2f2300ae5a3da27d7e94a52d2afc54fac0da91278d7921dd60dd3e0afc2b7555

Analysis

max time kernel
644s
max time network
616s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6687fd6f434c565df6fad94e532a1851.dll
Size

11KB
MD5

6687fd6f434c565df6fad94e532a1851
SHA1

e6c9a7caad603aeed21f94ef7654070d5c6a9955
SHA256

2f2300ae5a3da27d7e94a52d2afc54fac0da91278d7921dd60dd3e0afc2b7555
SHA512

8e0148be80f755a84baa9946cb2837f48dabc5769cd0696e48533986c915b3e1a799a2c8874eb572b789f73e72826a6927f72d662bf045e85494dbb533f54c6c
SSDEEP

192:EUBxvSu/lAnOx0qi6i18veWDWU4UeqLKGl78SfdE3UIPNyb:nvSu98Ox0hj8vrt4ZGlYsdE3UIPAb

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2584	chrome.exe
2584	chrome.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2088	1860	rundll32.exe	28
PID 1860 wrote to memory of 2088	1860	rundll32.exe	28
PID 1860 wrote to memory of 2088	1860	rundll32.exe	28
PID 1860 wrote to memory of 2088	1860	rundll32.exe	28
PID 1860 wrote to memory of 2088	1860	rundll32.exe	28
PID 1860 wrote to memory of 2088	1860	rundll32.exe	28
PID 1860 wrote to memory of 2088	1860	rundll32.exe	28
PID 2584 wrote to memory of 2648	2584	chrome.exe	30
PID 2584 wrote to memory of 2648	2584	chrome.exe	30
PID 2584 wrote to memory of 2648	2584	chrome.exe	30
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2464	2584	chrome.exe	32
PID 2584 wrote to memory of 2576	2584	chrome.exe	33
PID 2584 wrote to memory of 2576	2584	chrome.exe	33
PID 2584 wrote to memory of 2576	2584	chrome.exe	33
PID 2584 wrote to memory of 2520	2584	chrome.exe	34
PID 2584 wrote to memory of 2520	2584	chrome.exe	34
PID 2584 wrote to memory of 2520	2584	chrome.exe	34
PID 2584 wrote to memory of 2520	2584	chrome.exe	34
PID 2584 wrote to memory of 2520	2584	chrome.exe	34
PID 2584 wrote to memory of 2520	2584	chrome.exe	34
PID 2584 wrote to memory of 2520	2584	chrome.exe	34
PID 2584 wrote to memory of 2520	2584	chrome.exe	34
PID 2584 wrote to memory of 2520	2584	chrome.exe	34
PID 2584 wrote to memory of 2520	2584	chrome.exe	34
PID 2584 wrote to memory of 2520	2584	chrome.exe	34
PID 2584 wrote to memory of 2520	2584	chrome.exe	34

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6687fd6f434c565df6fad94e532a1851.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6687fd6f434c565df6fad94e532a1851.dll,#1
  2⤵
  PID:2088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef78f9758,0x7fef78f9768,0x7fef78f9778
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:2
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:8
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1660 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:8
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2180 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2188 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1588 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:2
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3336 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:8
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3424 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:8
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 --field-trial-handle=1380,i,3682723390402861158,18197320562466297147,131072 /prefetch:8
  2⤵
  PID:1484

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1172

C:\Program Files\Windows Defender\MSASCui.exe
"C:\Program Files\Windows Defender\MSASCui.exe"
1⤵
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\32d60380-f337-41a0-85ad-8a73b83c7af6.tmp

Filesize
282KB

MD5
286a49db67aa87fe385e6c69240d2dc2

SHA1
88c92657eb2d32c724bf7bbdf9fb162a26854170

SHA256
ff3d4f536160887029ad25463ad5c3f645d3160f37932c2337e9a0c1adec5ecb

SHA512
6a440a7629ce2ffc57049222c3cd69725eb0c73b7e8e86b2f65a48cd90f8d975071cc5d15c616e02fa34cfa6ca79a75d6b5096564b3bea543774884bd50b2b3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
416edaf3462a4361de33403e20cb5e44

SHA1
89dff018208aaf3c7c5fdac4ca4fc100da012330

SHA256
20f148bf193817f89ddfabd6f7323aa133864d97994c6f0318b5396627e0a0ad

SHA512
cb39c3ff182a02784574deae6695cec4465f99f733054a03cd425665361d801563b1411e23ff3cfb922b9a993efafd809b91ccf8d28def5d0e9728fdb74e7b1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
282KB

MD5
a575209e0ff3bd84d8a9cb601c6658b8

SHA1
c8c38d8e755c7414fe2b6a20a8ad4278c30fcdcc

SHA256
1e84e42308bbf24f907f83eabb8fc87093d560414509270fdd4a31462c57e7b4

SHA512
c35c8187af4e3ea97e0db52109bfed8771c2cdd591413359153195fbb60a5e3685affb7686f88c20d219ad25e03e361684c5c26418475c6542a386f23d81e1c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
e3512e5b544c0c7d5f3a4331289ce08f

SHA1
725a4af3d32c0d6cebdfbfe7a2fd8b29ff0496d4

SHA256
b03c194ac23211ece33f94911db58e0c7c99f1bf30264169a3062c2996eead76

SHA512
0b7b72f463c818f7b6e0fdbc6d8570fbe1fb73360f7df17b8d01ea7135e3634bf7bcdf175a482823f6b1d8fdb91e20c744f51c3661b062824ba011c2459009c5

Download Submit
memory/2248-71-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download