fc8bac0c53923d80122d70f26fc52e8256573199fbc337dd992cc976a968216f

Analysis

max time kernel
168s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc8bac0c53923d80122d70f26fc52e8256573199fbc337dd992cc976a968216f.exe
Size

932KB
MD5

5441702551a8705ad42a5db146e9c013
SHA1

38f53a028300de8a7afb2cecaad093243a668e92
SHA256

fc8bac0c53923d80122d70f26fc52e8256573199fbc337dd992cc976a968216f
SHA512

324831a3e7a6f1ee2d06a8d91e3c7f2de81c9a872426a5c0d88029d2b5a5732694e6dafc3b18c9cd6b94b337adafed53592cdb36e22a86517b8510b894d5f15f
SSDEEP

24576:h1OYdaOGCZ/iWCvu/2sWsJA/jlt+DHhsO:h1OsgCpYO/dJJDHhsO

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

3G1ZgrpeodCjrF7.exe

pid process

4908 3G1ZgrpeodCjrF7.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

3G1ZgrpeodCjrF7.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmlckgeejednhnmloncmdnpnlhnolboh\2.0\manifest.json	3G1ZgrpeodCjrF7.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmlckgeejednhnmloncmdnpnlhnolboh\2.0\manifest.json	3G1ZgrpeodCjrF7.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmlckgeejednhnmloncmdnpnlhnolboh\2.0\manifest.json	3G1ZgrpeodCjrF7.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmlckgeejednhnmloncmdnpnlhnolboh\2.0\manifest.json	3G1ZgrpeodCjrF7.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmlckgeejednhnmloncmdnpnlhnolboh\2.0\manifest.json	3G1ZgrpeodCjrF7.exe

Drops file in System32 directory 4 IoCs

Processes:

3G1ZgrpeodCjrF7.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	3G1ZgrpeodCjrF7.exe
File opened for modification	C:\Windows\System32\GroupPolicy	3G1ZgrpeodCjrF7.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	3G1ZgrpeodCjrF7.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	3G1ZgrpeodCjrF7.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

3G1ZgrpeodCjrF7.exe

pid	process
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe
4908	3G1ZgrpeodCjrF7.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

3G1ZgrpeodCjrF7.exe

description	pid	process
Token: SeDebugPrivilege	4908	3G1ZgrpeodCjrF7.exe
Token: SeDebugPrivilege	4908	3G1ZgrpeodCjrF7.exe
Token: SeDebugPrivilege	4908	3G1ZgrpeodCjrF7.exe
Token: SeDebugPrivilege	4908	3G1ZgrpeodCjrF7.exe
Token: SeDebugPrivilege	4908	3G1ZgrpeodCjrF7.exe
Token: SeDebugPrivilege	4908	3G1ZgrpeodCjrF7.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fc8bac0c53923d80122d70f26fc52e8256573199fbc337dd992cc976a968216f.exe

description	pid	process	target process
PID 2612 wrote to memory of 4908	2612	fc8bac0c53923d80122d70f26fc52e8256573199fbc337dd992cc976a968216f.exe	3G1ZgrpeodCjrF7.exe
PID 2612 wrote to memory of 4908	2612	fc8bac0c53923d80122d70f26fc52e8256573199fbc337dd992cc976a968216f.exe	3G1ZgrpeodCjrF7.exe
PID 2612 wrote to memory of 4908	2612	fc8bac0c53923d80122d70f26fc52e8256573199fbc337dd992cc976a968216f.exe	3G1ZgrpeodCjrF7.exe

C:\Users\Admin\AppData\Local\Temp\fc8bac0c53923d80122d70f26fc52e8256573199fbc337dd992cc976a968216f.exe
"C:\Users\Admin\AppData\Local\Temp\fc8bac0c53923d80122d70f26fc52e8256573199fbc337dd992cc976a968216f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Users\Admin\AppData\Local\Temp\7zS213.tmp\3G1ZgrpeodCjrF7.exe
.\3G1ZgrpeodCjrF7.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS213.tmp\3G1ZgrpeodCjrF7.dat

Filesize
1KB

MD5
e223dd6ff19375a3741a12151cfea135

SHA1
eee55cc409f4c3e3a013ac536a691301faac54c7

SHA256
f264d83f4afc0ae2f40e798e1ac6db9b553d576ba42ced0c7ef389bc3ca8c19a

SHA512
e74ce94e0a2b9cf9a70be0533719b0efe520eab596f00d998f856844f9b473cc689829e9db2911b6459b6d579413177ce175e7ba6a3b9ded23b705598cbc803e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS213.tmp\3G1ZgrpeodCjrF7.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS213.tmp\3G1ZgrpeodCjrF7.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS213.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS213.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
539f798921576d9d064bdc540fb54ac8

SHA1
ddc693240747def9519f654e3062575e3eddd339

SHA256
ceb6e9caf13de4faa178e4e1a3a952e5a2551a41d5c36a128f2ecaf76bc17f9c

SHA512
d348f6adaacf67918d8322d763dffe0198cd9af1049f2d769a9c18ce872e2c09a616c94367e87ef78e481fb1c979eb02867b6ce1d98ae40bd5838608e2c62f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS213.tmp\[email protected]\content\bg.js

Filesize
9KB

MD5
8152a86736c962369235caf140b9ba63

SHA1
0b0564b5cfc039ed8bdaad7d9de828431d132a84

SHA256
81f7a2a0cdb7c1e72b528c2a7aadd2144d919a904e1a12d33806425f7fc5db59

SHA512
2ba3b7cdf05d73c98b253707aa448c04aec98ee975b1ca59b765b1222958353d19cbc86cb3a2961aab4d426011417c3763a899b0109d67fb4d2f540af3c96c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS213.tmp\[email protected]\install.rdf

Filesize
592B

MD5
088b5c8db320ce13cf51215fe3053d7e

SHA1
adefa5a2705bcca81d7b33cad563e5691dc021e6

SHA256
b3e017a821e997cfbf4d7293efda758cd9a82e3691bd7a4f4cf01f4996cdf463

SHA512
b960d5c7b251b6c3ee7e8b6ff91d6c107b78ed3ece0a930af684c1b95cac613d2404853e1e47556356fdc79f0338457d5372feca2a849f8d4346f8965f5121a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS213.tmp\pmlckgeejednhnmloncmdnpnlhnolboh\Mwl7F2fi.js

Filesize
6KB

MD5
2e69618b08ee8f8efc53ef38e380d41e

SHA1
dc784eca3a8f323eca26611e719a9bf61babc332

SHA256
88827a9cc6211f568abd1ea0e20566fc8529c1fe63fbf77f351243a084bdcfca

SHA512
4aaf7ac928120b5a28d2ddce7a2cfd93438f1106c488d4364e95b6349150aefd4d110862bc86299ede48fca76ba3da11b79ac588daf6e010a2b0afab5727c446

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS213.tmp\pmlckgeejednhnmloncmdnpnlhnolboh\background.html

Filesize
145B

MD5
53c331ec42e867a8413257dfbe479cdd

SHA1
0990fee603857f8a6f844f21d1c40d8b42fb7ac6

SHA256
973af1f6f20d9ec669d9e8d38201538b8a131d912db876da1738df57ecaa7a26

SHA512
3dc275df701410334f4c7a27126dc74791d6fdadf3da070f394f9c3b7b37d38d2cb46c7e339e274fc82437c01cc260e5558c4ec1cd80cec297b9a7c407f0b345

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS213.tmp\pmlckgeejednhnmloncmdnpnlhnolboh\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS213.tmp\pmlckgeejednhnmloncmdnpnlhnolboh\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS213.tmp\pmlckgeejednhnmloncmdnpnlhnolboh\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/4908-132-0x0000000000000000-mapping.dmp

Download