7d1488961d0407f9095739824e5cff629afa067ed5e35403006e3cc0812c94a4

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2023, 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d1488961d0407f9095739824e5cff629afa067ed5e35403006e3cc0812c94a4.dll
Size

1.5MB
MD5

379046f1fa4489686c19d45265609998
SHA1

0aae8f309766986ae8beb9d8ba14f8dd4047bf91
SHA256

7d1488961d0407f9095739824e5cff629afa067ed5e35403006e3cc0812c94a4
SHA512

6e3dd828f3119fdd75422119271d52032d5b7a338dd06b5db1e43478d3cc1f068f0cbe65c76a9076bde640fc501f6002eaa583f03a08ad1602f1e3f5f687c197
SSDEEP

24576:ErSt7WN5l12bUU3sollRPBLcEVLRn/1WZoh3oLCiiEPeXjTm4nZTUZWIHy0jSOhf:rtyNT14Rfc6h8C8yO4ZgW6NzHTojV2r

Score

8^/10

spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	2240	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gefpceefdmmojbgmfmnkeanmpclobjgj\1.0.13_0\manifest.json	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe
2240	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 2240	4012	rundll32.exe	82
PID 4012 wrote to memory of 2240	4012	rundll32.exe	82
PID 4012 wrote to memory of 2240	4012	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d1488961d0407f9095739824e5cff629afa067ed5e35403006e3cc0812c94a4.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d1488961d0407f9095739824e5cff629afa067ed5e35403006e3cc0812c94a4.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Drops Chrome extension
  - Suspicious behavior: EnumeratesProcesses
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\gefpceefdmmojbgmfmnkeanmpclobjgj\1.0.13_0\img\logo128.png

Filesize
4KB

MD5
2dcb095aaca9f2d9f419546087d4d436

SHA1
c27be2e842a6d7d632f0fd82f653f6e7ad93b58a

SHA256
937ce536f22cbaee8b820ad80b9c552816cb59d11e4c55a5852dbc2fc7ccb8cf

SHA512
00a99dcfeea215172fe67ed39c4886765b24f8a2a01799b998029f821612151b54d2ab415d1c4686d4961ef518058b230159deea916ec67c8faa938b7c49e26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qs_2240_11005\gefpceefdmmojbgmfmnkeanmpclobjgj\_metadata\computed_hashes.json

Filesize
4KB

MD5
a8a3845a6fd51b78c2df013148cd93ca

SHA1
3fb18a55053d83347aceaa14fd8d2d543f822c79

SHA256
d332f6b67ca66a81088acbeca0aacc0b48b88ac7492e982be69d1fb26a47a45a

SHA512
ac2d235a254182a87d5981abace05bb24d51329b388c329766498f52786b78056156e77dc1615869b4683f18ab32bd9e3a8baabe99016edeb2f5ef53a2d63c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\qs_2240_11005\gefpceefdmmojbgmfmnkeanmpclobjgj\_metadata\verified_contents.json

Filesize
3KB

MD5
7adb225924ad30a29296d983a9f57b76

SHA1
8975b615b3fce3c3e19c457ba6ba606fd8af2361

SHA256
ad56abbd4745dd325b820bfff11a3d722bd21018dd5e9878d4575fce638e15af

SHA512
de5ccf7f52ede138606ab766890568a88d5ae4956d0f1c5cd393462bc3d3ca587fc5f1fd721c00662fbf071ffa571aef334cb1b0724b2d40a9d6a281cb677e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\qs_2240_11005\gefpceefdmmojbgmfmnkeanmpclobjgj\background.html

Filesize
231B

MD5
746812c8ba69a3e865ea01e633dbb5d8

SHA1
5ce303860a9bd74eb2faae54ce1129dc3b7307e9

SHA256
c088528618ca3be10b1dc4510bc1b275967b24f77f71100fa98b94e8920eab3a

SHA512
4a823bade387eb6ee244cedcd4eeb05347825708fe4ee3f0be2e0aa0a2704b87af240a8b7578b314b2afeedf793e2090ce4bc81ee49f59d3836f2f675e5e9be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qs_2240_11005\gefpceefdmmojbgmfmnkeanmpclobjgj\css\index.css

Filesize
2KB

MD5
a623d197330b6a19a21b97f68199a18d

SHA1
2632ef19b15af15747d8956054d2adec9a4540ef

SHA256
a415e3764664a37a5c80c12e1d555dcb86f060575481a767e0bbf83774935556

SHA512
3e11551c3449459b5c5a636f37a8ff51f7864a3b5f1f23c3d77fd92167f1a9b5c2d7e890f3dce8b1045551091b30c34e71688c1966c66b520049ae6b09c4af15

Download Submit
C:\Users\Admin\AppData\Local\Temp\qs_2240_11005\gefpceefdmmojbgmfmnkeanmpclobjgj\css\notice.css

Filesize
244B

MD5
49a723fdc81292cf0a4bd676b439b973

SHA1
b9986c2d06402fa10bb26e59e51d0f76fd9f5bfe

SHA256
5a0710d59197824ef8c3c9c1b9de9fe6c9cc3039083e04a7e78b763812cee8f2

SHA512
66d8028b2ee6edfcf4ef80d24467927216294685e267f3806aa7fe9602d962835fd7e80d9614c3489375577b73b7996b0dba51ab963ae3a727cd22451dd2c268

Download Submit
C:\Users\Admin\AppData\Local\Temp\qs_2240_11005\gefpceefdmmojbgmfmnkeanmpclobjgj\img\logo32.png

Filesize
1KB

MD5
323a52a3716ee74e6875c789ab60929a

SHA1
28a2c9051fc91dd88edfb6fe03448cd17969d3e0

SHA256
7391eda33020118e331316670091d6c25a3761ec516031cbb2f34c9ce33d896b

SHA512
b9e5d3fb4a06b400e50a03ff0184557e57a6dd0b46ebf641664b07e90188070ece935991bdb44475d4c654bf8a633e9e83fc8a850deb1db5c30a1402ca578d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qs_2240_11005\gefpceefdmmojbgmfmnkeanmpclobjgj\img\logo48.png

Filesize
1KB

MD5
947e74dedc4ed9ff4961c49a8df663ef

SHA1
8e7023ccaab5b682161c23f307c5e41b2a8b1b1f

SHA256
fca8d44d2378a1c6718df224ab2a56226d8b4303a5b88548e19e724348106adc

SHA512
15ff5b94fa1de2107b73049d63f6c44248ad83d7cda06ed8a3ce6871ca37925e667ca1d4942e05631f1568293dad371202ecca2e93fce16c3be1d73ac9a01ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qs_2240_11005\gefpceefdmmojbgmfmnkeanmpclobjgj\img\logo64.png

Filesize
2KB

MD5
a58b93ac921da7a2239346df36d44cae

SHA1
f20c4eee69be2c44b837fa7b7d2ed357a5dc1471

SHA256
d592ead27f29f5b9a002ab473b1e5f45f3a5c0a3b41f6b494d71f133971d9e2e

SHA512
f5cc347a838890ccc8257a6c1a972910089ec0e64fc78d73a24e2bfbab6ca646a3a90a3dd75ec80e7ba0a1230fa0c267bb578e2554fa41922ecdb35495e8d40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qs_2240_11005\gefpceefdmmojbgmfmnkeanmpclobjgj\img\logo96.png

Filesize
3KB

MD5
b519bb8e3f4a291cb60433480ce8b3cb

SHA1
e668dfef2d2f5d20876f94af319ad651432b3d30

SHA256
2c38ed3a84470dd2763db093145c4d7cd10d4724651f75efde6e42d094aa69c8

SHA512
1794243eeb41f5ee3678f4fff27f321b00f44b15ad9c807aa52b8cbb5a3d1898376048649ec60f5c14ad6ae02746b8e35966177f19318e3321b54136c1b8b19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qs_2240_11005\gefpceefdmmojbgmfmnkeanmpclobjgj\js\bg.js

