d8f57d9297582a17b7b271f8c528db019d65be5d9c94e401836588a1e4a9c311

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24-07-2023 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

appeonbrowser.exe
Size

943KB
MD5

6ce6794762e600f20af74e81885dc18b
SHA1

a6c8ce316518a9af2324acfc23e04eb50e400dcf
SHA256

d8f57d9297582a17b7b271f8c528db019d65be5d9c94e401836588a1e4a9c311
SHA512

f50f680625fb3c6355a4de79a79830475f587184562d91c921c62d6a1ca61341c50e16afc6461aacf19f65621ff94bfccd7ce3a011bd6895619d37a097b12f82
SSDEEP

24576:eQiPoMBZ6lh4pEcDSbTNjdTSb4EL0uCWPlXg+p6MX//h18j5:e9PoA6IJSHNjZM0uDhg+lb81

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1796	appeonbrowser.tmp
2920	AppeonMultiBrowser.exe
2972	RunBat.exe
2716	AppeonMultiBrowserLauncher.exe

Loads dropped DLL 7 IoCs

pid	Process
2248	appeonbrowser.exe
1796	appeonbrowser.tmp
1796	appeonbrowser.tmp
1796	appeonbrowser.tmp
1796	appeonbrowser.tmp
1796	appeonbrowser.tmp
2716	AppeonMultiBrowserLauncher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	appeonbrowser.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppeonChromeWebSocketServer = "C:\\Users\\Admin\\AppData\\Local\\Appeon Multi-browser Plug-in\\AppeonMultiBrowserLauncher.exe"	appeonbrowser.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1796	appeonbrowser.tmp
1796	appeonbrowser.tmp
2716	AppeonMultiBrowserLauncher.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1796	appeonbrowser.tmp

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1796	2248	appeonbrowser.exe	28
PID 2248 wrote to memory of 1796	2248	appeonbrowser.exe	28
PID 2248 wrote to memory of 1796	2248	appeonbrowser.exe	28
PID 2248 wrote to memory of 1796	2248	appeonbrowser.exe	28
PID 2248 wrote to memory of 1796	2248	appeonbrowser.exe	28
PID 2248 wrote to memory of 1796	2248	appeonbrowser.exe	28
PID 2248 wrote to memory of 1796	2248	appeonbrowser.exe	28
PID 1796 wrote to memory of 2920	1796	appeonbrowser.tmp	31
PID 1796 wrote to memory of 2920	1796	appeonbrowser.tmp	31
PID 1796 wrote to memory of 2920	1796	appeonbrowser.tmp	31
PID 1796 wrote to memory of 2920	1796	appeonbrowser.tmp	31
PID 1796 wrote to memory of 2972	1796	appeonbrowser.tmp	32
PID 1796 wrote to memory of 2972	1796	appeonbrowser.tmp	32
PID 1796 wrote to memory of 2972	1796	appeonbrowser.tmp	32
PID 1796 wrote to memory of 2972	1796	appeonbrowser.tmp	32
PID 2972 wrote to memory of 1336	2972	RunBat.exe	33
PID 2972 wrote to memory of 1336	2972	RunBat.exe	33
PID 2972 wrote to memory of 1336	2972	RunBat.exe	33
PID 2972 wrote to memory of 1336	2972	RunBat.exe	33
PID 1796 wrote to memory of 2716	1796	appeonbrowser.tmp	35
PID 1796 wrote to memory of 2716	1796	appeonbrowser.tmp	35
PID 1796 wrote to memory of 2716	1796	appeonbrowser.tmp	35
PID 1796 wrote to memory of 2716	1796	appeonbrowser.tmp	35
PID 1796 wrote to memory of 2716	1796	appeonbrowser.tmp	35
PID 1796 wrote to memory of 2716	1796	appeonbrowser.tmp	35
PID 1796 wrote to memory of 2716	1796	appeonbrowser.tmp	35

C:\Users\Admin\AppData\Local\Temp\appeonbrowser.exe
"C:\Users\Admin\AppData\Local\Temp\appeonbrowser.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\is-PTF50.tmp\appeonbrowser.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PTF50.tmp\appeonbrowser.tmp" /SL5="$9001C,708219,61952,C:\Users\Admin\AppData\Local\Temp\appeonbrowser.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\AppeonMultiBrowser.exe
    "C:\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\AppeonMultiBrowser.exe" /win10edge
    3⤵
    - Executes dropped EXE
    PID:2920
- - C:\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\RunBat.exe
    "C:\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\RunBat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\spartan.bat" "
      4⤵
      PID:1336
- - C:\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\AppeonMultiBrowserLauncher.exe
    "C:\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\AppeonMultiBrowserLauncher.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\AppeonMultiBrowser.exe

