3b418f94acd5a0d01d477060f8b6e2c8017aa4ee5772ac2ceb4039fbe09a26e2

Analysis

max time kernel
154s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b418f94acd5a0d01d477060f8b6e2c8017aa4ee5772ac2ceb4039fbe09a26e2.exe
Size

931KB
MD5

6a3486669841ba38dfa688fa253d33f0
SHA1

d5605d5806edf39c740a34814b6d4bc2d59d5c36
SHA256

3b418f94acd5a0d01d477060f8b6e2c8017aa4ee5772ac2ceb4039fbe09a26e2
SHA512

c96c843524e1e9f823eb3e04644710fddffbeb6cbbcbf05b89d77ab1ec1e31a9cd60a62211b93befcd80f0b08581406ffc36255296bba3195b17db8a335b48a8
SSDEEP

24576:h1OYdaOBMWSUbvCXEQKSqGv8VWumF6RmcJozyPvpfk:h1OsTMWyUQ+GUVFIcHPvpfk

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4676	lQIogHHVJmiGx21.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbddlgenmocogohdbcelkondnaohpcph\2.0\manifest.json	lQIogHHVJmiGx21.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbddlgenmocogohdbcelkondnaohpcph\2.0\manifest.json	lQIogHHVJmiGx21.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbddlgenmocogohdbcelkondnaohpcph\2.0\manifest.json	lQIogHHVJmiGx21.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbddlgenmocogohdbcelkondnaohpcph\2.0\manifest.json	lQIogHHVJmiGx21.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbddlgenmocogohdbcelkondnaohpcph\2.0\manifest.json	lQIogHHVJmiGx21.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	lQIogHHVJmiGx21.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	lQIogHHVJmiGx21.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	lQIogHHVJmiGx21.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	lQIogHHVJmiGx21.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe
4676	lQIogHHVJmiGx21.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	lQIogHHVJmiGx21.exe
Token: SeDebugPrivilege	4676	lQIogHHVJmiGx21.exe
Token: SeDebugPrivilege	4676	lQIogHHVJmiGx21.exe
Token: SeDebugPrivilege	4676	lQIogHHVJmiGx21.exe
Token: SeDebugPrivilege	4676	lQIogHHVJmiGx21.exe
Token: SeDebugPrivilege	4676	lQIogHHVJmiGx21.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 4676	2836	3b418f94acd5a0d01d477060f8b6e2c8017aa4ee5772ac2ceb4039fbe09a26e2.exe	79
PID 2836 wrote to memory of 4676	2836	3b418f94acd5a0d01d477060f8b6e2c8017aa4ee5772ac2ceb4039fbe09a26e2.exe	79
PID 2836 wrote to memory of 4676	2836	3b418f94acd5a0d01d477060f8b6e2c8017aa4ee5772ac2ceb4039fbe09a26e2.exe	79

C:\Users\Admin\AppData\Local\Temp\3b418f94acd5a0d01d477060f8b6e2c8017aa4ee5772ac2ceb4039fbe09a26e2.exe
"C:\Users\Admin\AppData\Local\Temp\3b418f94acd5a0d01d477060f8b6e2c8017aa4ee5772ac2ceb4039fbe09a26e2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Temp\7zS799A.tmp\lQIogHHVJmiGx21.exe
  .\lQIogHHVJmiGx21.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS799A.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS799A.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
3a48d102cceb5d591adba9b349aa8cf7

SHA1
7f13dea584b689aa42ab924c01c33ae95c734688

SHA256
645d340500b8f28405f90a234818cf44f7bd655b14e5bf5a94adcba6a43a06d7

SHA512
0569c13c53bcd56820ecb6a9b5427d8d583e23558c5b1f71b587c654219a0beaa2d396a8d58a6c3766b5ef64a48bb8cb6bf9846b4e84ead10f140ed58de23468

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS799A.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
ad3a733218aa0eb531b12e24b7a8210e

SHA1
72786931cd4ebfe08e1c03322b89e1d02eca9f75

SHA256
cc76ca4585edfae3389ff57e7c1376086f180d3ae142924dbb77f5ee72cc0483

SHA512
1a50327fd678b6ee8979dc4de4bd41ec095c91ead7a305c5b7c67825af03159e28300af721675cd36208e9a45b9d4c7bab0648cec5022ece9aea2d59981bd9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS799A.tmp\[email protected]\install.rdf

Filesize
597B

MD5
6015bad642b25f96cb97726992a3ba58

SHA1
3e89876560f65ec299f52daa924028733a46a502

SHA256
d24ea8ea27528468d729112b16239fbfd38778b4f927d52f01c266384d88bc6f

SHA512
b2f5fb997a769fc72d6271d897828b0963ed34878d68e75bc33c3ab66c275499ecacb8424f4ded88045b8f5109a8ace14135b76425d4b2861e1153d2a4eb15af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS799A.tmp\dbddlgenmocogohdbcelkondnaohpcph\background.html

Filesize
147B

MD5
4c5fcf8239ead6d3de58ffe44faaa4d8

SHA1
33284e0c51365b5180f28870eddf1b41c58a5a09

SHA256
a8e3b69fad556d26dc221e1b4c345cc7f737e0945d0af0987667010e462d4ccd

SHA512
310f9c156100a3892acb63e24399727efdd9ea2785958a7fbb75babaecbbe5ffc8a3e3adca92be5d6aaa114f02ec6e78385d531074f0b5a36051264f242cc1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS799A.tmp\dbddlgenmocogohdbcelkondnaohpcph\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS799A.tmp\dbddlgenmocogohdbcelkondnaohpcph\fQ0b3Oe5EX.js

Filesize
6KB

MD5
098dccd8c7b70be05ffeed3f092ae098

SHA1
b40561653192ffd807ca7e541c98fdd194ad89bc

SHA256
10510bbf2d29ea2116bf0ade66c8cd040d0545804be07113c343a5eb03e47e1b

SHA512
6d7f18a6e832cdb86efda70be171538df07df360613b813c51e4c7b061fc572161ee90b2a6e179aeb0fe1fb4245223ac3fe530093a7116c9c03f0868bfe37ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS799A.tmp\dbddlgenmocogohdbcelkondnaohpcph\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS799A.tmp\dbddlgenmocogohdbcelkondnaohpcph\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS799A.tmp\lQIogHHVJmiGx21.dat

Filesize
1KB

MD5
d1120f7281aa91ce922d5a07dccb31c4

SHA1
6c3f2064efc51eb638b1fb3a673703f57ad16c33

SHA256
1e03f42f4050ba782fc657d59148a1d410be0f8a8c42ef13a33e27f4798b717a

SHA512
48b6d0515e2e5fafce94322d93c5457cf53664c1f191bf6d4159a26b999539bbb6885a46c7ea014424c7eb10a85b10773ee00c55f896418d999ecbf249381db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS799A.tmp\lQIogHHVJmiGx21.exe

Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS799A.tmp\lQIogHHVJmiGx21.exe

Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit
memory/4676-132-0x0000000000000000-mapping.dmp

Download