Analysis

  • max time kernel
    120s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-03-2024 12:52

General

  • Target

    dbabc231576ccb7c0b6ad0d335133aa7.exe

  • Size

    313KB

  • MD5

    dbabc231576ccb7c0b6ad0d335133aa7

  • SHA1

    94ee62a023f0027cfbfc8a38d0cebcc02a07627d

  • SHA256

    9be97149e812fa9082eb7362c8e7e45edf06170b73b0cd70042d13c469b6910a

  • SHA512

    e9fbbf542f9a33366d748d6c17909f6124ba8886f60a541f8e263597cd7f7c56f36f0484e5282a3d9f85976b4851a31e8f908a17504755df1b8e0547893f12ee

  • SSDEEP

    6144:91OgDPdkBAFZWjadD4sDO4m69lOIpF6BTB9qFUWEM2z7IEfSPpQh/jEpDH1p8R:91OgLdaA5xiDqF8z7I+iAjSDH1pq

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 4 IoCs
  • Modifies registry class 63 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dbabc231576ccb7c0b6ad0d335133aa7.exe
    "C:\Users\Admin\AppData\Local\Temp\dbabc231576ccb7c0b6ad0d335133aa7.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe
      .\setup.exe /s
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      • System policy modification
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Bcool\uninstall.exe

    Filesize

    46KB

    MD5

    2628f4240552cc3b2ba04ee51078ae0c

    SHA1

    5b0cca662149240d1fd4354beac1338e97e334ea

    SHA256

    03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

    SHA512

    6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

  • C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\chrome.manifest

    Filesize

    114B

    MD5

    33c15c5d8645488247580f48553a4dac

    SHA1

    907d75117e012023484dd13d8292a8e2bfb9121d

    SHA256

    03cd4487c1972e7c93acab254c6153a09f014a8e6b45f206e20d4c0d3f9ecf97

    SHA512

    9cbc9901ad9e4ab3599eebfb664802bb12ba8c7fad6ad637f3b5f9c240ef3ebc691b297e1b2dfbce5a7abe221ea966c28517c27f487be88c64c13b8afc7bf749

  • C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\indexeddb.js

    Filesize

    1KB

    MD5

    68a6bef08e9f274a00cf4955e995d4e1

    SHA1

    1bdba16ba99acee9985b31c1acd85bc76059a9af

    SHA256

    72a4ee736f80585f65c959388cbe930c2fde20e2536c78b357d05fc195567b1a

    SHA512

    ce4672506c7c64396bdba8d830cbf00122e76389fee64dc443633611fccfc7d6763cc9796981848da863bb700195c1b7e23fbc05ee641999f234385defa59430

  • C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\jquery.js

    Filesize

    91KB

    MD5

    4bab8348a52d17428f684ad1ec3a427e

    SHA1

    56c912a8c8561070aee7b9808c5f3b2abec40063

    SHA256

    3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

    SHA512

    a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

  • C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\jsext.js

    Filesize

    6KB

    MD5

    9b15c7c37e348d9e7bdbc3702ba5cd2d

    SHA1

    9c4d2f246d14d66c0f4bf13264b35feed1a2b70a

    SHA256

    95ae115a3d9d34ff9ded5c32b8a09db7ac0d91cf36aeb374c6b1262ebadb891d

    SHA512

    960d5e00f059f59c62bb7ca261299a6de54d4cc78a1b9c52ae77e5bbd36d987126f242719c5608131a65d11cdd7a555ca40a97718e331fb3f7954d09e07b8e51

  • C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\lsdb.js

    Filesize

    1KB

    MD5

    b4e5037dbef3ca965343ee5cb81e8116

    SHA1

    64b4efdae708bf7935104184f912b9cebece0d27

    SHA256

    f38ea32b10393864f04312115fdde3c920f8ae5af5c9235b1bf344b8247404ff

    SHA512

    3f30146afa0d6e466f7b01b8d8a74bab6d9a33e5cc240e7457b29bc3f5d1dd2a552637ce7e6b3963d2d3aa027f7fd2697189e42c6655f7795b09545df981df03

  • C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\prfdb.js

    Filesize

    1KB

    MD5

    8d9260f0dc3dd495c1ab2d2eb43e027b

    SHA1

    3b2f703a8b6467a5a4c3fb0724905da92b298e2a

    SHA256

    9d36809d4dc86118b057400083e6853c6c0e02c93236b11d4ba9f75bbd7ea344

    SHA512

    04028599c078f2a34a54e712d6551c7268e5d9089658178086202441a12539f238d9ac316162c038786439037312ce6e9ca0fd311ba3cc2d0ce99d34dd7532f9

  • C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\sqlite.js

    Filesize

    1KB

    MD5

    c192f40af50a3a07469c2cccbde6180a

    SHA1

    220121844988f76bce87af423cf3ca0998d0f046

    SHA256

    3b2c991174fc1b490659011cadd4ab21f11c7ba8b18908ba4b47ce116b8c7645

    SHA512

    1a84152644c824814ad8b759fcdf3b7b00cb47de1f9c1a35111c75fa9de99253da9dee538de72e6d07ed3a38ee424eb438adf4fc0adb35b3213166fa7afb5753

  • C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\wx.xul

    Filesize

    228B

    MD5

    4953546eed26c1f4b3254e4aa461aa37

    SHA1

    cb86024826493c26e2a1befc87d1eaa36848bc96

    SHA256

    92de0bb720f8110cfb1ce49af09dd958959714d4919e3b557095ce8bb1d94707

    SHA512

    b9b99a64f7fd63c0cc31e8e1e6f83e32291dff700b1c4af33193d837d9c56e3af2246f5566328bdc14c9dcbf1d510bdfdd78c266749675d92d3f836337fe7cc2

  • C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\install.rdf

    Filesize

    668B

    MD5

    682e5d5db010d2d653f7e9e7911460a0

    SHA1

    6e1f504a6d31ddbc7a88e4c8b372d9c431b80a37

    SHA256

    d0c1c270a6716d8eaccedb9718fef081e43aab6119617c86576240586d037e1b

    SHA512

    e7f5df7b07b3054f2e7b44e686a7a70ad990211b49efad6ca21c4e21817c17f5b61b187a56f5f2562d49969fcb4fd87102b718e06f5042b5cc01259a084fd397

  • C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\background.html

    Filesize

    5KB

    MD5

    70ef0a59208f4ef1f444211a777f0796

    SHA1

    990f3523c128a6cc131c98259da419d4ede630bf

    SHA256

    362efc2bf7093153dbc6dade8f4ec3d33afc179080882e81d5a6743867c3fa73

    SHA512

    3953fb52096dfe8b7db2794c8d08564b02d20a4c37af74f9b365a9dd21a0e0902c5005a1a40360dae9df41046eccfe2938effee31b24e7dbb00cdbcb29972d2f

  • C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\bhoclass.dll

    Filesize

    137KB

    MD5

    ac13c733379328f86568f6e514c2f7f8

    SHA1

    338901240fedcef4e3892fd4c723c89154f4de05

    SHA256

    7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562

    SHA512

    35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

  • C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\content.js

    Filesize

    387B

    MD5

    73ca4184cdd270c4c19ced2a26b0d799

    SHA1

    1d20d3c360760d75ed3e5d88f1dedcbc08cc28e0

    SHA256

    fed1184e04312ea495103c7c5b17c55da205609899239249f36dd3923230578f

    SHA512

    a829d71c37d402db8400d23330234ea71a0af5ce1960a069588c4aaff25398cf98e8ea8ff84d84004cfaba31716006ada70869d45e969084738c59a54bc71968

  • C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\mhmiflodoaengponimbfgoaklodmlmdg.crx

    Filesize

    37KB

    MD5

    07bf88469c9e5a3f16bf7005d5360693

    SHA1

    60cd4ae64028de0662da3b92e56836124ad15801

    SHA256

    27c33e2e0414f1b1dcec831edee5445c756df5f924a3c9cae4e007d97ce42f0e

    SHA512

    8f498b2c9140ca9539f8ff743390c87fab7c0607532a0a5bca8c853adb76c5ba62ac7c5229aa4ea96ffd9a203683b289a051090cdd45e5fe6d7c0f355272beab

  • C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\settings.ini

    Filesize

    593B

    MD5

    77a81c0d5a6a48d0eab6368ae62e8424

    SHA1

    1ccf201d4adde8fa4c0dcb6283740cd211396615

    SHA256

    4b525d1fdb106f603369d0c4f30097f7dbddd568963928587bdfbf4cad2166ac

    SHA512

    2b8f77947c2da820191076f49aff93c11fbef182e1a0a8ce32a91f062243f2cddfd90a62989b3c1856fc7e5cea86c760948c5a890363bc764fba6e11a8ac8523

  • \Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe

    Filesize

    61KB

    MD5

    201d2311011ffdf6c762fd46cdeb52ab

    SHA1

    65c474ca42a337745e288be0e21f43ceaafd5efe

    SHA256

    15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

    SHA512

    235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b