f9164a6fe06808ad03ec566eb5c658c08f2d78f9573ea03d122c9d6cf8bc5fc2

Analysis

max time kernel
176s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9164a6fe06808ad03ec566eb5c658c08f2d78f9573ea03d122c9d6cf8bc5fc2.exe
Size

931KB
MD5

5a468ba8bdb30501f234cc0bca634ed4
SHA1

ab3f845c5de175db6cd8c487f162a0b780926ae7
SHA256

f9164a6fe06808ad03ec566eb5c658c08f2d78f9573ea03d122c9d6cf8bc5fc2
SHA512

cb3bf909d82c3cece2ed694bedeaade1fd9cb7359c224eb25eb5fcbb5a5fbf6f4ccb3072efbba16e5954114493c26508df2d6c2aba83232d77d75df5e0280266
SSDEEP

24576:h1OYdaOnCZ/iWCvu/2sWsJA/jlt+DHhsd:h1OstCpYO/dJJDHhsd

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

eHnuAP3dJnE6ZcR.exe

pid process

1276 eHnuAP3dJnE6ZcR.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

eHnuAP3dJnE6ZcR.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\phdablgkchhlcfhlmjfhlcdkabdejjab\2.0\manifest.json	eHnuAP3dJnE6ZcR.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\phdablgkchhlcfhlmjfhlcdkabdejjab\2.0\manifest.json	eHnuAP3dJnE6ZcR.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\phdablgkchhlcfhlmjfhlcdkabdejjab\2.0\manifest.json	eHnuAP3dJnE6ZcR.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\phdablgkchhlcfhlmjfhlcdkabdejjab\2.0\manifest.json	eHnuAP3dJnE6ZcR.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\phdablgkchhlcfhlmjfhlcdkabdejjab\2.0\manifest.json	eHnuAP3dJnE6ZcR.exe

Drops file in System32 directory 4 IoCs

Processes:

eHnuAP3dJnE6ZcR.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	eHnuAP3dJnE6ZcR.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	eHnuAP3dJnE6ZcR.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	eHnuAP3dJnE6ZcR.exe
File opened for modification	C:\Windows\System32\GroupPolicy	eHnuAP3dJnE6ZcR.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

eHnuAP3dJnE6ZcR.exe

pid	process
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe
1276	eHnuAP3dJnE6ZcR.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

eHnuAP3dJnE6ZcR.exe

description	pid	process
Token: SeDebugPrivilege	1276	eHnuAP3dJnE6ZcR.exe
Token: SeDebugPrivilege	1276	eHnuAP3dJnE6ZcR.exe
Token: SeDebugPrivilege	1276	eHnuAP3dJnE6ZcR.exe
Token: SeDebugPrivilege	1276	eHnuAP3dJnE6ZcR.exe
Token: SeDebugPrivilege	1276	eHnuAP3dJnE6ZcR.exe
Token: SeDebugPrivilege	1276	eHnuAP3dJnE6ZcR.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f9164a6fe06808ad03ec566eb5c658c08f2d78f9573ea03d122c9d6cf8bc5fc2.exe

description	pid	process	target process
PID 4336 wrote to memory of 1276	4336	f9164a6fe06808ad03ec566eb5c658c08f2d78f9573ea03d122c9d6cf8bc5fc2.exe	eHnuAP3dJnE6ZcR.exe
PID 4336 wrote to memory of 1276	4336	f9164a6fe06808ad03ec566eb5c658c08f2d78f9573ea03d122c9d6cf8bc5fc2.exe	eHnuAP3dJnE6ZcR.exe
PID 4336 wrote to memory of 1276	4336	f9164a6fe06808ad03ec566eb5c658c08f2d78f9573ea03d122c9d6cf8bc5fc2.exe	eHnuAP3dJnE6ZcR.exe

C:\Users\Admin\AppData\Local\Temp\f9164a6fe06808ad03ec566eb5c658c08f2d78f9573ea03d122c9d6cf8bc5fc2.exe
"C:\Users\Admin\AppData\Local\Temp\f9164a6fe06808ad03ec566eb5c658c08f2d78f9573ea03d122c9d6cf8bc5fc2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4336

C:\Users\Admin\AppData\Local\Temp\7zSFDAE.tmp\eHnuAP3dJnE6ZcR.exe
.\eHnuAP3dJnE6ZcR.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSFDAE.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDAE.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
3254a03757ba7065f4225cdbe1415586

SHA1
c00c94b9889c2f2a4f0acffc6a7e86d593158221

SHA256
19119ca698bb65ebc2c7ec4c4c1f89968710493ee9de9a08d6ee81519a9a1aa6

SHA512
340b0dbb5ab908c3e739665794d5762dcfc8cb25e4185eb5ab04fd9e5b1fce547544003e0723ab43816b1ec2823537d74a6dd3fd04fffd7e14aee20982b4594b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDAE.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
6c5268c2b0c3b684a9fe1ed54ff6a7bb

SHA1
e08be9f8ed2f88678cd60bf9818a33c168810337

SHA256
26fe0505c93ac0511213d27531b8ed277e16e5532f7a8bfb069f9b43202e5a46

SHA512
c8965bfbfa32ade0fea1253087e6f2f33684c0d76065f3b866c6b1c5d85bf3352320b460dc7490e53791ad84ec9bb498dd6366381f68d59c3635435f4d2d8a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDAE.tmp\[email protected]\install.rdf

Filesize
597B

MD5
ce8084236564585574b84119bbdb114b

SHA1
be74514a201f0783d04177ca7b55dbc0249907a0

SHA256
ae17f2133f44bdf7c01b5b54ec2523caa453fe4cd2cf26286dbdec16f471f529

SHA512
b5ffb3464b46f8f3103f5d03ef8af1674892e0c9f5133c4b31c27f98d7eaff534a8a59c0d73c4dbb36cf167d346e84ca17001d5db771698cab3d4c94e35cd4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDAE.tmp\eHnuAP3dJnE6ZcR.dat

Filesize
1KB

MD5
11a2849f50364e7a0a96f02ec6ffc5f5

SHA1
c1022d76f1f6c65d680fc61804cb4fa0db3fc3d5

SHA256
319692035a5667748aab18dc511252377cd25fad523360373cd25b9be5742858

SHA512
887fda94947b9686a4bc6e7725b0acda62516f4f31e018a6bf47d54e94679eb4f46c6ad6fad3d4b2c9f6ce99a52b9efd6c2f05efe981c56bca2cc87e34090075

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDAE.tmp\eHnuAP3dJnE6ZcR.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDAE.tmp\eHnuAP3dJnE6ZcR.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDAE.tmp\phdablgkchhlcfhlmjfhlcdkabdejjab\background.html

Filesize
143B

MD5
d965cc1982ccb3ae3013b498a7d85c90

SHA1
d9feedd319147cb388ff770bcff28fd0617a6b7a

SHA256
996259728b5479781efa0c9cb21d7ecdb60c187abde37e3caee79d008e2ee305

SHA512
af294178b96171933f0f43c942fa064c7cfab3df8cbb7800105aa15f493b176b85c56eb84b0ca9ba718257bf941652bb34010a0679d5d34a6d86431674a48ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDAE.tmp\phdablgkchhlcfhlmjfhlcdkabdejjab\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDAE.tmp\phdablgkchhlcfhlmjfhlcdkabdejjab\iuKdbM.js

Filesize
6KB

MD5
3450da950b11f9478c1d3956b202c227

SHA1
718c0cf921a917ccf19adabe58e725a067528ed9

SHA256
73e56a655d994b082848f48545faaab0f6284ceda6f4309f3576264c4af86422

SHA512
867bfebfe348bfe2bbbf5e81add665026f32d13906c33f95e52b29857035ec9fb352fe2000c8ba7146a0f20e44b30fe96090301ffbeab82244e3355533ceadcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDAE.tmp\phdablgkchhlcfhlmjfhlcdkabdejjab\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDAE.tmp\phdablgkchhlcfhlmjfhlcdkabdejjab\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/1276-132-0x0000000000000000-mapping.dmp

Download