c4f388db95c8d8a15d07c6436973692d7ae32416717ae403714d315da7b15ac0

Analysis

max time kernel
39s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4f388db95c8d8a15d07c6436973692d7ae32416717ae403714d315da7b15ac0.exe
Size

926KB
MD5

e955e06bbba906adaf332557008b726e
SHA1

62348d715408769abfa8a926a447cec746d0586e
SHA256

c4f388db95c8d8a15d07c6436973692d7ae32416717ae403714d315da7b15ac0
SHA512

02948a3f77feb26957caba3c970a77a923474b5a5d6928a3dd236bacdd5a93df35ff9b74d0a4dc84b42362a2df6c1074dde452750e2d78374c597c3adade7391
SSDEEP

24576:h1OYdaOnnQju5vMu6qN2FctIOBYXZBai3GBlgpKLe/7rj:h1OsdQjO6HHzayGBe/7rj

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

qaXQ661QDbW3d20.exe

pid process

1536 qaXQ661QDbW3d20.exe
Loads dropped DLL 1 IoCs

Processes:

c4f388db95c8d8a15d07c6436973692d7ae32416717ae403714d315da7b15ac0.exe

pid process

1504 c4f388db95c8d8a15d07c6436973692d7ae32416717ae403714d315da7b15ac0.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1504	c4f388db95c8d8a15d07c6436973692d7ae32416717ae403714d315da7b15ac0.exe

Drops Chrome extension 3 IoCs

Processes:

qaXQ661QDbW3d20.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\elikpbkbmhcjmakkofihobpbegplnihf\2.0\manifest.json	qaXQ661QDbW3d20.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\elikpbkbmhcjmakkofihobpbegplnihf\2.0\manifest.json	qaXQ661QDbW3d20.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\elikpbkbmhcjmakkofihobpbegplnihf\2.0\manifest.json	qaXQ661QDbW3d20.exe

Drops file in System32 directory 4 IoCs

Processes:

qaXQ661QDbW3d20.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	qaXQ661QDbW3d20.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	qaXQ661QDbW3d20.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	qaXQ661QDbW3d20.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	qaXQ661QDbW3d20.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

qaXQ661QDbW3d20.exe

pid	process
1536	qaXQ661QDbW3d20.exe
1536	qaXQ661QDbW3d20.exe
1536	qaXQ661QDbW3d20.exe
1536	qaXQ661QDbW3d20.exe
1536	qaXQ661QDbW3d20.exe
1536	qaXQ661QDbW3d20.exe
1536	qaXQ661QDbW3d20.exe
1536	qaXQ661QDbW3d20.exe
1536	qaXQ661QDbW3d20.exe
1536	qaXQ661QDbW3d20.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

qaXQ661QDbW3d20.exe

description	pid	process
Token: SeDebugPrivilege	1536	qaXQ661QDbW3d20.exe
Token: SeDebugPrivilege	1536	qaXQ661QDbW3d20.exe
Token: SeDebugPrivilege	1536	qaXQ661QDbW3d20.exe
Token: SeDebugPrivilege	1536	qaXQ661QDbW3d20.exe
Token: SeDebugPrivilege	1536	qaXQ661QDbW3d20.exe
Token: SeDebugPrivilege	1536	qaXQ661QDbW3d20.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c4f388db95c8d8a15d07c6436973692d7ae32416717ae403714d315da7b15ac0.exe

description	pid	process	target process
PID 1504 wrote to memory of 1536	1504	c4f388db95c8d8a15d07c6436973692d7ae32416717ae403714d315da7b15ac0.exe	qaXQ661QDbW3d20.exe
PID 1504 wrote to memory of 1536	1504	c4f388db95c8d8a15d07c6436973692d7ae32416717ae403714d315da7b15ac0.exe	qaXQ661QDbW3d20.exe
PID 1504 wrote to memory of 1536	1504	c4f388db95c8d8a15d07c6436973692d7ae32416717ae403714d315da7b15ac0.exe	qaXQ661QDbW3d20.exe
PID 1504 wrote to memory of 1536	1504	c4f388db95c8d8a15d07c6436973692d7ae32416717ae403714d315da7b15ac0.exe	qaXQ661QDbW3d20.exe

C:\Users\Admin\AppData\Local\Temp\c4f388db95c8d8a15d07c6436973692d7ae32416717ae403714d315da7b15ac0.exe
"C:\Users\Admin\AppData\Local\Temp\c4f388db95c8d8a15d07c6436973692d7ae32416717ae403714d315da7b15ac0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\7zS3CB3.tmp\qaXQ661QDbW3d20.exe
.\qaXQ661QDbW3d20.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS3CB3.tmp\elikpbkbmhcjmakkofihobpbegplnihf\XqKG.js
Filesize
5KB

