fcdf3238f74ffa46353317f9a0c9c318845df9b053287b19a700f515b55d2dc8

Analysis

max time kernel
308s
max time network
384s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcdf3238f74ffa46353317f9a0c9c318845df9b053287b19a700f515b55d2dc8.exe
Size

931KB
MD5

f9d32263047802a5ab8c0ff330a3c9b8
SHA1

e13bcbfd1eac257896165e5ac0e00d1a1f7fd7ff
SHA256

fcdf3238f74ffa46353317f9a0c9c318845df9b053287b19a700f515b55d2dc8
SHA512

5bf6d75c8aefc152abf74981532ef92a9b295b9146f84c190e966a3dfdec028af06c4863822bd359dee13d517060f46371cd208ca366ba4cdb442b750fb3e2dd
SSDEEP

24576:h1OYdaOdCZ/iWCvu/2sWsJA/jlt+DHhsI:h1OsDCpYO/dJJDHhsI

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

N4Zj4aRzDC1kKTo.exe

pid process

2900 N4Zj4aRzDC1kKTo.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

N4Zj4aRzDC1kKTo.exe

description	ioc	process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\chnbhpbggemmfoeolmepkibppogmhgpi\2.0\manifest.json	N4Zj4aRzDC1kKTo.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\chnbhpbggemmfoeolmepkibppogmhgpi\2.0\manifest.json	N4Zj4aRzDC1kKTo.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\chnbhpbggemmfoeolmepkibppogmhgpi\2.0\manifest.json	N4Zj4aRzDC1kKTo.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\chnbhpbggemmfoeolmepkibppogmhgpi\2.0\manifest.json	N4Zj4aRzDC1kKTo.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\chnbhpbggemmfoeolmepkibppogmhgpi\2.0\manifest.json	N4Zj4aRzDC1kKTo.exe

Drops file in System32 directory 4 IoCs

Processes:

N4Zj4aRzDC1kKTo.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	N4Zj4aRzDC1kKTo.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	N4Zj4aRzDC1kKTo.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	N4Zj4aRzDC1kKTo.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	N4Zj4aRzDC1kKTo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

N4Zj4aRzDC1kKTo.exe

pid	process
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe
2900	N4Zj4aRzDC1kKTo.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

N4Zj4aRzDC1kKTo.exe

description	pid	process
Token: SeDebugPrivilege	2900	N4Zj4aRzDC1kKTo.exe
Token: SeDebugPrivilege	2900	N4Zj4aRzDC1kKTo.exe
Token: SeDebugPrivilege	2900	N4Zj4aRzDC1kKTo.exe
Token: SeDebugPrivilege	2900	N4Zj4aRzDC1kKTo.exe
Token: SeDebugPrivilege	2900	N4Zj4aRzDC1kKTo.exe
Token: SeDebugPrivilege	2900	N4Zj4aRzDC1kKTo.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fcdf3238f74ffa46353317f9a0c9c318845df9b053287b19a700f515b55d2dc8.exe

description	pid	process	target process
PID 2080 wrote to memory of 2900	2080	fcdf3238f74ffa46353317f9a0c9c318845df9b053287b19a700f515b55d2dc8.exe	N4Zj4aRzDC1kKTo.exe
PID 2080 wrote to memory of 2900	2080	fcdf3238f74ffa46353317f9a0c9c318845df9b053287b19a700f515b55d2dc8.exe	N4Zj4aRzDC1kKTo.exe
PID 2080 wrote to memory of 2900	2080	fcdf3238f74ffa46353317f9a0c9c318845df9b053287b19a700f515b55d2dc8.exe	N4Zj4aRzDC1kKTo.exe

C:\Users\Admin\AppData\Local\Temp\fcdf3238f74ffa46353317f9a0c9c318845df9b053287b19a700f515b55d2dc8.exe
"C:\Users\Admin\AppData\Local\Temp\fcdf3238f74ffa46353317f9a0c9c318845df9b053287b19a700f515b55d2dc8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Users\Admin\AppData\Local\Temp\7zSC84.tmp\N4Zj4aRzDC1kKTo.exe
.\N4Zj4aRzDC1kKTo.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC84.tmp\N4Zj4aRzDC1kKTo.dat

Filesize
1KB

MD5
854ece1fc9b92157173aa53551081266

SHA1
5ff279103eb7449ddaf38a9f0807eeec29435419

SHA256
6fa4c96b272bb20a8b498e5ca90f7a1d360774f58c894792fce4bbbd4e6397ef

SHA512
71d78e8f7b711ebe5134d4fe2c731318c1058400f3e3a79fb57a7b92f4cda7844b280a75ef34dc15e8c373a758e36cc9aefaa291f1c7d7a083be61798695176c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC84.tmp\N4Zj4aRzDC1kKTo.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC84.tmp\N4Zj4aRzDC1kKTo.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC84.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC84.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
09f6b155d61982a1f1a9a1f10c0d8649

SHA1
3fe4af446a6790c8c59685294a355c5619be199e

SHA256
b5f3156f77d991172823be0035ca204d7d136bbb15d23410314817294f24535b

SHA512
c685c7aa6330701fdc6e6827c5bdc641ed2dc6b84187ebdd071e993eb32c0ad3c7887487439e380c46945dbd83c98890ed25d243c2f0ac303ffada5a5e3011ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC84.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
f9b5f4a790d4a4f555f51e34c34737dc

SHA1
885261e9815a26f2958090d726df59410996512b

SHA256
5271fc4b7608d594c962369b626d7054a8ac260c4cedd06cda66fa7994c055a7

SHA512
0ae54fcc652b0e7c8823aeb7bc2632d00212ffbee4297598b271db4201141d7cd815b59e69dfc9ee8d49b19597f5848aa5c9690e736ceca595c881cd0ae8f9bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC84.tmp\[email protected]\install.rdf

Filesize
596B

MD5
5b218f90fd55b5112bd32eca30102910

SHA1
6c5ed2bca5bf74ba2dff8c0dfbb7c5817b198fb4

SHA256
ea7a779648d4944962cd23d5e8a29359dd1d0c5ebca3972b001a1181a43a3153

SHA512
34945656efec52675f8490df633c7ea2c521ac725e7d4b0716e55bcecb2860d2392192351f2ecf94a5fc4f27ee11ca0279ff52e423f8b96fc36f6a0beed4e9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC84.tmp\chnbhpbggemmfoeolmepkibppogmhgpi\KL.js

Filesize
6KB

MD5
67bc906b3a78ac30a4d8771c07b3dc9b

SHA1
a166fc9b137a0ec9928aff756b77360ec45b6bec

SHA256
212b0e2ccea9d47150f125596534e932255bba8f1f15c06ebd71c046e0c22464

SHA512
defa2e7c7b0613743de4e08e75bf5a5f57defbb50c3a4b4cb7b183594a8a3590c34ba4eb1c8bff46a959caccc0c989de3559ca54253d1b15671edc1948b0200c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC84.tmp\chnbhpbggemmfoeolmepkibppogmhgpi\background.html

Filesize
139B

MD5
4d9b5f6a2012a173bcff124126517862

SHA1
35ce4e1017d9185ddc6e00f0776462f06d54192a

SHA256
638de4608095664e799c9cb439ec1b3a01fde88f9c691c631fd343aa771b8610

SHA512
619c041c59fcc192e1b5a9467f344e007e4cfbdd7f66242f8f6b5cf16e6ca67e7d0ee9d41f34442b7019786889a3f9eff43743e9580223ddf4e2f3b00de70e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC84.tmp\chnbhpbggemmfoeolmepkibppogmhgpi\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC84.tmp\chnbhpbggemmfoeolmepkibppogmhgpi\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC84.tmp\chnbhpbggemmfoeolmepkibppogmhgpi\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/2900-132-0x0000000000000000-mapping.dmp

Download