Analysis
-
max time kernel
184s -
max time network
209s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 13:00
Static task
static1
Behavioral task
behavioral1
Sample
d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe
Resource
win7-20221111-en
General
-
Target
d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe
-
Size
1.6MB
-
MD5
34391bc02afb14842325b2c6f65ce7a9
-
SHA1
bce4c65f2dce6b8a20d9622a268e655ce582e83e
-
SHA256
d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39
-
SHA512
dad94fe0264f23a406fbd1c2d23f492ad04b0660f5cb7321b326e44a84b950c83ac1baa7900c3776d259595494043425c23f7edde8ceb1cd820362632dbb149a
-
SSDEEP
24576:d8KxJKb+XyQZ3jrEc0+q4Kim2kvzcmIFK3LX7LaBrQ2R9sjeQgrKYk1eTF1dOJRH:Qb0xE4tmLXniQW97QPYk19vFR
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 5 IoCs
Processes:
d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exedescription ioc process File created C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ieohfihhmkkibpcjnafnimenhdafegel\2.0\manifest.json d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ieohfihhmkkibpcjnafnimenhdafegel\2.0\manifest.json d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe File created C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ieohfihhmkkibpcjnafnimenhdafegel\2.0\manifest.json d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe File created C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ieohfihhmkkibpcjnafnimenhdafegel\2.0\manifest.json d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe File created C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ieohfihhmkkibpcjnafnimenhdafegel\2.0\manifest.json d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe -
Drops file in System32 directory 4 IoCs
Processes:
d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exedescription ioc process File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe File opened for modification C:\Windows\System32\GroupPolicy d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exepid process 3184 d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe 3184 d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe 3184 d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe 3184 d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe"C:\Users\Admin\AppData\Local\Temp\d48e9bec9842e7ab2ad0fe5b9d47e85fb9c9349f40813c16bf59a16ac4267f39.exe"1⤵
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3184
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:5084
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:1852