fb82a42cb7c5ebc99d627636f357e6f9d1d396d1624a84f17b0cecd38ba527fe

Analysis

max time kernel
185s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb82a42cb7c5ebc99d627636f357e6f9d1d396d1624a84f17b0cecd38ba527fe.exe
Size

931KB
MD5

dd7b7771ce6835a80167ff152d1af216
SHA1

2f44b1fc7d6083e9269a9a5d4aecbe8cf6cdc48e
SHA256

fb82a42cb7c5ebc99d627636f357e6f9d1d396d1624a84f17b0cecd38ba527fe
SHA512

00417b7acaba11d3ab6801b693b57e7f99c9d2add8ead04224a52d7c03c28549cb49e5b949f3d1fbbc9e98fcab59370144950300f196647c70ffb18dcdc860c4
SSDEEP

24576:h1OYdaOGCZ/iWCvu/2sWsJA/jlt+DHhsk:h1OsgCpYO/dJJDHhsk

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

EyMKOFxg7oP3evP.exe

pid process

2280 EyMKOFxg7oP3evP.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

EyMKOFxg7oP3evP.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ddifijfkioggdbjlpeaogohakoepihei\2.0\manifest.json	EyMKOFxg7oP3evP.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ddifijfkioggdbjlpeaogohakoepihei\2.0\manifest.json	EyMKOFxg7oP3evP.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ddifijfkioggdbjlpeaogohakoepihei\2.0\manifest.json	EyMKOFxg7oP3evP.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ddifijfkioggdbjlpeaogohakoepihei\2.0\manifest.json	EyMKOFxg7oP3evP.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ddifijfkioggdbjlpeaogohakoepihei\2.0\manifest.json	EyMKOFxg7oP3evP.exe

Drops file in System32 directory 4 IoCs

Processes:

EyMKOFxg7oP3evP.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	EyMKOFxg7oP3evP.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	EyMKOFxg7oP3evP.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	EyMKOFxg7oP3evP.exe
File opened for modification	C:\Windows\System32\GroupPolicy	EyMKOFxg7oP3evP.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

EyMKOFxg7oP3evP.exe

pid	process
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe
2280	EyMKOFxg7oP3evP.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

EyMKOFxg7oP3evP.exe

description	pid	process
Token: SeDebugPrivilege	2280	EyMKOFxg7oP3evP.exe
Token: SeDebugPrivilege	2280	EyMKOFxg7oP3evP.exe
Token: SeDebugPrivilege	2280	EyMKOFxg7oP3evP.exe
Token: SeDebugPrivilege	2280	EyMKOFxg7oP3evP.exe
Token: SeDebugPrivilege	2280	EyMKOFxg7oP3evP.exe
Token: SeDebugPrivilege	2280	EyMKOFxg7oP3evP.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fb82a42cb7c5ebc99d627636f357e6f9d1d396d1624a84f17b0cecd38ba527fe.exe

description	pid	process	target process
PID 4380 wrote to memory of 2280	4380	fb82a42cb7c5ebc99d627636f357e6f9d1d396d1624a84f17b0cecd38ba527fe.exe	EyMKOFxg7oP3evP.exe
PID 4380 wrote to memory of 2280	4380	fb82a42cb7c5ebc99d627636f357e6f9d1d396d1624a84f17b0cecd38ba527fe.exe	EyMKOFxg7oP3evP.exe
PID 4380 wrote to memory of 2280	4380	fb82a42cb7c5ebc99d627636f357e6f9d1d396d1624a84f17b0cecd38ba527fe.exe	EyMKOFxg7oP3evP.exe

C:\Users\Admin\AppData\Local\Temp\fb82a42cb7c5ebc99d627636f357e6f9d1d396d1624a84f17b0cecd38ba527fe.exe
"C:\Users\Admin\AppData\Local\Temp\fb82a42cb7c5ebc99d627636f357e6f9d1d396d1624a84f17b0cecd38ba527fe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\Users\Admin\AppData\Local\Temp\7zS7EF.tmp\EyMKOFxg7oP3evP.exe
.\EyMKOFxg7oP3evP.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS7EF.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7EF.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
79e993eb04c2726d103622ff9362bd5c

SHA1
edddda56b30ffff4fc383a26f9cb9ee65ba3cc8f

SHA256
6eb11b56103818aa17e9e49caf0eec164d72c8f346cdf7168410c6fbd6e8a5d7

SHA512
d31703aad5009755489b48d9b835eb83fb78278dd1651e843de17fe694193952e8e2de0f3ca30fe4eadb093d8acfc2af9f34402c1c7824081c6ba1dae4f14983

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7EF.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
41e89a8246acb6078acdce42a34c7a94

SHA1
ace54dfb8ffbff01047b57afd3c4b3471aeb740e

SHA256
bc935d26213e0d10e6de19cc259cfaa023053e3a82dda4ba0afea291d0510a94

SHA512
3c4bafbc62f1ba0ed02762647e716b139bf2f72bdb23b2aee54cdea9f1eb079db5d9c39ffe390151b81b9034595fa954fb631b40cd233f6b6f6d1598e1f0d8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7EF.tmp\[email protected]\install.rdf

Filesize
595B

MD5
69254983639ae58212c0eca904af5f42

SHA1
6a4ab3a5e2e765f0b8f53c71fb611afc4b1a417d

SHA256
f132a22ecc389c58ea9133a10a81ce1bcd90db44bbb6c7bddb466935de761f79

SHA512
bb058bb4daca40ff43ae0dcb3a34ac1572900b77f298655020cd974da6d13576f9e3cd22030685b423837d397e103c153517b14959e7cbb78f8e4559f00ad561

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7EF.tmp\EyMKOFxg7oP3evP.dat

Filesize
1KB

MD5
54b15f23c4548d1369422aa9bfd7f86c

SHA1
6bba4eb63b512c9950f10d579f2043b21d2884ff

SHA256
e037876d7c8cd78df5392b3081bab100b2be5b8311262d19d25bf4b5e516a718

SHA512
1a7345615752b141088b897b1953309403ee4eb16adee0ff81a6d8d8c246bb9c0a5ae26e1ee98fa794085b4b540f816747f7cbe1db50a6592466854f1443b0d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7EF.tmp\EyMKOFxg7oP3evP.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7EF.tmp\EyMKOFxg7oP3evP.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7EF.tmp\ddifijfkioggdbjlpeaogohakoepihei\P2.js

Filesize
6KB

MD5
2867e825337b020afc48d8bda0d4d6b4

SHA1
aba94cfecedc0e787916cbf5c1c281d49391e4ae

SHA256
835c3dcb87f8fa668ce0af441fe8aff44496e55e3e23a395be5cfd47795c1cb5

SHA512
072d0823e2f12181261253b9b2c0f9a1d26bc6597cb1acb93f954ea1f4d8b482bb5a61edf067e750494d0f26ef537e4d608ba32d3e5e3b7965009242ee8741cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7EF.tmp\ddifijfkioggdbjlpeaogohakoepihei\background.html

Filesize
139B

MD5
085711d410004255582190a15889ce91

SHA1
8a61d085f79d664c018a434dbb6b3482ba37156a

SHA256
38e6b8d1256e920e6040875324e54d66cdfc3da050fae61d96253df93b95ee9b

SHA512
c977bfb174e287fad7f0f0b542b896e24928eb90c3c61afbb13a944afbc90c161cbf60103778da6d766ecc002bad9e6bb39b270c1abf291c0e55429e31b8f6cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7EF.tmp\ddifijfkioggdbjlpeaogohakoepihei\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7EF.tmp\ddifijfkioggdbjlpeaogohakoepihei\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7EF.tmp\ddifijfkioggdbjlpeaogohakoepihei\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/2280-132-0x0000000000000000-mapping.dmp

Download