7d1488961d0407f9095739824e5cff629afa067ed5e35403006e3cc0812c94a4

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
11/08/2023, 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d1488961d0407f9095739824e5cff629afa067ed5e35403006e3cc0812c94a4.dll
Size

1.5MB
MD5

379046f1fa4489686c19d45265609998
SHA1

0aae8f309766986ae8beb9d8ba14f8dd4047bf91
SHA256

7d1488961d0407f9095739824e5cff629afa067ed5e35403006e3cc0812c94a4
SHA512

6e3dd828f3119fdd75422119271d52032d5b7a338dd06b5db1e43478d3cc1f068f0cbe65c76a9076bde640fc501f6002eaa583f03a08ad1602f1e3f5f687c197
SSDEEP

24576:ErSt7WN5l12bUU3sollRPBLcEVLRn/1WZoh3oLCiiEPeXjTm4nZTUZWIHy0jSOhf:rtyNT14Rfc6h8C8yO4ZgW6NzHTojV2r

Score

8^/10

spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2424	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gefpceefdmmojbgmfmnkeanmpclobjgj\1.0.13_0\manifest.json	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2424	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2424	2852	rundll32.exe	28
PID 2852 wrote to memory of 2424	2852	rundll32.exe	28
PID 2852 wrote to memory of 2424	2852	rundll32.exe	28
PID 2852 wrote to memory of 2424	2852	rundll32.exe	28
PID 2852 wrote to memory of 2424	2852	rundll32.exe	28
PID 2852 wrote to memory of 2424	2852	rundll32.exe	28
PID 2852 wrote to memory of 2424	2852	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d1488961d0407f9095739824e5cff629afa067ed5e35403006e3cc0812c94a4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d1488961d0407f9095739824e5cff629afa067ed5e35403006e3cc0812c94a4.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Drops Chrome extension
  - Suspicious behavior: EnumeratesProcesses
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qs_2424_31683\gefpceefdmmojbgmfmnkeanmpclobjgj\img\logo_def.png

Filesize
1KB

MD5
323a52a3716ee74e6875c789ab60929a

SHA1
28a2c9051fc91dd88edfb6fe03448cd17969d3e0

SHA256
7391eda33020118e331316670091d6c25a3761ec516031cbb2f34c9ce33d896b

SHA512
b9e5d3fb4a06b400e50a03ff0184557e57a6dd0b46ebf641664b07e90188070ece935991bdb44475d4c654bf8a633e9e83fc8a850deb1db5c30a1402ca578d4d

Download Submit