fadb9a4e3c7149db4408678e29b1262879e3620121710bf2e1174013081fff8a

Analysis

max time kernel
185s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fadb9a4e3c7149db4408678e29b1262879e3620121710bf2e1174013081fff8a.exe
Size

920KB
MD5

3f6f0ae468622ea8b6869f862ca8bfe6
SHA1

48dadf6a57a5fb5152f56cc86fbb38ac7d3b388b
SHA256

fadb9a4e3c7149db4408678e29b1262879e3620121710bf2e1174013081fff8a
SHA512

b78ac66aee223e6ada3b7c25d9ecd7a0ee951d37c66c17a57f8914fccbe2bcb7949eb31651474bf274d4fa57accd0c7fd190de189c6701c0c147de814c208d0a
SSDEEP

12288:h1OgLdaOEBJac3ZWRLTFh4kEsaGutVjLJSYo4F9p0yyo6VicP1GAR9qR:h1OYdaOuJac30xFj9a1Y9CeVJP1bR9qR

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

NOFjlEZ0lbiKxle.exe

pid process

3260 NOFjlEZ0lbiKxle.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

NOFjlEZ0lbiKxle.exe

description	ioc	process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\njkendmbjdogmjfghnepgiinmmbchhbk\2.0\manifest.json	NOFjlEZ0lbiKxle.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\njkendmbjdogmjfghnepgiinmmbchhbk\2.0\manifest.json	NOFjlEZ0lbiKxle.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\njkendmbjdogmjfghnepgiinmmbchhbk\2.0\manifest.json	NOFjlEZ0lbiKxle.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\njkendmbjdogmjfghnepgiinmmbchhbk\2.0\manifest.json	NOFjlEZ0lbiKxle.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\njkendmbjdogmjfghnepgiinmmbchhbk\2.0\manifest.json	NOFjlEZ0lbiKxle.exe

Drops file in System32 directory 4 IoCs

Processes:

NOFjlEZ0lbiKxle.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	NOFjlEZ0lbiKxle.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	NOFjlEZ0lbiKxle.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	NOFjlEZ0lbiKxle.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	NOFjlEZ0lbiKxle.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

NOFjlEZ0lbiKxle.exe

pid	process
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe
3260	NOFjlEZ0lbiKxle.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

NOFjlEZ0lbiKxle.exe

description	pid	process
Token: SeDebugPrivilege	3260	NOFjlEZ0lbiKxle.exe
Token: SeDebugPrivilege	3260	NOFjlEZ0lbiKxle.exe
Token: SeDebugPrivilege	3260	NOFjlEZ0lbiKxle.exe
Token: SeDebugPrivilege	3260	NOFjlEZ0lbiKxle.exe
Token: SeDebugPrivilege	3260	NOFjlEZ0lbiKxle.exe
Token: SeDebugPrivilege	3260	NOFjlEZ0lbiKxle.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fadb9a4e3c7149db4408678e29b1262879e3620121710bf2e1174013081fff8a.exe

description	pid	process	target process
PID 4652 wrote to memory of 3260	4652	fadb9a4e3c7149db4408678e29b1262879e3620121710bf2e1174013081fff8a.exe	NOFjlEZ0lbiKxle.exe
PID 4652 wrote to memory of 3260	4652	fadb9a4e3c7149db4408678e29b1262879e3620121710bf2e1174013081fff8a.exe	NOFjlEZ0lbiKxle.exe
PID 4652 wrote to memory of 3260	4652	fadb9a4e3c7149db4408678e29b1262879e3620121710bf2e1174013081fff8a.exe	NOFjlEZ0lbiKxle.exe

C:\Users\Admin\AppData\Local\Temp\fadb9a4e3c7149db4408678e29b1262879e3620121710bf2e1174013081fff8a.exe
"C:\Users\Admin\AppData\Local\Temp\fadb9a4e3c7149db4408678e29b1262879e3620121710bf2e1174013081fff8a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4652

C:\Users\Admin\AppData\Local\Temp\7zS255A.tmp\NOFjlEZ0lbiKxle.exe
.\NOFjlEZ0lbiKxle.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS255A.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS255A.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
8f0d8aab1dfd0b5b32bbf00d96446efb

SHA1
b5dddf26dcf09a962bcbcb7c216e3ef35b1ccdc6

SHA256
fa4b5f5b0147cc52dd53244d03111520be8a796a98a9de13172614d99ca1feec

SHA512
ea4f2f567d4e48298b2b7f21b2d2b321287d0b3643203da596003ca9afac33277a10098329dba3b39007230acef1153f3ceee2ef64bdcdf56d4b7cfef30994cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS255A.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
b4a0dd0780edf6dfd2cdfa60b67999cb

SHA1
8e9d0f68431528cd85863d6f55d054c24046826a

SHA256
3bf02364e7dd8a6438ae5fb728e79aedb937000151f035469cd8f627928731b5

SHA512
bb149a9e0518f832808e3c2980a06fb3669dc774473e07db561edb554168a65e4422e4ddcb43f6f1090a8ce49b1291d40433bda3595d9745e0c72dc8ea49daef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS255A.tmp\[email protected]\install.rdf

Filesize
591B

MD5
108d8a46691f627f610193c0570e082d

SHA1
f5968a3e0942a793a002ad6a5f2175dca134e11e

SHA256
77bb4b0aab256836f5e549a48ab844ae416d1f2dd9e58d13dd98018c641e0b29

SHA512
9df8efbdf48af3a4320d57d6b25812bf349d12c05bbd2236769a31053503a0719321365b27b439f27f534210fd029ce33aa232b04d1773ff177867fa422a92b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS255A.tmp\NOFjlEZ0lbiKxle.dat

Filesize
1KB

MD5
704e1a8944affefd05f16ad4b3f27489

SHA1
d9ec4d0eec657f443884899c08d8e23a72cc9e1d

SHA256
75ee828b06a33de1f5529a8fe355a865ee86338ac724606d84f6d790524d3620

SHA512
324471a33bd44480bfe57793e58ca215625808e71cdb4e6cae3a336d9fded5b599add5c2c29bfe2ed1f5ff871eb75729c3f546b89b8e92c6501c704d8d2bf453

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS255A.tmp\NOFjlEZ0lbiKxle.exe

Filesize
762KB

MD5
468f56fce4a9413059464fa7c9c3cc5f

SHA1
99dde68e6dca34b5787c1e2faeab1716f443e462

SHA256
1b0cefe330725f38dd592a9900eeca832124643d3a170805ad7cd988dc312841

SHA512
11bf2744d92faaa1e13bb316d3d56555fd5bb8a8248fde6bbca1f692cc55928ec901cc1cc79c09f236273e25712526dd629fd97aec4f062d469c9714d1a6a7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS255A.tmp\NOFjlEZ0lbiKxle.exe

Filesize
762KB

MD5
468f56fce4a9413059464fa7c9c3cc5f

SHA1
99dde68e6dca34b5787c1e2faeab1716f443e462

SHA256
1b0cefe330725f38dd592a9900eeca832124643d3a170805ad7cd988dc312841

SHA512
11bf2744d92faaa1e13bb316d3d56555fd5bb8a8248fde6bbca1f692cc55928ec901cc1cc79c09f236273e25712526dd629fd97aec4f062d469c9714d1a6a7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS255A.tmp\njkendmbjdogmjfghnepgiinmmbchhbk\background.html

Filesize
140B

MD5
927246ab7df407ea28b8be0a1f2e4869

SHA1
f87d995bd66b016f2f8f19ba7ed03fea33aaad2d

SHA256
9e3698003c0606e70859126f9bcd9086c557d9c595de0346facb9502c4ccc1d6

SHA512
ee7a959c37b1d279cbc580a47633f8dbddc1648360302735739c8cb44688dc69cdf9dddc6e73cab3f4a34075c5c0753afcf4e52ce326856989fc8ac8599d0a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS255A.tmp\njkendmbjdogmjfghnepgiinmmbchhbk\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS255A.tmp\njkendmbjdogmjfghnepgiinmmbchhbk\ktI.js

Filesize
5KB

MD5
004177feef33f0189f162c37a9373269

SHA1
8e28253889bf5ba26c72ebe275d5b1378b4d18c6

SHA256
094df3278cdf2bbf6b4b8b8387a17f77eb1a5de2915494a4f5dbe09917bebd2b

SHA512
fa2ee8b9fdc1eeaa5f7222073c156473709de790fd0ee4d1b06e2385e487187c80fbe37ac91710bb9ce3aa15e3150840b733e62a5caf6cb099e60bc4f0040540

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS255A.tmp\njkendmbjdogmjfghnepgiinmmbchhbk\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS255A.tmp\njkendmbjdogmjfghnepgiinmmbchhbk\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/3260-132-0x0000000000000000-mapping.dmp

Download