cabf2356da2cb2e79eeee2be377f1edc6e9648be047213112d0289dca1ddfcd7

Analysis

max time kernel
204s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cabf2356da2cb2e79eeee2be377f1edc6e9648be047213112d0289dca1ddfcd7.exe
Size

924KB
MD5

6efc915696c3b52fd4f5c3981f191971
SHA1

129d54e7f7535b0e3d683b9ba69e4b3920cc695a
SHA256

cabf2356da2cb2e79eeee2be377f1edc6e9648be047213112d0289dca1ddfcd7
SHA512

261ca0b2aca2b48bebf1498543a4f2679dcea68e97244e0cd1d19a345bffb273ac3dd158096ebd65cdf6f7111e8621d9d88940a96bfebc7866f2a66c279974a5
SSDEEP

24576:h1OYdaOT4BQGx2jUReefMaGeOPw8Y7H3b+QW:h1Osd4BQ02o4efMz68Y/+QW

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

UZK9kB9RnZZw0Lf.exe

pid process

532 UZK9kB9RnZZw0Lf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

UZK9kB9RnZZw0Lf.exe

description	ioc	process
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmjenbeddolhjdmjcgddicbajcambcm\1.3\manifest.json	UZK9kB9RnZZw0Lf.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmjenbeddolhjdmjcgddicbajcambcm\1.3\manifest.json	UZK9kB9RnZZw0Lf.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmjenbeddolhjdmjcgddicbajcambcm\1.3\manifest.json	UZK9kB9RnZZw0Lf.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmjenbeddolhjdmjcgddicbajcambcm\1.3\manifest.json	UZK9kB9RnZZw0Lf.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmjenbeddolhjdmjcgddicbajcambcm\1.3\manifest.json	UZK9kB9RnZZw0Lf.exe

Drops file in System32 directory 4 IoCs

Processes:

UZK9kB9RnZZw0Lf.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	UZK9kB9RnZZw0Lf.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	UZK9kB9RnZZw0Lf.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	UZK9kB9RnZZw0Lf.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	UZK9kB9RnZZw0Lf.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

UZK9kB9RnZZw0Lf.exe

pid	process
532	UZK9kB9RnZZw0Lf.exe
532	UZK9kB9RnZZw0Lf.exe
532	UZK9kB9RnZZw0Lf.exe
532	UZK9kB9RnZZw0Lf.exe
532	UZK9kB9RnZZw0Lf.exe
532	UZK9kB9RnZZw0Lf.exe
532	UZK9kB9RnZZw0Lf.exe
532	UZK9kB9RnZZw0Lf.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cabf2356da2cb2e79eeee2be377f1edc6e9648be047213112d0289dca1ddfcd7.exe

description	pid	process	target process
PID 456 wrote to memory of 532	456	cabf2356da2cb2e79eeee2be377f1edc6e9648be047213112d0289dca1ddfcd7.exe	UZK9kB9RnZZw0Lf.exe
PID 456 wrote to memory of 532	456	cabf2356da2cb2e79eeee2be377f1edc6e9648be047213112d0289dca1ddfcd7.exe	UZK9kB9RnZZw0Lf.exe
PID 456 wrote to memory of 532	456	cabf2356da2cb2e79eeee2be377f1edc6e9648be047213112d0289dca1ddfcd7.exe	UZK9kB9RnZZw0Lf.exe

C:\Users\Admin\AppData\Local\Temp\cabf2356da2cb2e79eeee2be377f1edc6e9648be047213112d0289dca1ddfcd7.exe
"C:\Users\Admin\AppData\Local\Temp\cabf2356da2cb2e79eeee2be377f1edc6e9648be047213112d0289dca1ddfcd7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:456

C:\Users\Admin\AppData\Local\Temp\7zS6D60.tmp\UZK9kB9RnZZw0Lf.exe
.\UZK9kB9RnZZw0Lf.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS6D60.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D60.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
af1d6305c4887fd4905867b5761f33c3

SHA1
4ef010a079c74a8b9bcdfdca83ba88095ea57ce1

SHA256
036849bcb93ad0ee741246783f4fa9a06c4b2f90f4528a3eb62b57bc6bfce20b

SHA512
b3d980b352646e637330fae200679534efe1b8d7e98916fa4e6cdf7d8c67ad48c363b12008a571cd63ff6d97cac0f15e0824004d79048bc188d804650b3038c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D60.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
ae096ec93cba5149360e1367866b9599

SHA1
b7ce283bcc5af8d5c0644f26af72a1b2ddda0da5

SHA256
018a7c70121dd463e046ef8025633f9705e6845a17dcd62ada18ae41d059b1cb

SHA512
d93db25c645517d5e196970eb557383f60e2eaad4006c65e962adfed5feb54e1f133b0570317837470e7ab6d62b38046a0fc19749ebb79dd20d5c435421c2017

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D60.tmp\[email protected]\install.rdf

Filesize
591B

MD5
e7370f4bbe1e3fab6c1aab56673fb151

SHA1
1e762f0fe5c6a02c7d20fce386d0edc4ac470283

SHA256
6eff217e2e63613c9f8e6d9d414a5a072997c9bb7664b190f562c2fb50881c8d

SHA512
3f5a050b44c172de377c66f86cf07c17de6497e326382e6b9d8e73c6ad2e6a2223077a3ccf54fa3e949be0a7a6b11b8d5f01977592dddb7e4b15196bf03c53c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D60.tmp\UZK9kB9RnZZw0Lf.dat

Filesize
1KB

MD5
a05022976aa24e1fbd117262dd48f69e

SHA1
ce9235fa76d7b920f80d09d8bc9fb39154f25a19

SHA256
35e032a546a75a8ad70af5b33d2e73b6fb4af9e61f21767a9fcdbc7d1b1f7aa4

SHA512
3fa35e6df2502d899feae448c399650ca4661191923657a44049847c57bf56546e4ccfd9719f7eb801436945d9ac75a040ec9fbb536a74029cfb3db4665e8384

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D60.tmp\UZK9kB9RnZZw0Lf.exe

Filesize
766KB

MD5
98bb6d71947f05029c05bf6475839ce5

SHA1
9caad62d2dcb2f3d72e068643b4266cae20e2870

SHA256
0455048865ea330b772bf2586abc91f7ddeda4f7d6ef9f2de89576554fa7b3c1

SHA512
0ec35056c52cca408bfb5024226194f9727eaba5c415c3ccbe6acb0785774e43d4ddf65818c127a8770c9b05d40658479b34ffab4e4a475ed8ad142bc61bbaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D60.tmp\UZK9kB9RnZZw0Lf.exe

Filesize
766KB

MD5
98bb6d71947f05029c05bf6475839ce5

SHA1
9caad62d2dcb2f3d72e068643b4266cae20e2870

SHA256
0455048865ea330b772bf2586abc91f7ddeda4f7d6ef9f2de89576554fa7b3c1

SHA512
0ec35056c52cca408bfb5024226194f9727eaba5c415c3ccbe6acb0785774e43d4ddf65818c127a8770c9b05d40658479b34ffab4e4a475ed8ad142bc61bbaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D60.tmp\blmjenbeddolhjdmjcgddicbajcambcm\N5F4V.js

Filesize
6KB

MD5
9570438b049e166b9bc3ec2fe51c4083

SHA1
0d9c2db87cfb59895696338d7bbb3477d0ed5c76

SHA256
c767d531270997cb80f2a137ce251ea5da91803640f9de9ea188cf50faa6764f

SHA512
22e994e57bde08faaa54ca692e26079d268a36bc8998d1db069a7bfb2b6cb11541b558ff3bd8590c00ed538316b050b2a52384e113e2b50a5d9ac099dff6182c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D60.tmp\blmjenbeddolhjdmjcgddicbajcambcm\background.html

Filesize
142B

MD5
8c2f49fbaca90159e036e5a2c9a8dcf4

SHA1
bac6f83ffe033bad615153b184be0cb9d1a053c3

SHA256
7e5f016fc52fcabb29f75d72ec5fd757602ecb5dd05f02394b22882af37b193b

SHA512
d8b9e823fb761331801a4af6814cad10b2677dfcc356b9b500f9096a60182173684134ff1c12bc4245a6c91902d41d74f1a83c98f29ee575f56b70b6faabcab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D60.tmp\blmjenbeddolhjdmjcgddicbajcambcm\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D60.tmp\blmjenbeddolhjdmjcgddicbajcambcm\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D60.tmp\blmjenbeddolhjdmjcgddicbajcambcm\manifest.json

Filesize
498B

MD5
664e2884e17f23553a19eee317642194

SHA1
a28ccc088d6b6692646150f3e8f111e568723fb4

SHA256
ee4ef853224cde2aa7e54351c02bc811af939202b82e19cbd1cc011fc3565191

SHA512
b2cef8c4dfb6a0648f21c53393b982c9171d8a0344a94970c13866ebd2870de2cd99dab5984000b10802c54a748230104c7997c3d2cd3ac5e97c9355a4cb7ecb

Download Submit
memory/532-132-0x0000000000000000-mapping.dmp

Download