2cbfe952e0c9a9b1d7095c1910cfffc18f11622472ac339eef16b35c7b969ad8

Analysis

max time kernel
183s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cbfe952e0c9a9b1d7095c1910cfffc18f11622472ac339eef16b35c7b969ad8.exe
Size

923KB
MD5

a101c2e52fd6947020d10470819057f8
SHA1

08ef994891cca47be0da02ffe4dbc89c28d9ce45
SHA256

2cbfe952e0c9a9b1d7095c1910cfffc18f11622472ac339eef16b35c7b969ad8
SHA512

89c268872ad04d6dfb0e260bbbdade5467dff4426870e063cbca184047b05ec6b19216e110458f4e2ac240b92de22aba8d449ab3fcb27360e04a70812bd9bd0e
SSDEEP

24576:h1OYdaOC4BQGx2jUReefMaGeOPw8Y7H3b+QG:h1Osc4BQ02o4efMz68Y/+QG

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2016	X3f7Kn9AN4mzDv1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\maillinjiepnbbkmllbpmhjfaobjiida\2.0\manifest.json	X3f7Kn9AN4mzDv1.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\maillinjiepnbbkmllbpmhjfaobjiida\2.0\manifest.json	X3f7Kn9AN4mzDv1.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\maillinjiepnbbkmllbpmhjfaobjiida\2.0\manifest.json	X3f7Kn9AN4mzDv1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\maillinjiepnbbkmllbpmhjfaobjiida\2.0\manifest.json	X3f7Kn9AN4mzDv1.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\maillinjiepnbbkmllbpmhjfaobjiida\2.0\manifest.json	X3f7Kn9AN4mzDv1.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	X3f7Kn9AN4mzDv1.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	X3f7Kn9AN4mzDv1.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	X3f7Kn9AN4mzDv1.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	X3f7Kn9AN4mzDv1.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe
2016	X3f7Kn9AN4mzDv1.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	X3f7Kn9AN4mzDv1.exe
Token: SeDebugPrivilege	2016	X3f7Kn9AN4mzDv1.exe
Token: SeDebugPrivilege	2016	X3f7Kn9AN4mzDv1.exe
Token: SeDebugPrivilege	2016	X3f7Kn9AN4mzDv1.exe
Token: SeDebugPrivilege	2016	X3f7Kn9AN4mzDv1.exe
Token: SeDebugPrivilege	2016	X3f7Kn9AN4mzDv1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2016	1220	2cbfe952e0c9a9b1d7095c1910cfffc18f11622472ac339eef16b35c7b969ad8.exe	83
PID 1220 wrote to memory of 2016	1220	2cbfe952e0c9a9b1d7095c1910cfffc18f11622472ac339eef16b35c7b969ad8.exe	83
PID 1220 wrote to memory of 2016	1220	2cbfe952e0c9a9b1d7095c1910cfffc18f11622472ac339eef16b35c7b969ad8.exe	83

C:\Users\Admin\AppData\Local\Temp\2cbfe952e0c9a9b1d7095c1910cfffc18f11622472ac339eef16b35c7b969ad8.exe
"C:\Users\Admin\AppData\Local\Temp\2cbfe952e0c9a9b1d7095c1910cfffc18f11622472ac339eef16b35c7b969ad8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\X3f7Kn9AN4mzDv1.exe
  .\X3f7Kn9AN4mzDv1.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\X3f7Kn9AN4mzDv1.dat

Filesize
1KB

MD5
b6bb964d290b1bfe995b2437dbd45580

SHA1
7861f65caa95d04e1b899e6781f3947d5b1f28ab

SHA256
fc88e0d0a02d2c90b649913e11abc7d9d93f21697848ce3eddbcfb446986c7a1

SHA512
5a5b635c45bf5eb637199dfad3092fe6cad5283878c13f6b46fabde6fb5dc0d46e034156710d961a43bd77175ee814c37af8609329708eeca08d421be09052be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\X3f7Kn9AN4mzDv1.exe

Filesize
766KB

MD5
98bb6d71947f05029c05bf6475839ce5

SHA1
9caad62d2dcb2f3d72e068643b4266cae20e2870

SHA256
0455048865ea330b772bf2586abc91f7ddeda4f7d6ef9f2de89576554fa7b3c1

SHA512
0ec35056c52cca408bfb5024226194f9727eaba5c415c3ccbe6acb0785774e43d4ddf65818c127a8770c9b05d40658479b34ffab4e4a475ed8ad142bc61bbaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\X3f7Kn9AN4mzDv1.exe

Filesize
766KB

MD5
98bb6d71947f05029c05bf6475839ce5

SHA1
9caad62d2dcb2f3d72e068643b4266cae20e2870

SHA256
0455048865ea330b772bf2586abc91f7ddeda4f7d6ef9f2de89576554fa7b3c1

SHA512
0ec35056c52cca408bfb5024226194f9727eaba5c415c3ccbe6acb0785774e43d4ddf65818c127a8770c9b05d40658479b34ffab4e4a475ed8ad142bc61bbaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\maillinjiepnbbkmllbpmhjfaobjiida\background.html

Filesize
147B

MD5
bc2839a1787a2b357a86bd2a5aa62242

SHA1
fe7f2422512e54c29a37bbae68038b0a48237ca3

SHA256
18196c46a4e62377e4f6c8993bcf296c2119e1e12029170aeafbccd6e3888f4c

SHA512
150941174da8c4a6376993820b8d15dd8bcc92185321cf15c92f74cd00cc6de5dd03533ae996ad45ab0ad35cceaa0bbd097f3149eacca467191b65db69173735

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\maillinjiepnbbkmllbpmhjfaobjiida\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\maillinjiepnbbkmllbpmhjfaobjiida\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\maillinjiepnbbkmllbpmhjfaobjiida\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\maillinjiepnbbkmllbpmhjfaobjiida\xTG7qOb7IM.js

Filesize
5KB

MD5
3663968143f2ec0a5115346da9b3a727

SHA1
b9211ca0ebc39793de3ba1bfd3d0ced480d3f4a2

SHA256
6bd307afc6362d3280add32584e2ecb2699ddfaab4ee406bde099b8ae8d324fd

SHA512
4099df422ac3041fc8a6801e2a6b71d3545e0e51ee678ab7579870e3cb17ffddff51b7742e40a00b063dab9f7677f7ae01cbd5971bc2bf3a63949d0053ba70a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
d7b5701c85ca0a7aa79ab0f4678b4ea9

SHA1
5c17ced925c67797c5fb1207c86429c0e90e25b1

SHA256
1f0e4ab7af18dfc8206b7b4d4d2d3884a5c5826f57ac1dfe1596ff223d433d11

SHA512
4bac87e07f2ba4c42dcbe3e4e7088d36fe0199e64a0bb2c3dc802749102daa87de87da0a51115c82b5a8ca52c2840b81c973f820300819a54dc3ce03eaa88d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
3d2638f57ba38ce1285a38994efb5c30

SHA1
0ac4c3a111cb16054fd09b3f1718d7cac431c536

SHA256
088556557091cff24db1d5b8d78dd50052b3c5b3eef89c8326bf3ede37ddc37b

SHA512
1d28e10568413ddbfc4fa0a2fda66e98cb47d9edbd19e025c6393ca7544a374037685e87196511bc65777b9ca03f2cacc955e115472f197b74baa1e00db7be6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\[email protected]\install.rdf

Filesize
591B

MD5
90aee233dc3c2275d1da4302b4cac7c3

SHA1
178eb5fbb4ea5385bb7b86c6a29a78c46d084ba1

SHA256
f4388f8058f71246d14b947af9c1975f41332829f790ca8df4f4ad57e102f3bd

SHA512
a4ab0f6b061e2e711a2ba7880cfcc0238d09e5c02f2c29d3048ed501f843cc41832b3b2a9ad39cb190d5431f3cdebddf75a3fb7c39facd700eccae7d5a1c26d8

Download Submit