d5c010fcb95ae9ae8bcf1789f7e426c8f85e941561e28dc1f4618ff0d9df45f2

Analysis

max time kernel
30s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5c010fcb95ae9ae8bcf1789f7e426c8f85e941561e28dc1f4618ff0d9df45f2.exe
Size

931KB
MD5

d9dcaa0656c4097ca1e7240b97a86b9b
SHA1

2e7440e24d762d45e48fc8f7bd08809e9619375a
SHA256

d5c010fcb95ae9ae8bcf1789f7e426c8f85e941561e28dc1f4618ff0d9df45f2
SHA512

df180f6606c3950e39ddf129900d6f870d104715ff1f0e59d821bc82ea321a7602862303bb4f96085efa6fc74aba11786cf7d7500e4277e8cbd8c63c3c33d3f7
SSDEEP

24576:h1OYdaOpMWSUbvCXEQKSqGv8VWumF6RmcJozyPvpfZ:h1OsXMWyUQ+GUVFIcHPvpfZ

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1212	P7J53mPx9PnD3Yy.exe

Loads dropped DLL 1 IoCs

pid	Process
1468	d5c010fcb95ae9ae8bcf1789f7e426c8f85e941561e28dc1f4618ff0d9df45f2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpanemgihboojdfnmmddlebdbfihhgbd\2.0\manifest.json	P7J53mPx9PnD3Yy.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpanemgihboojdfnmmddlebdbfihhgbd\2.0\manifest.json	P7J53mPx9PnD3Yy.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpanemgihboojdfnmmddlebdbfihhgbd\2.0\manifest.json	P7J53mPx9PnD3Yy.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	P7J53mPx9PnD3Yy.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	P7J53mPx9PnD3Yy.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	P7J53mPx9PnD3Yy.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	P7J53mPx9PnD3Yy.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1212	P7J53mPx9PnD3Yy.exe
1212	P7J53mPx9PnD3Yy.exe
1212	P7J53mPx9PnD3Yy.exe
1212	P7J53mPx9PnD3Yy.exe
1212	P7J53mPx9PnD3Yy.exe
1212	P7J53mPx9PnD3Yy.exe
1212	P7J53mPx9PnD3Yy.exe
1212	P7J53mPx9PnD3Yy.exe
1212	P7J53mPx9PnD3Yy.exe
1212	P7J53mPx9PnD3Yy.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1212	P7J53mPx9PnD3Yy.exe
Token: SeDebugPrivilege	1212	P7J53mPx9PnD3Yy.exe
Token: SeDebugPrivilege	1212	P7J53mPx9PnD3Yy.exe
Token: SeDebugPrivilege	1212	P7J53mPx9PnD3Yy.exe
Token: SeDebugPrivilege	1212	P7J53mPx9PnD3Yy.exe
Token: SeDebugPrivilege	1212	P7J53mPx9PnD3Yy.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1212	1468	d5c010fcb95ae9ae8bcf1789f7e426c8f85e941561e28dc1f4618ff0d9df45f2.exe	28
PID 1468 wrote to memory of 1212	1468	d5c010fcb95ae9ae8bcf1789f7e426c8f85e941561e28dc1f4618ff0d9df45f2.exe	28
PID 1468 wrote to memory of 1212	1468	d5c010fcb95ae9ae8bcf1789f7e426c8f85e941561e28dc1f4618ff0d9df45f2.exe	28
PID 1468 wrote to memory of 1212	1468	d5c010fcb95ae9ae8bcf1789f7e426c8f85e941561e28dc1f4618ff0d9df45f2.exe	28

C:\Users\Admin\AppData\Local\Temp\d5c010fcb95ae9ae8bcf1789f7e426c8f85e941561e28dc1f4618ff0d9df45f2.exe
"C:\Users\Admin\AppData\Local\Temp\d5c010fcb95ae9ae8bcf1789f7e426c8f85e941561e28dc1f4618ff0d9df45f2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\7zS18BF.tmp\P7J53mPx9PnD3Yy.exe
  .\P7J53mPx9PnD3Yy.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS18BF.tmp\P7J53mPx9PnD3Yy.dat

Filesize
1KB

MD5
4a8ca8f7df92c46698e372b382b786e9

SHA1
bc01643598579c5dea722577294c51fe740179ea

SHA256
e4f7a624f294b85a5c7ab2ad36978dcfcbb45b4d05ca8225d835129a5be15215

SHA512
9e1d68d82a038702d83e50a0edc50bb0c5ad03b8d0daac9b3927840b150a985abd27013a2d211c220deacf4ffb5cf563aec2d8ba88d2ee8aef0026470555d1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS18BF.tmp\P7J53mPx9PnD3Yy.exe

Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS18BF.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS18BF.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
43aa583e8adc205d4f25b8660ef165ae

SHA1
330352e21ff31097e6a05aae7845a8d748440689

SHA256
b150095d66ba4840df806f5b4bed2e888469c7808972e55cc9db1f5e1026aee2

SHA512
453c6706873afb87c92a3ff5b96c51d68ef1e43fa2db9d1db81b63f42d6cc50b7d17491dfd1c72f549e5348a7c03ca9c64e3f7282232d2d8fd6287c5e47657d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS18BF.tmp\[email protected]\content\bg.js

Filesize
9KB

MD5
a2679dfb8ecfcad5aa1ee8b1a13b02b3

SHA1
928469e15b6c229ee5df27f9704f3c4fa051e255

SHA256
2cd3bc1098c22fec74182186e2deb191753154950b49e758b9089b9d258ea5db

SHA512
c4baf1014633bc72c3057475bafa6b50fb3d3a2522caf52353193e965e8c59c651b4f77b320210e0413815f79b63d17c735badffee01ddc41abd90a99d3abcec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS18BF.tmp\[email protected]\install.rdf

Filesize
598B

MD5
ac1f8cc9f64c4fbb2f7be381baf89528

SHA1
88202a83fa09e834038bc1c25ade6104e6ed6984

SHA256
903809c5ffb7e05852272afbbaf1460568f56ef3adf2ab8c044849c82ca64e63

SHA512
aea47a73d5b2181f76f025ab6780212c5a1b033ba366d748d442485430c186fcde015858eef9bb8f9fcbb8fc0c3809e7d6db52c45c387db50987aeb60abd2773

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS18BF.tmp\cpanemgihboojdfnmmddlebdbfihhgbd\Pitgn513.js

Filesize
6KB

MD5
ca414bccc069ce0f0624da79c18e70a1

SHA1
ceb39ec918da8c321a31825c7cae82867fc9de2c

SHA256
b2cead13405ddb366aa7a8095d684e2e06e26b6b13d4c96fd49470e5c0daac80

SHA512
e52a4f2b0ce5926d1d0ee24945303fe5047c1d92a1eebe9623a370ec402a296b5c4954022d3d336119660cb2d632c54fabb87ec016db22860186d303693a182b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS18BF.tmp\cpanemgihboojdfnmmddlebdbfihhgbd\background.html

Filesize
145B

MD5
4e12d465b542d908ccb10794827aeddf

SHA1
8ac8f00dfd26fcd79d4ed2d7f4b55858f051185f

SHA256
372dd4586612a852f65f9135e6e7f3a5efb61fc4fb694ee8047d6ee001406576

SHA512
17445e4b769beeb2f91505980b2a51b3d2130e3ba217f166a815e5ad1baf7cb3b74778c5121f142a43a8f7d19fc0d08835a577b6febf4290febb57d1e270ec56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS18BF.tmp\cpanemgihboojdfnmmddlebdbfihhgbd\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS18BF.tmp\cpanemgihboojdfnmmddlebdbfihhgbd\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS18BF.tmp\cpanemgihboojdfnmmddlebdbfihhgbd\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS18BF.tmp\P7J53mPx9PnD3Yy.exe

Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit
memory/1468-54-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download