Filesize
985KB

MD5
0c32959080135bd201d1ec02ec399b6d

SHA1
90dbdb9813aa828a839d84d06c337e2772cc0689

SHA256
48a378ba319956b1bebbdb18f3734d8e543ce19d446e03f23b6f9f6ec71da934

SHA512
df6d5c0c7400e944d0a4f0bbf794a55b9ac60c251ef1010966cb5cc3229cc4ea255bb2d3276fe7e1bcf3a86f8db6eb154b1901f40d7e22d94c4b940675091e4f

Download Submit
C:\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\AppeonMultiBrowser.exe

Filesize
985KB

MD5
0c32959080135bd201d1ec02ec399b6d

SHA1
90dbdb9813aa828a839d84d06c337e2772cc0689

SHA256
48a378ba319956b1bebbdb18f3734d8e543ce19d446e03f23b6f9f6ec71da934

SHA512
df6d5c0c7400e944d0a4f0bbf794a55b9ac60c251ef1010966cb5cc3229cc4ea255bb2d3276fe7e1bcf3a86f8db6eb154b1901f40d7e22d94c4b940675091e4f

Download Submit
C:\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\AppeonMultiBrowserLauncher.exe

Filesize
985KB

MD5
0c32959080135bd201d1ec02ec399b6d

SHA1
90dbdb9813aa828a839d84d06c337e2772cc0689

SHA256
48a378ba319956b1bebbdb18f3734d8e543ce19d446e03f23b6f9f6ec71da934

SHA512
df6d5c0c7400e944d0a4f0bbf794a55b9ac60c251ef1010966cb5cc3229cc4ea255bb2d3276fe7e1bcf3a86f8db6eb154b1901f40d7e22d94c4b940675091e4f

Download Submit
C:\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\AppeonMultiBrowserLauncher.exe

Filesize
985KB

MD5
0c32959080135bd201d1ec02ec399b6d

SHA1
90dbdb9813aa828a839d84d06c337e2772cc0689

SHA256
48a378ba319956b1bebbdb18f3734d8e543ce19d446e03f23b6f9f6ec71da934

SHA512
df6d5c0c7400e944d0a4f0bbf794a55b9ac60c251ef1010966cb5cc3229cc4ea255bb2d3276fe7e1bcf3a86f8db6eb154b1901f40d7e22d94c4b940675091e4f

Download Submit
C:\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\InstallPlugin.dll

Filesize
324KB

MD5
bf529b0e176c7edc9c1ad3e28ed70fed

SHA1
017e17125f93bbf3a66c94cb1db19161ce6a42d0

SHA256
22d736b8898f45f34ba52671f9813bc41ff68eee1d2521423119b697874efa1c

SHA512
0fb03d954767c0a93a67bca18cb59ee1560c7e6c9882267e8dc73c4e30e06d6d2590b20985e2f0e10ef104ca0890a421eaaacc59a40b31fa685a742a6defa7ac

Download Submit
C:\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\RunBat.exe

Filesize
230KB

MD5
4c2e2b053ccc86b737752c693d9e58b2

SHA1
1c7e4fd10a5b3ed0dc6b80c9a571761414bf246f

SHA256
6984bdf3d13a99cd097a16e29dfc9aa3dde64d10365d1fd78f81c86c3c62aabc

SHA512
6e7b26ae1b802193f4d2583865aaebafbc4b17266555c559dd4fa1ed15cbe1a3e571ffba8c7e3e75fbe6fba509f67ab4a5af874f8442a51d84a317271c241798

Download Submit
C:\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\RunBat.exe

Filesize
230KB

MD5
4c2e2b053ccc86b737752c693d9e58b2

SHA1
1c7e4fd10a5b3ed0dc6b80c9a571761414bf246f

SHA256
6984bdf3d13a99cd097a16e29dfc9aa3dde64d10365d1fd78f81c86c3c62aabc

SHA512
6e7b26ae1b802193f4d2583865aaebafbc4b17266555c559dd4fa1ed15cbe1a3e571ffba8c7e3e75fbe6fba509f67ab4a5af874f8442a51d84a317271c241798

Download Submit
C:\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\appeoncert.cer

Filesize
1KB

MD5
34f2047a158e9af49fff369ad58bb730

SHA1
d3809e8747a32b78718960764678ce983a8029d3

SHA256
bc966b98197dd204acd7455c775f7d362ba4960881a880ec5c8c48d15abdec37

SHA512
b7e835568304747b79016da25de1f7049a9cb0124e9e057c30d565c71808e3380a53f21f27fd4e0c269bdf1565e3f3de8214fafdd2d7d5f031c404f3c91b1341

Download Submit
C:\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\key.pem

Filesize
1KB

MD5
4329745ccf0a87edad74303c839ce805

SHA1
9ab5071598d56781f853b0ab7c11bfd595abf855

SHA256
ce978ff998816abe9e8ea00b19fc208620eafcc6572f445409691feda2c26ab2

SHA512
cc63c0dece47e726c6cbe5cb794926a179a1ade86ea498e1bdb7c30052f55f5578333ae810c6b7624eea799ec08c6fd953c1e56f19d1b09dca8b29cddce811c6

Download Submit
C:\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\spartan.bat

Filesize
164B

MD5
fb51f657475c59a4fa2218938a3899dd

SHA1
454ea3c27731dc63b1986624e9bfb7fbfefdc310

SHA256
d9d8c8b3ab2cb51f22b9f55c311e9a09788c67c9a33d6a0d9b81936f6f06056a

SHA512
100ce7783d37bf4265d1dc80d3e8a2d6b508a469eb0a4419b9633466b3932b4ea7d5db0ff741e25bdea1ecf794b855646b43bf81acfe16daf0e0c6404255b988

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PTF50.tmp\appeonbrowser.tmp

Filesize
699KB

MD5
168ef028377827870bdd34c159f1e473

SHA1
a089de7ef0cff8b389c3977c0dd42b6ad2377746

SHA256
862e2e0082d71b32a61263b1809d88d2a2739167905a66ebf59e9e94e165afa7

SHA512
13ffab674629ccdcd1ff5ded2e34945c6365e3dbeee2c858c1bad96b6ee4d09e97add3f8166a0eee057a385ba54d73b28b2d9b22d08d625609b64d8123459d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PTF50.tmp\appeonbrowser.tmp

Filesize
699KB

MD5
168ef028377827870bdd34c159f1e473

SHA1
a089de7ef0cff8b389c3977c0dd42b6ad2377746

SHA256
862e2e0082d71b32a61263b1809d88d2a2739167905a66ebf59e9e94e165afa7

SHA512
13ffab674629ccdcd1ff5ded2e34945c6365e3dbeee2c858c1bad96b6ee4d09e97add3f8166a0eee057a385ba54d73b28b2d9b22d08d625609b64d8123459d4e

Download Submit
\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\AppeonMultiBrowser.exe

Filesize
985KB

MD5
0c32959080135bd201d1ec02ec399b6d

SHA1
90dbdb9813aa828a839d84d06c337e2772cc0689

SHA256
48a378ba319956b1bebbdb18f3734d8e543ce19d446e03f23b6f9f6ec71da934

SHA512
df6d5c0c7400e944d0a4f0bbf794a55b9ac60c251ef1010966cb5cc3229cc4ea255bb2d3276fe7e1bcf3a86f8db6eb154b1901f40d7e22d94c4b940675091e4f

Download Submit
\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\AppeonMultiBrowserLauncher.exe

Filesize
985KB

MD5
0c32959080135bd201d1ec02ec399b6d

SHA1
90dbdb9813aa828a839d84d06c337e2772cc0689

SHA256
48a378ba319956b1bebbdb18f3734d8e543ce19d446e03f23b6f9f6ec71da934

SHA512
df6d5c0c7400e944d0a4f0bbf794a55b9ac60c251ef1010966cb5cc3229cc4ea255bb2d3276fe7e1bcf3a86f8db6eb154b1901f40d7e22d94c4b940675091e4f

Download Submit
\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\InstallPlugin.dll

Filesize
324KB

MD5
bf529b0e176c7edc9c1ad3e28ed70fed

SHA1
017e17125f93bbf3a66c94cb1db19161ce6a42d0

SHA256
22d736b8898f45f34ba52671f9813bc41ff68eee1d2521423119b697874efa1c

SHA512
0fb03d954767c0a93a67bca18cb59ee1560c7e6c9882267e8dc73c4e30e06d6d2590b20985e2f0e10ef104ca0890a421eaaacc59a40b31fa685a742a6defa7ac

Download Submit
\Users\Admin\AppData\Local\Appeon Multi-browser Plug-in\RunBat.exe

Filesize
230KB

MD5
4c2e2b053ccc86b737752c693d9e58b2

SHA1
1c7e4fd10a5b3ed0dc6b80c9a571761414bf246f

SHA256
6984bdf3d13a99cd097a16e29dfc9aa3dde64d10365d1fd78f81c86c3c62aabc

SHA512
6e7b26ae1b802193f4d2583865aaebafbc4b17266555c559dd4fa1ed15cbe1a3e571ffba8c7e3e75fbe6fba509f67ab4a5af874f8442a51d84a317271c241798

Download Submit
\Users\Admin\AppData\Local\Temp\is-GU6IQ.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-GU6IQ.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-PTF50.tmp\appeonbrowser.tmp

Filesize
699KB

MD5
168ef028377827870bdd34c159f1e473

SHA1
a089de7ef0cff8b389c3977c0dd42b6ad2377746

SHA256
862e2e0082d71b32a61263b1809d88d2a2739167905a66ebf59e9e94e165afa7

SHA512
13ffab674629ccdcd1ff5ded2e34945c6365e3dbeee2c858c1bad96b6ee4d09e97add3f8166a0eee057a385ba54d73b28b2d9b22d08d625609b64d8123459d4e

Download Submit
memory/1796-72-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1796-71-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1796-62-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1796-124-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2248-69-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2248-55-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2248-126-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download