71a0f5f54b486a7f61dbbc8250d2301e9977e811f793550ea7b396aebcfb9f28

Analysis

max time kernel
152s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71a0f5f54b486a7f61dbbc8250d2301e9977e811f793550ea7b396aebcfb9f28.exe
Size

931KB
MD5

dbbc6a15d07fc1f6eda34b5899f7890e
SHA1

dbca96a51191f58b834cdb9cadfe5697746cc45f
SHA256

71a0f5f54b486a7f61dbbc8250d2301e9977e811f793550ea7b396aebcfb9f28
SHA512

b3191419f56239ac577fb7198496702f1b2a494ae39c3bb1d9bc244bf8d578792b2ba010bfb94191f2e917ebbedf9346f26bbfa783948314bbe16d7a5e7d1457
SSDEEP

24576:h1OYdaOXMWSUbvCXEQKSqGv8VWumF6RmcJozyPvpf8:h1OstMWyUQ+GUVFIcHPvpf8

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2000	BXyGnby6fpTqABl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\khlaialggpcmamkpfahfgdbdagepedjd\2.0\manifest.json	BXyGnby6fpTqABl.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\khlaialggpcmamkpfahfgdbdagepedjd\2.0\manifest.json	BXyGnby6fpTqABl.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\khlaialggpcmamkpfahfgdbdagepedjd\2.0\manifest.json	BXyGnby6fpTqABl.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\khlaialggpcmamkpfahfgdbdagepedjd\2.0\manifest.json	BXyGnby6fpTqABl.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\khlaialggpcmamkpfahfgdbdagepedjd\2.0\manifest.json	BXyGnby6fpTqABl.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	BXyGnby6fpTqABl.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	BXyGnby6fpTqABl.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	BXyGnby6fpTqABl.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	BXyGnby6fpTqABl.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe
2000	BXyGnby6fpTqABl.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	BXyGnby6fpTqABl.exe
Token: SeDebugPrivilege	2000	BXyGnby6fpTqABl.exe
Token: SeDebugPrivilege	2000	BXyGnby6fpTqABl.exe
Token: SeDebugPrivilege	2000	BXyGnby6fpTqABl.exe
Token: SeDebugPrivilege	2000	BXyGnby6fpTqABl.exe
Token: SeDebugPrivilege	2000	BXyGnby6fpTqABl.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 2000	4748	71a0f5f54b486a7f61dbbc8250d2301e9977e811f793550ea7b396aebcfb9f28.exe	83
PID 4748 wrote to memory of 2000	4748	71a0f5f54b486a7f61dbbc8250d2301e9977e811f793550ea7b396aebcfb9f28.exe	83
PID 4748 wrote to memory of 2000	4748	71a0f5f54b486a7f61dbbc8250d2301e9977e811f793550ea7b396aebcfb9f28.exe	83

C:\Users\Admin\AppData\Local\Temp\71a0f5f54b486a7f61dbbc8250d2301e9977e811f793550ea7b396aebcfb9f28.exe
"C:\Users\Admin\AppData\Local\Temp\71a0f5f54b486a7f61dbbc8250d2301e9977e811f793550ea7b396aebcfb9f28.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Users\Admin\AppData\Local\Temp\7zS97E0.tmp\BXyGnby6fpTqABl.exe
  .\BXyGnby6fpTqABl.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS97E0.tmp\BXyGnby6fpTqABl.dat

Filesize
1KB

MD5
116b4cf22dc0393d3169b8ba4e438360

SHA1
44a2b11faeb5b77170423515e1e26e67028890ff

SHA256
57ab787abdaef73e86be16a8e9b109ce42991d0bde61e9ad82cf206a201e6cb9

SHA512
81396012ccb3dad95294ae7ae4bae655b42e41db0671436991ba127e73b9374fcacc4224e61a2c102f2509f44b52b561c5ad5a6a34de6d6d700ff5682fcc5ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS97E0.tmp\BXyGnby6fpTqABl.exe

Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS97E0.tmp\BXyGnby6fpTqABl.exe

Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS97E0.tmp\khlaialggpcmamkpfahfgdbdagepedjd\HkUD.js

Filesize
6KB

MD5
526e84f93fc0aa66aad31ff195928194

SHA1
bae53344e7faa70ecdc8b5a111ef66e4dcf96906

SHA256
dd6918bdf1dd74047819670d4c97c841bb3db594c380d5009cf5ae0d7a1a6139

SHA512
d94c36e102aa0505ad24c35d1deb05149acfd6c76e14fe227c948af21584114866360e2185c68a43ef3eb4bb169194900421230df35a1b5de07cf52b6bb2a65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS97E0.tmp\khlaialggpcmamkpfahfgdbdagepedjd\background.html

Filesize
141B

MD5
c039eb4a4c0825fa6204991ce133befc

SHA1
079ba1807a3b5fc584a432e9f2463c687c3b34f3

SHA256
f540391efef7b4e3ed547d45ef484926b6ea943f3b5a3c2447e20582f07449eb

SHA512
f54f73ae9c148945a1bb15e5c2d8a1faee419cb7ac0327833fbd2cb6708ff43b6c28c2f1a7a7b58092ce7563a4299ad31cdadb70430178db4036493d32c7e15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS97E0.tmp\khlaialggpcmamkpfahfgdbdagepedjd\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS97E0.tmp\khlaialggpcmamkpfahfgdbdagepedjd\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS97E0.tmp\khlaialggpcmamkpfahfgdbdagepedjd\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS97E0.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS97E0.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
ce1069faa6447046807f118a151085ad

SHA1
a142bca5f7c608321b3437b94e6f57080d6516da

SHA256
103774e935e2dfcdc89a8f4172cae681421d8301f0a5b45f88e15033afbbb488

SHA512
1f87445873eb948583f77054fc681705aefef329d614b974e2aca6ebe6806d77441c0dcd2d13a4e609147e546b72fcbfc8e97bf74719188aa69e00915b118ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS97E0.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
47a4cce1d17439f56ea1941ba70e3748

SHA1
00c6741f2bc58e9835b123a0d73ad51efa0516b8

SHA256
541a0d2d25ab7e1b01b12d1c8bb59a7e423490cc2f63187f7e8f53aba0b911b6

SHA512
1cf0c8821f7ce37642fff2a84cc929e704fb43fe32bf9c3b82938c52493e5566c3abca06af68783c55957c0569f5186c7440e19d8cfa49a748f8e61a88bcaf49

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS97E0.tmp\[email protected]\install.rdf

Filesize
591B

MD5
002ded30add4d1accfbbffab78aeb51b

SHA1
b683feb2a486c07e242231498740cfaac3888f3a

SHA256
f5ac9cf646930781beb12da508d32e212aa802fa744035bbd1d4a498e4efbbdf

SHA512
40ce8459b73696308eeae8f4de59f14882eacc595d945ad000cc7702a9829ca9d6ec002767dadd6dee26059fbd60719799826c4ae9def8c9d763026e1af5ed2b

Download Submit
memory/2000-132-0x0000000000000000-mapping.dmp

Download