fd5192700408041cb3a7fc81078ae96dde0c980dd43315728e0ab8ebdc4f5900

Analysis

max time kernel
191s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd5192700408041cb3a7fc81078ae96dde0c980dd43315728e0ab8ebdc4f5900.exe
Size

920KB
MD5

dfe1ab4761d5e47a0afed697ce1d0b2d
SHA1

e956856e0b649b73846c8b089d62f63f1004c35c
SHA256

fd5192700408041cb3a7fc81078ae96dde0c980dd43315728e0ab8ebdc4f5900
SHA512

114b60f709bf6150fa0050dd98e83240f9e60860c9b97845f63df4e9127e4b4334b122785ad69b6a2d856edd4ee89b874066c51c2bb21515310420b4633fe77e
SSDEEP

24576:h1OYdaO/MtdHAqcdDVhYwiei7+EpFAh/kKr:h1OsOPHVmVhYwiLtKkKr

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

j2QIRqAXVpBVG5G.exe

pid process

1504 j2QIRqAXVpBVG5G.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

j2QIRqAXVpBVG5G.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgbmaedbfnjconfifpkpojaajimpecij\2.0\manifest.json	j2QIRqAXVpBVG5G.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgbmaedbfnjconfifpkpojaajimpecij\2.0\manifest.json	j2QIRqAXVpBVG5G.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgbmaedbfnjconfifpkpojaajimpecij\2.0\manifest.json	j2QIRqAXVpBVG5G.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgbmaedbfnjconfifpkpojaajimpecij\2.0\manifest.json	j2QIRqAXVpBVG5G.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgbmaedbfnjconfifpkpojaajimpecij\2.0\manifest.json	j2QIRqAXVpBVG5G.exe

Drops file in System32 directory 4 IoCs

Processes:

j2QIRqAXVpBVG5G.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	j2QIRqAXVpBVG5G.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	j2QIRqAXVpBVG5G.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	j2QIRqAXVpBVG5G.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	j2QIRqAXVpBVG5G.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

j2QIRqAXVpBVG5G.exe

pid	process
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe
1504	j2QIRqAXVpBVG5G.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

j2QIRqAXVpBVG5G.exe

description	pid	process
Token: SeDebugPrivilege	1504	j2QIRqAXVpBVG5G.exe
Token: SeDebugPrivilege	1504	j2QIRqAXVpBVG5G.exe
Token: SeDebugPrivilege	1504	j2QIRqAXVpBVG5G.exe
Token: SeDebugPrivilege	1504	j2QIRqAXVpBVG5G.exe
Token: SeDebugPrivilege	1504	j2QIRqAXVpBVG5G.exe
Token: SeDebugPrivilege	1504	j2QIRqAXVpBVG5G.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fd5192700408041cb3a7fc81078ae96dde0c980dd43315728e0ab8ebdc4f5900.exe

description	pid	process	target process
PID 1444 wrote to memory of 1504	1444	fd5192700408041cb3a7fc81078ae96dde0c980dd43315728e0ab8ebdc4f5900.exe	j2QIRqAXVpBVG5G.exe
PID 1444 wrote to memory of 1504	1444	fd5192700408041cb3a7fc81078ae96dde0c980dd43315728e0ab8ebdc4f5900.exe	j2QIRqAXVpBVG5G.exe
PID 1444 wrote to memory of 1504	1444	fd5192700408041cb3a7fc81078ae96dde0c980dd43315728e0ab8ebdc4f5900.exe	j2QIRqAXVpBVG5G.exe

C:\Users\Admin\AppData\Local\Temp\fd5192700408041cb3a7fc81078ae96dde0c980dd43315728e0ab8ebdc4f5900.exe
"C:\Users\Admin\AppData\Local\Temp\fd5192700408041cb3a7fc81078ae96dde0c980dd43315728e0ab8ebdc4f5900.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Local\Temp\7zS3F3B.tmp\j2QIRqAXVpBVG5G.exe
.\j2QIRqAXVpBVG5G.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS3F3B.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3F3B.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
dd513c54223b815c81730929f2dcd18e

SHA1
dd41e7a932347f2dc9cc118d298139d2eb2954ee

SHA256
1ac2fadf4bb2b51b1d297b91754ac1ef55e7adf61e7d3d33efacb11456191c45

SHA512
7a65e8a1e5ce75572ae781a7328cdfdda2f087c97d0708dd08e8e4a09de46858dab379cf43dff2203d3fa682d7ebd34d57248cb86f5d3008c9b9b2220ed65ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3F3B.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
bc735694ee6ffb6cf3853865d3776fc7

SHA1
b623134b702cc46116bbec4508f03d6bd5f6eaf3

SHA256
bb9ee2766e7296d37de927d823007e2d608fc985cbeb111cf2c6d43bf6fa7230

SHA512
e1fdd0e1593aafa6daf9ad4cc3faa49827cfbc463bb2a4397e86fb9137441cf8992203ce6ca3da6b49e39e1307203541243e6360fd1c320ce2cc775e27ca7cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3F3B.tmp\[email protected]\install.rdf

Filesize
594B

MD5
cf656b3d05fdd236a902d94a990fc6b2

SHA1
785bffe89f702017476d37c0d1f62cea8e90b74b

SHA256
2fce04804ae3464777f3f6cfd5eb0ca8027f456eb5b522067fc0d8bf5675a483

SHA512
2e16838766d36bf6c3787efde973fb56decbb4dc91cf19b7fa9db0e7ee45ae71b36f3eb5bb5f55c81413394a788b7fd73e876bada27d00c9d3aafdef94540b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3F3B.tmp\j2QIRqAXVpBVG5G.dat

Filesize
1KB

MD5
b7cc66a3a44553339724a8408900a89d

SHA1
7c4b62fb2ec168845de056b6405d59a9369f13ea

SHA256
c64a3e4fc3d338347e1c0dbd346c3cefc52a33b5eb81104bc0394e1f5e8913bf

SHA512
b2909291b7dfb8af660cb8d261107ec5c2b583f209f0ce9b385767dfb375720a37d9b3df9156701b21da30eabf1ef19c57ad2931c63171f6a41677adf40fb434

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3F3B.tmp\j2QIRqAXVpBVG5G.exe

Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3F3B.tmp\j2QIRqAXVpBVG5G.exe

Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3F3B.tmp\lgbmaedbfnjconfifpkpojaajimpecij\background.html

Filesize
140B

MD5
79d788578da3cd45c13aa21c2ced4ece

SHA1
8f06648798056ddf129c343748c32a91649adadf

SHA256
79fc5821680411ac7df0072707fc228fe21b5326130dd3ee93f114825c12aaaf

SHA512
8f20663de03604c9f500dacde6defde7d9fef95c88d08d88a0a8970907846b23863be395540a3886f809012f881ffa8cb95912ed009dc8a90820c6d30652dbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3F3B.tmp\lgbmaedbfnjconfifpkpojaajimpecij\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3F3B.tmp\lgbmaedbfnjconfifpkpojaajimpecij\hgG.js

Filesize
6KB

MD5
47cdc7021ca02de4add1071bbc1d1afc

SHA1
379f6cd83b46972f7301daf3abc1bf9e3c1d5756

SHA256
25877eb462139a8fd2f93fd2dfa15b38130e257d8db78a91901d84f7519048bc

SHA512
8a0e0016193630684fe743a5d204e7ad63d124913d31bbeeedf2a7487388a01cd0d119d649a1e566a2878bde2397395a3141e4719dd7445f99f8c6571442a19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3F3B.tmp\lgbmaedbfnjconfifpkpojaajimpecij\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3F3B.tmp\lgbmaedbfnjconfifpkpojaajimpecij\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/1504-132-0x0000000000000000-mapping.dmp

Download