c8195f1093cf8d41a688cfbbc5986c475376cc5e80ab58b2c7633ea9bc9a7bb4

Analysis

max time kernel
168s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8195f1093cf8d41a688cfbbc5986c475376cc5e80ab58b2c7633ea9bc9a7bb4.exe
Size

925KB
MD5

e3dcba90a4d031f7b0c7b9271c030af6
SHA1

7c81ed6bd6d66551a1a81c9cd52d211cb2bb2cf2
SHA256

c8195f1093cf8d41a688cfbbc5986c475376cc5e80ab58b2c7633ea9bc9a7bb4
SHA512

183e8c938eea99baba5442ae1a19e9b403e0c72aa7e2a1b166d10f130d96437f10b172bcb0737056c17024ac01b0f7fa7f667063ca9207bfd6940bbe61c4eac0
SSDEEP

24576:h1OYdaOWpi3TiqRomivrVhjlLZzpHAzSpkGk8t8Fh:h1OswGX0rN1lHAKkZ8t8Fh

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

0HfCkeFDDfk4Hyc.exe

pid process

4372 0HfCkeFDDfk4Hyc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

0HfCkeFDDfk4Hyc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bikiepmcbbnjnkkdhbknliochocncafn\2.0\manifest.json	0HfCkeFDDfk4Hyc.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bikiepmcbbnjnkkdhbknliochocncafn\2.0\manifest.json	0HfCkeFDDfk4Hyc.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bikiepmcbbnjnkkdhbknliochocncafn\2.0\manifest.json	0HfCkeFDDfk4Hyc.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\bikiepmcbbnjnkkdhbknliochocncafn\2.0\manifest.json	0HfCkeFDDfk4Hyc.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bikiepmcbbnjnkkdhbknliochocncafn\2.0\manifest.json	0HfCkeFDDfk4Hyc.exe

Drops file in System32 directory 4 IoCs

Processes:

0HfCkeFDDfk4Hyc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	0HfCkeFDDfk4Hyc.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	0HfCkeFDDfk4Hyc.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	0HfCkeFDDfk4Hyc.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	0HfCkeFDDfk4Hyc.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

0HfCkeFDDfk4Hyc.exe

pid	process
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe
4372	0HfCkeFDDfk4Hyc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

0HfCkeFDDfk4Hyc.exe

description	pid	process
Token: SeDebugPrivilege	4372	0HfCkeFDDfk4Hyc.exe
Token: SeDebugPrivilege	4372	0HfCkeFDDfk4Hyc.exe
Token: SeDebugPrivilege	4372	0HfCkeFDDfk4Hyc.exe
Token: SeDebugPrivilege	4372	0HfCkeFDDfk4Hyc.exe
Token: SeDebugPrivilege	4372	0HfCkeFDDfk4Hyc.exe
Token: SeDebugPrivilege	4372	0HfCkeFDDfk4Hyc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c8195f1093cf8d41a688cfbbc5986c475376cc5e80ab58b2c7633ea9bc9a7bb4.exe

description	pid	process	target process
PID 2900 wrote to memory of 4372	2900	c8195f1093cf8d41a688cfbbc5986c475376cc5e80ab58b2c7633ea9bc9a7bb4.exe	0HfCkeFDDfk4Hyc.exe
PID 2900 wrote to memory of 4372	2900	c8195f1093cf8d41a688cfbbc5986c475376cc5e80ab58b2c7633ea9bc9a7bb4.exe	0HfCkeFDDfk4Hyc.exe
PID 2900 wrote to memory of 4372	2900	c8195f1093cf8d41a688cfbbc5986c475376cc5e80ab58b2c7633ea9bc9a7bb4.exe	0HfCkeFDDfk4Hyc.exe

C:\Users\Admin\AppData\Local\Temp\c8195f1093cf8d41a688cfbbc5986c475376cc5e80ab58b2c7633ea9bc9a7bb4.exe
"C:\Users\Admin\AppData\Local\Temp\c8195f1093cf8d41a688cfbbc5986c475376cc5e80ab58b2c7633ea9bc9a7bb4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\7zSF012.tmp\0HfCkeFDDfk4Hyc.exe
  .\0HfCkeFDDfk4Hyc.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSF012.tmp\0HfCkeFDDfk4Hyc.dat

Filesize
1KB

MD5
34079f727f337bfb3debbf800d1dcd0b

SHA1
6d6255effb738959c346d9b87d59bdba974c765b

SHA256
4c09f7ed20a0403fb1c6835b0c69dce66db1ffed71c34eda3647bf87b41b2f88

SHA512
35ffc8c3d5758aa1316de26efe6e4b6765deaca2725a9e44d82eb3e3c8b147efb7c8d6912c1ebb25fd8099677979fcf477caa349f54cf44b436202da21928e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF012.tmp\0HfCkeFDDfk4Hyc.exe

Filesize
765KB

MD5
754a15785aaff9c8a9ab023ceaefe6f4

SHA1
f4fe2eaf0ab6de7c630693a95f621cd7bcd7891d

SHA256
8265556161785f62a6eb0eba4edaa6b1045694d1bd33015c34b4a89577df608f

SHA512
9ed0ce64411d3e71dbf6064c15310d257295958d8e762d0704254f88c9d1f676a341bf92d162719075ed9050c9b42a9bdbcc69d5355395257098bbcb1155a13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF012.tmp\0HfCkeFDDfk4Hyc.exe

Filesize
765KB

MD5
754a15785aaff9c8a9ab023ceaefe6f4

SHA1
f4fe2eaf0ab6de7c630693a95f621cd7bcd7891d

SHA256
8265556161785f62a6eb0eba4edaa6b1045694d1bd33015c34b4a89577df608f

SHA512
9ed0ce64411d3e71dbf6064c15310d257295958d8e762d0704254f88c9d1f676a341bf92d162719075ed9050c9b42a9bdbcc69d5355395257098bbcb1155a13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF012.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF012.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
f6636cb528e439774884507bb67665df

SHA1
851931bd8c7655917279ba3c1269ca1895e3eea0

SHA256
59b9e13f6b01d0a9ea66df9b6473d26d50e840b7fcfb8b7c45f910d2d3a07fae

SHA512
ec5d46355791ba3adb169308bd7f03411dffcc2a6520150d9593865d8da639288a9dbee939736cba04d07b57cc222c44e791f11d60df40e7313dff9cbe5d3264

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF012.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
769d1669906f9c8d213cc9af4824432e

SHA1
3d713d9f40fa39181effc5a6aac799b10d53946a

SHA256
f09b69aecc2b3051a6885a1c633bdb902b1609f271ddfdff23af9ca26203d360

SHA512
6db3ea459fa39c73b58ee3b37c5c667384ca5980bce6e384b16b975da9eb9965444777666b457ea7db92cc0381c857f2d4c7f7757fc18f5f067160479ef0857e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF012.tmp\[email protected]\install.rdf

Filesize
597B

MD5
c23b3855b99f743051c1423525fb597b

SHA1
242128da8301b566f8fedca02ae5a7ba472c79d8

SHA256
9c64bcb61e94926ffe1f007a4dadcededabe493c8afbaf758af8c24e377c72a0

SHA512
c56304470783ebf0dac5972bdfb529515634603aaa8e37f6c9ac5068f7f4086fc72d89456c85f8153b6ac9acb327058d07fdd6f365599bccda0382c0da215d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF012.tmp\bikiepmcbbnjnkkdhbknliochocncafn\background.html

Filesize
142B

MD5
24c2117fdaaafe336f10fb8e2f2a9cdf

SHA1
1201f83a1cb9f5c34da052746a57d5727fbf4d85

SHA256
e825048861fdb076159bea5160794a78445cb5c67e4bbb45f0eacc0214614b5c

SHA512
b10b639b1afa9148c3d42cead7671988dee928fb507a00738a490d77c7ee100b986024b5137959b3e9ee27269612683ae1dfc0cc8303cae83e4e5265e2436a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF012.tmp\bikiepmcbbnjnkkdhbknliochocncafn\cfO4V.js

Filesize
6KB

MD5
cc464b8898b220e0ce6228d4c1ac5024

SHA1
9e6b61cbe6a56a9aabbf8d5a69ac9d4d02b9c256

SHA256
b988e2dc1009a41683650a52ba5b85b024f41e0cf1cf4433ba02d67bd8930cec

SHA512
664700e1daea5036a1c4a9aab7feb19e0830f29560667e653ccf3f56a227936bc821372216fcb4a63d916c50b7066c47ea188f16f590174d0721c516623ff30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF012.tmp\bikiepmcbbnjnkkdhbknliochocncafn\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF012.tmp\bikiepmcbbnjnkkdhbknliochocncafn\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF012.tmp\bikiepmcbbnjnkkdhbknliochocncafn\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/4372-132-0x0000000000000000-mapping.dmp

Download