c4a304e312155223185c12c7aacb2efb233d57f37e4d27f72c1681eb4402f1b8

Analysis

max time kernel
414s
max time network
436s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4a304e312155223185c12c7aacb2efb233d57f37e4d27f72c1681eb4402f1b8.exe
Size

931KB
MD5

e5af7ea8b684b3df89092c312273b421
SHA1

b6aa6685414f6d7b29df9394d784d5fb2e8ba837
SHA256

c4a304e312155223185c12c7aacb2efb233d57f37e4d27f72c1681eb4402f1b8
SHA512

6207d1aad46076669dcaa932fe9b1cad2ac7ae9452f8694e2f8e796ef1f1b6beffb7627e32f2d6cf42a091f788ab0ae7ecdc5ef323e6f6ca375bd1e5c76f051e
SSDEEP

24576:h1OYdaOHCZ/iWCvu/2sWsJA/jlt+DHhsu:h1Os5CpYO/dJJDHhsu

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

37x3yqoFE8Tcy79.exe

pid process

1900 37x3yqoFE8Tcy79.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

37x3yqoFE8Tcy79.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfpcliicecmbihcfcbjbfafejnkhkomg\2.0\manifest.json	37x3yqoFE8Tcy79.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfpcliicecmbihcfcbjbfafejnkhkomg\2.0\manifest.json	37x3yqoFE8Tcy79.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfpcliicecmbihcfcbjbfafejnkhkomg\2.0\manifest.json	37x3yqoFE8Tcy79.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfpcliicecmbihcfcbjbfafejnkhkomg\2.0\manifest.json	37x3yqoFE8Tcy79.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfpcliicecmbihcfcbjbfafejnkhkomg\2.0\manifest.json	37x3yqoFE8Tcy79.exe

Drops file in System32 directory 4 IoCs

Processes:

37x3yqoFE8Tcy79.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	37x3yqoFE8Tcy79.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	37x3yqoFE8Tcy79.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	37x3yqoFE8Tcy79.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	37x3yqoFE8Tcy79.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

37x3yqoFE8Tcy79.exe

pid	process
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe
1900	37x3yqoFE8Tcy79.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

37x3yqoFE8Tcy79.exe

description	pid	process
Token: SeDebugPrivilege	1900	37x3yqoFE8Tcy79.exe
Token: SeDebugPrivilege	1900	37x3yqoFE8Tcy79.exe
Token: SeDebugPrivilege	1900	37x3yqoFE8Tcy79.exe
Token: SeDebugPrivilege	1900	37x3yqoFE8Tcy79.exe
Token: SeDebugPrivilege	1900	37x3yqoFE8Tcy79.exe
Token: SeDebugPrivilege	1900	37x3yqoFE8Tcy79.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c4a304e312155223185c12c7aacb2efb233d57f37e4d27f72c1681eb4402f1b8.exe

description	pid	process	target process
PID 3816 wrote to memory of 1900	3816	c4a304e312155223185c12c7aacb2efb233d57f37e4d27f72c1681eb4402f1b8.exe	37x3yqoFE8Tcy79.exe
PID 3816 wrote to memory of 1900	3816	c4a304e312155223185c12c7aacb2efb233d57f37e4d27f72c1681eb4402f1b8.exe	37x3yqoFE8Tcy79.exe
PID 3816 wrote to memory of 1900	3816	c4a304e312155223185c12c7aacb2efb233d57f37e4d27f72c1681eb4402f1b8.exe	37x3yqoFE8Tcy79.exe

C:\Users\Admin\AppData\Local\Temp\c4a304e312155223185c12c7aacb2efb233d57f37e4d27f72c1681eb4402f1b8.exe
"C:\Users\Admin\AppData\Local\Temp\c4a304e312155223185c12c7aacb2efb233d57f37e4d27f72c1681eb4402f1b8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\Temp\7zS6D2E.tmp\37x3yqoFE8Tcy79.exe
.\37x3yqoFE8Tcy79.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS6D2E.tmp\37x3yqoFE8Tcy79.dat
Filesize
1KB

MD5
ed5eaaa7221c2c5bed61e8d9422a1d4f

SHA1
a26a0edc36ab2d416a69c7ab057e4f8ef2e4493f

SHA256
abd68cf62d827c5282c50e94f6b4e27bdf6383fdb7a90aaf35df157170aa3b8b

SHA512
24799d9a7aa1d0fec387a394598ad3603545ac9927678ba708c5e448eb9ba7aa6c11eaabefb085282fa14dbfb0c686c74443ec6879509b6de793a313085eec23

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D2E.tmp\37x3yqoFE8Tcy79.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D2E.tmp\37x3yqoFE8Tcy79.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D2E.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D2E.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
5922fe6da29c37462d870cbf35c93196

SHA1
067ee4f695473ee1a2e8710d519968ec85c61914

SHA256
6e28e2f202df427f4e7bb60dcd66a3a4c65c1f4e42bceed0973732407cff3214

SHA512
92dddfffbf405877a71794ab518b5774a605858df6fd23c3833d5d9204a91ebf7807897cb9ef0bcbf84b34a95fc51d0e14aaad06c39638dbb971273f6a4b2b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D2E.tmp\[email protected]\content\bg.js
Filesize
8KB

MD5
5a6f708919da626cfcae360acd3a1bce

SHA1
eb79154046d9fce39492850f22209fda152157e7

SHA256
fccc5267a536d0eea1d41c8faa130e2bcda51f7e48a498effd2c7088c8468515

SHA512
3a447ce4948659af32dad2229a77ba64872d5da464302515395c083508ca945d8df277c160ab7d802646013b0bb31bf4d0d8e5c102d86de4a0057b564741d926

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D2E.tmp\[email protected]\install.rdf
Filesize
597B

MD5
64076805a0bc80edf3bfa687d573bb99

SHA1
d966b544919040407ad9fb1d71c2f262983cdc92

SHA256
650c1e2ca16c795cb87501c96418a76b284dcc39e69aebc1c4ef43270a0d34b0

SHA512
944956510e827e0deba17cf804d60adc31dd55fbd20228837b6bf7a218177a332680a5da140aaae01c7375a17888ee87fde6a09f785986d4b9157708fe2eceff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D2E.tmp\gfpcliicecmbihcfcbjbfafejnkhkomg\aySj2.js
Filesize
6KB

MD5
0a6ac345ae14ceb6fe05532b3fa76177

SHA1
8c15d6175ae3e3b449b7b268fbb4f3d0b3e15e58

SHA256
f6b08c8bf3e9f31ce2ce7c8238cfbf3c47e5c4c65607ae1d9bcb1989d0e53749

SHA512
e59e9ed2e5c12eca7bc90e30bf9e0bea08547318854a5e70064082ead0258873b3883b39da7db9ba2f3726e6cc0e69c098d6e9a5a7f245ec91956da24a9ebd14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D2E.tmp\gfpcliicecmbihcfcbjbfafejnkhkomg\background.html
Filesize
142B

MD5
4c6c668adae1059c031103b028ffc16e

SHA1
667275d98b18861aeb084405bc2cbd38757bdc55

SHA256
c00631f678cdecd75efde44e9ed51b8de3f50f2e78fea7cad381641e533ce6ef

SHA512
8687eb62c63a43d6f57b0f2f13f017992c103a5eeb50270e5fd819a63e17a6f974e03ea9f518a57129d5a1d45234bfd52681627b32d4e6563c9fe4f7117c73c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D2E.tmp\gfpcliicecmbihcfcbjbfafejnkhkomg\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D2E.tmp\gfpcliicecmbihcfcbjbfafejnkhkomg\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D2E.tmp\gfpcliicecmbihcfcbjbfafejnkhkomg\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/1900-132-0x0000000000000000-mapping.dmp

Download