fa80d059c165e5ea1af84ead1df4e744e1cc5b26c1e3ac2a2426ae5ec4e65f14

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa80d059c165e5ea1af84ead1df4e744e1cc5b26c1e3ac2a2426ae5ec4e65f14.exe
Size

931KB
MD5

138cecf3019c670344043d3a9b3a468f
SHA1

c894bbae2d5cf1f4ac9d0a5f5e9f10c697918f0c
SHA256

fa80d059c165e5ea1af84ead1df4e744e1cc5b26c1e3ac2a2426ae5ec4e65f14
SHA512

01d0ab3a50cdeb0eab66c5448ae1ffe24dcf0612a4b3fc1b18c54a74315d7bebfe9a6e7c4867b3c3b163815375c62e00ad1e1664238a312fdc97dcb39f094f08
SSDEEP

24576:h1OYdaORCZ/iWCvu/2sWsJA/jlt+DHhsu:h1OsrCpYO/dJJDHhsu

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

7UMex3ES5hgyKxX.exe

pid process

3020 7UMex3ES5hgyKxX.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

7UMex3ES5hgyKxX.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfelciodkdeobbppjneelijlbdhkkep\2.0\manifest.json	7UMex3ES5hgyKxX.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfelciodkdeobbppjneelijlbdhkkep\2.0\manifest.json	7UMex3ES5hgyKxX.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfelciodkdeobbppjneelijlbdhkkep\2.0\manifest.json	7UMex3ES5hgyKxX.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfelciodkdeobbppjneelijlbdhkkep\2.0\manifest.json	7UMex3ES5hgyKxX.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfelciodkdeobbppjneelijlbdhkkep\2.0\manifest.json	7UMex3ES5hgyKxX.exe

Drops file in System32 directory 4 IoCs

Processes:

7UMex3ES5hgyKxX.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	7UMex3ES5hgyKxX.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	7UMex3ES5hgyKxX.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	7UMex3ES5hgyKxX.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	7UMex3ES5hgyKxX.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

7UMex3ES5hgyKxX.exe

pid	process
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe
3020	7UMex3ES5hgyKxX.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7UMex3ES5hgyKxX.exe

description	pid	process
Token: SeDebugPrivilege	3020	7UMex3ES5hgyKxX.exe
Token: SeDebugPrivilege	3020	7UMex3ES5hgyKxX.exe
Token: SeDebugPrivilege	3020	7UMex3ES5hgyKxX.exe
Token: SeDebugPrivilege	3020	7UMex3ES5hgyKxX.exe
Token: SeDebugPrivilege	3020	7UMex3ES5hgyKxX.exe
Token: SeDebugPrivilege	3020	7UMex3ES5hgyKxX.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fa80d059c165e5ea1af84ead1df4e744e1cc5b26c1e3ac2a2426ae5ec4e65f14.exe

description	pid	process	target process
PID 2088 wrote to memory of 3020	2088	fa80d059c165e5ea1af84ead1df4e744e1cc5b26c1e3ac2a2426ae5ec4e65f14.exe	7UMex3ES5hgyKxX.exe
PID 2088 wrote to memory of 3020	2088	fa80d059c165e5ea1af84ead1df4e744e1cc5b26c1e3ac2a2426ae5ec4e65f14.exe	7UMex3ES5hgyKxX.exe
PID 2088 wrote to memory of 3020	2088	fa80d059c165e5ea1af84ead1df4e744e1cc5b26c1e3ac2a2426ae5ec4e65f14.exe	7UMex3ES5hgyKxX.exe

C:\Users\Admin\AppData\Local\Temp\fa80d059c165e5ea1af84ead1df4e744e1cc5b26c1e3ac2a2426ae5ec4e65f14.exe
"C:\Users\Admin\AppData\Local\Temp\fa80d059c165e5ea1af84ead1df4e744e1cc5b26c1e3ac2a2426ae5ec4e65f14.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Local\Temp\7zS8B0E.tmp\7UMex3ES5hgyKxX.exe
.\7UMex3ES5hgyKxX.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS8B0E.tmp\7UMex3ES5hgyKxX.dat

Filesize
1KB

MD5
0620e1669c39717e659c93b1fcab553c

SHA1
20da2f91ee49cbcfc8f70fde37f01c457f4c40b2

SHA256
7efe4d4ee1ec69274b12a75c325f302c427382bd98c10cf7ca4f4907a8e60cf7

SHA512
a2eafebc1b2fb7aa6a53efc8915c9200c31bd91565abd139c138fddc9369a6276afc9f168e25ae78fc3ab7a0791f260b12c649229ec11ff078db717fd63161e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B0E.tmp\7UMex3ES5hgyKxX.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B0E.tmp\7UMex3ES5hgyKxX.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B0E.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B0E.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
ddeb4276f794489bc1aed44a6a64eef2

SHA1
71a4bce5d6e8a72b4def285590f3da00861729e6

SHA256
100527f16c1240fb65e990b99ed3f98ba26661dfd647655d68e229dd11cd520f

SHA512
2ef7079a67def657e11db52ad977bc855e5700e963852dcb7e8c2ea8b89dcb4d46ba9be1805d376ca375d5ebba9786f8f7e420c164cd16d179b9ffe0e14b7db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B0E.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
8c987314d70b8584303cd3dc27c1aca1

SHA1
7c2a6c12ca920035c6417bf9f826232783f0d4bc

SHA256
5b51f90321ec816849ac7ac3e136d85880f7cd59b3cc8df65e14b823295e83a1

SHA512
5c5a66ecd0948080848b3b09369bc3a377f38a72e0a77938eee0cb9d2f6ad201ce28d1fe01145bfed389543671db00e7a20c19adaeefcb578afdb15145ce8a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B0E.tmp\[email protected]\install.rdf

Filesize
596B

MD5
a237bf869d59875eb1549fc34f70c4dd

SHA1
9b3b42f244fef221fb1ec94de2ec282d3654b4ec

SHA256
881a5e21da9cc6b787b0c983d790f4933bc755e4958a68efe14610408007efd5

SHA512
1adf43faa6d458cca68f0ec2c8fa3a5adead0f949ac8c61149896b88597a1fa81e68a2ba433cbdc044044819ce1308171946f437cae9a6e94220295eaba24dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B0E.tmp\ocfelciodkdeobbppjneelijlbdhkkep\background.html

Filesize
144B

MD5
7a656d9b6389ae0c8ac3f1dc8f85db20

SHA1
30456c7cbd88fb9daebda865a14968f1e68cad2c

SHA256
694c1f388434acb829392ab9b6486a6660139b52acc4361ad58b321d2b0020fb

SHA512
9e9cae5c1ea3fde2f99eaddedaa46e47e71c93651e1c4eae299642cdabbf150c8bfb9a54b8ad4044334cc51f5c7c9ff30b3cc4a5be3f390bdeaadbd17b6a9a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B0E.tmp\ocfelciodkdeobbppjneelijlbdhkkep\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B0E.tmp\ocfelciodkdeobbppjneelijlbdhkkep\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B0E.tmp\ocfelciodkdeobbppjneelijlbdhkkep\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B0E.tmp\ocfelciodkdeobbppjneelijlbdhkkep\onVHUhq.js

Filesize
6KB

MD5
b8e84a2b731117dc65f18849961b33cc

SHA1
dfa88823f24c9730456d213c4e7b58515863de4e

SHA256
7d2c01b01bf23fa261199204041b6d2c7632407e8579b1d4401a7800354497ad

SHA512
3fa8e0088a87a8ef74948477ff1d8ef94f1fe199cabd2dd9a2346c1628d9e10f2d1302fa0fde2ce9dfca8ab3243064e8055a7ec647ae0a304d38dfe743ae2c3f

Download Submit
memory/3020-132-0x0000000000000000-mapping.dmp

Download