b7a261543c2aa43c18f99ff4a3dad4ff2a8055aa8e304b1d671738d81e46d5da

Analysis

max time kernel
180s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7a261543c2aa43c18f99ff4a3dad4ff2a8055aa8e304b1d671738d81e46d5da.exe
Size

931KB
MD5

e3b23581b988c98baf50069c705c7798
SHA1

ba5273e113ac2abf179d34d0243a6ffb7651e465
SHA256

b7a261543c2aa43c18f99ff4a3dad4ff2a8055aa8e304b1d671738d81e46d5da
SHA512

59c61020dfe3108d154671ca8cac0de07dbd09de4e82324616ff324d5dba5212136fc163813e8d0e2cdb35492d1de056abf571aa0120ad5b6ad472e63533f6e9
SSDEEP

24576:h1OYdaOcfzeSfzeVMWSUbvCXEQKSqGv8VWumF6RmcJozyPvpfr:h1OsBMWyUQ+GUVFIcHPvpfr

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Wmxjy8rDu5cJVQW.exe

pid process

2416 Wmxjy8rDu5cJVQW.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

Wmxjy8rDu5cJVQW.exe

description	ioc	process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ahmmabpecjcbbfjeoapcnoglpfjeomle\2.0\manifest.json	Wmxjy8rDu5cJVQW.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ahmmabpecjcbbfjeoapcnoglpfjeomle\2.0\manifest.json	Wmxjy8rDu5cJVQW.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ahmmabpecjcbbfjeoapcnoglpfjeomle\2.0\manifest.json	Wmxjy8rDu5cJVQW.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ahmmabpecjcbbfjeoapcnoglpfjeomle\2.0\manifest.json	Wmxjy8rDu5cJVQW.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ahmmabpecjcbbfjeoapcnoglpfjeomle\2.0\manifest.json	Wmxjy8rDu5cJVQW.exe

Drops file in System32 directory 4 IoCs

Processes:

Wmxjy8rDu5cJVQW.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	Wmxjy8rDu5cJVQW.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Wmxjy8rDu5cJVQW.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Wmxjy8rDu5cJVQW.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Wmxjy8rDu5cJVQW.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Wmxjy8rDu5cJVQW.exe

pid	process
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe
2416	Wmxjy8rDu5cJVQW.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Wmxjy8rDu5cJVQW.exe

description	pid	process
Token: SeDebugPrivilege	2416	Wmxjy8rDu5cJVQW.exe
Token: SeDebugPrivilege	2416	Wmxjy8rDu5cJVQW.exe
Token: SeDebugPrivilege	2416	Wmxjy8rDu5cJVQW.exe
Token: SeDebugPrivilege	2416	Wmxjy8rDu5cJVQW.exe
Token: SeDebugPrivilege	2416	Wmxjy8rDu5cJVQW.exe
Token: SeDebugPrivilege	2416	Wmxjy8rDu5cJVQW.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b7a261543c2aa43c18f99ff4a3dad4ff2a8055aa8e304b1d671738d81e46d5da.exe

description	pid	process	target process
PID 1684 wrote to memory of 2416	1684	b7a261543c2aa43c18f99ff4a3dad4ff2a8055aa8e304b1d671738d81e46d5da.exe	Wmxjy8rDu5cJVQW.exe
PID 1684 wrote to memory of 2416	1684	b7a261543c2aa43c18f99ff4a3dad4ff2a8055aa8e304b1d671738d81e46d5da.exe	Wmxjy8rDu5cJVQW.exe
PID 1684 wrote to memory of 2416	1684	b7a261543c2aa43c18f99ff4a3dad4ff2a8055aa8e304b1d671738d81e46d5da.exe	Wmxjy8rDu5cJVQW.exe

C:\Users\Admin\AppData\Local\Temp\b7a261543c2aa43c18f99ff4a3dad4ff2a8055aa8e304b1d671738d81e46d5da.exe
"C:\Users\Admin\AppData\Local\Temp\b7a261543c2aa43c18f99ff4a3dad4ff2a8055aa8e304b1d671738d81e46d5da.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\7zS703E.tmp\Wmxjy8rDu5cJVQW.exe
.\Wmxjy8rDu5cJVQW.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS703E.tmp\Wmxjy8rDu5cJVQW.dat

Filesize
1KB

MD5
179ff09bbf1348fcf9a3e0b8acf57ef4

SHA1
fd02c597c6820f9e3e19cd67db3ecdbb7cd04b9f

SHA256
fec8add1db9af821a97dc33e0e92edf2878e5343c8a86882a22b452b4ba79281

SHA512
2c5c3f29f353b667c02d99a212c30e6bb7c8ab092a2281b81eb6b0cba8c3290c007771ac9392d18b6815cde291f8cb86eb38552bad7cbea3490f70400bee9f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS703E.tmp\Wmxjy8rDu5cJVQW.exe

Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS703E.tmp\Wmxjy8rDu5cJVQW.exe

Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS703E.tmp\ahmmabpecjcbbfjeoapcnoglpfjeomle\T9HcKP9.js

Filesize
6KB

MD5
c6a57edf4e4ae674faec9541270b2e16

SHA1
41437078cbbdd83034f05b8223242c99376171fb

SHA256
2730e2d8491987aeb27722b72fbea61022aec9e09c303531ce51c9895a224bff

SHA512
7bc92a0164f39d0644646de39c996f84d3a65ea195e45720f9fbbf7c98ca49faa40a795c549fb482d7adc1085c2d704779dcce0087e7a63022c03814e0f71cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS703E.tmp\ahmmabpecjcbbfjeoapcnoglpfjeomle\background.html

Filesize
144B

MD5
8530fde42aa017bc4c0dae7575183843

SHA1
a1fe968906447a9bf8bec85392ee935d7230bc55

SHA256
c5b655b23bb5ce0fc099aa50002f8180cea25dc2eb5ced0d5586d8f3d7c7744c

SHA512
d7db7063f6ebf1a13f7b7603f8af71ef5b8d77f315ee0eba16f5556c394be92da05c8f634e908b085a9e3bd9669426b190e7ecadc11b3cd4e5bb609a27e80459

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS703E.tmp\ahmmabpecjcbbfjeoapcnoglpfjeomle\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS703E.tmp\ahmmabpecjcbbfjeoapcnoglpfjeomle\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS703E.tmp\ahmmabpecjcbbfjeoapcnoglpfjeomle\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS703E.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS703E.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
422b54eca8fecca7936e3f5c2178ee2b

SHA1
bfdc80e152cdbca96d228242bd9a54ec7c272ccd

SHA256
3b42de89a1a84bd67daf9b54b8392d750efe668240647f1bd819677ae8e70aa5

SHA512
ab6119d0f1e2dfcb9b605a9a831a667bbac5eedbf4a5c4ddd5ce0571c102e846bdbdde5782cab4ecff52a1418727b3750e5447c60c2e145089d0fa91e04d73bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS703E.tmp\[email protected]\content\bg.js

Filesize
9KB

MD5
95046bc47ef82a6f246ad64ca94121d2

SHA1
2fe60c2628c6eadf11babf238db4d89bba59f9c5

SHA256
9576371c8b46b335bf07935e01a65c5f0787019c9f9c57c22051b0066dc8b99c

SHA512
43d8df202352ad08a074e1628e7085ee1d65855b6744afd94349282349afc8194537f5c148ba9423537f187836a9e26eeec518f922b177369019e3aefb4cc32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS703E.tmp\[email protected]\install.rdf

Filesize
592B

MD5
49b14dded12a5c56ffa4d9d9872a4b96

SHA1
2d3703582abc4f14518c628e2cce77dc3ba8e410

SHA256
6332650688500154a6dbd6f317978015144dec0b17c0bc9d33b69009a5e16862

SHA512
115eb2495dfbc8da14122e1e3e4b03f7a1c1db666a66e772e2e9d72b28470bdf0bab66123dd21c9ccfaba2e31cf24a95ca559032422658bd1315ac001a420501

Download Submit
memory/2416-133-0x0000000000000000-mapping.dmp

Download