30f03371758b8156e15f62884995590ef5c742577744a8ab8c9fe68ce305407e

Analysis

max time kernel
183s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30f03371758b8156e15f62884995590ef5c742577744a8ab8c9fe68ce305407e.exe
Size

781KB
MD5

f0003d75d6830d3d99b06a06d9bf0f36
SHA1

a0c2a44e9c486c3e3e9d1ff7e00cba6c44a1d0ce
SHA256

30f03371758b8156e15f62884995590ef5c742577744a8ab8c9fe68ce305407e
SHA512

39d3f33326a344e9075fac1f6a423ccb918def91cb6f95ad673a44ebd85a4c31ba37eb5da957f44558d3aef94b02d255d4c15437fcf6fe47093255966443ddf5
SSDEEP

24576:h1OYdaOxGiAEAd/KjjBKyu73i8mxcmMMV6zs+G/7:h1OsiMAd/OxfV6zZGT

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2720	6JzbDiOm9Gy1m2z.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\aekgjolfdpoeodmgmjoakpcocigednmp\2.0\manifest.json	6JzbDiOm9Gy1m2z.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aekgjolfdpoeodmgmjoakpcocigednmp\2.0\manifest.json	6JzbDiOm9Gy1m2z.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aekgjolfdpoeodmgmjoakpcocigednmp\2.0\manifest.json	6JzbDiOm9Gy1m2z.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\aekgjolfdpoeodmgmjoakpcocigednmp\2.0\manifest.json	6JzbDiOm9Gy1m2z.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\aekgjolfdpoeodmgmjoakpcocigednmp\2.0\manifest.json	6JzbDiOm9Gy1m2z.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	6JzbDiOm9Gy1m2z.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	6JzbDiOm9Gy1m2z.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	6JzbDiOm9Gy1m2z.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	6JzbDiOm9Gy1m2z.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2720	6JzbDiOm9Gy1m2z.exe
2720	6JzbDiOm9Gy1m2z.exe
2720	6JzbDiOm9Gy1m2z.exe
2720	6JzbDiOm9Gy1m2z.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2720	1740	30f03371758b8156e15f62884995590ef5c742577744a8ab8c9fe68ce305407e.exe	83
PID 1740 wrote to memory of 2720	1740	30f03371758b8156e15f62884995590ef5c742577744a8ab8c9fe68ce305407e.exe	83
PID 1740 wrote to memory of 2720	1740	30f03371758b8156e15f62884995590ef5c742577744a8ab8c9fe68ce305407e.exe	83

C:\Users\Admin\AppData\Local\Temp\30f03371758b8156e15f62884995590ef5c742577744a8ab8c9fe68ce305407e.exe
"C:\Users\Admin\AppData\Local\Temp\30f03371758b8156e15f62884995590ef5c742577744a8ab8c9fe68ce305407e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\7zS35B.tmp\6JzbDiOm9Gy1m2z.exe
  .\6JzbDiOm9Gy1m2z.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS35B.tmp\6JzbDiOm9Gy1m2z.dat

Filesize
1KB

MD5
2d0e995f5b777438d9613cece1a28f2b

SHA1
fe898c1129550d6612273433c92c705438f46912

SHA256
ec5638efc7981ea6910c8d7f5b3749c8ed177c30fced112b9b97b9c9fbd6c219

SHA512
c2862587e9a8dbcbb167f7b38435a11b84ecc5229ac80349a9dc18fadde2979c212c5dd234369edb50cc171a72e54043e34c5d3aaeee97b8893526ad2662d590

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS35B.tmp\6JzbDiOm9Gy1m2z.exe

Filesize
623KB

MD5
cd6bf363f5af45a16926343310023db4

SHA1
e5bcbe9735e5a8d6243af1c2a4593784e8e63aa6

SHA256
bfa98e4e677c8bcb7348aed64d51915e3bacb05925d0234e646e2bb7cc3cdd06

SHA512
3ccb2c4ea143ac58d4df43751bf1c8781795b2321f3acb5d85a0249e4b43c1bf3f93c41c0c59cc2933b923069340a3f7425e9ddce1d7355e60eec843d9158ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS35B.tmp\6JzbDiOm9Gy1m2z.exe

Filesize
623KB

MD5
cd6bf363f5af45a16926343310023db4

SHA1
e5bcbe9735e5a8d6243af1c2a4593784e8e63aa6

SHA256
bfa98e4e677c8bcb7348aed64d51915e3bacb05925d0234e646e2bb7cc3cdd06

SHA512
3ccb2c4ea143ac58d4df43751bf1c8781795b2321f3acb5d85a0249e4b43c1bf3f93c41c0c59cc2933b923069340a3f7425e9ddce1d7355e60eec843d9158ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS35B.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS35B.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
826f9302045f140f9ed24ec83b55edf7

SHA1
87a77f0ca0dc7acda139975cd5dc0e75322b9acc

SHA256
82e1fa28937a1f594efc6503c5a611b8942d3d60e7eb72c548aec9697fadefef

SHA512
2142eb484639c74ccd950dfe0fdeb61201e664d527298429a1b886a8f998e7330e5bb4837e76c4b3d097809b37b088497d16f6087bf12f5184b7688988d1bd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS35B.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
be80134ee07603e86ca8d3a4b955fdda

SHA1
96c3362c9f5e374cb3ee2646e4cd94c6a4ad5906

SHA256
1c2d5dccec3671c7863e61323d312d87a3fcf5e33423a9de89fed4648db1fc2a

SHA512
c4118d1515ef9df85d4aa1cb265f2683b259152a21a25309642013ff0f34da26f76bdc72f05a04d1f7677c5276cba1be8a7f35e90e8e05d6ee9a529b4fc66ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS35B.tmp\[email protected]\install.rdf

Filesize
599B

MD5
7ca7acb648f596ea8f4768d2d1622ffd

SHA1
19b79c028a96dba059b5268e35bbc9993659ce13

SHA256
31602ee8a382cb0b66ac220466e8507069e8493d5fa2c6fd999ffbd60f6a45c8

SHA512
dbfb348796218214bc1758722ae99f304e0e77bd6c408f961ec4b1abbbc9a39d2ae1fd546ff7877f176a70837c483014923cff3929d571faa4e00eb22d09bc08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS35B.tmp\aekgjolfdpoeodmgmjoakpcocigednmp\background.html

Filesize
144B

MD5
67e54cadc7fffe24ab58ce7c6a121301

SHA1
30550ab712b277cf6e8af28f23cbc78c48806fa1

SHA256
f8e70a6ebff71f8e1fbe7365d85cda66469e607b3a2e9b9bae87f6caad250af4

SHA512
4b97a67eefaec52d065cd44c64d8bc48a1f2320b48337daace90b1ab9bae2a7ad3377e39146b2f3a0cf55bcf2d6c74d9d5b0026be3f54793ec7aac0ef0ed129c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS35B.tmp\aekgjolfdpoeodmgmjoakpcocigednmp\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS35B.tmp\aekgjolfdpoeodmgmjoakpcocigednmp\ecusL7x.js

Filesize
6KB

MD5
01475dc5bca97c6a04b19aafb431dfd0

SHA1
f6e5e1e86441ab87cb1e25513e331e306a1df10a

SHA256
22ca51a392b0937ecf06290e4e2123bb61ff0d844e2a5a7e52988fa4ddc36035

SHA512
4ebeb662520c24cccc2084b4a4b2aaf42bdd023ac8ac11dd39d8a135042138bf55b5ce734232b5688775101517c72e85eda57be2d43e8d39e9a68fe917a2e3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS35B.tmp\aekgjolfdpoeodmgmjoakpcocigednmp\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS35B.tmp\aekgjolfdpoeodmgmjoakpcocigednmp\manifest.json

Filesize
500B

MD5
b5ad13f072e3324becd0d65522f43f09

SHA1
29d748d4a778757a9606ba52024dbb8b35c32dac

SHA256
7dcbcec4f884de9efca4bdae65fac50591879102488afe00ea0d809307cb902b

SHA512
a2e00b94cc43d1363c33cda311f96fad4a768100ce5bbb87da5b27a7a55d7e2fe1b64a77448fb8d0503b359de08ff28aeaa0db4b050f4b93bdf936f7965fab07

Download Submit