4766a6153b032fe9818e9a255952adcad2f18a96f0332774bab9e43ee885c5e4

Analysis

max time kernel
153s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4766a6153b032fe9818e9a255952adcad2f18a96f0332774bab9e43ee885c5e4.exe
Size

931KB
MD5

34a8bd4e5b5642581d5cbb29a3022032
SHA1

49b3ad7dad22da8b7637d27c749d3408a8a83a72
SHA256

4766a6153b032fe9818e9a255952adcad2f18a96f0332774bab9e43ee885c5e4
SHA512

0402be1ca9736498cd44ba5c0b1d65780bdaa71c5efafb120560f04175ebc5202740862011a63073d5871fb537349379c8652aaf5d0232706ddd1a49f16ddfb6
SSDEEP

24576:h1OYdaOFMWSUbvCXEQKSqGv8VWumF6RmcJozyPvpfL:h1OsPMWyUQ+GUVFIcHPvpfL

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

z3BH0PctMVSafHO.exe

pid process

4028 z3BH0PctMVSafHO.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

z3BH0PctMVSafHO.exe

description	ioc	process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\oiaghdpnogpaddmbkljmlbdfpbjmdnan\2.0\manifest.json	z3BH0PctMVSafHO.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oiaghdpnogpaddmbkljmlbdfpbjmdnan\2.0\manifest.json	z3BH0PctMVSafHO.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\oiaghdpnogpaddmbkljmlbdfpbjmdnan\2.0\manifest.json	z3BH0PctMVSafHO.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\oiaghdpnogpaddmbkljmlbdfpbjmdnan\2.0\manifest.json	z3BH0PctMVSafHO.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\oiaghdpnogpaddmbkljmlbdfpbjmdnan\2.0\manifest.json	z3BH0PctMVSafHO.exe

Drops file in System32 directory 4 IoCs

Processes:

z3BH0PctMVSafHO.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	z3BH0PctMVSafHO.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	z3BH0PctMVSafHO.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	z3BH0PctMVSafHO.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	z3BH0PctMVSafHO.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

z3BH0PctMVSafHO.exe

pid	process
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe
4028	z3BH0PctMVSafHO.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

z3BH0PctMVSafHO.exe

description	pid	process
Token: SeDebugPrivilege	4028	z3BH0PctMVSafHO.exe
Token: SeDebugPrivilege	4028	z3BH0PctMVSafHO.exe
Token: SeDebugPrivilege	4028	z3BH0PctMVSafHO.exe
Token: SeDebugPrivilege	4028	z3BH0PctMVSafHO.exe
Token: SeDebugPrivilege	4028	z3BH0PctMVSafHO.exe
Token: SeDebugPrivilege	4028	z3BH0PctMVSafHO.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4766a6153b032fe9818e9a255952adcad2f18a96f0332774bab9e43ee885c5e4.exe

description	pid	process	target process
PID 1948 wrote to memory of 4028	1948	4766a6153b032fe9818e9a255952adcad2f18a96f0332774bab9e43ee885c5e4.exe	z3BH0PctMVSafHO.exe
PID 1948 wrote to memory of 4028	1948	4766a6153b032fe9818e9a255952adcad2f18a96f0332774bab9e43ee885c5e4.exe	z3BH0PctMVSafHO.exe
PID 1948 wrote to memory of 4028	1948	4766a6153b032fe9818e9a255952adcad2f18a96f0332774bab9e43ee885c5e4.exe	z3BH0PctMVSafHO.exe

C:\Users\Admin\AppData\Local\Temp\4766a6153b032fe9818e9a255952adcad2f18a96f0332774bab9e43ee885c5e4.exe
"C:\Users\Admin\AppData\Local\Temp\4766a6153b032fe9818e9a255952adcad2f18a96f0332774bab9e43ee885c5e4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Local\Temp\7zS8EC7.tmp\z3BH0PctMVSafHO.exe
.\z3BH0PctMVSafHO.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS8EC7.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EC7.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
3b2c3762c403f6ee93d6157d069bf45b

SHA1
1dda9135736986338ad449470a6f6fd6c29f8b40

SHA256
6960c31b8e0cd3f5ed66ab08f943ddd30c8f482400dce1a64cea7d947a8640bf

SHA512
2f4c76c018cb7657881756ccd268a78c50d9d85548eb04e52e207dc6027e7e571d415f3b1761c0b9dc20a9a536e256bda0b417a9045d712144633ed2976ac2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EC7.tmp\[email protected]\content\bg.js
Filesize
9KB

MD5
64e73f71db316cd2ad040745a632db30

SHA1
604156c2bc7462af9c861a1da6f1b861685f4e6a

SHA256
4493b8b8009251da9a9532918224b8912a944ad6cc0a3ac86ac23ce1c461005e

SHA512
66f59ca4b24c2e061fc7f21e4e3a1e2c8e1826e2766240ef11f7bb79678520566815399f7f0eb076c4d7f2456175fcefc6742f023c5640723632c4322db33751

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EC7.tmp\[email protected]\install.rdf
Filesize
590B

MD5
14d8e8eeafded91e954ab6ddbb0474b3

SHA1
58b94c28b7986953d629b84915938eccac750ac2

SHA256
d8043f9040810a27b6346ebe8a270c7f73495badc26bd1db289b4a66517f618f

SHA512
1ed150ed7e68ea35e582a785bb0d363f04efd9e2efa9b955311073f08639b0f4fa435a0b2466c077c15e08575582c12e2de2a526fcf878ccf7595c0d35c4dcb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EC7.tmp\oiaghdpnogpaddmbkljmlbdfpbjmdnan\background.html
Filesize
140B

MD5
5c45fc6ef902a9885b7e00e6e2ac6e8f

SHA1
359735eaaa88dcc5dc44410509343a8691e34e38

SHA256
1fbd825dcd8c6cfa05dddfa546622ebbdc006c69bfc29c7e5c00194a978add61

SHA512
1d3e4f9f14ec13ae81835a8d33628835d2990f702cd4aee18594c3ed184a03ed1f2b0e61a1bb50c527eecf51e85c52210055d693a79f00e513dfe0355749e4ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EC7.tmp\oiaghdpnogpaddmbkljmlbdfpbjmdnan\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EC7.tmp\oiaghdpnogpaddmbkljmlbdfpbjmdnan\kpR.js
Filesize
6KB

MD5
de026d029faa52291d3e53e74312920b

SHA1
7b9eb762866dc7e2c27f47a54864a188c01d09ec

SHA256
ab4788e5bad918cf5df65d46527f826a66305bf3bac78fa3b88ab0748905284d

SHA512
4a3cfd2722fd63b31b123a1ff4bad28eb3a56c0e8694b1fd300198bee0aa1b61c6d833fe047d0597213d73c046a040cbd712db22e3c6603e8216fe2665aa0469

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EC7.tmp\oiaghdpnogpaddmbkljmlbdfpbjmdnan\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EC7.tmp\oiaghdpnogpaddmbkljmlbdfpbjmdnan\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EC7.tmp\z3BH0PctMVSafHO.dat
Filesize
1KB

MD5
ceacf797c826abb9090301c023c199d7

SHA1
62c570147e1e90b6aaa770649163edc3d3ae5c1c

SHA256
19194e4a61c8c5a2c43ec3450e664bfc8b8a17553ecc72ac1492af026eaaddf3

SHA512
83836e20d74a3981bee9b713f844c5ae13f3d0d4b7e4b4e04edc4724f4667edf881b0e04f82b49706aa4d8774594d7175a6505ec55ecc90416abd1e5b910abc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EC7.tmp\z3BH0PctMVSafHO.exe
Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8EC7.tmp\z3BH0PctMVSafHO.exe
Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit
memory/4028-132-0x0000000000000000-mapping.dmp

Download