c45cbf84d36531e71f684141be5571a03635aca1c8b277b6860d3f3759a2b446

Analysis

max time kernel
42s
max time network
71s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c45cbf84d36531e71f684141be5571a03635aca1c8b277b6860d3f3759a2b446.exe
Size

931KB
MD5

ced10b017e16f53b1be54c71f8cd58fc
SHA1

117b9fad268876cc1aa2d89962e4966f3231d75f
SHA256

c45cbf84d36531e71f684141be5571a03635aca1c8b277b6860d3f3759a2b446
SHA512

0abbdd7590ec4ad5eb681623ebaa3611a262f1bad84990788dfddbebdc61f1938a60912eb92aa8f840466b17c6bda5c591ae91266d93aa25d55e042b1ce11d49
SSDEEP

24576:h1OYdaOtCZ/iWCvu/2sWsJA/jlt+DHhsu:h1OsjCpYO/dJJDHhsu

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

KcG6727oMz7NlU0.exe

pid process

876 KcG6727oMz7NlU0.exe
Loads dropped DLL 1 IoCs

Processes:

c45cbf84d36531e71f684141be5571a03635aca1c8b277b6860d3f3759a2b446.exe

pid process

536 c45cbf84d36531e71f684141be5571a03635aca1c8b277b6860d3f3759a2b446.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
536	c45cbf84d36531e71f684141be5571a03635aca1c8b277b6860d3f3759a2b446.exe

Drops Chrome extension 3 IoCs

Processes:

KcG6727oMz7NlU0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdjehhajhoidifofhpojkbaneioeodaa\2.0\manifest.json	KcG6727oMz7NlU0.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdjehhajhoidifofhpojkbaneioeodaa\2.0\manifest.json	KcG6727oMz7NlU0.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdjehhajhoidifofhpojkbaneioeodaa\2.0\manifest.json	KcG6727oMz7NlU0.exe

Drops file in System32 directory 4 IoCs

Processes:

KcG6727oMz7NlU0.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	KcG6727oMz7NlU0.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	KcG6727oMz7NlU0.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	KcG6727oMz7NlU0.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	KcG6727oMz7NlU0.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

KcG6727oMz7NlU0.exe

pid	process
876	KcG6727oMz7NlU0.exe
876	KcG6727oMz7NlU0.exe
876	KcG6727oMz7NlU0.exe
876	KcG6727oMz7NlU0.exe
876	KcG6727oMz7NlU0.exe
876	KcG6727oMz7NlU0.exe
876	KcG6727oMz7NlU0.exe
876	KcG6727oMz7NlU0.exe
876	KcG6727oMz7NlU0.exe
876	KcG6727oMz7NlU0.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

KcG6727oMz7NlU0.exe

description	pid	process
Token: SeDebugPrivilege	876	KcG6727oMz7NlU0.exe
Token: SeDebugPrivilege	876	KcG6727oMz7NlU0.exe
Token: SeDebugPrivilege	876	KcG6727oMz7NlU0.exe
Token: SeDebugPrivilege	876	KcG6727oMz7NlU0.exe
Token: SeDebugPrivilege	876	KcG6727oMz7NlU0.exe
Token: SeDebugPrivilege	876	KcG6727oMz7NlU0.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c45cbf84d36531e71f684141be5571a03635aca1c8b277b6860d3f3759a2b446.exe

description	pid	process	target process
PID 536 wrote to memory of 876	536	c45cbf84d36531e71f684141be5571a03635aca1c8b277b6860d3f3759a2b446.exe	KcG6727oMz7NlU0.exe
PID 536 wrote to memory of 876	536	c45cbf84d36531e71f684141be5571a03635aca1c8b277b6860d3f3759a2b446.exe	KcG6727oMz7NlU0.exe
PID 536 wrote to memory of 876	536	c45cbf84d36531e71f684141be5571a03635aca1c8b277b6860d3f3759a2b446.exe	KcG6727oMz7NlU0.exe
PID 536 wrote to memory of 876	536	c45cbf84d36531e71f684141be5571a03635aca1c8b277b6860d3f3759a2b446.exe	KcG6727oMz7NlU0.exe

C:\Users\Admin\AppData\Local\Temp\c45cbf84d36531e71f684141be5571a03635aca1c8b277b6860d3f3759a2b446.exe
"C:\Users\Admin\AppData\Local\Temp\c45cbf84d36531e71f684141be5571a03635aca1c8b277b6860d3f3759a2b446.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Local\Temp\7zS5DB.tmp\KcG6727oMz7NlU0.exe
.\KcG6727oMz7NlU0.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:876

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS5DB.tmp\KcG6727oMz7NlU0.dat
Filesize
1KB

MD5
f6dd18eafad246b91456af982dcc1ed2

SHA1
b9d223873e8f493187f3b9de89d959157065efac

SHA256
7db2fead4b904c5abc1429eb81ec35409e7fd64683f4a7f654c5ff37a8ebf3e0

SHA512
364181aef424529e868e0b71f3a41b767214a13148c1d1e5c31e54ae3457fff083c0d72cdce85d6be7cd42065fe76b0f6c625219185fbfd9e4e5af59090d741e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DB.tmp\KcG6727oMz7NlU0.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DB.tmp\cdjehhajhoidifofhpojkbaneioeodaa\background.html
Filesize
144B

MD5
8d5b9a1a531fb10d79680393b589ba70

SHA1
678bfd3978ac925ed339a70574de4fa4b502c4cf

SHA256
9240e1b2f670921f8c102f48fb1afe8a2ba48ff08da5f5f133364b7f98b925f5

SHA512
996007ab285d10bff7f776802f85c0fd16df07539b62de901ab1a3db38b7d4cee349eef5ce3855edb6a1b3f734750a2863f24e7e69bd182d991d7a76c9d2f446

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DB.tmp\cdjehhajhoidifofhpojkbaneioeodaa\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DB.tmp\cdjehhajhoidifofhpojkbaneioeodaa\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DB.tmp\cdjehhajhoidifofhpojkbaneioeodaa\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DB.tmp\cdjehhajhoidifofhpojkbaneioeodaa\vKXTIYL.js
Filesize
6KB

MD5
e3f92bd2bed80378380730dfca64cbbc

SHA1
fda6b1b8c251ee74963e584e50d10abf5cee6348

SHA256
011e79c7dfe99a37a5f1c1509bb4301ea1b3ca34287462c0eb2308636bb739d3

SHA512
4eab75e5820cab718ca96ed8852d6bb42a7861b5dcf5c634578deadb77db80b6cb018d9b7c052792ae8135027a7d96e108a06af62ced6fcfe84063154e658dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DB.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DB.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
de92ea736df086a50383550b44ae598b

SHA1
d43db13319592b371ea21c872fd01c111e62bb7a

SHA256
8e745b783a27edcaf2fb697c4b74ccd6435ab8ae25c485b022e9cff243bd98de

SHA512
fa83d9e4b5610614b02e7a425ce9f35a3cba055e3b3c9b1ec40fe6488798b828515e067c803ebbb1ba702dfbb196d983b6ba78deb5eb6144fc36d334bc593500

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DB.tmp\[email protected]\content\bg.js
Filesize
8KB

MD5
25e0ecd344a444b7124ec1a47193a54e

SHA1
775c9743580a6f4d7fed045a625d202c37ba817f

SHA256
5d7073ebcc001188828344627839d10a75ae126d0b6541f52c47c6a547c5405e

SHA512
ee73309b18039ded278e0cc68af12caa9383005249992a19999191afdb5f1ba5a458b838c2ba042b6767b847539f92a92321ae572d9ffd7f553a44d2b900bb14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DB.tmp\[email protected]\install.rdf
Filesize
595B

MD5
18d8a89761c0e10b13f9744f330ad382

SHA1
dbc5a63cf08a29cd0d524ea28d40aedb5725b029

SHA256
17fb09c825370793d1260ed2bc01b5fe4ab29b587b896c5bffe7d92efc182ee6

SHA512
9a298fae0fac03ab564d6741e6f84565457db6163b5993ccde21b7171f41d71ddcfaabfd019f903627ca3179492dfdbce388123d860697456c7fe93314dc329f

Download Submit
\Users\Admin\AppData\Local\Temp\7zS5DB.tmp\KcG6727oMz7NlU0.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
memory/536-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/876-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads