c81bb86fc853d887634668b87b49dd91b187a1cfd623cacb205aa7117aa26600

Analysis

max time kernel
181s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c81bb86fc853d887634668b87b49dd91b187a1cfd623cacb205aa7117aa26600.exe
Size

932KB
MD5

a7ed3e1007f9fdf9d4e6305113fa24fb
SHA1

e7be9119b44b1250c4f70193701e5f0b8621b8c2
SHA256

c81bb86fc853d887634668b87b49dd91b187a1cfd623cacb205aa7117aa26600
SHA512

7cb3a2d042054aef4f349ba1768da1991e07cf3291a6f151d1a10cdc8e05c229372f6ae5fa8fcc5e522420784b0c13f9732dcab0aa4b490f2c09c4bcace445b5
SSDEEP

24576:h1OYdaODCZ/iWCvu/2sWsJA/jlt+DHhsT:h1OshCpYO/dJJDHhsT

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sU4wrdvChc7uzf4.exe

pid process

660 sU4wrdvChc7uzf4.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

sU4wrdvChc7uzf4.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\igfojbcbfilfadafjhgddfbmlhopaejo\2.0\manifest.json	sU4wrdvChc7uzf4.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\igfojbcbfilfadafjhgddfbmlhopaejo\2.0\manifest.json	sU4wrdvChc7uzf4.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\igfojbcbfilfadafjhgddfbmlhopaejo\2.0\manifest.json	sU4wrdvChc7uzf4.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\igfojbcbfilfadafjhgddfbmlhopaejo\2.0\manifest.json	sU4wrdvChc7uzf4.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\igfojbcbfilfadafjhgddfbmlhopaejo\2.0\manifest.json	sU4wrdvChc7uzf4.exe

Drops file in System32 directory 4 IoCs

Processes:

sU4wrdvChc7uzf4.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	sU4wrdvChc7uzf4.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	sU4wrdvChc7uzf4.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	sU4wrdvChc7uzf4.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	sU4wrdvChc7uzf4.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

sU4wrdvChc7uzf4.exe

pid	process
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe
660	sU4wrdvChc7uzf4.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

sU4wrdvChc7uzf4.exe

description	pid	process
Token: SeDebugPrivilege	660	sU4wrdvChc7uzf4.exe
Token: SeDebugPrivilege	660	sU4wrdvChc7uzf4.exe
Token: SeDebugPrivilege	660	sU4wrdvChc7uzf4.exe
Token: SeDebugPrivilege	660	sU4wrdvChc7uzf4.exe
Token: SeDebugPrivilege	660	sU4wrdvChc7uzf4.exe
Token: SeDebugPrivilege	660	sU4wrdvChc7uzf4.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c81bb86fc853d887634668b87b49dd91b187a1cfd623cacb205aa7117aa26600.exe

description	pid	process	target process
PID 1616 wrote to memory of 660	1616	c81bb86fc853d887634668b87b49dd91b187a1cfd623cacb205aa7117aa26600.exe	sU4wrdvChc7uzf4.exe
PID 1616 wrote to memory of 660	1616	c81bb86fc853d887634668b87b49dd91b187a1cfd623cacb205aa7117aa26600.exe	sU4wrdvChc7uzf4.exe
PID 1616 wrote to memory of 660	1616	c81bb86fc853d887634668b87b49dd91b187a1cfd623cacb205aa7117aa26600.exe	sU4wrdvChc7uzf4.exe

C:\Users\Admin\AppData\Local\Temp\c81bb86fc853d887634668b87b49dd91b187a1cfd623cacb205aa7117aa26600.exe
"C:\Users\Admin\AppData\Local\Temp\c81bb86fc853d887634668b87b49dd91b187a1cfd623cacb205aa7117aa26600.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\7zS41DB.tmp\sU4wrdvChc7uzf4.exe
.\sU4wrdvChc7uzf4.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS41DB.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41DB.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
6647a7978f9f2818231700ba4ab18d2a

SHA1
ab0bef371ec17b2c767607deaf7b107e59c1292a

SHA256
37b45ba40cdd5c2ce0a2e8e10800309cc35851de99995f5aa789bbbd0b296cef

SHA512
f1a32d0d7a3b472623c4cfa890add9ab22995ae2466d375a0230f49e089bd7d07ddca6ae80236aa7e0cf89d3025750a5d8eca0d1eafdb63c2cb748cc890305ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41DB.tmp\[email protected]\content\bg.js
Filesize
9KB

MD5
ae0339fe05dd10e12adf47ad989fedf0

SHA1
b11971a7a5e0ec375238e1a32c8cab69a5fde621

SHA256
ac9aed1a6ceef47be063dd5b61e70c2011d46457d45744823c819455a1970489

SHA512
e09503a5d7bc681abf3217083f962e30d794b4a1ff74da680c366f8919d23ec3467a3c911dfd4eac17015ae2131d4e4c935ea21e6f26ee8d1ce802fcdb8a014b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41DB.tmp\[email protected]\install.rdf
Filesize
596B

MD5
0f01493cd18eb95b8f2ac92c3947bd07

SHA1
ea684a04ce3f9882a0e43664ee14934a88dfaa61

SHA256
50c74768b14578502ecb470c09811b1a487ef5e15d1696cf68e0c7504b383b96

SHA512
2a11d9d4f44cb79efd1034e75f4787cea600a8a00bba8ca07d01e4748c202acb6932abfdd3622712303ce833236253f8362e0aa6616a138f1c9128f0c65ba3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41DB.tmp\igfojbcbfilfadafjhgddfbmlhopaejo\background.html
Filesize
147B

MD5
5ccd17196f665fa9ecf09e9549b6bfb1

SHA1
7f87dde2c09288f55c639598207b9b9a459c1e44

SHA256
ad3280700ff25e451e77f7d9ea0aaa3bb7fc018e57e41bdf339dc5f5553ccb4c

SHA512
9233f362ee2c8efe49bd23fcb5edf5f5ef0b31967b0fbd49fb2be1a6692ad0c9f000369ae6adc357ddc21c0b1ac5dfbf320fc37a9309675bc5f0c1bcd4f77e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41DB.tmp\igfojbcbfilfadafjhgddfbmlhopaejo\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41DB.tmp\igfojbcbfilfadafjhgddfbmlhopaejo\lKXWDbdb3S.js
Filesize
6KB

MD5
996d2f213f75f8d27a66020f2ecc4af8

SHA1
5d327d27db9102c2737571477e3af6b50a60bb21

SHA256
9cf0ad2b88c7458dc59471b9318e0d3d376a112c0ab9c86f3f1deec58ad17e21

SHA512
b2145eed7da39406dc5b50d86dac1087f818d0a64d38d3868a22a3741094bf346bc3f2e0fbdd736069000726c0a7488b60a5840a362d65f973c17ee5883c82ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41DB.tmp\igfojbcbfilfadafjhgddfbmlhopaejo\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41DB.tmp\igfojbcbfilfadafjhgddfbmlhopaejo\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41DB.tmp\sU4wrdvChc7uzf4.dat
Filesize
1KB

MD5
63d2d7bf04db5acfc236d6984c9f9c53

SHA1
2d9388e87cca77f0ed8c36c70a4cf84db675439c

SHA256
cb81f9b36fb0d985dd3c6232b2e8b0b564331d3a78f2e2468f59bfb4d61c813a

SHA512
ea226bf87b6dd5c6fa61d5ea711c4209e9bc0928977a14d55ea040f9fd601e1a051afbaf8f78eec8e81a7457ed195796512962421c797a1ab098f523928ef4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41DB.tmp\sU4wrdvChc7uzf4.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41DB.tmp\sU4wrdvChc7uzf4.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
memory/660-132-0x0000000000000000-mapping.dmp

Download