a89f7147beb6e2434818b6c558e7c51559e8fc4cef0d0d97cc582fe2bba56c84

General

Target

a89f7147beb6e2434818b6c558e7c51559e8fc4cef0d0d97cc582fe2bba56c84.exe
Size

778KB
MD5

2f00a27e6af893a57d9e64a8af670900
SHA1

e495cdee4fb86d3745a89d70d8aa713b3bddd993
SHA256

a89f7147beb6e2434818b6c558e7c51559e8fc4cef0d0d97cc582fe2bba56c84
SHA512

294cf0374b3b1f407624b17bd543c4b60530c03281b9ff7efa9844b9dd6e64fd436d9cd7a6a3c6f20d5ac8976870bb731424a734cebb0ded537f70a832df44df
SSDEEP

12288:h1OgLdaOm/5EaQpHXfierkG+GYdT1xiG4jCLrZO:h1OYdaO07QJkxGYNiu4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2232	R9bCjJwJ5R6GtNK.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkikpncfbjndhfkipijhdoddiadaipaa\149\manifest.json	R9bCjJwJ5R6GtNK.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkikpncfbjndhfkipijhdoddiadaipaa\149\manifest.json	R9bCjJwJ5R6GtNK.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkikpncfbjndhfkipijhdoddiadaipaa\149\manifest.json	R9bCjJwJ5R6GtNK.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkikpncfbjndhfkipijhdoddiadaipaa\149\manifest.json	R9bCjJwJ5R6GtNK.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkikpncfbjndhfkipijhdoddiadaipaa\149\manifest.json	R9bCjJwJ5R6GtNK.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 2232	1524	a89f7147beb6e2434818b6c558e7c51559e8fc4cef0d0d97cc582fe2bba56c84.exe	84
PID 1524 wrote to memory of 2232	1524	a89f7147beb6e2434818b6c558e7c51559e8fc4cef0d0d97cc582fe2bba56c84.exe	84
PID 1524 wrote to memory of 2232	1524	a89f7147beb6e2434818b6c558e7c51559e8fc4cef0d0d97cc582fe2bba56c84.exe	84

C:\Users\Admin\AppData\Local\Temp\a89f7147beb6e2434818b6c558e7c51559e8fc4cef0d0d97cc582fe2bba56c84.exe
"C:\Users\Admin\AppData\Local\Temp\a89f7147beb6e2434818b6c558e7c51559e8fc4cef0d0d97cc582fe2bba56c84.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\7zSCC39.tmp\R9bCjJwJ5R6GtNK.exe
  .\R9bCjJwJ5R6GtNK.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  PID:2232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSCC39.tmp\R9bCjJwJ5R6GtNK.dat

Filesize
1KB

MD5
65ae9492b55376dbda8e8a19c040d305

SHA1
1cd3357b115a7876a38f5245dd98513d33017ede

SHA256
dfb12a045a9a49e3ed9fec413cb1b35840b4bf0b3d5703eb437a60ce78118e1f

SHA512
77088671a6e2d5a36a0bff029ac96e362580d27f7e86b8ba688450c52fd6f7415f28094c6b4c6a32d1f89493222eb4e6f127114d0edc8fdc07d7c9b64b972dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC39.tmp\R9bCjJwJ5R6GtNK.exe

Filesize
632KB

MD5
c40cbd955bd3bbbf7de8218b95004eeb

SHA1
fe5fccf0a2166f1fc11812de679d77475e9deb36

SHA256
76dbb3388f2339883bb20fdf6330e77b12f4493976ec5b2649d7427429c92398

SHA512
6fee70cceeee8ba54d3fcda5e94ef3a98f1c51c79673b46081fd00793ad0f99fe0111bdcb7fee2e13aa10a1d51d94a5b41a1426389bc0c6ce0297b93ba3f13ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC39.tmp\R9bCjJwJ5R6GtNK.exe

Filesize
632KB

MD5
c40cbd955bd3bbbf7de8218b95004eeb

SHA1
fe5fccf0a2166f1fc11812de679d77475e9deb36

SHA256
76dbb3388f2339883bb20fdf6330e77b12f4493976ec5b2649d7427429c92398

SHA512
6fee70cceeee8ba54d3fcda5e94ef3a98f1c51c79673b46081fd00793ad0f99fe0111bdcb7fee2e13aa10a1d51d94a5b41a1426389bc0c6ce0297b93ba3f13ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC39.tmp\bkikpncfbjndhfkipijhdoddiadaipaa\background.html

Filesize
143B

MD5
498cb19dfbf9507e325f21bb3e95c0a1

SHA1
842bc2f188cde08401c24b6c55142f5a4f255288

SHA256
0cfe4d6d2d7a56e3abea8c27321d9905458faab6d93b22d8aefbf23b03a37757

SHA512
3a752116f87d0e83ae9eb3c16a583fdabcb5262a0db63d2d03d61d75fcb9ead464687da60d3fabf39f7a851d8e43cb229545de425d19188f64414814435595f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC39.tmp\bkikpncfbjndhfkipijhdoddiadaipaa\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC39.tmp\bkikpncfbjndhfkipijhdoddiadaipaa\k293L7.js

Filesize
6KB

MD5
0d91648461469f2eb47ecb4b9598cd7c

SHA1
fcfaaa28639d44fe2222b7e26548b675814092fe

SHA256
6c206ab2d2888cd03b5e8092c223fee941511a50c0436fb480488dc9994777ee

SHA512
95edada3b8425568d303d1e9d4bb724d10f983be09cd28ccf71f4e9e061ac4112c22ee150d915b71c1bacfea79fbf5cc09ef64b46f6694505117165de3d8c2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC39.tmp\bkikpncfbjndhfkipijhdoddiadaipaa\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC39.tmp\bkikpncfbjndhfkipijhdoddiadaipaa\manifest.json

Filesize
604B

MD5
b9dcb39b29e59c99e991aa0616ecde93

SHA1
bf95e79af7d843a05e2b07bf1a3c8036c48d4cdd

SHA256
2eb08154313c3dcdf5173ea9110ebc41e9fd127867a341d001a65d02440f66d1

SHA512
95e069fa64368df28712d40d4e5c7ce1f2306be1cd0fabbb6e86fb1f16e8e28d63eeda63b43ff7ae990f09c059615ab6d6773fe9740a5fd82d87d4b098c745ec

Download Submit

Analysis

Sharing