Overview

overview

8

Static

static

c6466a8019...b5.exe

windows7-x64

8

c6466a8019...b5.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    167s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 19:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c6466a80194ce4abe2b06206c86b66ae40919ec43a8913be27806496a084dbb5.exe

  • Size

    932KB

  • MD5

    4235b89a2be8c3db8e3ff1f1b9b30fd2

  • SHA1

    b9ef559b3f05e21624fa3d560fafd6e9d8726c64

  • SHA256

    c6466a80194ce4abe2b06206c86b66ae40919ec43a8913be27806496a084dbb5

  • SHA512

    6eb5c46fb8b17627e4b650ec19fb55b4f56dc6adb09580fac58ff18fe3fec6b06be16805f19281d090a5cbda2da62a187fd3f7b1417c734e6ef73fe90be103e7

  • SSDEEP

    24576:h1OYdaOWCZ/iWCvu/2sWsJA/jlt+DHhsi:h1Os8CpYO/dJJDHhsi

Score
8/10
discoveryspywarestealer

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 5 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6466a80194ce4abe2b06206c86b66ae40919ec43a8913be27806496a084dbb5.exe
    "C:\Users\Admin\AppData\Local\Temp\c6466a80194ce4abe2b06206c86b66ae40919ec43a8913be27806496a084dbb5.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1356
    • C:\Users\Admin\AppData\Local\Temp\7zSC3F1.tmp\G3eIW7An4fVC4in.exe
      .\G3eIW7An4fVC4in.exe
      2⤵
      • Executes dropped EXE
      • Drops Chrome extension
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1620
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
      PID:2580
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
      1⤵
        PID:2496

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\7zSC3F1.tmp\G3eIW7An4fVC4in.dat
        Filesize

        1KB

        MD5

        865930b37b658dcb086e1b92fc1c409c

        SHA1

        4a93ea398668be0f743708ad676b9954f2347c98

        SHA256

        2b5023d621323f6bee8ed2514800465752c245b1225334f5ccd79adacafda70d

        SHA512

        bb0eb4ad0dd8ad9a073f11886e78119f506795e5bb521298c13a693b64f4110079c513a957c40b54540e2ead35ac5b4eb33f1c639effe5c757095ada3fe6ad0e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7zSC3F1.tmp\G3eIW7An4fVC4in.exe
        Filesize

        772KB

        MD5

        5ed7019dcd0008dbcd8e54017b8c7dd9

        SHA1

        7e4457da2ff06c2170bad636c9eb7c1bb436fd06

        SHA256

        7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

        SHA512

        10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7zSC3F1.tmp\G3eIW7An4fVC4in.exe
        Filesize

        772KB

        MD5

        5ed7019dcd0008dbcd8e54017b8c7dd9

        SHA1

        7e4457da2ff06c2170bad636c9eb7c1bb436fd06

        SHA256

        7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

        SHA512

        10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7zSC3F1.tmp\LYd@W.com\bootstrap.js
        Filesize

        2KB

        MD5

        df13f711e20e9c80171846d4f2f7ae06

        SHA1

        56d29cda58427efe0e21d3880d39eb1b0ef60bee

        SHA256

        6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

        SHA512

        6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7zSC3F1.tmp\LYd@W.com\chrome.manifest
        Filesize

        35B

        MD5

        f622c2bef479d5cd516b99015557491d

        SHA1

        b3faf33599a46764c57b9bc98f123d345af6eb07

        SHA256

        3691c2ea2fe74ab31f05134ea14e3f7c72aa449107a8266eb0564eacf6e28564

        SHA512

        e4b5e76eb8496e7ac126883d023e678c2bf940683e163e0612046694f20af6041b0e31415e256c2ebf4bda5bf0867666a0b45b0c128497ed1b7d0ae9b58aa784

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7zSC3F1.tmp\LYd@W.com\content\bg.js
        Filesize

        9KB

        MD5

        3a8a6e93870a8937b181fe1b4b7a7d0a

        SHA1

        688814deb65ad28aef80072ce4f3916677fa1bd8

        SHA256

        43dad96aff1ae6576d4842c1e8b415ddd9a22c76fd871bc27d0c5242aab9c7e9

        SHA512

        bbdba8a63a33cc4c279121129dc86469f5dead93b6f5f8ed63fdc70e0fa2375c4b24988b0f044897155aa0a83b87c25c5749b2e21f4d3a5d6844ad8120c6a43f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7zSC3F1.tmp\LYd@W.com\install.rdf
        Filesize

        592B

        MD5

        c938d03621c14be8c8b4b27cc42c46fc

        SHA1

        fb2806a52a188878610895aaa05cb5baf5e0cf07

        SHA256

        19bdb2e59e6be47bc1ee83be6b3f6b6356be8f302249b7030f18b7e51c1ddab0

        SHA512

        75fe488f07b9f143dd33fa02fb42a051647276bdc0a2e376a6d1db82e0f0592d7123797a82b1fc6a62bcf4c83871c0f2419320da0b1168b1d9bed97b0041292c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7zSC3F1.tmp\aigefilkcljedeiamemchhlfbjnobbmp\background.html
        Filesize

        144B

        MD5

        a4b6a6890bb68c03a0a78130cdaf8b51

        SHA1

        3ca089cd517324df5f93ccc36f6c42c9bb19a35d

        SHA256

        c102b0597f66c517fd3f0a8bd1057ead0c71c45d3cc72548b13db42741278b48

        SHA512

        6d7af4a2fca2a3e9cd8437f4f0ee76d83fd80edca6214b0999e72ec32a63ced6e0e7403eafc5d981af29e310939e50fdc1d203cdef4995819347a5dc83eaba89

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7zSC3F1.tmp\aigefilkcljedeiamemchhlfbjnobbmp\content.js
        Filesize

        144B

        MD5

        fca19198fd8af21016a8b1dec7980002

        SHA1

        fd01a47d14004e17a625efe66cc46a06c786cf40

        SHA256

        332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

        SHA512

        60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7zSC3F1.tmp\aigefilkcljedeiamemchhlfbjnobbmp\lsdb.js
        Filesize

        531B

        MD5

        36d98318ab2b3b2585a30984db328afb

        SHA1

        f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

        SHA256

        ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

        SHA512

        6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7zSC3F1.tmp\aigefilkcljedeiamemchhlfbjnobbmp\manifest.json
        Filesize

        498B

        MD5

        640199ea4621e34510de919f6a54436f

        SHA1

        dc65dbfad02bd2688030bd56ca1cab85917a9937

        SHA256

        e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

        SHA512

        d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7zSC3F1.tmp\aigefilkcljedeiamemchhlfbjnobbmp\xXHmUO9.js
        Filesize

        6KB

        MD5

        32e14d5e73420cdcf1d6b9b97ae5dec0

        SHA1

        36cccd853de5cad2ea20a1e5e7e4e24f92a7659c

        SHA256

        73dd17418b19926e97b7ca8ef90e62718e6fca1bdde5da08e4c378247761e834

        SHA512

        4539c3b140ff3ae1a2db8d175bdb459f1811c984a86bfcb02dbf2f10b6b7579a7e6e74439c0d6c3c0fbc2b6fbf66ad1b3d88f1a6d8d05bcd5808716482ff0ee1

        Download Submit
      • memory/1620-132-0x0000000000000000-mapping.dmp
        Download