c62edd64f440d4b47ab7b4ce87210b44c8215698dc022f67349eab794dcaaf92

Analysis

max time kernel
168s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c62edd64f440d4b47ab7b4ce87210b44c8215698dc022f67349eab794dcaaf92.exe
Size

919KB
MD5

b3f77bba418e3153a2a5c23fdef2b5d5
SHA1

96ee23ee908e7a80819cbf80a24e7615fffb055a
SHA256

c62edd64f440d4b47ab7b4ce87210b44c8215698dc022f67349eab794dcaaf92
SHA512

a5e64e04f90107e7e0f456df92750ce854c3a882cad2cd4ca129fa2b045961606a53b7e7fb1a595f96a8e038b858a893a50989d33b66eba201c0d29fa1b3d722
SSDEEP

24576:h1OYdaOKMtdHAqcdDVhYwiei7+EpFAh/kKx:h1OsPPHVmVhYwiLtKkKx

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

yfX0HWDdVkGJEa1.exe

pid process

3948 yfX0HWDdVkGJEa1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

yfX0HWDdVkGJEa1.exe

description	ioc	process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\iaplhlcpjacbdljoopmkilpkmmbmgmjn\2.0\manifest.json	yfX0HWDdVkGJEa1.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\iaplhlcpjacbdljoopmkilpkmmbmgmjn\2.0\manifest.json	yfX0HWDdVkGJEa1.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\iaplhlcpjacbdljoopmkilpkmmbmgmjn\2.0\manifest.json	yfX0HWDdVkGJEa1.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\iaplhlcpjacbdljoopmkilpkmmbmgmjn\2.0\manifest.json	yfX0HWDdVkGJEa1.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\iaplhlcpjacbdljoopmkilpkmmbmgmjn\2.0\manifest.json	yfX0HWDdVkGJEa1.exe

Drops file in System32 directory 4 IoCs

Processes:

yfX0HWDdVkGJEa1.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	yfX0HWDdVkGJEa1.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	yfX0HWDdVkGJEa1.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	yfX0HWDdVkGJEa1.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	yfX0HWDdVkGJEa1.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

yfX0HWDdVkGJEa1.exe

pid	process
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe
3948	yfX0HWDdVkGJEa1.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

yfX0HWDdVkGJEa1.exe

description	pid	process
Token: SeDebugPrivilege	3948	yfX0HWDdVkGJEa1.exe
Token: SeDebugPrivilege	3948	yfX0HWDdVkGJEa1.exe
Token: SeDebugPrivilege	3948	yfX0HWDdVkGJEa1.exe
Token: SeDebugPrivilege	3948	yfX0HWDdVkGJEa1.exe
Token: SeDebugPrivilege	3948	yfX0HWDdVkGJEa1.exe
Token: SeDebugPrivilege	3948	yfX0HWDdVkGJEa1.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c62edd64f440d4b47ab7b4ce87210b44c8215698dc022f67349eab794dcaaf92.exe

description	pid	process	target process
PID 4708 wrote to memory of 3948	4708	c62edd64f440d4b47ab7b4ce87210b44c8215698dc022f67349eab794dcaaf92.exe	yfX0HWDdVkGJEa1.exe
PID 4708 wrote to memory of 3948	4708	c62edd64f440d4b47ab7b4ce87210b44c8215698dc022f67349eab794dcaaf92.exe	yfX0HWDdVkGJEa1.exe
PID 4708 wrote to memory of 3948	4708	c62edd64f440d4b47ab7b4ce87210b44c8215698dc022f67349eab794dcaaf92.exe	yfX0HWDdVkGJEa1.exe

C:\Users\Admin\AppData\Local\Temp\c62edd64f440d4b47ab7b4ce87210b44c8215698dc022f67349eab794dcaaf92.exe
"C:\Users\Admin\AppData\Local\Temp\c62edd64f440d4b47ab7b4ce87210b44c8215698dc022f67349eab794dcaaf92.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Local\Temp\7zS1DC9.tmp\yfX0HWDdVkGJEa1.exe
.\yfX0HWDdVkGJEa1.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS1DC9.tmp\SYJ@M.org\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1DC9.tmp\SYJ@M.org\chrome.manifest
Filesize
35B

MD5
758b6d5ae710a267f6f7430a332079bd

SHA1
7d1f5b43592a77159957681e3129cba359054d48

SHA256
6c867d0acb4c76c2778329b02ae749f959c3433891db40ff18e4e8158d347041

SHA512
c5764a263e96a36b8bbe7b30705a125ca999b89512c398b6112bce0be839daa3d32c970805ed5604263e5ce0f434a145752ab6c28e35545ddb6f3746a9058fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1DC9.tmp\SYJ@M.org\content\bg.js
Filesize
8KB

MD5
37282c00ba9a1d439b85cb080618d35f

SHA1
35c5ebbe701c82bc42483e600096d7ecacc26322

SHA256
5f5f4b8865a890f3adbda11f7421b2b834647e04ffe8538b19324625329e5bb5

SHA512
d96d67a30022a7c3baeda348df3b9e96949a0b9bd6c52eaff1513fe9dd53a2d92c0c92e0ba9e346f254128efa1b40b049e325c7eccdb7c61c3fec9b07b36b52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1DC9.tmp\SYJ@M.org\install.rdf
Filesize
591B

MD5
0d4c456ec63ad8d135cecee2bc333e1e

SHA1
9bbcc316397233d99da601df014820cb54eed390

SHA256
4fc85fc88b353ac0bf5a4706cc69c29bcc5c8167f57e7641dfd179c5a67ddf4d

SHA512
846919d3d7b01b151563946bac3ea6e85d9fe48b1948f0d8d3bf85b5ff8bfa45c148ebfd2b4e266432d6b83b4ccbf7f4b6b9b00413ab300e2e77aad6b4437d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1DC9.tmp\iaplhlcpjacbdljoopmkilpkmmbmgmjn\background.html
Filesize
141B

MD5
8b69a9a76bbbd9ee386aa81c1fb881a2

SHA1
0a9ccdefe36c6cbd7681e3c189eb68d6b042b0d1

SHA256
3a682c7bcf8033c223a0544c4ce47b7f033c6cf92c22372669fa407deb599647

SHA512
8551109e85c4b0cabd94b9423be978d4381809e1db5c1e0405bc4bbac8f22446f038f8dd8648d25e013c78f799185f9a2051228ce88d628367cc96a7e6e596ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1DC9.tmp\iaplhlcpjacbdljoopmkilpkmmbmgmjn\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1DC9.tmp\iaplhlcpjacbdljoopmkilpkmmbmgmjn\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1DC9.tmp\iaplhlcpjacbdljoopmkilpkmmbmgmjn\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1DC9.tmp\iaplhlcpjacbdljoopmkilpkmmbmgmjn\mqbN.js
Filesize
6KB

MD5
cb4ffd226ed5f9a0edf2dc0aad7edff7

SHA1
af71d661271509567ab94b99a4eaea6be9e010b8

SHA256
3fa31f4c73e88f7325ecedff5b20e70c3b6f2c8738bffc5af62dec3db67319a0

SHA512
6160b2734198de2861c13760a94bc35a4992634917865f2b59bf55bea7952e635687393ea34ad7084801b3fbff699890b03f88e24aa2ad687980e90d573132e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1DC9.tmp\yfX0HWDdVkGJEa1.dat
Filesize
1KB

MD5
181af208eef97c16b9abb2a01ee26c7f

SHA1
02d0615a940d71ef0493928276b780fd85a10666

SHA256
c05514014d033730b5d8997e43d62b6977ccaf8b835159870a0320e5a1acb104

SHA512
e17dc91a1138b531dab8358ce530d5626b7a8867fdcfb608e02b0d6ce0dd8ca77eb948ac0bea0196bfc033501ac6ac2664f7b89ed1e4d33ce226d93ff2a8775d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1DC9.tmp\yfX0HWDdVkGJEa1.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1DC9.tmp\yfX0HWDdVkGJEa1.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
memory/3948-132-0x0000000000000000-mapping.dmp

Download