cef9a47a17bc586512304c3cd13e462b34a8a50dcf481ed6a566817abdc41b04

Analysis

max time kernel
137s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cef9a47a17bc586512304c3cd13e462b34a8a50dcf481ed6a566817abdc41b04.exe
Size

920KB
MD5

c712cef07dd981241003e5402486bd39
SHA1

be0fdb6d23ba09cb3e3286761612547b641c8ec6
SHA256

cef9a47a17bc586512304c3cd13e462b34a8a50dcf481ed6a566817abdc41b04
SHA512

95309b21818cf1deb53a5cdfd9a02565539b5be30984b6e4c8b44e2d241d0d696bd39cca480d9cf5417e605fa71ccba6cc43a8bc54c9d420c40a602040134a19
SSDEEP

24576:h1OYdaOJMtdHAqcdDVhYwiei7+EpFAh/kK0:h1OsMPHVmVhYwiLtKkK0

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ZLeIOFkxXHY2asV.exe

pid process

4972 ZLeIOFkxXHY2asV.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

ZLeIOFkxXHY2asV.exe

description	ioc	process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\knpaeflhgaamipkkmdpppgoengmpmhmh\2.0\manifest.json	ZLeIOFkxXHY2asV.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\knpaeflhgaamipkkmdpppgoengmpmhmh\2.0\manifest.json	ZLeIOFkxXHY2asV.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\knpaeflhgaamipkkmdpppgoengmpmhmh\2.0\manifest.json	ZLeIOFkxXHY2asV.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\knpaeflhgaamipkkmdpppgoengmpmhmh\2.0\manifest.json	ZLeIOFkxXHY2asV.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\knpaeflhgaamipkkmdpppgoengmpmhmh\2.0\manifest.json	ZLeIOFkxXHY2asV.exe

Drops file in System32 directory 4 IoCs

Processes:

ZLeIOFkxXHY2asV.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	ZLeIOFkxXHY2asV.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	ZLeIOFkxXHY2asV.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	ZLeIOFkxXHY2asV.exe
File opened for modification	C:\Windows\System32\GroupPolicy	ZLeIOFkxXHY2asV.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

ZLeIOFkxXHY2asV.exe

pid	process
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe
4972	ZLeIOFkxXHY2asV.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

ZLeIOFkxXHY2asV.exe

description	pid	process
Token: SeDebugPrivilege	4972	ZLeIOFkxXHY2asV.exe
Token: SeDebugPrivilege	4972	ZLeIOFkxXHY2asV.exe
Token: SeDebugPrivilege	4972	ZLeIOFkxXHY2asV.exe
Token: SeDebugPrivilege	4972	ZLeIOFkxXHY2asV.exe
Token: SeDebugPrivilege	4972	ZLeIOFkxXHY2asV.exe
Token: SeDebugPrivilege	4972	ZLeIOFkxXHY2asV.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cef9a47a17bc586512304c3cd13e462b34a8a50dcf481ed6a566817abdc41b04.exe

description	pid	process	target process
PID 1716 wrote to memory of 4972	1716	cef9a47a17bc586512304c3cd13e462b34a8a50dcf481ed6a566817abdc41b04.exe	ZLeIOFkxXHY2asV.exe
PID 1716 wrote to memory of 4972	1716	cef9a47a17bc586512304c3cd13e462b34a8a50dcf481ed6a566817abdc41b04.exe	ZLeIOFkxXHY2asV.exe
PID 1716 wrote to memory of 4972	1716	cef9a47a17bc586512304c3cd13e462b34a8a50dcf481ed6a566817abdc41b04.exe	ZLeIOFkxXHY2asV.exe

C:\Users\Admin\AppData\Local\Temp\cef9a47a17bc586512304c3cd13e462b34a8a50dcf481ed6a566817abdc41b04.exe
"C:\Users\Admin\AppData\Local\Temp\cef9a47a17bc586512304c3cd13e462b34a8a50dcf481ed6a566817abdc41b04.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\7zS675A.tmp\ZLeIOFkxXHY2asV.exe
.\ZLeIOFkxXHY2asV.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS675A.tmp\ZLeIOFkxXHY2asV.dat
Filesize
1KB

