c4d1ade2316dbe92617c5766ad53ee500715f650f32d0a0d94e7b60bf9605780

Analysis

max time kernel
178s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4d1ade2316dbe92617c5766ad53ee500715f650f32d0a0d94e7b60bf9605780.exe
Size

920KB
MD5

63e0f9cb7c83646c86f8fe64e2cb6ea0
SHA1

3c3f07f203ad686a55286b95a5147e64b41b2caa
SHA256

c4d1ade2316dbe92617c5766ad53ee500715f650f32d0a0d94e7b60bf9605780
SHA512

a8de00eadda3ef9deb4b24dec42fac689f19a61073121e893e8ef9fb741223b82f00113305533bea1d3cb6c5300e8a22ab30715e1389617c8267ba49fcf96521
SSDEEP

24576:h1OYdaOeMtdHAqcdDVhYwiei7+EpFAh/kKc:h1OsHPHVmVhYwiLtKkKc

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tZGNbVz977Zcvww.exe

pid process

4300 tZGNbVz977Zcvww.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

tZGNbVz977Zcvww.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcplpggaigbcoidbiennmdfmackbkno\2.0\manifest.json	tZGNbVz977Zcvww.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcplpggaigbcoidbiennmdfmackbkno\2.0\manifest.json	tZGNbVz977Zcvww.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcplpggaigbcoidbiennmdfmackbkno\2.0\manifest.json	tZGNbVz977Zcvww.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcplpggaigbcoidbiennmdfmackbkno\2.0\manifest.json	tZGNbVz977Zcvww.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcplpggaigbcoidbiennmdfmackbkno\2.0\manifest.json	tZGNbVz977Zcvww.exe

Drops file in System32 directory 4 IoCs

Processes:

tZGNbVz977Zcvww.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	tZGNbVz977Zcvww.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	tZGNbVz977Zcvww.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	tZGNbVz977Zcvww.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	tZGNbVz977Zcvww.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

tZGNbVz977Zcvww.exe

pid	process
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe
4300	tZGNbVz977Zcvww.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

tZGNbVz977Zcvww.exe

description	pid	process
Token: SeDebugPrivilege	4300	tZGNbVz977Zcvww.exe
Token: SeDebugPrivilege	4300	tZGNbVz977Zcvww.exe
Token: SeDebugPrivilege	4300	tZGNbVz977Zcvww.exe
Token: SeDebugPrivilege	4300	tZGNbVz977Zcvww.exe
Token: SeDebugPrivilege	4300	tZGNbVz977Zcvww.exe
Token: SeDebugPrivilege	4300	tZGNbVz977Zcvww.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c4d1ade2316dbe92617c5766ad53ee500715f650f32d0a0d94e7b60bf9605780.exe

description	pid	process	target process
PID 4764 wrote to memory of 4300	4764	c4d1ade2316dbe92617c5766ad53ee500715f650f32d0a0d94e7b60bf9605780.exe	tZGNbVz977Zcvww.exe
PID 4764 wrote to memory of 4300	4764	c4d1ade2316dbe92617c5766ad53ee500715f650f32d0a0d94e7b60bf9605780.exe	tZGNbVz977Zcvww.exe
PID 4764 wrote to memory of 4300	4764	c4d1ade2316dbe92617c5766ad53ee500715f650f32d0a0d94e7b60bf9605780.exe	tZGNbVz977Zcvww.exe

C:\Users\Admin\AppData\Local\Temp\c4d1ade2316dbe92617c5766ad53ee500715f650f32d0a0d94e7b60bf9605780.exe
"C:\Users\Admin\AppData\Local\Temp\c4d1ade2316dbe92617c5766ad53ee500715f650f32d0a0d94e7b60bf9605780.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\7zS17BE.tmp\tZGNbVz977Zcvww.exe
.\tZGNbVz977Zcvww.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS17BE.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17BE.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
91a0f93c09e073ea8d0e32385786825a

SHA1
67339e0b67e7c31124262e9297be5481ae9ddda5

SHA256
fde2bf63b4c9d26bbb2860ac5d9b1b4ab86696d3544011e63b444a8a15796c20

SHA512
1cd6d0814aea3355424e06285ef20dd4913fef3570395a4998c2d6bd82cbaf07a4702399fd197ba1a13926629c94cfa1cfecdcad78c7775d57daef94bb89d115

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17BE.tmp\[email protected]\content\bg.js
Filesize
8KB

MD5
a94d4d126098de07117d167d004305b4

SHA1
e6b102b4d6f7d7ceb84432ac3913dd5b54c8396c

SHA256
c7c7cd7fceca0c51649e95171dcdad63c9c9c7e4b0db51dc8a3b44f2a795b0d3

SHA512
b7a726341493391507bb66489a6e8b8c58a2d01bcf24b74c94175c7dd94df8e5b355232a9a1a2e1a7f375aef691d9a2b46a04be4decc8c470708a7bb8abff6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17BE.tmp\[email protected]\install.rdf
Filesize
592B

MD5
9034b4dc4f355cd274e576f2a53d4683

SHA1
f6ab8f9c35a4a762170d4112906808be184633cd

SHA256
cb3db3168fe83e94f3d147e1d4060044149fc3e4a955478378ef7c8fec6aa6dd

SHA512
5122e8f8c8881d8dd46abc595cbfe5cb967d6219cec77641a5cf9099be6320ce3d8a164a4da4e0c2e2c2cb0c2ef7e4c22b2b0c622916344340032022473ae7b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17BE.tmp\gfcplpggaigbcoidbiennmdfmackbkno\SatdjNUh.js
Filesize
6KB

MD5
f40b03f5afda03680df7b796b80c8068

SHA1
fdbd7477f53d64d1016ef5d1a1b9895fd4479473

SHA256
1a7c1d3d53e059c56e28afcb55d720a5f1313c579631929f5c365313d3c0cc6c

SHA512
e719a70f15a21f3410632aaffe1c0f2a2299ede15681379e7e21e7b104edff60df8ecdab71a4b33f39747e51ba636e58d06d38bf55d68d802c57531a72665601

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17BE.tmp\gfcplpggaigbcoidbiennmdfmackbkno\background.html
Filesize
145B

MD5
a508d77aa023184d78e4a08b5ca7e19c

SHA1
4ae924dba0e0c3ffa36e97336043972696450f2c

SHA256
712870c6e9c472d822604cc5ee9f2e6bf13bc285a9c6e32184c1973a860001d8

SHA512
db3c9e718a448f36c8c5e2dc5300a6fb1e2d81a84523dd8385b6c69b6e72d412037f831e7d090374dff61eea2096f915569211b962db909bb66f23f014f7ae38

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17BE.tmp\gfcplpggaigbcoidbiennmdfmackbkno\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17BE.tmp\gfcplpggaigbcoidbiennmdfmackbkno\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17BE.tmp\gfcplpggaigbcoidbiennmdfmackbkno\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17BE.tmp\tZGNbVz977Zcvww.dat
Filesize
1KB

MD5
b0cd14fa93570f000e7e0969b6725fe2

SHA1
80466572689062c2999cfef5215d774565b36857

SHA256
6d4d73922b5048e5cfadd665bf983642bf1726ab6b2753412add0dc64aa8a337

SHA512
d9f299fda5d41d49059f997ab14c0e2f03042c8aae0d75152822a93bcdfb8e80f84c5d9b1b32acce75b75b1ad0deb6f169d6bef91d70122d9e270badbef63762

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17BE.tmp\tZGNbVz977Zcvww.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17BE.tmp\tZGNbVz977Zcvww.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
memory/4300-132-0x0000000000000000-mapping.dmp

Download