c8fe66b74036784198f4bd977caaee368aeb05b70994ab43b038cd4fe93723fe

Analysis

max time kernel
157s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8fe66b74036784198f4bd977caaee368aeb05b70994ab43b038cd4fe93723fe.exe
Size

920KB
MD5

59726427d95fe003adee9814a1279db2
SHA1

4fcec337cb08cfc6b5b258263a39c6f8085b97c0
SHA256

c8fe66b74036784198f4bd977caaee368aeb05b70994ab43b038cd4fe93723fe
SHA512

a9546ee6c17f8c0ef50cfdbf6d293cf2c11636343565fc32448f4231c9e0b9eb41b59308c9e66e9f611f7025b1af6100fee9a3df472a00c7d7d34b837ef58e0e
SSDEEP

24576:h1OYdaOUMtdHAqcdDVhYwiei7+EpFAh/kKW:h1OslPHVmVhYwiLtKkKW

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

DmLS9y941dpHyWh.exe

pid process

1276 DmLS9y941dpHyWh.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

DmLS9y941dpHyWh.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojfofbhhjnekjfcnjnjappafpmlpngip\2.0\manifest.json	DmLS9y941dpHyWh.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojfofbhhjnekjfcnjnjappafpmlpngip\2.0\manifest.json	DmLS9y941dpHyWh.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojfofbhhjnekjfcnjnjappafpmlpngip\2.0\manifest.json	DmLS9y941dpHyWh.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojfofbhhjnekjfcnjnjappafpmlpngip\2.0\manifest.json	DmLS9y941dpHyWh.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojfofbhhjnekjfcnjnjappafpmlpngip\2.0\manifest.json	DmLS9y941dpHyWh.exe

Drops file in System32 directory 4 IoCs

Processes:

DmLS9y941dpHyWh.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	DmLS9y941dpHyWh.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	DmLS9y941dpHyWh.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	DmLS9y941dpHyWh.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	DmLS9y941dpHyWh.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

DmLS9y941dpHyWh.exe

pid	process
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe
1276	DmLS9y941dpHyWh.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

DmLS9y941dpHyWh.exe

description	pid	process
Token: SeDebugPrivilege	1276	DmLS9y941dpHyWh.exe
Token: SeDebugPrivilege	1276	DmLS9y941dpHyWh.exe
Token: SeDebugPrivilege	1276	DmLS9y941dpHyWh.exe
Token: SeDebugPrivilege	1276	DmLS9y941dpHyWh.exe
Token: SeDebugPrivilege	1276	DmLS9y941dpHyWh.exe
Token: SeDebugPrivilege	1276	DmLS9y941dpHyWh.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c8fe66b74036784198f4bd977caaee368aeb05b70994ab43b038cd4fe93723fe.exe

description	pid	process	target process
PID 5084 wrote to memory of 1276	5084	c8fe66b74036784198f4bd977caaee368aeb05b70994ab43b038cd4fe93723fe.exe	DmLS9y941dpHyWh.exe
PID 5084 wrote to memory of 1276	5084	c8fe66b74036784198f4bd977caaee368aeb05b70994ab43b038cd4fe93723fe.exe	DmLS9y941dpHyWh.exe
PID 5084 wrote to memory of 1276	5084	c8fe66b74036784198f4bd977caaee368aeb05b70994ab43b038cd4fe93723fe.exe	DmLS9y941dpHyWh.exe

C:\Users\Admin\AppData\Local\Temp\c8fe66b74036784198f4bd977caaee368aeb05b70994ab43b038cd4fe93723fe.exe
"C:\Users\Admin\AppData\Local\Temp\c8fe66b74036784198f4bd977caaee368aeb05b70994ab43b038cd4fe93723fe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\Users\Admin\AppData\Local\Temp\7zSB6F1.tmp\DmLS9y941dpHyWh.exe
.\DmLS9y941dpHyWh.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSB6F1.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB6F1.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
a93343ef2af10038b37eebd8934307b0

SHA1
a2a2289a6e1595ca3de386bc97db42402690f57f

SHA256
f5fbd68b61a597438f4cbeff87fa5052c85b02ac1e57931598811a95e31287b2

SHA512
8e25253a3e7898b49c05765e2d9af8dffc71120decc9faed97a1126a6462255aa608b91117c828575abc0db5116c0ab2bc965e813db1cf2a1b6d022fd4f83070

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB6F1.tmp\[email protected]\content\bg.js
Filesize
8KB

MD5
7f1482b03dd1f0806f6e86b5405b3c71

SHA1
cbc46cd5c5edc53b53b65acaed1ccf0d20c53c7a

SHA256
7808122d745e53d6438764027ee0f870b67e2433beca62179e465257be8aac4e

SHA512
097e766af279a42bbf8b8b30c970d834b8d8ed6dcdbd59380cef1fb64e68b9086a6c8aa62f9fc5cb1710a2ace3a6a3438c800332b5501178fe8f002bdac654bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB6F1.tmp\[email protected]\install.rdf
Filesize
593B

MD5
7b8b5c3cc082f26958959a69b12444d4

SHA1
01d10de4669fb25c5d34d147bf65a0bbc619e8b6

SHA256
eca7d978d8bc84c38bfbaaf3e0e6faaa7d1415a20fe8c5a77eecddb924b4c464

SHA512
5bb584c29cba1b150d8d0bfc2f9e8f22c380f72fb7d81e38a539ee265d494a2be2294a662697c8e1be1778a1460263867f6eb37b17e992ef3260e09601254b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB6F1.tmp\DmLS9y941dpHyWh.dat
Filesize
1KB

MD5
c282c85879ebbbb6ccf1a652c1172b8a

SHA1
62f31dbcba432d2f6f0329988a1b687a950d0551

SHA256
5c2d7b3c0b669a0717cb57f2b02ebab6b6c5bf6f8f01b07f27a21cb165933560

SHA512
0352b06862bfdde39e8b7c1851bd55aa9bf613605ced1a5765a3a36af75ea130333b573439596e7f1515f4c56f142d1d9319a9665b9083ea02c2d3763a0304d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB6F1.tmp\DmLS9y941dpHyWh.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB6F1.tmp\DmLS9y941dpHyWh.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB6F1.tmp\ojfofbhhjnekjfcnjnjappafpmlpngip\VMPbpR83W.js
Filesize
6KB

MD5
6c554186ce43a09a6cfecdf04f209b79

SHA1
271a34586e49fef038614e843d388a20f4ba1ec4

SHA256
3446a1da175c39169d2dad79e8f96c8d66dfe7384a10af083dc3a611755bd45b

SHA512
0f7038e75ad7fb3d507baa7b166cf07a0c7859afc1b13b752a813b1327752d465f0b40249c0c94cd21b140ea9edad749910e3c035f010cbc6b8620f93b649b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB6F1.tmp\ojfofbhhjnekjfcnjnjappafpmlpngip\background.html
Filesize
146B

MD5
b88e0f9d1c7035208846aafd6d2e328f

SHA1
221636a89521c5701c650ae426d15e06f9615a06

SHA256
eae52c4d6a8a7a925497e1254e7543bb7614be87339fb8e47cf38f6aa8d68a87

SHA512
52e0889b988f6ad9e0c64b6d03dc35c1dbf2a3ba1eaf0c6ce9b740383370b71d2b994634acae8eae7dcf8685c64c5035b4778edfc0ded36ae2182ce5098faa74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB6F1.tmp\ojfofbhhjnekjfcnjnjappafpmlpngip\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB6F1.tmp\ojfofbhhjnekjfcnjnjappafpmlpngip\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB6F1.tmp\ojfofbhhjnekjfcnjnjappafpmlpngip\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/1276-132-0x0000000000000000-mapping.dmp

Download