5f5fd5a497cd14ac5f8b519816c0a239120d0cc3b338e3ce39c53f0e7d4a4c03

Analysis

max time kernel
176s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f5fd5a497cd14ac5f8b519816c0a239120d0cc3b338e3ce39c53f0e7d4a4c03.exe
Size

931KB
MD5

187359eb208e008f9c896d87e85b4972
SHA1

a1b1c9751d664cbee01142484b740d2038ebb69e
SHA256

5f5fd5a497cd14ac5f8b519816c0a239120d0cc3b338e3ce39c53f0e7d4a4c03
SHA512

bc3ee363e8efa97c7dc0317a9290b9155525b76389bcdf9d9eaedaf8940f5ff4caca9981e32a52cd8b9e20dfd96887135f831dc076f6034b0d0d8fd61a021d1c
SSDEEP

24576:h1OYdaOaMWSUbvCXEQKSqGv8VWumF6RmcJozyPvpfs:h1OsQMWyUQ+GUVFIcHPvpfs

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

iyUv5lPzxDAuJTq.exe

pid process

3964 iyUv5lPzxDAuJTq.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

iyUv5lPzxDAuJTq.exe

description	ioc	process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\chogfbadnkencecajmbmnpnbifakjlob\2.0\manifest.json	iyUv5lPzxDAuJTq.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\chogfbadnkencecajmbmnpnbifakjlob\2.0\manifest.json	iyUv5lPzxDAuJTq.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\chogfbadnkencecajmbmnpnbifakjlob\2.0\manifest.json	iyUv5lPzxDAuJTq.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\chogfbadnkencecajmbmnpnbifakjlob\2.0\manifest.json	iyUv5lPzxDAuJTq.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\chogfbadnkencecajmbmnpnbifakjlob\2.0\manifest.json	iyUv5lPzxDAuJTq.exe

Drops file in System32 directory 4 IoCs

Processes:

iyUv5lPzxDAuJTq.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	iyUv5lPzxDAuJTq.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	iyUv5lPzxDAuJTq.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	iyUv5lPzxDAuJTq.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	iyUv5lPzxDAuJTq.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

iyUv5lPzxDAuJTq.exe

pid	process
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe
3964	iyUv5lPzxDAuJTq.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

iyUv5lPzxDAuJTq.exe

description	pid	process
Token: SeDebugPrivilege	3964	iyUv5lPzxDAuJTq.exe
Token: SeDebugPrivilege	3964	iyUv5lPzxDAuJTq.exe
Token: SeDebugPrivilege	3964	iyUv5lPzxDAuJTq.exe
Token: SeDebugPrivilege	3964	iyUv5lPzxDAuJTq.exe
Token: SeDebugPrivilege	3964	iyUv5lPzxDAuJTq.exe
Token: SeDebugPrivilege	3964	iyUv5lPzxDAuJTq.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

5f5fd5a497cd14ac5f8b519816c0a239120d0cc3b338e3ce39c53f0e7d4a4c03.exe

description	pid	process	target process
PID 4728 wrote to memory of 3964	4728	5f5fd5a497cd14ac5f8b519816c0a239120d0cc3b338e3ce39c53f0e7d4a4c03.exe	iyUv5lPzxDAuJTq.exe
PID 4728 wrote to memory of 3964	4728	5f5fd5a497cd14ac5f8b519816c0a239120d0cc3b338e3ce39c53f0e7d4a4c03.exe	iyUv5lPzxDAuJTq.exe
PID 4728 wrote to memory of 3964	4728	5f5fd5a497cd14ac5f8b519816c0a239120d0cc3b338e3ce39c53f0e7d4a4c03.exe	iyUv5lPzxDAuJTq.exe

C:\Users\Admin\AppData\Local\Temp\5f5fd5a497cd14ac5f8b519816c0a239120d0cc3b338e3ce39c53f0e7d4a4c03.exe
"C:\Users\Admin\AppData\Local\Temp\5f5fd5a497cd14ac5f8b519816c0a239120d0cc3b338e3ce39c53f0e7d4a4c03.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4728

C:\Users\Admin\AppData\Local\Temp\7zS47A8.tmp\iyUv5lPzxDAuJTq.exe
.\iyUv5lPzxDAuJTq.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS47A8.tmp\chogfbadnkencecajmbmnpnbifakjlob\Hlbj47MKTn.js

Filesize
6KB

MD5
6800a037dad132a943b15999142ea2d2

SHA1
6d7c1ab5856af983ee83cac2192e1cc6e23ecab6

SHA256
20278204645a2ba9e2992cb705b3fa9f637846453e91b224c83b2b4bc7188033

SHA512
cb3b378dc8e20447e70a2e446993e44b367c79cc5c4ebb512eb68f13e05e194b220f64e3e17aaaa48feeb38db45e3682ae42d15e9f33de12ee73f6eed3b9485d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47A8.tmp\chogfbadnkencecajmbmnpnbifakjlob\background.html

Filesize
147B

MD5
c962f56dfd79dd3cee1f7d8b3e19b7fe

SHA1
2cc96fec0984410b83193170156c9eee1965a09e

SHA256
d9e8a03fb297493c62059870b4cc0351f5b4bc2d784b719f8a0bf555165d57bc

SHA512
150f3a88d5120e77866fd867a1a997953d5b348a601c55577ba71e44dd01c3f11e10bb7691aff24fe1ecd0760de8a30c6d2d5942a44605cb80a0a938bdc2a2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47A8.tmp\chogfbadnkencecajmbmnpnbifakjlob\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47A8.tmp\chogfbadnkencecajmbmnpnbifakjlob\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47A8.tmp\chogfbadnkencecajmbmnpnbifakjlob\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47A8.tmp\iyUv5lPzxDAuJTq.dat

Filesize
1KB

MD5
76d33aa9b66521fac5a5bea28d5694e9

SHA1
cd1ef14a874a7aa8766cfd77fc4ca905a7c186b6

SHA256
0000d903bc6d7e802ba3ea8919a61c6bdaee005c6b84413bbaddf3e4204e30e8

SHA512
b4443740df74f09873537407bea7cc39df4523fae1b402b11aa5121d701876e76d4a63975d7a7bf154b1bceefe4843a315ed828feeadf4338bfed9b7b471c62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47A8.tmp\iyUv5lPzxDAuJTq.exe

Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47A8.tmp\iyUv5lPzxDAuJTq.exe

Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47A8.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47A8.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
cdfebf33df6cc406f75d97eb7841130b

SHA1
66427d2337da0910dd840c59b03f0fe13bfaccca

SHA256
05c45b7a1cd5394b3a76515af07672b79f50475120a2935c46097a5aabd5581f

SHA512
fa94fa857a54b1aae0af733ce2305877c71216e2391784cbf43a0e4e7049f9d5fb9b282e098262d58aa088314a40b35993e4f0a13b8245870a3b35d68a5500d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47A8.tmp\[email protected]\content\bg.js

Filesize
9KB

MD5
ee860fedbc2c5b43ec9355b36af8f010

SHA1
42de034da2d290a8e9db0e8e83460e027ecff23a

SHA256
28258c9a331c4fe466726010ef138d99c5f43650134d5affc1e628dcf0e9ebdc

SHA512
ad228aa93b462ac5327a5d39239f2fb7924dfd08f22f2f2c348d9728b5085a4b9aab6fd11f549db17c88960562a873ae42ed7f022f7f0b1b4760d0351966b7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47A8.tmp\[email protected]\install.rdf

Filesize
592B

MD5
d4b973edad65fef657be9977d65ccb52

SHA1
3972f72fbed52c5224d0b00cbac5a798b30f977a

SHA256
1eced0f38fdd559ace0320eb4fab509bf3cf605769e8b2b75efca24752d19ae7

SHA512
85f212b8686791715eb8aceb24b031d8a22eef591cb5311849d7be389de4bf51828823334ec030632f82999aa01fb0e1bdf340c21f420e29440b6351de595c20

Download Submit
memory/3964-132-0x0000000000000000-mapping.dmp

Download