e602e10060cff00c86447403a58939695f12af586e89cc8b18daf36c556dd3d4

General

Target

e602e10060cff00c86447403a58939695f12af586e89cc8b18daf36c556dd3d4.exe
Size

779KB
MD5

9f49665018215bb52edd1f83d7a3e911
SHA1

30fc77c613dc0154c183c10d6c3a0c3bde5b7c3f
SHA256

e602e10060cff00c86447403a58939695f12af586e89cc8b18daf36c556dd3d4
SHA512

5fae5817f671186ff12f6bf82a88bf1952f271daea64b51800edb33aef3d28b16bb8709689af1976ffbd75d2b51b051860a69ecab9135a118e217b267ea5ff88
SSDEEP

12288:h1OgLdaOo5EaQpHXfierkG+GYdT1xiG4jCLrZJ:h1OYdaOa7QJkxGYNiub

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ZCjgxcGZPliUnjN.exe

pid process

1720 ZCjgxcGZPliUnjN.exe
Loads dropped DLL 1 IoCs

Processes:

e602e10060cff00c86447403a58939695f12af586e89cc8b18daf36c556dd3d4.exe

pid process

1672 e602e10060cff00c86447403a58939695f12af586e89cc8b18daf36c556dd3d4.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1720	ZCjgxcGZPliUnjN.exe

pid	process
1672	e602e10060cff00c86447403a58939695f12af586e89cc8b18daf36c556dd3d4.exe

Drops Chrome extension 3 IoCs

Processes:

ZCjgxcGZPliUnjN.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojmmnceaidnmminjjffpndcbdibelgam\155\manifest.json	ZCjgxcGZPliUnjN.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojmmnceaidnmminjjffpndcbdibelgam\155\manifest.json	ZCjgxcGZPliUnjN.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojmmnceaidnmminjjffpndcbdibelgam\155\manifest.json	ZCjgxcGZPliUnjN.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e602e10060cff00c86447403a58939695f12af586e89cc8b18daf36c556dd3d4.exe

description	pid	process	target process
PID 1672 wrote to memory of 1720	1672	e602e10060cff00c86447403a58939695f12af586e89cc8b18daf36c556dd3d4.exe	ZCjgxcGZPliUnjN.exe
PID 1672 wrote to memory of 1720	1672	e602e10060cff00c86447403a58939695f12af586e89cc8b18daf36c556dd3d4.exe	ZCjgxcGZPliUnjN.exe
PID 1672 wrote to memory of 1720	1672	e602e10060cff00c86447403a58939695f12af586e89cc8b18daf36c556dd3d4.exe	ZCjgxcGZPliUnjN.exe
PID 1672 wrote to memory of 1720	1672	e602e10060cff00c86447403a58939695f12af586e89cc8b18daf36c556dd3d4.exe	ZCjgxcGZPliUnjN.exe

C:\Users\Admin\AppData\Local\Temp\e602e10060cff00c86447403a58939695f12af586e89cc8b18daf36c556dd3d4.exe
"C:\Users\Admin\AppData\Local\Temp\e602e10060cff00c86447403a58939695f12af586e89cc8b18daf36c556dd3d4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\7zS1A45.tmp\ZCjgxcGZPliUnjN.exe
.\ZCjgxcGZPliUnjN.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
PID:1720

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS1A45.tmp\ZCjgxcGZPliUnjN.dat
Filesize
1KB

MD5
67fe1f14225e896e8b6d29ae79879ac6

SHA1
1fcff508e8adf6362d451d4b76a1bcd45bc70b67

SHA256
ece981267a58bbd74abc97f81f05f3e22cb99ec5c17f7b1b321fc26a17a46b6c

SHA512
b40f8306d44cb748d557a6df0e43010639224fe453212b15fc160c199bf585df17c14fc403a6fe34a2856849adc9499c2794744cca46c16bfc73310240b4dfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1A45.tmp\ZCjgxcGZPliUnjN.exe
Filesize
632KB

MD5
c40cbd955bd3bbbf7de8218b95004eeb

SHA1
fe5fccf0a2166f1fc11812de679d77475e9deb36

SHA256
76dbb3388f2339883bb20fdf6330e77b12f4493976ec5b2649d7427429c92398

SHA512
6fee70cceeee8ba54d3fcda5e94ef3a98f1c51c79673b46081fd00793ad0f99fe0111bdcb7fee2e13aa10a1d51d94a5b41a1426389bc0c6ce0297b93ba3f13ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1A45.tmp\ojmmnceaidnmminjjffpndcbdibelgam\FPL3z.js
Filesize
6KB

MD5
6cb9cc2f21f01e59223c62d538d6d5de

SHA1
c8875a19cf1d59de891c06ff772a955b5a6cfd3a

SHA256
19fad6a6ab48927f15cea29b5fb823339645ecdd8f129941604f0ddaad695c05

SHA512
51849c946c8e5678b27fb3c788e2902242f66fe2fb5150af831ab07904ed03873e7d1114d187c034b47fe13500d21f81356bdb3caa7e989e5d15999e37ced6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1A45.tmp\ojmmnceaidnmminjjffpndcbdibelgam\background.html
Filesize
142B

MD5
a19ed8836763a8a3506b6ed1ae1dbe36

SHA1
96411f94fe7b4e1adc29532fddcf17d121bcec6b

SHA256
791697cfb928b836c268c0a774a7d9554c56267e14169d528aab0637744d94cf

SHA512
980de81412a85127a83e9a1e06d8a3a5c95e60183da5d3b76ec0bd422c67c1c461904f3ea055502412040913802a6f5ae0f003ab063f9b1d13474d24def25b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1A45.tmp\ojmmnceaidnmminjjffpndcbdibelgam\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1A45.tmp\ojmmnceaidnmminjjffpndcbdibelgam\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1A45.tmp\ojmmnceaidnmminjjffpndcbdibelgam\manifest.json
Filesize
602B

MD5
a6a8f185e80b322e7bae7836244e0247

SHA1
82d2b57031d63666500f9518668b37da76b1ebdd

SHA256
7b3f7dc190683c08e04be8f59684ee5f0ab07f313a9c2a271d7668f42c21a498

SHA512
63b2604e763ee3272b73653aa62f360200a062ef4c87c15b3a64fa26fbeb359813c4707ad4860ae54445f3b8e3e770cf389fbf5ed2cfb2491093f09466553f24

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1A45.tmp\ZCjgxcGZPliUnjN.exe
Filesize
632KB

MD5
c40cbd955bd3bbbf7de8218b95004eeb

SHA1
fe5fccf0a2166f1fc11812de679d77475e9deb36

SHA256
76dbb3388f2339883bb20fdf6330e77b12f4493976ec5b2649d7427429c92398

SHA512
6fee70cceeee8ba54d3fcda5e94ef3a98f1c51c79673b46081fd00793ad0f99fe0111bdcb7fee2e13aa10a1d51d94a5b41a1426389bc0c6ce0297b93ba3f13ba

Download Submit
memory/1672-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1720-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing