fb635af89aba7dc0d1c15037498fe5af5529537d77d84b71dc39d58867aff606

Analysis

max time kernel
139s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb635af89aba7dc0d1c15037498fe5af5529537d77d84b71dc39d58867aff606.exe
Size

920KB
MD5

5880ed6533665fbca7536c889d118d54
SHA1

de6564ecf224c8f4248b22df1465ea8a4e8995f7
SHA256

fb635af89aba7dc0d1c15037498fe5af5529537d77d84b71dc39d58867aff606
SHA512

cec5b9313869a92cda05fd59c6b6139a825fb600a5ed9ba83ed8a55fe59545b1dbeef01b9d11d2d515a524493b4f01852fd4eaa5f08a274f082bde8dd910da20
SSDEEP

24576:h1OYdaOIMtdHAqcdDVhYwiei7+EpFAh/kKy:h1Os9PHVmVhYwiLtKkKy

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

gZDdFJLNcxqXj4w.exe

pid process

4956 gZDdFJLNcxqXj4w.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

gZDdFJLNcxqXj4w.exe

description	ioc	process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccmkcbnmoikoefmmjgceaeeomaiimnmn\2.0\manifest.json	gZDdFJLNcxqXj4w.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccmkcbnmoikoefmmjgceaeeomaiimnmn\2.0\manifest.json	gZDdFJLNcxqXj4w.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccmkcbnmoikoefmmjgceaeeomaiimnmn\2.0\manifest.json	gZDdFJLNcxqXj4w.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccmkcbnmoikoefmmjgceaeeomaiimnmn\2.0\manifest.json	gZDdFJLNcxqXj4w.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccmkcbnmoikoefmmjgceaeeomaiimnmn\2.0\manifest.json	gZDdFJLNcxqXj4w.exe

Drops file in System32 directory 4 IoCs

Processes:

gZDdFJLNcxqXj4w.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	gZDdFJLNcxqXj4w.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	gZDdFJLNcxqXj4w.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	gZDdFJLNcxqXj4w.exe
File opened for modification	C:\Windows\System32\GroupPolicy	gZDdFJLNcxqXj4w.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

gZDdFJLNcxqXj4w.exe

pid	process
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe
4956	gZDdFJLNcxqXj4w.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

gZDdFJLNcxqXj4w.exe

description	pid	process
Token: SeDebugPrivilege	4956	gZDdFJLNcxqXj4w.exe
Token: SeDebugPrivilege	4956	gZDdFJLNcxqXj4w.exe
Token: SeDebugPrivilege	4956	gZDdFJLNcxqXj4w.exe
Token: SeDebugPrivilege	4956	gZDdFJLNcxqXj4w.exe
Token: SeDebugPrivilege	4956	gZDdFJLNcxqXj4w.exe
Token: SeDebugPrivilege	4956	gZDdFJLNcxqXj4w.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fb635af89aba7dc0d1c15037498fe5af5529537d77d84b71dc39d58867aff606.exe

description	pid	process	target process
PID 1484 wrote to memory of 4956	1484	fb635af89aba7dc0d1c15037498fe5af5529537d77d84b71dc39d58867aff606.exe	gZDdFJLNcxqXj4w.exe
PID 1484 wrote to memory of 4956	1484	fb635af89aba7dc0d1c15037498fe5af5529537d77d84b71dc39d58867aff606.exe	gZDdFJLNcxqXj4w.exe
PID 1484 wrote to memory of 4956	1484	fb635af89aba7dc0d1c15037498fe5af5529537d77d84b71dc39d58867aff606.exe	gZDdFJLNcxqXj4w.exe

C:\Users\Admin\AppData\Local\Temp\fb635af89aba7dc0d1c15037498fe5af5529537d77d84b71dc39d58867aff606.exe
"C:\Users\Admin\AppData\Local\Temp\fb635af89aba7dc0d1c15037498fe5af5529537d77d84b71dc39d58867aff606.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\7zSD258.tmp\gZDdFJLNcxqXj4w.exe
.\gZDdFJLNcxqXj4w.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSD258.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD258.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
2361645e2af2ca8a88dea690bc981aa2

SHA1
ed7b6be43b9e623d8d351e11564e2db28561605c

SHA256
ea49819c7426fec4d5011eb6708f81a8b10acbc1af0da6851fbc5ed41a9b5b73

SHA512
4e4ecd51936c609eb1a4b9b857ab7139fee88378c585644a7817c9173a9e30d1cb601e309feaade2e4a07db6d1f210daf28e95e7ebcbf5f78718f1924249adf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD258.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
269ac47abd2a1ba589a31488e4361e42

SHA1
bac6bf73c4fca592f2a9203daf0275389e560739

SHA256
1872640efcfeef7acae09688eb6a7da5153f260456654d17880eba57b7f1369a

SHA512
25919025becc2089ffdbc61db6a61a383147518772d7102a7e6cd028fcfcc2f366ad74488f2b749ac86305b352e2e6eddd921260b5e5f875116b0561a749ee2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD258.tmp\[email protected]\install.rdf

Filesize
598B

MD5
3d930377cdc436acd30df1178bc2ff5a

SHA1
64eaf1a0397861a6ec4ef731516b80fb26a2cc1f

SHA256
3c4af38809e042683d513807d007f904ef3c09c9abefde7ed7e90b9a90dbde0f

SHA512
0d6f7468c36ca0ecf136064ec703bf5d830ed0e7f090a96344b80d45895b2c505e82fc1984a6d66976a063d66ceeb4dc6e482bbadfe89aa88d71244db3b62bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD258.tmp\ccmkcbnmoikoefmmjgceaeeomaiimnmn\background.html

Filesize
146B

MD5
8ac3c7030402f098e4a09b907f989071

SHA1
8f330bc4f6f46ab88b640e5377be7d5337d1eaad

SHA256
011cd7786b5371a1f5def2bd4b0b1ec345334138cea05fd42f28e21dfc312b8c

SHA512
393449a5350dc453c3aa998218c4a60a7f4696dd34cdf3284b9e891d0e8450ec8b84785609abdac25299475c57790a55721b3f61627567fa3ecb5fbbe197aac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD258.tmp\ccmkcbnmoikoefmmjgceaeeomaiimnmn\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD258.tmp\ccmkcbnmoikoefmmjgceaeeomaiimnmn\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD258.tmp\ccmkcbnmoikoefmmjgceaeeomaiimnmn\mNatytGKd.js

Filesize
6KB

MD5
7df98446896d7cd7939da153599e1d80

SHA1
e047f6d6cc2f3d9867d0f2d59ddcb1c71c6a0b20

SHA256
c49127cc552d4bd3d1ef080c679a5a226c190650ef49753694906a01aa32ffb0

SHA512
01927d317b4f09b38c1aacebd960b71448725fa3c1b461ce54932451e0e17dc6243179025422d2df1887a6ff755a73e29604d7be523dfd41a3bda89c7af340bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD258.tmp\ccmkcbnmoikoefmmjgceaeeomaiimnmn\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD258.tmp\gZDdFJLNcxqXj4w.dat

Filesize
1KB

MD5
061fe7776a540730a3c486a0ca986c03

SHA1
3e1fc6cc605d86e1e5d451ad21e4d4cad09d5533

SHA256
9f72cb7e667f9fcab9f7d679b34bb2cefcc155781b72bfb2f25a5188f7a8c71d

SHA512
26f441e925ee8b410db60b242a7b61ddc79fdeef6005770398722955622fbbe06157a0a04760482469a8bc791394d2dd2d444b66ce5fb2eaa7b2d77eaa455bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD258.tmp\gZDdFJLNcxqXj4w.exe

Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD258.tmp\gZDdFJLNcxqXj4w.exe

Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
memory/4956-132-0x0000000000000000-mapping.dmp

Download