5821f2110486cb73960961b8e403e5dfd2541566c32c3ef8b4bf12bbaabcd902

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5821f2110486cb73960961b8e403e5dfd2541566c32c3ef8b4bf12bbaabcd902.exe
Size

956KB
MD5

2b7aaa2df66ccec1f3cb192e362d5aad
SHA1

3eab777d27cea4f2489fcafcb5b0eb087cc10de4
SHA256

5821f2110486cb73960961b8e403e5dfd2541566c32c3ef8b4bf12bbaabcd902
SHA512

ed3c48be86cd593d57007d8e53a41cd29eb06091badd291356bb722ed08a7a55e5319d961c5f90e6754726b0a28b5623a1e48aff5736b0c91709c225b9657a73
SSDEEP

24576:tbDrkJXOH6iiRsUiSf7jturZ/THLJ7zcMNwh:EXOzSsCfN6Z/TrJ7zmh

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

iLB0wHJ0y2MmxrV.exe

pid process

2728 iLB0wHJ0y2MmxrV.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2728	iLB0wHJ0y2MmxrV.exe

Drops Chrome extension 5 IoCs

Processes:

iLB0wHJ0y2MmxrV.exe

description	ioc	process
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjinnciiaifjiapddjhcobmoafjaefmh\2.0\manifest.json	iLB0wHJ0y2MmxrV.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjinnciiaifjiapddjhcobmoafjaefmh\2.0\manifest.json	iLB0wHJ0y2MmxrV.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjinnciiaifjiapddjhcobmoafjaefmh\2.0\manifest.json	iLB0wHJ0y2MmxrV.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjinnciiaifjiapddjhcobmoafjaefmh\2.0\manifest.json	iLB0wHJ0y2MmxrV.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjinnciiaifjiapddjhcobmoafjaefmh\2.0\manifest.json	iLB0wHJ0y2MmxrV.exe

Drops file in System32 directory 4 IoCs

Processes:

iLB0wHJ0y2MmxrV.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	iLB0wHJ0y2MmxrV.exe
File opened for modification	C:\Windows\System32\GroupPolicy	iLB0wHJ0y2MmxrV.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	iLB0wHJ0y2MmxrV.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	iLB0wHJ0y2MmxrV.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

iLB0wHJ0y2MmxrV.exe

pid process

2728 iLB0wHJ0y2MmxrV.exe
2728 iLB0wHJ0y2MmxrV.exe
2728 iLB0wHJ0y2MmxrV.exe
2728 iLB0wHJ0y2MmxrV.exe

pid	process
2728	iLB0wHJ0y2MmxrV.exe
2728	iLB0wHJ0y2MmxrV.exe
2728	iLB0wHJ0y2MmxrV.exe
2728	iLB0wHJ0y2MmxrV.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

5821f2110486cb73960961b8e403e5dfd2541566c32c3ef8b4bf12bbaabcd902.exe

description	pid	process	target process
PID 2248 wrote to memory of 2728	2248	5821f2110486cb73960961b8e403e5dfd2541566c32c3ef8b4bf12bbaabcd902.exe	iLB0wHJ0y2MmxrV.exe
PID 2248 wrote to memory of 2728	2248	5821f2110486cb73960961b8e403e5dfd2541566c32c3ef8b4bf12bbaabcd902.exe	iLB0wHJ0y2MmxrV.exe
PID 2248 wrote to memory of 2728	2248	5821f2110486cb73960961b8e403e5dfd2541566c32c3ef8b4bf12bbaabcd902.exe	iLB0wHJ0y2MmxrV.exe

C:\Users\Admin\AppData\Local\Temp\5821f2110486cb73960961b8e403e5dfd2541566c32c3ef8b4bf12bbaabcd902.exe
"C:\Users\Admin\AppData\Local\Temp\5821f2110486cb73960961b8e403e5dfd2541566c32c3ef8b4bf12bbaabcd902.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Local\Temp\573a447f\iLB0wHJ0y2MmxrV.exe
"C:\Users\Admin\AppData\Local\Temp/573a447f/iLB0wHJ0y2MmxrV.exe"
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\573a447f\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\573a447f\[email protected]\chrome.manifest

Filesize
35B

MD5
ca33d8b941564e4df39118b7b8c5d14a

SHA1
263066299a1dd9a4644026fb9963355905da093f

SHA256
185298615cc199968ee93fd3a82f26a1c8665ae1d1860a277487a92348f7c905

SHA512
0ca0b21878fc19381c75201f688c05f74b15498c9c83b723a48a7e184e679d1b88987a46768c7b5da1477d875c80614857f999857c3113a8f5523a8611cc5fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\573a447f\[email protected]\content\bg.js

