4408aef10e65ae89f2b28ee85635ee48fde9206ee5c23f59464a1a85b82014a1

Analysis

max time kernel
165s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4408aef10e65ae89f2b28ee85635ee48fde9206ee5c23f59464a1a85b82014a1.exe
Size

924KB
MD5

035000b397f3d3f9797a4ccfa4589468
SHA1

809500daddec2033d323aa2b749070ea2f228fc2
SHA256

4408aef10e65ae89f2b28ee85635ee48fde9206ee5c23f59464a1a85b82014a1
SHA512

5c26e9fe6bd5cc5fd14cced6db605dafd0ac529768f81224f8f1b47a515116b0e7450d45fa4df90f9c6603c8dbb76cd112e1f5fbc005b614b874c056af48780c
SSDEEP

24576:h1OYdaOFfC5S9N6w6EVX1Lh+mN5Z4E8IlIyYuXF:h1OsEMN6wdBh5N5Z4E8PuXF

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

8ZRHjvevlprUkBK.exe

pid process

1548 8ZRHjvevlprUkBK.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

8ZRHjvevlprUkBK.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\doifenhkjhcobmkdjhcdnljenldcllgn\2.0\manifest.json	8ZRHjvevlprUkBK.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\doifenhkjhcobmkdjhcdnljenldcllgn\2.0\manifest.json	8ZRHjvevlprUkBK.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\doifenhkjhcobmkdjhcdnljenldcllgn\2.0\manifest.json	8ZRHjvevlprUkBK.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\doifenhkjhcobmkdjhcdnljenldcllgn\2.0\manifest.json	8ZRHjvevlprUkBK.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\doifenhkjhcobmkdjhcdnljenldcllgn\2.0\manifest.json	8ZRHjvevlprUkBK.exe

Drops file in System32 directory 4 IoCs

Processes:

8ZRHjvevlprUkBK.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	8ZRHjvevlprUkBK.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	8ZRHjvevlprUkBK.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	8ZRHjvevlprUkBK.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	8ZRHjvevlprUkBK.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

8ZRHjvevlprUkBK.exe

pid	process
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe
1548	8ZRHjvevlprUkBK.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

8ZRHjvevlprUkBK.exe

description	pid	process
Token: SeDebugPrivilege	1548	8ZRHjvevlprUkBK.exe
Token: SeDebugPrivilege	1548	8ZRHjvevlprUkBK.exe
Token: SeDebugPrivilege	1548	8ZRHjvevlprUkBK.exe
Token: SeDebugPrivilege	1548	8ZRHjvevlprUkBK.exe
Token: SeDebugPrivilege	1548	8ZRHjvevlprUkBK.exe
Token: SeDebugPrivilege	1548	8ZRHjvevlprUkBK.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4408aef10e65ae89f2b28ee85635ee48fde9206ee5c23f59464a1a85b82014a1.exe

description	pid	process	target process
PID 2144 wrote to memory of 1548	2144	4408aef10e65ae89f2b28ee85635ee48fde9206ee5c23f59464a1a85b82014a1.exe	8ZRHjvevlprUkBK.exe
PID 2144 wrote to memory of 1548	2144	4408aef10e65ae89f2b28ee85635ee48fde9206ee5c23f59464a1a85b82014a1.exe	8ZRHjvevlprUkBK.exe
PID 2144 wrote to memory of 1548	2144	4408aef10e65ae89f2b28ee85635ee48fde9206ee5c23f59464a1a85b82014a1.exe	8ZRHjvevlprUkBK.exe

C:\Users\Admin\AppData\Local\Temp\4408aef10e65ae89f2b28ee85635ee48fde9206ee5c23f59464a1a85b82014a1.exe
"C:\Users\Admin\AppData\Local\Temp\4408aef10e65ae89f2b28ee85635ee48fde9206ee5c23f59464a1a85b82014a1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Users\Admin\AppData\Local\Temp\7zSCC8C.tmp\8ZRHjvevlprUkBK.exe
.\8ZRHjvevlprUkBK.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSCC8C.tmp\8ZRHjvevlprUkBK.dat

Filesize
1KB

MD5
523f8e06a55e288241641b5830cb7e60

SHA1
d7bf80e5389ba04b6b561b7714aca04c3fead6a1

SHA256
9dcbcf86659ce027b4bcc0034510be662fb61936791e83590ff5a3f3f4c2889a

SHA512
9a033759fb07bb7cd82603ce9c27b81572de1e33cc5c20e63c6b01f73dcc374aa3fcf5f9f2cbb492e8682c176ef8c12b0dde5bdeff68ec6d05ab9d69b337d14c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC8C.tmp\8ZRHjvevlprUkBK.exe

