c7abe16eec5bb7b67d596775b245191054df6e1c802d3c7e2d8d169480d09328

Analysis

max time kernel
181s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7abe16eec5bb7b67d596775b245191054df6e1c802d3c7e2d8d169480d09328.exe
Size

920KB
MD5

3debb3f26bd4a07027cfabd0d783052f
SHA1

7f04a68e0b0c333055b3065b02bd1821e2c30841
SHA256

c7abe16eec5bb7b67d596775b245191054df6e1c802d3c7e2d8d169480d09328
SHA512

e282a11b1cf42ff9ca3ac0d1d7cd38a9e99932b17a50ad1258f179914699003d7510b93a207ef8aa003607bb29e236a8fefca9398c699e10dbe3d7149f6bc8e1
SSDEEP

24576:h1OYdaOxMtdHAqcdDVhYwiei7+EpFAh/kK3:h1OsIPHVmVhYwiLtKkK3

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

bd3D4V8oyVhqxgM.exe

pid process

368 bd3D4V8oyVhqxgM.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

bd3D4V8oyVhqxgM.exe

description	ioc	process
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ldpcadiahgdonndbhebcbljnlpjfgiaf\2.0\manifest.json	bd3D4V8oyVhqxgM.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ldpcadiahgdonndbhebcbljnlpjfgiaf\2.0\manifest.json	bd3D4V8oyVhqxgM.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ldpcadiahgdonndbhebcbljnlpjfgiaf\2.0\manifest.json	bd3D4V8oyVhqxgM.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ldpcadiahgdonndbhebcbljnlpjfgiaf\2.0\manifest.json	bd3D4V8oyVhqxgM.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ldpcadiahgdonndbhebcbljnlpjfgiaf\2.0\manifest.json	bd3D4V8oyVhqxgM.exe

Drops file in System32 directory 4 IoCs

Processes:

bd3D4V8oyVhqxgM.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	bd3D4V8oyVhqxgM.exe
File opened for modification	C:\Windows\System32\GroupPolicy	bd3D4V8oyVhqxgM.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	bd3D4V8oyVhqxgM.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	bd3D4V8oyVhqxgM.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

bd3D4V8oyVhqxgM.exe

pid	process
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe
368	bd3D4V8oyVhqxgM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

bd3D4V8oyVhqxgM.exe

description	pid	process
Token: SeDebugPrivilege	368	bd3D4V8oyVhqxgM.exe
Token: SeDebugPrivilege	368	bd3D4V8oyVhqxgM.exe
Token: SeDebugPrivilege	368	bd3D4V8oyVhqxgM.exe
Token: SeDebugPrivilege	368	bd3D4V8oyVhqxgM.exe
Token: SeDebugPrivilege	368	bd3D4V8oyVhqxgM.exe
Token: SeDebugPrivilege	368	bd3D4V8oyVhqxgM.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c7abe16eec5bb7b67d596775b245191054df6e1c802d3c7e2d8d169480d09328.exe

description	pid	process	target process
PID 5012 wrote to memory of 368	5012	c7abe16eec5bb7b67d596775b245191054df6e1c802d3c7e2d8d169480d09328.exe	bd3D4V8oyVhqxgM.exe
PID 5012 wrote to memory of 368	5012	c7abe16eec5bb7b67d596775b245191054df6e1c802d3c7e2d8d169480d09328.exe	bd3D4V8oyVhqxgM.exe
PID 5012 wrote to memory of 368	5012	c7abe16eec5bb7b67d596775b245191054df6e1c802d3c7e2d8d169480d09328.exe	bd3D4V8oyVhqxgM.exe

C:\Users\Admin\AppData\Local\Temp\c7abe16eec5bb7b67d596775b245191054df6e1c802d3c7e2d8d169480d09328.exe
"C:\Users\Admin\AppData\Local\Temp\c7abe16eec5bb7b67d596775b245191054df6e1c802d3c7e2d8d169480d09328.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\7zS2700.tmp\bd3D4V8oyVhqxgM.exe
  .\bd3D4V8oyVhqxgM.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS2700.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2700.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
e0f6039ca4a56c45a96a8bfa295941ca

SHA1
085301bd5cd6f295b07a5ac012018c55b72f9395

SHA256
a65556bcedb551156bb9da538501ff55ebe98ac79e1e87e9cb5497c18507b493

SHA512
af78416862a69b786e30d5c07ed7d0992fe7df20152178d63233381b08ad6af2445ef1d048be98e4c816dc429ba20284d06aac48fa20b208b087bc4550a11d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2700.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
6e325e0a4c3da87c77e01cded0c6bfd6

SHA1
54cd20b6255ab10eafb2ba3c9db106109182b16b

SHA256
c38426b77763a55ef0aaa2de26ac54fd5cb3c530de8e3ac5db399514a2573048

SHA512
d9bf058e4daaab668b9f50764abc27a7b5a669ed11f34fde95caafc6083d36660816373a338195ecea2ec6acd46a1c2efb177e7ed8f14d55840536dd268eb847

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2700.tmp\[email protected]\install.rdf

Filesize
592B

MD5
c3199a180aeb66cfdb62951468d1beb1

SHA1
f326da20621b8caf4ade4c4ed6e54e861388f9db

SHA256
44152627f9f309cd31e60f12287bf5c7b073c100646e7acee7ebe769278a7f91

SHA512
f813b7a55d69b4d0ec550c1ce95256d74610100e8691528d434fdc76bdf594d8800beccb27296633960845b116b2b5f6db9212677f045b5e74460187e507806e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2700.tmp\bd3D4V8oyVhqxgM.dat

Filesize
1KB

MD5
0a56c36ae1c5f4b5bc4684d985917783

SHA1
a60dba1ac91955696f67b62e80958b0537ef4445

SHA256
120d9fcc2cc0922b0e85238b4c9daf6483784d6b38fec60c35683b9da65395fa

SHA512
7459ed2c5a8a6eb76a84301e7957eb561865a1c5452d71ddbb7a800938993e885c895659b25cd29e18804f550d133666820231bd3bc072f72e0d333a63e5b6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2700.tmp\bd3D4V8oyVhqxgM.exe

Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2700.tmp\bd3D4V8oyVhqxgM.exe

Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2700.tmp\ldpcadiahgdonndbhebcbljnlpjfgiaf\CYg.js

Filesize
6KB

MD5
54e9474f6e046a15438a5787e7be7d88

SHA1
1ed5175a19bcb26dc61b000cce9d12bcff2d074a

SHA256
d8783f7c5d7340c2410f886495257d51a2217c019da1aa922d1b8fc93245f40c

SHA512
d1c6b48ae004097323d77d04d3ed930da096ad94fa597f335d4c978fc02d87a8bfca6dddca36ebedcc11be341091b11caf1c4431d8d30e229155025f0826d455

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2700.tmp\ldpcadiahgdonndbhebcbljnlpjfgiaf\background.html

Filesize
140B

MD5
b1a628c24c95d834e751b1510c25f1eb

SHA1
c755f811927572ae03d4606a3a5afd0a30c1edbd

SHA256
3802b20e3df8e89aa3c85315d00cf8432caafcff5a52c5e36cecd5d7c673be6d

SHA512
a547bc6f6b22aeb8c8cada0f1922fd8b27314e81a8a6936bad7fc1ff9f7530b43e71fbae0d28f73a911dfcd16592834c58748818e2baa51f8695bfc7a34c56e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2700.tmp\ldpcadiahgdonndbhebcbljnlpjfgiaf\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2700.tmp\ldpcadiahgdonndbhebcbljnlpjfgiaf\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2700.tmp\ldpcadiahgdonndbhebcbljnlpjfgiaf\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/368-132-0x0000000000000000-mapping.dmp

Download