Filesize
8KB

MD5
f2a1137a369e98c4b29f93faddaa6d3d

SHA1
daa9a41bcaced59763b1a53d2347510b19dbe0b3

SHA256
fd0d59c6e3788cb25c5af66cdcd047f955b0e1754fe78bd01f2b276f36ab5351

SHA512
1d9cdc2468c76454ba8a20a296427939d9d97c4a687f6f4996bb2e2d06aed9b0a2d6471350629993c0d54f8468a04ec07a258518e90fbfb3b42dd4a145637c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\573a447f\[email protected]\install.rdf

Filesize
599B

MD5
24c88c4d63b81da3a172f5690a9d18c7

SHA1
57560a1be891d894113f31ab48b97bf1c10e77f6

SHA256
a8bc98bb81015fdcc14eb3b7d03786a9df81f81b3229a81be0230aecb0828d3b

SHA512
79ad62ffd7dbbb435cd6d7ff07ffd603eb51b2e77f04755b60769c628706b7d85b9d934fa949986f3dc278ece707d382fe44da686d6c2e43158f0a0f62ed00c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\573a447f\hjinnciiaifjiapddjhcobmoafjaefmh\background.html

Filesize
147B

MD5
7ba59199c49548fe62b6a8d11a6467db

SHA1
18491b7b3c33e488faffd8907ec5fd3ded00f1b5

SHA256
7c0f101ce17a4952c061cccd8298c2eccb9c7ae17de2c88ffa74ebd37b0052fc

SHA512
2efb30850108c2361e88aa6659fa80d77a216269fd5a2f453661402d9c91a518b333de6ebf1e9ed8978a2811f3510cf0e72379577a44f9e7acc99505701e56a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\573a447f\hjinnciiaifjiapddjhcobmoafjaefmh\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\573a447f\hjinnciiaifjiapddjhcobmoafjaefmh\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\573a447f\hjinnciiaifjiapddjhcobmoafjaefmh\manifest.json

Filesize
499B

MD5
4bc128fd57cdeb210670ce2e4e1d3e8d

SHA1
5b3c0df10db3dd0aa59659d1fc4f9bcba86188b5

SHA256
d23eb5ab231858616151cd0396a9e3be7cb5ff1124564ed9f9fcd20010e81136

SHA512
41fe2601e98f2bd1b9d8cb635d5cfcec8a3845de79e63b7686c35e3ed6c953f7abf23475c71ef64579164ae82dd95af9ba09b585c5333f995f7de25a56e76759

Download Submit
C:\Users\Admin\AppData\Local\Temp\573a447f\hjinnciiaifjiapddjhcobmoafjaefmh\xD5SMtLirt.js

Filesize
6KB

MD5
7e2cab2bbbb91477fc12d588feb327a8

SHA1
055a30445bb3c31403f8be416445c1d0c49939e7

SHA256
7cfacfd67a73288ebf2b58a73dc9c423a0079f4b0298a583b91f45f76c1891e3

SHA512
b51aa340dd2c62e2944aae1c21097945e7b718c424e5dec84884ebade224f2fbc6a4caddeca4cf07bc79d3a335d8e2b5a2873bb84e450f4363c798b991f81c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\573a447f\iLB0wHJ0y2MmxrV.dat

Filesize
1KB

MD5
11eeeb4b1e94904f19a9bf8afe07d406

SHA1
729f3e077241b39b2551b94967570a3bdae345aa

SHA256
5f8146c9a5857a858ae1026b4a73942bf10907c4fdc4bb7e3127289f7bf8e73f

SHA512
65519670bc2c22cd1cb5fb3ebaca08432c90a3773bbc6f48524bdc8821a8d8c8da62b2db1a0e7f7ed9d8fa71a2a744318f6c5f9da78ba5467a5f5835b327a318

Download Submit
C:\Users\Admin\AppData\Local\Temp\573a447f\iLB0wHJ0y2MmxrV.exe

Filesize
625KB

MD5
04cf637cf931223b102ecfbd3683a084

SHA1
6fdd13e9a652418123b81edfd721e92495c3ee33

SHA256
a4e7bac2d8ef25b8185a5e6a436126a805f55c3d4299e847eb5a8ad20877ed88

SHA512
44a7306ffaac172c73575aca5ed4edd5e09887123eb25725722227f86c432a76cabfb350506c4e495c5df93c928d81883519889f46c3e9ac098fb4024b306007

Download Submit
C:\Users\Admin\AppData\Local\Temp\573a447f\iLB0wHJ0y2MmxrV.exe

Filesize
625KB

MD5
04cf637cf931223b102ecfbd3683a084

SHA1
6fdd13e9a652418123b81edfd721e92495c3ee33

SHA256
a4e7bac2d8ef25b8185a5e6a436126a805f55c3d4299e847eb5a8ad20877ed88

SHA512
44a7306ffaac172c73575aca5ed4edd5e09887123eb25725722227f86c432a76cabfb350506c4e495c5df93c928d81883519889f46c3e9ac098fb4024b306007

Download Submit
memory/2728-132-0x0000000000000000-mapping.dmp

Download