MD5
b15eab98325fe1eafeb7c010f2cbe519

SHA1
b196a8c2870f8cc6ffb32a31fe10775aa7ad9d5c

SHA256
e33bcf8ad3eee43ca7df1259e1168dfbc21c3027576c5826f20355bca5cdd72b

SHA512
da4212724198089c7bf81b4357f3d81b8ed7cbafb604dba82e2bab6f9b340693ac7d099bead12728a03b10c9e8bce0b81643d9c930b2b116ef5bd47bb4c46dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3CB3.tmp\elikpbkbmhcjmakkofihobpbegplnihf\background.html
Filesize
141B

MD5
d831296c0978dc34049baafb51f15421

SHA1
42eadab4ebd3712b53d68ac8944ccd2515323ada

SHA256
33df2c114af2096cab9fb0fcc5a476afa0f2343676a556d093f605c3d2b8c502

SHA512
b4c8a1c493d62bf2613103425e657501dc72540a479c2e3466f40f129888de75c97a18c6c1becf923bfaa88371ea7d67474a5a65d92f21e147d2b824e2cfa30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3CB3.tmp\elikpbkbmhcjmakkofihobpbegplnihf\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3CB3.tmp\elikpbkbmhcjmakkofihobpbegplnihf\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3CB3.tmp\elikpbkbmhcjmakkofihobpbegplnihf\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3CB3.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3CB3.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
d0d1f5f0ac4424241177017bb69b4edf

SHA1
f275b6c5de3e1e6470c18927d05101c3b6263248

SHA256
8f4f8900d94f1c9de4937b689d047e6df5c16a312974019423a3626730716351

SHA512
ffb8170ce0a65c9caecd7f793535c7d768a87b04a5aa1458b6a7e17413f017212913bae8fdb889336f9be7515b637e05df59b460e66e2a78d5282e6ae1ee507c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3CB3.tmp\[email protected]\content\bg.js
Filesize
8KB

MD5
bf58d6c626d4f8480c7390e77c2bd691

SHA1
749614d6d0432b3196b6af7e68a3d96d1784091b

SHA256
680d9c5e91517a599b857327f1dfc6e41097ab3e9ac751341656d212e708b08a

SHA512
e3d6c94e1bb6c8051298c4319eb210436738290a34f2bd8ad920f6ea603ec3f2e2eacd3c4e3dc635153b5d60da37521fad060b21c39f4784bf10bae05da4780b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3CB3.tmp\[email protected]\install.rdf
Filesize
596B

MD5
0bd2dd0135f7610306ce712b5f6b316a

SHA1
c4b9f76bd8e110ec423ecb111e645a50fe3b402e

SHA256
1b09b74a8f0adfdf00b2558d6911df129d50bc718111e77f5235c262c6f536f7

SHA512
70cf6f8c06a7f2b98e666f1859f6526758c2b7b762e4e04479bc21941c88910ee8e1e4db1c083e865a4cf9e76753d70df23806201c1649d4e3c4c9fe32e5f655

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3CB3.tmp\qaXQ661QDbW3d20.dat
Filesize
1KB

MD5
cba36fa1f37f6bd86e384604e7633d6d

SHA1
ae66d7ee2b9ed693e709ee1d6b226e04cd3ed2fa

SHA256
262fd33adaab7daa9c20fb12945577011011f1d951630070b848b78378f93301

SHA512
e9c3b95ab61213e31c59da5b18bfb4fb9d94a1fbd7890eeac705de7d484dfa6d7a26aeb6b5b4e54dc1187efb41e740c02763b7fde03ea4e1209297cac6548177

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3CB3.tmp\qaXQ661QDbW3d20.exe
Filesize
768KB

MD5
09e156c94b649920c0c6efa8508ada9a

SHA1
8ba966f84a07648613468b06a11d17f2650e8af0

SHA256
2584e4b5077edba37c8e6f97ccdc2e582136ae0144212b37eb97cd4d8685059a

SHA512
1a1d2ff05d413ec1c18735dcb06775f0e652fc778f0ce31a9bdc8e567beb32253df635ee2e9b3bdc430c49f0f5ca6128e44cbd88b2cb712a6712c8327f209375

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3CB3.tmp\qaXQ661QDbW3d20.exe
Filesize
768KB

MD5
09e156c94b649920c0c6efa8508ada9a

SHA1
8ba966f84a07648613468b06a11d17f2650e8af0

SHA256
2584e4b5077edba37c8e6f97ccdc2e582136ae0144212b37eb97cd4d8685059a

SHA512
1a1d2ff05d413ec1c18735dcb06775f0e652fc778f0ce31a9bdc8e567beb32253df635ee2e9b3bdc430c49f0f5ca6128e44cbd88b2cb712a6712c8327f209375

Download Submit
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1536-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads