5009201f3a515a623b0b4386fa9ba326cb0967a9c65d889c314dd3def3854cb2

Analysis

max time kernel
214s
max time network
239s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5009201f3a515a623b0b4386fa9ba326cb0967a9c65d889c314dd3def3854cb2.exe
Size

924KB
MD5

a34cf4e24988acfc137cd8c03400b3aa
SHA1

f18bd872c263c28b802cee605fe37c16870b71cc
SHA256

5009201f3a515a623b0b4386fa9ba326cb0967a9c65d889c314dd3def3854cb2
SHA512

4fd6a1372776e2aea50b90e39f3aee8a4927a97466e1022612dd2d413a3af9002b5a9c08de40c1dd7cd0485b991658ab70db75c0374adcc030e24bea7f5edfc8
SSDEEP

24576:h1OYdaOxfC5S9N6w6EVX1Lh+mN5Z4E8IlIyYuXA:h1OsMMN6wdBh5N5Z4E8PuXA

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

OK6NEwRQrg1PwTE.exe

pid process

1456 OK6NEwRQrg1PwTE.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

OK6NEwRQrg1PwTE.exe

description	ioc	process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdegndnnmhecpajikllmccimgeihpkel\2.0\manifest.json	OK6NEwRQrg1PwTE.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdegndnnmhecpajikllmccimgeihpkel\2.0\manifest.json	OK6NEwRQrg1PwTE.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdegndnnmhecpajikllmccimgeihpkel\2.0\manifest.json	OK6NEwRQrg1PwTE.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdegndnnmhecpajikllmccimgeihpkel\2.0\manifest.json	OK6NEwRQrg1PwTE.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdegndnnmhecpajikllmccimgeihpkel\2.0\manifest.json	OK6NEwRQrg1PwTE.exe

Drops file in System32 directory 4 IoCs

Processes:

OK6NEwRQrg1PwTE.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	OK6NEwRQrg1PwTE.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	OK6NEwRQrg1PwTE.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	OK6NEwRQrg1PwTE.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	OK6NEwRQrg1PwTE.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

OK6NEwRQrg1PwTE.exe

pid	process
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe
1456	OK6NEwRQrg1PwTE.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

OK6NEwRQrg1PwTE.exe

description	pid	process
Token: SeDebugPrivilege	1456	OK6NEwRQrg1PwTE.exe
Token: SeDebugPrivilege	1456	OK6NEwRQrg1PwTE.exe
Token: SeDebugPrivilege	1456	OK6NEwRQrg1PwTE.exe
Token: SeDebugPrivilege	1456	OK6NEwRQrg1PwTE.exe
Token: SeDebugPrivilege	1456	OK6NEwRQrg1PwTE.exe
Token: SeDebugPrivilege	1456	OK6NEwRQrg1PwTE.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

5009201f3a515a623b0b4386fa9ba326cb0967a9c65d889c314dd3def3854cb2.exe

description	pid	process	target process
PID 1920 wrote to memory of 1456	1920	5009201f3a515a623b0b4386fa9ba326cb0967a9c65d889c314dd3def3854cb2.exe	OK6NEwRQrg1PwTE.exe
PID 1920 wrote to memory of 1456	1920	5009201f3a515a623b0b4386fa9ba326cb0967a9c65d889c314dd3def3854cb2.exe	OK6NEwRQrg1PwTE.exe
PID 1920 wrote to memory of 1456	1920	5009201f3a515a623b0b4386fa9ba326cb0967a9c65d889c314dd3def3854cb2.exe	OK6NEwRQrg1PwTE.exe

C:\Users\Admin\AppData\Local\Temp\5009201f3a515a623b0b4386fa9ba326cb0967a9c65d889c314dd3def3854cb2.exe
"C:\Users\Admin\AppData\Local\Temp\5009201f3a515a623b0b4386fa9ba326cb0967a9c65d889c314dd3def3854cb2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\7zSCB8D.tmp\OK6NEwRQrg1PwTE.exe
.\OK6NEwRQrg1PwTE.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSCB8D.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB8D.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
59f6da7eb01386b6bfd5230c75bf1c9f

SHA1
2aeeba0918d06675e53b06ab4ffcbbc09563c0d3

SHA256
92e6d42826b4cc872b90ef5e0c18bb3bf56906ac5893c095d81e476bd532d360

SHA512
a72981a250d587a6b5cf270d48ce410fddd911b82dad6b1e1b0efbb229a19f0358f2cf3745f415cb276e844ca5b387f9c472ca6a320a7798f43340936e463e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB8D.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
21678d99adf2bb3ec73a315d1e65378b

SHA1
c073f31b1a2196203f692c2681b0fc95976ae1b9

SHA256
f355f561ba39657c545c5780c427f1b0b2e35803bb36453caa0268c7ce1ea798

SHA512
02104cdc80948ddae08b8c677ec3ece359f14a57757fb11f523c3f9937f996b087d5a13353258ab3f8848b13319d368485de24a8971b9051d8aaa6e24cc740f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB8D.tmp\[email protected]\install.rdf

Filesize
597B

MD5
4846dc115114ef233f4f84a7255b309f

SHA1
bdd5f04dfbdaddb84a14f41de58b89d9c8f8504e

SHA256
4f12247a10a3f124318f27c3e086266886af16572232c4e19fe5382437ee7088

SHA512
0925532da1560aff4793ac1a5c5cd38280eda9f966619a926af49c53b86f90bf8d13922b1ff1cddc47131430a972c3812948159eb0b50de283437816ff9ee357

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB8D.tmp\OK6NEwRQrg1PwTE.dat

Filesize
1KB

MD5
acbdbf02ed085bf4ab68fa8c71d355d8

SHA1
916e926c09ff8a89c3fb9f5c9ab78a8b89e32587

SHA256
ed302a819cc76dae6d3af50ceff1f5c95a9e852cdb3874e35dcd672132258399

SHA512
6fa696a349b4256df5689061033dd6679f8dad8389ebc9f4840b5e97a9b3799a2cb068c3b008187f502fd6835b5a8ecb5df668113213064c45daa4f0e3bf4b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB8D.tmp\OK6NEwRQrg1PwTE.exe

Filesize
765KB

MD5
21c7e6ab35acdb8d15ac0590900c5206

SHA1
bd696ab0d1806c5492b4444d96fe272f217f4058

SHA256
314c44ac357c692c66516271e02fe280e9fc6d030a7172f2379c81fa383d44ec

SHA512
775636d7ec02398e32463ceaa7e1b18fe20689ed75d9c731b37b83f4c3ce828d2d2274d2f75d4f2c25133775969864467eff69b5fbf40e286fbfca6bdee1d3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB8D.tmp\OK6NEwRQrg1PwTE.exe

Filesize
765KB

MD5
21c7e6ab35acdb8d15ac0590900c5206

SHA1
bd696ab0d1806c5492b4444d96fe272f217f4058

SHA256
314c44ac357c692c66516271e02fe280e9fc6d030a7172f2379c81fa383d44ec

SHA512
775636d7ec02398e32463ceaa7e1b18fe20689ed75d9c731b37b83f4c3ce828d2d2274d2f75d4f2c25133775969864467eff69b5fbf40e286fbfca6bdee1d3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB8D.tmp\gdegndnnmhecpajikllmccimgeihpkel\background.html

Filesize
147B

MD5
a03bf8f24eedbcc3fe943e8fa446e261

SHA1
7ea63c3ea95ef3e9e879a41d7b09b7fc7bb7c290

SHA256
748962e935d890f5c2cd64faf5b14eb085d6bcb28a15458b65dff443e1887590

SHA512
c70010a8f1d88fb685d4ffb9d9fbc3b805c21cd2a7fc96788464e66c5369e267d319f674bda3696b21a0119fb4986d51417985545874278854aad7c4b9938b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB8D.tmp\gdegndnnmhecpajikllmccimgeihpkel\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB8D.tmp\gdegndnnmhecpajikllmccimgeihpkel\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB8D.tmp\gdegndnnmhecpajikllmccimgeihpkel\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB8D.tmp\gdegndnnmhecpajikllmccimgeihpkel\x55a7vMFVI.js

Filesize
6KB

MD5
72c6acca777d9ce8c328765edfe4588d

SHA1
294e4d09a68d065b0da8dbdde41792ae754473cd

SHA256
0a909156477b7a7affc8ca47fea566c838d37d26ace57fe4104907677dfc5262

SHA512
4dc425d220febe52bb05034a752d68cf1435045b75364f7f1264fe0983d387368e64eae8d08afff49a1c9591cb227ebb7c60963eff0dac52b2a0b56970d3fb1d

Download Submit
memory/1456-132-0x0000000000000000-mapping.dmp

Download