7b421bf785aa340cacd745911b9618b67340ed2cb2e508c7484bd04d2a28854f

SHA512
a2251a0efbe9014c7a002a9695bdf0eed8849a029f06846fcbbb0698434045babff471e3e7f0c283f762d6767e33bd9a1df09467539ce210e6ab4b868e046e35

Download Submit
\Users\Admin\AppData\Local\Temp\7zS5091.tmp\CaUFuVs0ZM41kVr.exe

Filesize
632KB

MD5
c40cbd955bd3bbbf7de8218b95004eeb

SHA1
fe5fccf0a2166f1fc11812de679d77475e9deb36

SHA256
76dbb3388f2339883bb20fdf6330e77b12f4493976ec5b2649d7427429c92398

SHA512
6fee70cceeee8ba54d3fcda5e94ef3a98f1c51c79673b46081fd00793ad0f99fe0111bdcb7fee2e13aa10a1d51d94a5b41a1426389bc0c6ce0297b93ba3f13ba

Download Submit
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download