cf0d4d0308e6894729116ea06bce3ae449d90b7e9fdaab24070bee21648c873f

Analysis

max time kernel
13s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf0d4d0308e6894729116ea06bce3ae449d90b7e9fdaab24070bee21648c873f.exe
Size

919KB
MD5

60d10d8e452e8b32843436d7a685c26b
SHA1

57ea8754e8de5fe60c10d06973165d003338f476
SHA256

cf0d4d0308e6894729116ea06bce3ae449d90b7e9fdaab24070bee21648c873f
SHA512

d819475defd60ef15dd4496e54b95506ccbd92f4061c1c446b361015b0b91574919c3832da9d60abc41740d683954e3f5d2f0d7a3f795bc4172b5f307322d80c
SSDEEP

24576:h1OYdaONMtdHAqcdDVhYwiei7+EpFAh/kKv:h1OsEPHVmVhYwiLtKkKv

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

TYu6Jpd0affrvKC.exe

pid process

1792 TYu6Jpd0affrvKC.exe
Loads dropped DLL 1 IoCs

Processes:

cf0d4d0308e6894729116ea06bce3ae449d90b7e9fdaab24070bee21648c873f.exe

pid process

1264 cf0d4d0308e6894729116ea06bce3ae449d90b7e9fdaab24070bee21648c873f.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1264	cf0d4d0308e6894729116ea06bce3ae449d90b7e9fdaab24070bee21648c873f.exe

Drops Chrome extension 3 IoCs

Processes:

TYu6Jpd0affrvKC.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dnddjgeefbmifdmlamcnjmjncipbkabg\2.0\manifest.json	TYu6Jpd0affrvKC.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\dnddjgeefbmifdmlamcnjmjncipbkabg\2.0\manifest.json	TYu6Jpd0affrvKC.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\dnddjgeefbmifdmlamcnjmjncipbkabg\2.0\manifest.json	TYu6Jpd0affrvKC.exe

Drops file in System32 directory 4 IoCs

Processes:

TYu6Jpd0affrvKC.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	TYu6Jpd0affrvKC.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	TYu6Jpd0affrvKC.exe
File opened for modification	C:\Windows\System32\GroupPolicy	TYu6Jpd0affrvKC.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	TYu6Jpd0affrvKC.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

TYu6Jpd0affrvKC.exe

pid	process
1792	TYu6Jpd0affrvKC.exe
1792	TYu6Jpd0affrvKC.exe
1792	TYu6Jpd0affrvKC.exe
1792	TYu6Jpd0affrvKC.exe
1792	TYu6Jpd0affrvKC.exe
1792	TYu6Jpd0affrvKC.exe
1792	TYu6Jpd0affrvKC.exe
1792	TYu6Jpd0affrvKC.exe
1792	TYu6Jpd0affrvKC.exe
1792	TYu6Jpd0affrvKC.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

TYu6Jpd0affrvKC.exe

description	pid	process
Token: SeDebugPrivilege	1792	TYu6Jpd0affrvKC.exe
Token: SeDebugPrivilege	1792	TYu6Jpd0affrvKC.exe
Token: SeDebugPrivilege	1792	TYu6Jpd0affrvKC.exe
Token: SeDebugPrivilege	1792	TYu6Jpd0affrvKC.exe
Token: SeDebugPrivilege	1792	TYu6Jpd0affrvKC.exe
Token: SeDebugPrivilege	1792	TYu6Jpd0affrvKC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cf0d4d0308e6894729116ea06bce3ae449d90b7e9fdaab24070bee21648c873f.exe

description	pid	process	target process
PID 1264 wrote to memory of 1792	1264	cf0d4d0308e6894729116ea06bce3ae449d90b7e9fdaab24070bee21648c873f.exe	TYu6Jpd0affrvKC.exe
PID 1264 wrote to memory of 1792	1264	cf0d4d0308e6894729116ea06bce3ae449d90b7e9fdaab24070bee21648c873f.exe	TYu6Jpd0affrvKC.exe
PID 1264 wrote to memory of 1792	1264	cf0d4d0308e6894729116ea06bce3ae449d90b7e9fdaab24070bee21648c873f.exe	TYu6Jpd0affrvKC.exe
PID 1264 wrote to memory of 1792	1264	cf0d4d0308e6894729116ea06bce3ae449d90b7e9fdaab24070bee21648c873f.exe	TYu6Jpd0affrvKC.exe