MD5
76e67168fc98d94ac7e0b7d24021ba45

SHA1
0f3cdbc7cd8b94ea9ba8b008e516031c27aef868

SHA256
6ae28caace16796d0a8f8ec00bb920fb9cb9578fcfe6f0d22744eefa139d3653

SHA512
93a47cfc12eae469477c23feb92493b31be683ad710156c7ef46901c5ffb2518a955e246b2c57b5a46a7fb995ceb399f51197ddd739d282cc2d41effeda45210

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS675A.tmp\ZLeIOFkxXHY2asV.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS675A.tmp\ZLeIOFkxXHY2asV.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS675A.tmp\knpaeflhgaamipkkmdpppgoengmpmhmh\background.html
Filesize
138B

MD5
cf76a0d862b79318eb8e21ee49cef7da

SHA1
cb7211a504c718e37d4941e8e8559628ddd0aa63

SHA256
b3ec3abc833e4adf28504fd012059626ea11d058702ad7d968b0ab9ecb75adc8

SHA512
8521163153c814b9f91ddaab17b13c13d43920247dda6e012a9e0287916fa7f7fde0e2340d0884b2a032c6e3f12c27b9aef606fb091807a221f7633bd666d423

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS675A.tmp\knpaeflhgaamipkkmdpppgoengmpmhmh\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS675A.tmp\knpaeflhgaamipkkmdpppgoengmpmhmh\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS675A.tmp\knpaeflhgaamipkkmdpppgoengmpmhmh\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS675A.tmp\knpaeflhgaamipkkmdpppgoengmpmhmh\y.js
Filesize
6KB

MD5
f8f7fbc0c237383a2a470738c0d4283a

SHA1
1082da5694889ce8ae87b41f1c2a4829e68facb4

SHA256
ca7ed2fae82a7216bd3a3c1a83614c8c4176eb70b55331ff235df146ce0fe1b4

SHA512
bc5a161a13f47784de2e66ae32e67bed6d3b9de6d4f57175890c4111282f809b0761e84ba39630b53321c116a36233ea8b49435ddc8e5893ca0e5ed4f7b01b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS675A.tmp\z@BVGj.com\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS675A.tmp\z@BVGj.com\chrome.manifest
Filesize
35B

MD5
47217d60feeceadbf3f2e3b149e0c66b

SHA1
708ef70e6958a81373bfff16fb1199d2d314a153

SHA256
a04382edcb0258e703ac32d95d1741f9e20b627af51549c4ade4202623c19e06

SHA512
775656a490d69c591df861a01339d46f0a1092e2e28330d058cf062fe8f36c4869c0b9f7ea1167510eb27b79060c533e507ecb00adac9af5ec405316d5e32860

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS675A.tmp\z@BVGj.com\content\bg.js
Filesize
9KB

MD5
2a567f74f17f8d8d06e113afc3df5804

SHA1
30770adf84d12ed8f97904e6ce6f3896e8f8bc1f

SHA256
7f684ae2310c3758523a125fcf8e4bea1b19f55b61a819509500849c54b01ae7

SHA512
adf4ec647bc74b20b80a7bb386eb1730aadd38a42f0e52e68dc98ef3cf62001bf78ff61bf3c74d742321ec5d92c15ce92ec0c0d1e1453b32ae5c550fec972af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS675A.tmp\z@BVGj.com\install.rdf
Filesize
592B

MD5
738317e525cf03a3689a1289b9f7280c

SHA1
ce745c8b685ebacac14413817028efe2a3d0cf1f

SHA256
4792b2767d0662d798df74190cfbb9d8fa110b37a4b43f7bbcea798aa07af01e

SHA512
ec1fea4b34f52aab7aac0d818444d531a8cafc2eb28eec803b0b55368e19b2b37de2a208d4d0b76f1dbacd6ec4c2473070ca0d8ce2e29c2a9695f6685d3310cb

Download Submit
memory/4972-132-0x0000000000000000-mapping.dmp

Download