fd0678f49981ca7ba67d58389070a15c20c13937a3fe3c1cd27051fe3dc26813

Analysis

max time kernel
146s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd0678f49981ca7ba67d58389070a15c20c13937a3fe3c1cd27051fe3dc26813.exe
Size

932KB
MD5

43a91e142167dd774505dfc78bbebd5a
SHA1

77d275f1aeebfe4b5e1cd206f2ac38e8dc71f329
SHA256

fd0678f49981ca7ba67d58389070a15c20c13937a3fe3c1cd27051fe3dc26813
SHA512

3dd96d47e97309c4cbd2fdcfc0449b03973a069f8a559e60b12cd05b9084ef9e9fd86514ca939f5775d03fe4eda7dfe0a2eaac6851ee8db7d3a2ffa8b58648c6
SSDEEP

24576:h1OYdaOjCZ/iWCvu/2sWsJA/jlt+DHhse:h1OsZCpYO/dJJDHhse

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

czF0ni6f9cpoab7.exe

pid process

1792 czF0ni6f9cpoab7.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

czF0ni6f9cpoab7.exe

description	ioc	process
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\anjgmfiocenmpkhdhjakfgjjeijepmjm\2.0\manifest.json	czF0ni6f9cpoab7.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\anjgmfiocenmpkhdhjakfgjjeijepmjm\2.0\manifest.json	czF0ni6f9cpoab7.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\anjgmfiocenmpkhdhjakfgjjeijepmjm\2.0\manifest.json	czF0ni6f9cpoab7.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\anjgmfiocenmpkhdhjakfgjjeijepmjm\2.0\manifest.json	czF0ni6f9cpoab7.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\anjgmfiocenmpkhdhjakfgjjeijepmjm\2.0\manifest.json	czF0ni6f9cpoab7.exe

Drops file in System32 directory 4 IoCs

Processes:

czF0ni6f9cpoab7.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	czF0ni6f9cpoab7.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	czF0ni6f9cpoab7.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	czF0ni6f9cpoab7.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	czF0ni6f9cpoab7.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

czF0ni6f9cpoab7.exe

pid	process
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe
1792	czF0ni6f9cpoab7.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

czF0ni6f9cpoab7.exe

description	pid	process
Token: SeDebugPrivilege	1792	czF0ni6f9cpoab7.exe
Token: SeDebugPrivilege	1792	czF0ni6f9cpoab7.exe
Token: SeDebugPrivilege	1792	czF0ni6f9cpoab7.exe
Token: SeDebugPrivilege	1792	czF0ni6f9cpoab7.exe
Token: SeDebugPrivilege	1792	czF0ni6f9cpoab7.exe
Token: SeDebugPrivilege	1792	czF0ni6f9cpoab7.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fd0678f49981ca7ba67d58389070a15c20c13937a3fe3c1cd27051fe3dc26813.exe

description	pid	process	target process
PID 804 wrote to memory of 1792	804	fd0678f49981ca7ba67d58389070a15c20c13937a3fe3c1cd27051fe3dc26813.exe	czF0ni6f9cpoab7.exe
PID 804 wrote to memory of 1792	804	fd0678f49981ca7ba67d58389070a15c20c13937a3fe3c1cd27051fe3dc26813.exe	czF0ni6f9cpoab7.exe
PID 804 wrote to memory of 1792	804	fd0678f49981ca7ba67d58389070a15c20c13937a3fe3c1cd27051fe3dc26813.exe	czF0ni6f9cpoab7.exe

C:\Users\Admin\AppData\Local\Temp\fd0678f49981ca7ba67d58389070a15c20c13937a3fe3c1cd27051fe3dc26813.exe
"C:\Users\Admin\AppData\Local\Temp\fd0678f49981ca7ba67d58389070a15c20c13937a3fe3c1cd27051fe3dc26813.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Local\Temp\7zSEF75.tmp\czF0ni6f9cpoab7.exe
.\czF0ni6f9cpoab7.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSEF75.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEF75.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
fb9b74b2e73d426863502d36d37762c7

SHA1
2cb99da6c1dde19483efad1ef183bcd740e8ef18

SHA256
f03aaf8df1ae3f16295cce0cb9d72d10c7a62525bfb44a572c22426853cc07d2

SHA512
7297ca74e153c19a60ba3f56f01e21e411f3b25b4a8d252adf4fabcc6fc4e35f955df95d33c7be113cbb943f1609fcd93ffb431e11a8d05cec2990eed34091d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEF75.tmp\[email protected]\content\bg.js

Filesize
9KB

MD5
98c79cdd6dbe71858843192257b707d5

SHA1
cfe3fedd3eb890e8971170ab1a60780548c7e35d

SHA256
1687d155d77687cad164d33ada4f07788b00ffcd1b32374d34d46f518001bb33

SHA512
a9a3fecb4d878fa4541f83c009b89fee8dda9fa0c4833965e280b82d1fc415a62f1378c61100b5fadbd35196d859d95ca84b419e91673b8fcb46391552742775

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEF75.tmp\[email protected]\install.rdf

Filesize
595B

MD5
012df74f0a92d74d31444148c069c164

SHA1
05cf33517b2f178b56ab009cd5deb986424befad

SHA256
ee852720d8ca9adaa1cc7fde2697a039dd851ae8ffea476475fa93897b04f681

SHA512
027d6db15776d13de0206e0209c6eedab2e247d220d8908d8a736d599788a64d700d1ea7837a12f7a33f525b8e5fc4c45340594fc7ce2ff0dd21fa72f0acc642

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEF75.tmp\anjgmfiocenmpkhdhjakfgjjeijepmjm\Exs.js

Filesize
6KB

MD5
124324166c86440bb4454a03c8cf563a

SHA1
a541507f71d228a599f248482982e33a642e2a70

SHA256
c57c278ff7a10e618fb681f37d71e17412953c5dd8601f8ae7139e8196d2aaa9

SHA512
114f53f3374b20a76f00275d68a36ce3faa040f1b14cdf9c527c6f674cc14a10c980144d30ba0063a7e60a23811f8039377f6d33568abd652add8e3cfd9ee669

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEF75.tmp\anjgmfiocenmpkhdhjakfgjjeijepmjm\background.html

Filesize
140B

MD5
a4e0406ef5f214c1a265868354a55dd0

SHA1
4375c85c5cf0cd0ffcba0a5edb9182bcf50c3f47

SHA256
e6d5b0f6e38800a943d019e00028550c3321186ef19a7e6f456c787e048dd374

SHA512
08f7569d44f2486dd7a19567a0141307efd46e9d7fc6206ef4d725c29f8a4d9e1a82748aaea030738fcc80a413b150c724d5bfc7d438022010e76833611fe7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEF75.tmp\anjgmfiocenmpkhdhjakfgjjeijepmjm\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEF75.tmp\anjgmfiocenmpkhdhjakfgjjeijepmjm\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEF75.tmp\anjgmfiocenmpkhdhjakfgjjeijepmjm\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEF75.tmp\czF0ni6f9cpoab7.dat

Filesize
1KB

MD5
1614339a7d16927b2887e2c42b32fd2e

SHA1
15cf69b29cf75990d49d736b4e7a9a3301db5163

SHA256
998b09d166c85a7038d2e17f6e3b4be8adbaeb8e4531e26bbeb9aacda597910d

SHA512
383ad871c2ae88c9b02e58293bb47e491387e8ac1f5e27d8740b00c31bd6816434ecad588754953307bae85bc0c51951640bb198a564c7579aa9018133fbdfc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEF75.tmp\czF0ni6f9cpoab7.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEF75.tmp\czF0ni6f9cpoab7.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
memory/1792-132-0x0000000000000000-mapping.dmp

Download