Analysis
-
max time kernel
140s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 17:22
Static task
static1
Behavioral task
behavioral1
Sample
4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe
Resource
win7-20220901-en
General
-
Target
4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe
-
Size
2.9MB
-
MD5
117ba2f469f0c4feab67d8b2886323bb
-
SHA1
bad70a8154341282155b1aecdb3d104bcae0d32c
-
SHA256
4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4
-
SHA512
6df3f1560505cd1251db8a95a0e274e5727eb41957bd7fa3ff4d3257e9fd17e2afadc5e93f39f61b73d7e25861fb72a4a1976acd101ffed72ab981a4a7e05e37
-
SSDEEP
49152:IftpvLKKYt6Vdiipi6+P0bZuKHkL552ypX+rrWuxopkcoCEvf:ALLDxiZP0bkuKGypX+rrP
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 5 IoCs
Processes:
4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exedescription ioc process File created C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngjfjcbmkmjigpjeaanjkkonhikcedop\2.0\manifest.json 4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe File created C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngjfjcbmkmjigpjeaanjkkonhikcedop\2.0\manifest.json 4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe File created C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngjfjcbmkmjigpjeaanjkkonhikcedop\2.0\manifest.json 4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe File created C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngjfjcbmkmjigpjeaanjkkonhikcedop\2.0\manifest.json 4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngjfjcbmkmjigpjeaanjkkonhikcedop\2.0\manifest.json 4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe -
Drops file in System32 directory 4 IoCs
Processes:
4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exedescription ioc process File opened for modification C:\Windows\System32\GroupPolicy 4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini 4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol 4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI 4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exepid process 4808 4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe 4808 4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe 4808 4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe 4808 4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe 4808 4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe 4808 4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe"C:\Users\Admin\AppData\Local\Temp\4437c6446fc8441204fcc5c3692b5c45499a6ff6558ef38b195c07044cdfb9a4.exe"1⤵
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4808
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:1092
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:3544