C:\Users\Admin\AppData\Local\Temp\cf0d4d0308e6894729116ea06bce3ae449d90b7e9fdaab24070bee21648c873f.exe
"C:\Users\Admin\AppData\Local\Temp\cf0d4d0308e6894729116ea06bce3ae449d90b7e9fdaab24070bee21648c873f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\7zS4876.tmp\TYu6Jpd0affrvKC.exe
.\TYu6Jpd0affrvKC.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS4876.tmp\4xgdxnMZ5f@S.com\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4876.tmp\4xgdxnMZ5f@S.com\chrome.manifest
Filesize
35B

MD5
f7f2096936dc30a0b949a8561d35b902

SHA1
fb679e93833ab08e75224f9b1864fe546c00c2ac

SHA256
d86c428571e6e94bdf86c2f8e49ec7e9c11842eb2418d94ad3ddfde0e2c47e2e

SHA512
329b95b42ff369e28897b6240d9cd2e0bfb9ab6bc24dab659f0aaff87ccef72a346ed3966b6292763431b75013f909c24f810d74f900d69f627aacab3b958b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4876.tmp\4xgdxnMZ5f@S.com\content\bg.js
Filesize
8KB

MD5
6fe30c3f74cd3a701c419232b3f693a3

SHA1
0f58df27bed046e90e2dad25d0318d96c69dcf09

SHA256
9ff243a52b5d51452073614575e5e1109190f9f096440d96b9795073c72038a3

SHA512
d39fa281fe2d95b569040de53a109de8e9cc4086f0b376832288a236872fcc9cb9e2d44c278f2fa157c63fb4f253923d35e747eabf21758a9292bb568342f90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4876.tmp\4xgdxnMZ5f@S.com\install.rdf
Filesize
598B

MD5
a928b738878d05fab4beb72ff35ab88d

SHA1
7025a083ed3f23425c8baa21fde44d43afcce3c6

SHA256
74c5c1484eaf9e30818e42460b057b727972901d37aedf5de0df04e196e8a2c0

SHA512
b6b264b9ee57dc1643a60adb2c42b84b8b45255be3346188b5b0403f605f08e757f21c24c01ae72d2f7c3ce306b0dc085ab060aee4c0b16a73d1f1fa7fe16d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4876.tmp\TYu6Jpd0affrvKC.dat
Filesize
1KB

MD5
0a18cd697df0985671d25d1cf751d819

SHA1
ebfc4e87b6077e87efc8467fdb72363b9e2de8fe

SHA256
12faca5e4577a96513856f93c0782582dc6d88bbc68d13bcf323de43f5e7fae6

SHA512
7500d52b00b441e9b7d29d95131d3f60b67e63f595f604fc332a532ff4c82c709d0fcc0394c940ea5b378507dec700a34887b3a9c7ef329e66fc37dfed53ecf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4876.tmp\TYu6Jpd0affrvKC.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4876.tmp\dnddjgeefbmifdmlamcnjmjncipbkabg\E5KlIPoB6z.js
Filesize
6KB

MD5
c8d90209f59c69b876a7411d2258124c

SHA1
50a7d0b72d3ddf71ecaef9f56b0f8b512fc82343

SHA256
de1738cffb4e16b78ee41289f1d0018f848e5e4ba1b9896afd99fadfcf32b8a0

SHA512
3c25ff271585104561d42d76939e64461efc57a3f3e0c96092649c15551b429b9cc9ec1edcd0491846fe71f3de05edd4dcd251761f1667b9940750b189cd710c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4876.tmp\dnddjgeefbmifdmlamcnjmjncipbkabg\background.html
Filesize
147B

MD5
29a0baeb6913c86ee4ec3ce218463bea

SHA1
6f54c7d68303421a278dfd95489d73ce427b6ef7

SHA256
31918469a48543b8da493716eeabf875a9a3c1e843bbc18e4e706817e2c7f2b8

SHA512
73987bf6ea54ef4a62157ee8bb28843d7edc0315c9c794fd20cfb7a7d5cc927290ec9525bb40c2870be1f7c5399c8b365d84cd42fdc94b51e473d9853b80045c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4876.tmp\dnddjgeefbmifdmlamcnjmjncipbkabg\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4876.tmp\dnddjgeefbmifdmlamcnjmjncipbkabg\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4876.tmp\dnddjgeefbmifdmlamcnjmjncipbkabg\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4876.tmp\TYu6Jpd0affrvKC.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
memory/1264-54-0x0000000074E01000-0x0000000074E03000-memory.dmp

Filesize
8KB

Download
memory/1792-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads