7e8b75f452060674da90410be10b51ed1f714e08d53243cfee48a259d369cab4

Analysis

max time kernel
0s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 00:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4a22ce6eb27c5858957506cad4f0fa35.exe
Size

313KB
MD5

4a22ce6eb27c5858957506cad4f0fa35
SHA1

7da25391bf947cbfcdfe7aca3684101ddaf7a339
SHA256

7e8b75f452060674da90410be10b51ed1f714e08d53243cfee48a259d369cab4
SHA512

df42f56636aa3ccb59ed4629e8613bdba21955026b8d84b6a0362efff0c50bbcd6a5809f5cc78679fb8925fabe5ee1e2a75244d514f227294069a93a60f499fd
SSDEEP

6144:91OgDPdkBAFZWjadD4su0j3pUR42+G8OGU8Pw+0pwcp2mh0iEq:91OgLdaj+3Clr8Pw+0D2mhHEq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2180	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000023202-32.dat	nsis_installer_1
behavioral2/files/0x0006000000023202-32.dat	nsis_installer_2
behavioral2/files/0x000600000002321c-100.dat	nsis_installer_1
behavioral2/files/0x000600000002321c-100.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 2180	3792	4a22ce6eb27c5858957506cad4f0fa35.exe	20
PID 3792 wrote to memory of 2180	3792	4a22ce6eb27c5858957506cad4f0fa35.exe	20
PID 3792 wrote to memory of 2180	3792	4a22ce6eb27c5858957506cad4f0fa35.exe	20

C:\Users\Admin\AppData\Local\Temp\4a22ce6eb27c5858957506cad4f0fa35.exe
"C:\Users\Admin\AppData\Local\Temp\4a22ce6eb27c5858957506cad4f0fa35.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Users\Admin\AppData\Local\Temp\7zS45D3.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Bcool\bhoclass.dll

Filesize
137KB

MD5
ac13c733379328f86568f6e514c2f7f8

SHA1
338901240fedcef4e3892fd4c723c89154f4de05

SHA256
7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562

SHA512
35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

Download Submit
C:\ProgramData\Bcool\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45D3.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
5470f00d83d6c0f8edd6edc363999f00

SHA1
6670ed252755662c0e9af7c5c6d98fdb2e8743c1

SHA256
b384f3cc28a552348f0263248cb71bb98baf76131e3777b7b1d713a32ff6cc0d

SHA512
520fb6db02a22c22a7d9b2d198ac72a1504a2e0662cea8b78b16883597e45b573ffae81fe175331e694ab030df6223336b6ed01e6a8a4f9e0f9f41eeb4da2cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45D3.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
cd4930346ad42bf002475ec8e7a69203

SHA1
cd0124808ad8ea1adcc9409f16774dda5a3df2a1

SHA256
d2736e6fea81efb2d896f84b1c1cc1092dd5e2eb67f4ba5b98e5ec378ac7e221

SHA512
fd97ce630ce723c7e2afe6f4fc5eabafa7bbf7595e0097f2b424ce9de0501be59f9155c63b764354f7476a883504fb8fea8ab853f37b388afa409b7aeb95d841

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45D3.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45D3.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
db55bf859862d52b3ba024d9aaa0b29e

SHA1
786d5bbbc3d81e7665191dfd12288a831079c61c

SHA256
e1207eae523b813030bf4afa8fad675eda6a58baca737574e07bd1287220ee41

SHA512
86ef2d34298a3ef5dfe191e4d616a8dca0591054800d4935cf8645b0a36c58304ec14cb84ed0a22c1e8b41f7823be871d53629d9fce0ed296d5a47ea23bf6ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45D3.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
6b57c0385950e2962c0b51df642fac70

SHA1
832b69d4c7f63c708bd684be3a308502a49f9701

SHA256
bad6863455048641b5ba0fb580f06dc70db4bd50043cc188018cdb55309e86df

SHA512
2891f4fdd8c3fdf94611a20b32ca3885fd2fdb47fc4af206ee1267eb0df246f7876e99894d739cb6a5c6d29b3f6f0d477c9afd92c200d3100a648632120f6ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45D3.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
1c60a86f70a27801c3ecbee58e2cf7b1

SHA1
ed9f1392baeefb8c279b416c3fcd2e62cfd6da5d

SHA256
bd953f2fcd830381ddc4d16498eb2c365f40c5add7375d499b8f8e64229e62e5

SHA512
52d4eb435e9c2fea11a7b7aeacfe2f69dd860da3f4b8ecb12cf826dd9244511402962d04765ca35fa70c4e0a57b1df027310fa1b98967ba00137b9755c8ea9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45D3.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
f5fc01e3076744eb620036c4678730e0

SHA1
7eb7824ed1442dc57a410025c3b4d04e4504ff8d

SHA256
df4aa639086f79af3f88c20c158e12146028c5849dd43eec4554c703ed6f0a06

SHA512
0f77344dc06bc046af383eeab57e5a97456653ccad2aca366b5e6dea0b5beb9c5f1ffdae369d29cf420a8a5ecd7eb581aada7372d9c9dfd04bb9a377702247ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45D3.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
d515037265ca4c3c07e0610b3568302f

SHA1
b664714d9d7a58fac2ad36547a42637a6472bef8

SHA256
05be6241e2c37878ef5225ea5eb4ec7ca72debc1ea6d5fe4fdf73e42a6d73c59

SHA512
654afff0fa8cacde7dc2d61c4cc1c087f8781120e1ddf19c0cd387b40f4eb228469466fc4b624ce67e50a3a2fd6ebdc5671898a8fb6d5f082849ea2382fd8bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45D3.tmp\[email protected]\install.rdf

Filesize
668B

MD5
86bb564ef5e6c555f150defac2eb8440

SHA1
8c8dc21dd02d9b401729d0115fb593be127868d1

SHA256
a744de657aee92427cb9a1580235d91aee89b48e5c2ed48ace970a02ee774833

SHA512
3c0712e2966be90c9e0157ec9bd444d01126572c4eec0028545a5497051153b41a4c9a1136868206466a0d03fc68552494b5f6f234c63f04a3e0e58baab02dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45D3.tmp\background.html

Filesize
5KB

MD5
57f750caa62507a48e21599c6e4f120c

SHA1
be380e4bda9409c3c63aeb09b4f66ab540228fb3

SHA256
c59d1dcd5a380022097d8f42ccecc599fa0efe242ba8dfc4024e282806bf0938

SHA512
862eb52d243921924911bcdd823a4c9aec1dd50b197292d319b574300d8160fff46c82fa44053e5fa7139833985dd2d1406dcf2f1efeb316ded088e5ca20c813

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45D3.tmp\content.js

Filesize
387B

MD5
2d417efeeb78afb62c729c09a1f3a11c

SHA1
c9fef955794643c04d3c57c8d9ca8cfc67c89b64

SHA256
50d0bd5b027fdc11b1cf446ef1152f787d55d37e3ef65cc6b9b4b3ed3ce38df0

SHA512
236af4a634a381e386a22bd4496dd2547e0e97a1c48858f1083c75fcfafb241f3a62fcb620bc5cad0d115f77088de9f6aa7b2218d730abd19933717f2fac74f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45D3.tmp\nogeckoakbncljfiibemkjopnpdlmncp.crx

Filesize
37KB

MD5
029f2888b63e082083360395f96ae8b6

SHA1
aba87dfcdd89efa2d8ffe09850d2baf04cf33a94

SHA256
1e284b98accb94fadb5911454ff9d32228934648666b59d0898e5b5a1e2a6964

SHA512
cdd60778a55973d60bff1180ae336aea86ecf9d1c2ae71c92585ceff844425f26d02371c908ea7fdff11adebaae51eca3ff46fc5b76239eeda0f13a2faaed62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45D3.tmp\settings.ini

Filesize
593B

MD5
8a2efdf211effd966ad1edf6760778ae

SHA1
168c6d3e7ae825dda845fbdf731a016128a9469d

SHA256
96bdb7c4bddde9ca3927001ce5d009f709df5549e7768af375fa8cda6a9bb964

SHA512
e42919647bcaadf728e07244d0a1b6b78a24253128791f03ddb342f833670c760a7e32c2aa40f8ef77f6136ed77a2ed94f5526f76165d0d713a4142a90502c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS45D3.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit