Analysis
- max time kernel: 125s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 19:23
Static task: static1
Behavioral task: behavioral1
Sample: c87beca056b9347167b6885607e98a0f61b89c8807765c2740f461b4802750b5.exe
Resource: win7-20220812-en
General
- Target: c87beca056b9347167b6885607e98a0f61b89c8807765c2740f461b4802750b5.exe
- Size: 932KB
- MD5: 57de377beb09dd1c154768714a3af8e6
- SHA1: 71994f3ad10b96307a5c5e308a5511c9a1877980
- SHA256: c87beca056b9347167b6885607e98a0f61b89c8807765c2740f461b4802750b5
- SHA512: 3ac1ae71f4afe30312d10fbc7dc5929dfa44f3012148e509a55197828a371e84b729ddec0ed92cbc36c12f096c5124649ee7b3b3f96c5351f8ff6213d602d59e
- SSDEEP: 24576:h1OYdaODCZ/iWCvu/2sWsJA/jlt+DHhsy:h1OsJCpYO/dJJDHhsy
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 3268 CU7uFcO5RD348lw.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension (5 IoCs)
  Process: CU7uFcO5RD348lw.exe
  File created: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghgnpjfbhdhknimgnfjmlpcaimkcopgh\2.0\manifest.json
  File created: C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghgnpjfbhdhknimgnfjmlpcaimkcopgh\2.0\manifest.json
  File created: C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghgnpjfbhdhknimgnfjmlpcaimkcopgh\2.0\manifest.json
  File created: C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghgnpjfbhdhknimgnfjmlpcaimkcopgh\2.0\manifest.json
  File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghgnpjfbhdhknimgnfjmlpcaimkcopgh\2.0\manifest.json
- Drops file in System32 directory (4 IoCs)
  Process: CU7uFcO5RD348lw.exe
  File opened for modification: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
  File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol
  File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI
  File opened for modification: C:\Windows\System32\GroupPolicy
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes: PID 3268 CU7uFcO5RD348lw.exe (20 events)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: Token SeDebugPrivilege, PID 3268 CU7uFcO5RD348lw.exe (6 events)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 2016 c87beca056b9347167b6885607e98a0f61b89c8807765c2740f461b4802750b5.exe wrote to memory of PID 3268 CU7uFcO5RD348lw.exe (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\c87beca056b9347167b6885607e98a0f61b89c8807765c2740f461b4802750b5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c87beca056b9347167b6885607e98a0f61b89c8807765c2740f461b4802750b5.exe"
  PID: 2016
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zSBBD3.tmp\CU7uFcO5RD348lw.exe
    Command line: .\CU7uFcO5RD348lw.exe
    PID: 3268
    - Executes dropped EXE
    - Drops Chrome extension
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
  PID: 4316
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
  PID: 4168
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7zSBBD3.tmp\[email protected]\bootstrap.js
  Filesize: 2KB
  MD5: df13f711e20e9c80171846d4f2f7ae06
  SHA1: 56d29cda58427efe0e21d3880d39eb1b0ef60bee
  SHA256: 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
  SHA512: 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e
- C:\Users\Admin\AppData\Local\Temp\7zSBBD3.tmp\[email protected]\chrome.manifest
  Filesize: 35B
  MD5: 1d9a9e4a8c6fa5fcea49802b00d0a80e
  SHA1: e53524f49f2870e4ae9ea0afaab3e27976d6082b
  SHA256: 42048c3da4f6cc00e7c66c1b510f22f927544db6f8c6b9b181d33b71ce08d502
  SHA512: 9fb818816ba11c8054d9fe242150616acf1ef1a8e5a8a035489202802202e61e99ad086b8142bee052b8a2386da2f6e20ae6fa4bfd0ff4e2db91ed50f42da2c8
- C:\Users\Admin\AppData\Local\Temp\7zSBBD3.tmp\[email protected]\content\bg.js
  Filesize: 9KB
  MD5: 9cba287cf6d9b0d093ac2010fc34c9a9
  SHA1: 78840da29bad138402950b1ad01ef13da12dfa3a
  SHA256: 5152837517216e506a3d0b2f6d325b2c40c8cb9b2d6aaea7dcdeb2d64ec8dca5
  SHA512: a90d5b806ee855ffd444f987dcd760ab1edb6e9629ac24a7b098cb591a3ca8b16d15dc0bb64de289ef0e4df93783b60d91f69eddcdc2ccdaad6f2137c15de841
- C:\Users\Admin\AppData\Local\Temp\7zSBBD3.tmp\[email protected]\install.rdf
  Filesize: 591B
  MD5: 6ca6901a7121862207def673ff4d3b92
  SHA1: feefebecd55e6036ba65e6577dad6ed097b94faf
  SHA256: 6e9dcf66696ad85a675678cf4ac7b3b555d613cb201b509eb833619b7fa80d4d
  SHA512: f56fc3acd38146d9a7c552dcc9808fdfd86a5d05c625b0c59e55606d611575c9e587c4af36fbe36228686993160219e03d9d84c86cdba087294aef249f8130cf
- C:\Users\Admin\AppData\Local\Temp\7zSBBD3.tmp\CU7uFcO5RD348lw.dat
  Filesize: 1KB
  MD5: 78135c7c8be163a50231513999696cc3
  SHA1: e73de6db41865c442231242521f302e20361bd71
  SHA256: efad7c49753e53dc20dc965dbf628ba7ab5367faec9dc96bda2aad34c1d22d6d
  SHA512: d6728b71f336e325d89413ccdd15df40730399a5215f566f27ca0ef97ba70f5e1ef4980b678b084c86bf116e5842e503a5852192d1263081e4913a77e2c1cf41
- C:\Users\Admin\AppData\Local\Temp\7zSBBD3.tmp\CU7uFcO5RD348lw.exe
  Filesize: 772KB
  MD5: 5ed7019dcd0008dbcd8e54017b8c7dd9
  SHA1: 7e4457da2ff06c2170bad636c9eb7c1bb436fd06
  SHA256: 7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7
  SHA512: 10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db
- C:\Users\Admin\AppData\Local\Temp\7zSBBD3.tmp\ghgnpjfbhdhknimgnfjmlpcaimkcopgh\V4xQaD.js
  Filesize: 6KB
  MD5: f0fd7062e2d26852f7b604f8fdc2891a
  SHA1: c74a76aa62568bada2b6c7f3ac20375df1bc78e7
  SHA256: c5df69f673ec0fb7120728dfe1e459df2c6b4c40bb0cd8ee8ac7275d0320f114
  SHA512: 089dbc38a5beadfa08e1945067125a5c9a8cf04c4a7f2444c7da3012eb80a4ec5fbea1faa7f89657d30db0094c27ac9b158bed1b8c90aa9bd4a41137e91541a0
- C:\Users\Admin\AppData\Local\Temp\7zSBBD3.tmp\ghgnpjfbhdhknimgnfjmlpcaimkcopgh\background.html
  Filesize: 143B
  MD5: 4fab197739514a79185560fa63e5a77c
  SHA1: 0dd653fbcd9fff5e4fe992fdcffb998d85663194
  SHA256: 36051283d602fd052c99fed45417a36a174a889583226a6327b58d394c962d2d
  SHA512: c92a2b21804d5017f79ab9ce8919f1b89c9c52e6bed467740389949133cd6cf97fb6b76f89c67b90c2521cc46193f05fec51666fcb92185c2d8c6cc77b26f993
- C:\Users\Admin\AppData\Local\Temp\7zSBBD3.tmp\ghgnpjfbhdhknimgnfjmlpcaimkcopgh\content.js
  Filesize: 144B
  MD5: fca19198fd8af21016a8b1dec7980002
  SHA1: fd01a47d14004e17a625efe66cc46a06c786cf40
  SHA256: 332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
  SHA512: 60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47
- C:\Users\Admin\AppData\Local\Temp\7zSBBD3.tmp\ghgnpjfbhdhknimgnfjmlpcaimkcopgh\lsdb.js
  Filesize: 531B
  MD5: 36d98318ab2b3b2585a30984db328afb
  SHA1: f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
  SHA256: ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
  SHA512: 6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a
- C:\Users\Admin\AppData\Local\Temp\7zSBBD3.tmp\ghgnpjfbhdhknimgnfjmlpcaimkcopgh\manifest.json
  Filesize: 498B
  MD5: 640199ea4621e34510de919f6a54436f
  SHA1: dc65dbfad02bd2688030bd56ca1cab85917a9937
  SHA256: e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af
  SHA512: d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a
- memory/3268-132-0x0000000000000000-mapping.dmp