Filesize
13KB

MD5
4b17e71844fc01d826aa9eb55072aa06

SHA1
4851bedacca51792ed58cd8f637471d7e0e34af5

SHA256
81ed495f818ea2277e03ad7343290ef802e5b710c05310126c09ad5ee5026a8f

SHA512
7b98796472a263a6827eda75a0382643646cccb73736582a9a1abddca59f099188a82bfbadc0783ae7cc5bb57de7979ac5b83cdfe87aa8d0c1e7d3f6fd1e46cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qs_2240_11005\gefpceefdmmojbgmfmnkeanmpclobjgj\js\common.js

Filesize
1KB

MD5
e89557e0f922f33f9d853159f9dcd677

SHA1
4d171421585eb751c93b3bcead821a92db8de6d9

SHA256
64e39c79f6f920c18a780e7ee3bf6f174ce82a5fa36f8a24f7cf9a35662b6244

SHA512
593109ecfbaaffcb0f0720e24369248a69837bbf9c0f7fbe8cebeead51726c6902d6f1a7213edf0c8d8577ea54fe3940bc3618aec72529229fc22c72f1889d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\qs_2240_11005\gefpceefdmmojbgmfmnkeanmpclobjgj\js\jquery.js

Filesize
94KB

MD5
0fca26b5a37a66d68d0f4406976be4b5

SHA1
ee000eb654b3bd37185665d3901e93b34ce1aa52

SHA256
8c2812ded6436715279f8fd8db58de307aa39ab0296fe3cf0e879067c51e9b18

SHA512
cf010995991a8f8b50cfb4b466d3b457b0a6addc4f2fd96c48c33d40ac251de400894828ccd99662b13fc9ca25c676ef0aee05faa4910530ff9996d03c411645

Download Submit
C:\Users\Admin\AppData\Local\Temp\qs_2240_11005\gefpceefdmmojbgmfmnkeanmpclobjgj\js\notice.js

Filesize
1KB

MD5
90711c1dc641b97d52ef481efd9b93b5

SHA1
ff55c5d681aae36d4197a3a12eff7bae553c5d4a

SHA256
285a8f4e13f045f2f160c50372411927101ad3d8397a7eb7591523ab9ab8299e

SHA512
1f2355aa09392a6a0df6c1485ce48c0fe42371c2af517d9905e08ea99d4dba5a7b694bd24b23e9557a552977b8c1de598f9281cab5184bd414e0e85ab9f2f7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\qs_2240_11005\gefpceefdmmojbgmfmnkeanmpclobjgj\js\popup.js

Filesize
5KB

MD5
1328355bfc0d58fc6dd6cc762ee27610

SHA1
393b92c2fa01b3289c87fd04c5052d30657a3584

SHA256
e2006ed68762166696159c14eec2cd85578cb8ab45b12778121f1bed0c255306

SHA512
a85f2b75d21cd6f0203c4b474a96c3d8201c50f68039d4cbfcc71041585b5ce2d18a17fbc5b7e4d58f099192f21dba9d46dcee7073317ae6035885aa1a65488a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qs_2240_11005\gefpceefdmmojbgmfmnkeanmpclobjgj\manifest.json

Filesize
1KB

MD5
ac642694049fb57616e49d2c7686789f

SHA1
38e380295ba21ce2421fa0b25de8c039bfe3603a

SHA256
b823a6c2c5681fb9f8f7b02e381ad68275e84f9c54e161edba3e704e4e74fe9c

SHA512
0413cffbe3a44aa33347de77fe38f1bf565bbba25cbca0c3cbc188d6ee2d20c6c72d8fa6814ef6bf6ecd7de461541c373fcd1d6fb5af69c21b339a2e24da17a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qs_2240_11005\gefpceefdmmojbgmfmnkeanmpclobjgj\popup.html

Filesize
2KB

MD5
d63b1f15e85a71033f6cb61b68fed650

SHA1
ade4a88cbffb8fde451a76eb146707e59734a8a0

SHA256
8a33320876d94b4da8ff3501867a275a12c2eb6f656e80d0d5798271ad23708b

SHA512
2e24587885455035391325d9c7501001ee590098debdb33bc462542013514de2b95e393139791c5f1d2edd8c7328a4c722802872b984ca854ba33e02c0c757ab

Download Submit