Filesize
765KB

MD5
21c7e6ab35acdb8d15ac0590900c5206

SHA1
bd696ab0d1806c5492b4444d96fe272f217f4058

SHA256
314c44ac357c692c66516271e02fe280e9fc6d030a7172f2379c81fa383d44ec

SHA512
775636d7ec02398e32463ceaa7e1b18fe20689ed75d9c731b37b83f4c3ce828d2d2274d2f75d4f2c25133775969864467eff69b5fbf40e286fbfca6bdee1d3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC8C.tmp\8ZRHjvevlprUkBK.exe

Filesize
765KB

MD5
21c7e6ab35acdb8d15ac0590900c5206

SHA1
bd696ab0d1806c5492b4444d96fe272f217f4058

SHA256
314c44ac357c692c66516271e02fe280e9fc6d030a7172f2379c81fa383d44ec

SHA512
775636d7ec02398e32463ceaa7e1b18fe20689ed75d9c731b37b83f4c3ce828d2d2274d2f75d4f2c25133775969864467eff69b5fbf40e286fbfca6bdee1d3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC8C.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC8C.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
8aebe9732a26296f03eab9ba0a1e2391

SHA1
e8396c9fc2f62b9ac3f883788159b102fed1b77c

SHA256
89cb6da8c06fa794c161e5414f08910dd8af6cbd68cc1eac1e3fe512fe81afd8

SHA512
ca98a02d904544fa4b739b485c128b36570c85e35b6c4060189b51553309563ec59ffe8be89e3aa3b825b51f35a078b8cd8d2c15b0a7c9d78ad0537bd4945144

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC8C.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
a2952dc33fc21ea4d03bfb557e1121e3

SHA1
98144ee5898b2798e6a36c5afda38c74184184a2

SHA256
9cb24cd3ea29bb72d419875f4c59142178a96d88540d1834e478a058b1ad7021

SHA512
1afa59c875b9cd0429cd76b97bb21eef99dfadee12b56f903f0aed87243407830f640abf8071648c211415bb2c8dbfbf72fa6d0695a5da22ac4157bbf1d02049

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC8C.tmp\[email protected]\install.rdf

Filesize
592B

MD5
32c1ccabf5b71bf34e549b0c2134ce51

SHA1
5e4d8ee91187baa50b8bfb5782601b2d10415330

SHA256
0bf6e2b5403e8b7e9d9000cb2ef8db312fdb3bf81162faf57602c5adf7902d9d

SHA512
ab738488fd25e02120cee92b060b7d5163d8b378e00629926f9f4db78571b237e6419a0d2cbc02051ee93d037439b93eb8c418137bb80808a8a02323157cc623

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC8C.tmp\doifenhkjhcobmkdjhcdnljenldcllgn\OsxDNamLzO.js

Filesize
6KB

MD5
58f2bde209e8a9e54ef522676dc4768d

SHA1
afd5671d4cef5e3cda208c64f9ce054d281ad1be

SHA256
ed35827bd7e39829d4cd58562b48a030ad0c5186ad1380d4fa79f837314e6da7

SHA512
67815ff5490ee7a71714efd11121398f3104eaa4e16b1d2cd6391819af3f4bc53c62c3cd144af95d833b8bb0cf4adc2b54202cec5ecbf9c45c466f998c98ec80

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC8C.tmp\doifenhkjhcobmkdjhcdnljenldcllgn\background.html

Filesize
147B

MD5
37b8f9c934c48f2936a3d4ee6e4ed55b

SHA1
f479bd2d5e0b4c5953f761b3ac67b28697548371

SHA256
3bbb5b69e0a301f2c972f8478741e666b3a8541d7a47d6fc6ad908a15672437c

SHA512
61fb0feb61bdd986262998a1faa08b231a1c42987b5bb0001fe59b0b65729632865e25b0d6bcc51ce74ecc007554034cc3a631f44d1ad76a1ac4de9636200f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC8C.tmp\doifenhkjhcobmkdjhcdnljenldcllgn\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC8C.tmp\doifenhkjhcobmkdjhcdnljenldcllgn\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC8C.tmp\doifenhkjhcobmkdjhcdnljenldcllgn\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/1548-132-0x0000000000000000-mapping.dmp

Download