Analysis
- max time kernel: 133s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 19:17
- Static task: static1
- Behavioral task: behavioral1
  - Sample: ca0122c194fe41bf97ac1596a9bdfe67891fa354b1908a835461cfe3b5b4992f.exe
  - Resource: win7-20220812-en
General
- Target: ca0122c194fe41bf97ac1596a9bdfe67891fa354b1908a835461cfe3b5b4992f.exe
- Size: 931KB
- MD5: b8808d84602f039171bedc591e0cf5c6
- SHA1: ed3c74caad40233e6b17820be110805a3dca8c55
- SHA256: ca0122c194fe41bf97ac1596a9bdfe67891fa354b1908a835461cfe3b5b4992f
- SHA512: 20691e5ee3cae1e571477f017ba2acc07706b1560d8a6d133631139a9dd68560be59828fb9f98b5f6b986555adae0ed4608f03674448ac2f2c18da22dff2f549
- SSDEEP: 24576:h1OYdaOlCZ/iWCvu/2sWsJA/jlt+DHhsM:h1OsnCpYO/dJJDHhsM
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid 3612  BHbdlSgWfEWvg8h.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension (5 IoCs)
  Processes (all by BHbdlSgWfEWvg8h.exe):
  File created  C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\emnjdohgampdolddnekadpphojpjnjga\2.0\manifest.json
  File created  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\emnjdohgampdolddnekadpphojpjnjga\2.0\manifest.json
  File created  C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\emnjdohgampdolddnekadpphojpjnjga\2.0\manifest.json
  File created  C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\emnjdohgampdolddnekadpphojpjnjga\2.0\manifest.json
  File created  C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\emnjdohgampdolddnekadpphojpjnjga\2.0\manifest.json
- Drops file in System32 directory (4 IoCs)
  Processes (all by BHbdlSgWfEWvg8h.exe):
  File opened for modification  C:\Windows\System32\GroupPolicy
  File opened for modification  C:\Windows\SysWOW64\GroupPolicy\gpt.ini
  File created                  C:\Windows\System32\GroupPolicy\Machine\Registry.pol
  File opened for modification  C:\Windows\System32\GroupPolicy\GPT.INI
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes:
  pid 3612  BHbdlSgWfEWvg8h.exe (listed 20 times)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
  Token: SeDebugPrivilege  pid 3612  BHbdlSgWfEWvg8h.exe (listed 6 times)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  PID 2284 (ca0122c194fe41bf97ac1596a9bdfe67891fa354b1908a835461cfe3b5b4992f.exe) wrote to memory of PID 3612 (BHbdlSgWfEWvg8h.exe) (listed 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\ca0122c194fe41bf97ac1596a9bdfe67891fa354b1908a835461cfe3b5b4992f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ca0122c194fe41bf97ac1596a9bdfe67891fa354b1908a835461cfe3b5b4992f.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zSFFC1.tmp\BHbdlSgWfEWvg8h.exe
    Command line: .\BHbdlSgWfEWvg8h.exe
    - Executes dropped EXE
    - Drops Chrome extension
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Downloads
- C:\Users\Admin\AppData\Local\Temp\7zSFFC1.tmp\BHbdlSgWfEWvg8h.dat
  Filesize: 1KB
  MD5: a569bc5db9730a701bcfa66b2d84fb18
  SHA1: fce6ce80137d49181d250e675d04e41bfd7e4060
  SHA256: 51b4ea67677f4dd46fb69f5ffa2cd5b19a24ae003066732648b97ba3dea3ae91
  SHA512: dec7247b039936b7a41345e50f32cb37dc893d3b9348515e07939b37c58d4ed62242a4558d3be32250242aaa98a10bd3e057103fe6331bee1cd34c1af20be72b
- C:\Users\Admin\AppData\Local\Temp\7zSFFC1.tmp\BHbdlSgWfEWvg8h.exe
  Filesize: 772KB
  MD5: 5ed7019dcd0008dbcd8e54017b8c7dd9
  SHA1: 7e4457da2ff06c2170bad636c9eb7c1bb436fd06
  SHA256: 7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7
  SHA512: 10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db
- C:\Users\Admin\AppData\Local\Temp\7zSFFC1.tmp\emnjdohgampdolddnekadpphojpjnjga\U2ql.js
  Filesize: 6KB
  MD5: 087238ceb7bbd9b610823d3a53c2ce6d
  SHA1: a3118918b13583d669b70373705093bb0a442933
  SHA256: d33f3102580009c3fad0a7594a5e81f4635eff41673668810e268744ab67ef76
  SHA512: b98dfb0216832190dc8feb529fa7af61bfcb6f9e01b5580650eb4d695d2b568ac3f3ed4abe85cdd59d9124b5ddcf41dc9a88c2bab970dd31fcfdbc3338f491df
- C:\Users\Admin\AppData\Local\Temp\7zSFFC1.tmp\emnjdohgampdolddnekadpphojpjnjga\background.html
  Filesize: 141B
  MD5: 31855a5e21456dcf06ccddcfaf54053d
  SHA1: a213beccfbb2acc52011be4590fdafdfeb038c9f
  SHA256: 737cd0dfb0a8663981a58cd20eaa7726cf30b7327d22fa0fa3b44b2cf1995ab0
  SHA512: d9a6d183fd37dde4b560fcbff5611ad070e692847fe0c54788dbad572998b9d9e22f7bb4233126a451d910ccdd86e594803a4291aa9d637150088ee3feef43d2
- C:\Users\Admin\AppData\Local\Temp\7zSFFC1.tmp\emnjdohgampdolddnekadpphojpjnjga\content.js
  Filesize: 144B
  MD5: fca19198fd8af21016a8b1dec7980002
  SHA1: fd01a47d14004e17a625efe66cc46a06c786cf40
  SHA256: 332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
  SHA512: 60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47
- C:\Users\Admin\AppData\Local\Temp\7zSFFC1.tmp\emnjdohgampdolddnekadpphojpjnjga\lsdb.js
  Filesize: 531B
  MD5: 36d98318ab2b3b2585a30984db328afb
  SHA1: f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
  SHA256: ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
  SHA512: 6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a
- C:\Users\Admin\AppData\Local\Temp\7zSFFC1.tmp\emnjdohgampdolddnekadpphojpjnjga\manifest.json
  Filesize: 498B
  MD5: 640199ea4621e34510de919f6a54436f
  SHA1: dc65dbfad02bd2688030bd56ca1cab85917a9937
  SHA256: e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af
  SHA512: d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a
- C:\Users\Admin\AppData\Local\Temp\7zSFFC1.tmp\v@nAl.net\bootstrap.js
  Filesize: 2KB
  MD5: df13f711e20e9c80171846d4f2f7ae06
  SHA1: 56d29cda58427efe0e21d3880d39eb1b0ef60bee
  SHA256: 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
  SHA512: 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e
- C:\Users\Admin\AppData\Local\Temp\7zSFFC1.tmp\v@nAl.net\chrome.manifest
  Filesize: 35B
  MD5: ba1230d309edb8a94e9593fec059153d
  SHA1: 046afe36c5bda559f545423a00c2e519c5580a15
  SHA256: 8846395e7dc030617abe4746cd37d5e4ca4143ff4e0a496057df177370728b0b
  SHA512: 522569caf7c01367f6adfca360549e8f93fb4c37a2a357ddc3245cb800f3ff556bd53062f736f0abe69b2a9a1e590961002f9aaeed53e12b714213c1f2e90da9
- C:\Users\Admin\AppData\Local\Temp\7zSFFC1.tmp\v@nAl.net\content\bg.js
  Filesize: 8KB
  MD5: 0af7b3d74ae696dec7c1695ac210d0b1
  SHA1: 1e4e2c78d46d9b77c2c2b17687d79ec389cc5c9a
  SHA256: 1b310a85c90d9a3bd5268281b858f0a0d0cf2d84bf424e6926693dfd989a27a5
  SHA512: ee93728a444d761907e5e76e41ea81daa63e5f9e83ae644f1f230b6cad361beb353dadca7deac79b2ea24ebac970ce08d14924c5e94022ef2d9ecf996a698195
- C:\Users\Admin\AppData\Local\Temp\7zSFFC1.tmp\v@nAl.net\install.rdf
  Filesize: 592B
  MD5: c0ca2901442597252696af3b30a65a36
  SHA1: c54158b22b12b7c8a08adef8481cf883655e1b16
  SHA256: dffa0fd76041d12aecebf28f12ce14bdd844223ce6168030f0ca9cb64ab13c1e
  SHA512: 9e8c4263ec5834f4c85574bb1fa065024e4e4adc08e560f88fc4d6918770e82169d8f35de96bda2336c679625ec6a963dea1bfaaaf270cd724b0f21bf5c9aece
- memory/3612-132-0x0000000000000000-mapping.dmp