2f2300ae5a3da27d7e94a52d2afc54fac0da91278d7921dd60dd3e0afc2b7555

General

Target

6687fd6f434c565df6fad94e532a1851.dll
Size

11KB
MD5

6687fd6f434c565df6fad94e532a1851
SHA1

e6c9a7caad603aeed21f94ef7654070d5c6a9955
SHA256

2f2300ae5a3da27d7e94a52d2afc54fac0da91278d7921dd60dd3e0afc2b7555
SHA512

8e0148be80f755a84baa9946cb2837f48dabc5769cd0696e48533986c915b3e1a799a2c8874eb572b789f73e72826a6927f72d662bf045e85494dbb533f54c6c
SSDEEP

192:EUBxvSu/lAnOx0qi6i18veWDWU4UeqLKGl78SfdE3UIPNyb:nvSu98Ox0hj8vrt4ZGlYsdE3UIPAb

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2584 chrome.exe
2584 chrome.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe

pid	process
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exechrome.exe

description	pid	process	target process
PID 1860 wrote to memory of 2088	1860	rundll32.exe	rundll32.exe
PID 1860 wrote to memory of 2088	1860	rundll32.exe	rundll32.exe
PID 1860 wrote to memory of 2088	1860	rundll32.exe	rundll32.exe
PID 1860 wrote to memory of 2088	1860	rundll32.exe	rundll32.exe
PID 1860 wrote to memory of 2088	1860	rundll32.exe	rundll32.exe
PID 1860 wrote to memory of 2088	1860	rundll32.exe	rundll32.exe
PID 1860 wrote to memory of 2088	1860	rundll32.exe	rundll32.exe
PID 2584 wrote to memory of 2648	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2648	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2648	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2464	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2576	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2576	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2576	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2520	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2520	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2520	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2520	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2520	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2520	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2520	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2520	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2520	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2520	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2520	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 2520	2584	chrome.exe	chrome.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6687fd6f434c565df6fad94e532a1851.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6687fd6f434c565df6fad94e532a1851.dll,#1
2⤵
PID:2088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef78f9758,0x7fef78f9768,0x7fef78f9778
2⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:2
2⤵
PID:2464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:8
2⤵
PID:2576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1660 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:8
2⤵
PID:2520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2180 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:1
2⤵
PID:2696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2188 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:1
2⤵
PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1588 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:2
2⤵
PID:1708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3336 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:1
2⤵
PID:1568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:8
2⤵
PID:2448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3424 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:8
2⤵
PID:984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:8
2⤵
PID:1484

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1172

C:\Program Files\Windows Defender\MSASCui.exe
"C:\Program Files\Windows Defender\MSASCui.exe"
1⤵
PID:2248

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\32d60380-f337-41a0-85ad-8a73b83c7af6.tmp
Filesize
282KB

MD5
286a49db67aa87fe385e6c69240d2dc2

SHA1
88c92657eb2d32c724bf7bbdf9fb162a26854170

SHA256
ff3d4f536160887029ad25463ad5c3f645d3160f37932c2337e9a0c1adec5ecb

SHA512
6a440a7629ce2ffc57049222c3cd69725eb0c73b7e8e86b2f65a48cd90f8d975071cc5d15c616e02fa34cfa6ca79a75d6b5096564b3bea543774884bd50b2b3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
416edaf3462a4361de33403e20cb5e44

SHA1
89dff018208aaf3c7c5fdac4ca4fc100da012330

SHA256
20f148bf193817f89ddfabd6f7323aa133864d97994c6f0318b5396627e0a0ad

SHA512
cb39c3ff182a02784574deae6695cec4465f99f733054a03cd425665361d801563b1411e23ff3cfb922b9a993efafd809b91ccf8d28def5d0e9728fdb74e7b1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
282KB

MD5
a575209e0ff3bd84d8a9cb601c6658b8

SHA1
c8c38d8e755c7414fe2b6a20a8ad4278c30fcdcc

SHA256
1e84e42308bbf24f907f83eabb8fc87093d560414509270fdd4a31462c57e7b4

SHA512
c35c8187af4e3ea97e0db52109bfed8771c2cdd591413359153195fbb60a5e3685affb7686f88c20d219ad25e03e361684c5c26418475c6542a386f23d81e1c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
140KB

MD5
e3512e5b544c0c7d5f3a4331289ce08f

SHA1
725a4af3d32c0d6cebdfbfe7a2fd8b29ff0496d4

SHA256
b03c194ac23211ece33f94911db58e0c7c99f1bf30264169a3062c2996eead76

SHA512
0b7b72f463c818f7b6e0fdbc6d8570fbe1fb73360f7df17b8d01ea7135e3634bf7bcdf175a482823f6b1d8fdb91e20c744f51c3661b062824ba011c2459009c5

Download Submit
\??\pipe\crashpad_2584_FYJEOIYAQFAXVQMO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2248-71-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads