Analysis
- max time kernel: 187s
- max time network: 195s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 08:05
- Static task: static1
- Behavioral task: behavioral1
- Sample: 666f6cb1c311854cb4c79868c00c80e928ebdc982fcdc299b45c247df41115ed.exe
- Resource: win7-20220812-en
General
- Target: 666f6cb1c311854cb4c79868c00c80e928ebdc982fcdc299b45c247df41115ed.exe
- Size: 931KB
- MD5: 2f7d8266e1889a45af6041b1026cf842
- SHA1: 7cfbda1a9dbc3ddee3d47f49e3d72df1d2064f03
- SHA256: 666f6cb1c311854cb4c79868c00c80e928ebdc982fcdc299b45c247df41115ed
- SHA512: 0ed18e46767e1f17403e90aa39188a9d730ecc531172eb87ba4cfe79ed6bd808b24e557928f18b1adb6ee7157f22bb0597625e49bbe96355259165a03e898258
- SSDEEP: 24576:h1OYdaO6MWSUbvCXEQKSqGv8VWumF6RmcJozyPvpfQ:h1OsYMWyUQ+GUVFIcHPvpfQ
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1372, process m2MbkZgyEYOzm5n.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension (5 IoCs)
  Processes (description, ioc, process):
    File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfoaahgmgoagdnmckgnfhmibfpgncjck\2.0\manifest.json (m2MbkZgyEYOzm5n.exe)
    File created: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfoaahgmgoagdnmckgnfhmibfpgncjck\2.0\manifest.json (m2MbkZgyEYOzm5n.exe)
    File created: C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfoaahgmgoagdnmckgnfhmibfpgncjck\2.0\manifest.json (m2MbkZgyEYOzm5n.exe)
    File created: C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfoaahgmgoagdnmckgnfhmibfpgncjck\2.0\manifest.json (m2MbkZgyEYOzm5n.exe)
    File created: C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfoaahgmgoagdnmckgnfhmibfpgncjck\2.0\manifest.json (m2MbkZgyEYOzm5n.exe)
- Drops file in System32 directory (4 IoCs)
  Processes (description, ioc, process):
    File opened for modification: C:\Windows\System32\GroupPolicy (m2MbkZgyEYOzm5n.exe)
    File opened for modification: C:\Windows\SysWOW64\GroupPolicy\gpt.ini (m2MbkZgyEYOzm5n.exe)
    File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (m2MbkZgyEYOzm5n.exe)
    File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI (m2MbkZgyEYOzm5n.exe)
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes:
    pid 1372, process m2MbkZgyEYOzm5n.exe (20 identical entries)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege, pid 1372, process m2MbkZgyEYOzm5n.exe (6 identical entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
    PID 1380 wrote to memory of 1372: 666f6cb1c311854cb4c79868c00c80e928ebdc982fcdc299b45c247df41115ed.exe -> m2MbkZgyEYOzm5n.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\666f6cb1c311854cb4c79868c00c80e928ebdc982fcdc299b45c247df41115ed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\666f6cb1c311854cb4c79868c00c80e928ebdc982fcdc299b45c247df41115ed.exe"
  PID: 1380
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zS106B.tmp\m2MbkZgyEYOzm5n.exe
    Command line: .\m2MbkZgyEYOzm5n.exe
    PID: 1372
    - Executes dropped EXE
    - Drops Chrome extension
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
  PID: 5060
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
  PID: 5064
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7zS106B.tmp\[email protected]\bootstrap.js (Filesize: 2KB)
- C:\Users\Admin\AppData\Local\Temp\7zS106B.tmp\[email protected]\chrome.manifest (Filesize: 35B)
- C:\Users\Admin\AppData\Local\Temp\7zS106B.tmp\[email protected]\content\bg.js (Filesize: 9KB)
- C:\Users\Admin\AppData\Local\Temp\7zS106B.tmp\[email protected]\install.rdf (Filesize: 598B)
- C:\Users\Admin\AppData\Local\Temp\7zS106B.tmp\m2MbkZgyEYOzm5n.dat (Filesize: 1KB)
- C:\Users\Admin\AppData\Local\Temp\7zS106B.tmp\m2MbkZgyEYOzm5n.exe (Filesize: 771KB)
- C:\Users\Admin\AppData\Local\Temp\7zS106B.tmp\nfoaahgmgoagdnmckgnfhmibfpgncjck\Qqhiu5Ix1.js (Filesize: 6KB)
- C:\Users\Admin\AppData\Local\Temp\7zS106B.tmp\nfoaahgmgoagdnmckgnfhmibfpgncjck\background.html (Filesize: 146B)
- C:\Users\Admin\AppData\Local\Temp\7zS106B.tmp\nfoaahgmgoagdnmckgnfhmibfpgncjck\content.js (Filesize: 144B)
- C:\Users\Admin\AppData\Local\Temp\7zS106B.tmp\nfoaahgmgoagdnmckgnfhmibfpgncjck\lsdb.js (Filesize: 531B)
- C:\Users\Admin\AppData\Local\Temp\7zS106B.tmp\nfoaahgmgoagdnmckgnfhmibfpgncjck\manifest.json (Filesize: 498B)
- memory/1372-132-0x0000000000000000-mapping.dmp