c457edbca9c250575250a2c0653636d781e235843ecaf67d9c7049e0376cf2cb

Analysis

max time kernel
141s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c457edbca9c250575250a2c0653636d781e235843ecaf67d9c7049e0376cf2cb.exe
Size

926KB
MD5

8ea5b7e6f3e4fefd30223c56b1ce35e2
SHA1

a58de7c3f3639611b5393135fce9085c6c8b9f57
SHA256

c457edbca9c250575250a2c0653636d781e235843ecaf67d9c7049e0376cf2cb
SHA512

908e9b14bdb26f1eea526aade1986c8610001efc84cf20fc39793dfa3254e63e8b3cabcdfa38fe825637136a8514279bb0daea66fa3595b1a273ae7d707e156d
SSDEEP

24576:h1OYdaOmnQju5vMu6qN2FctIOBYXZBai3GBlgpKLe/7rI:h1OsUQjO6HHzayGBe/7rI

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Yz5HnUKW2y2FmMc.exe

pid process

4912 Yz5HnUKW2y2FmMc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

Yz5HnUKW2y2FmMc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogljhocnejdjhfbkgblkfkkhkonmgcbh\2.0\manifest.json	Yz5HnUKW2y2FmMc.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogljhocnejdjhfbkgblkfkkhkonmgcbh\2.0\manifest.json	Yz5HnUKW2y2FmMc.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogljhocnejdjhfbkgblkfkkhkonmgcbh\2.0\manifest.json	Yz5HnUKW2y2FmMc.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogljhocnejdjhfbkgblkfkkhkonmgcbh\2.0\manifest.json	Yz5HnUKW2y2FmMc.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogljhocnejdjhfbkgblkfkkhkonmgcbh\2.0\manifest.json	Yz5HnUKW2y2FmMc.exe

Drops file in System32 directory 4 IoCs

Processes:

Yz5HnUKW2y2FmMc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Yz5HnUKW2y2FmMc.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Yz5HnUKW2y2FmMc.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Yz5HnUKW2y2FmMc.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Yz5HnUKW2y2FmMc.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Yz5HnUKW2y2FmMc.exe

pid	process
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe
4912	Yz5HnUKW2y2FmMc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Yz5HnUKW2y2FmMc.exe

description	pid	process
Token: SeDebugPrivilege	4912	Yz5HnUKW2y2FmMc.exe
Token: SeDebugPrivilege	4912	Yz5HnUKW2y2FmMc.exe
Token: SeDebugPrivilege	4912	Yz5HnUKW2y2FmMc.exe
Token: SeDebugPrivilege	4912	Yz5HnUKW2y2FmMc.exe
Token: SeDebugPrivilege	4912	Yz5HnUKW2y2FmMc.exe
Token: SeDebugPrivilege	4912	Yz5HnUKW2y2FmMc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c457edbca9c250575250a2c0653636d781e235843ecaf67d9c7049e0376cf2cb.exe

description	pid	process	target process
PID 4972 wrote to memory of 4912	4972	c457edbca9c250575250a2c0653636d781e235843ecaf67d9c7049e0376cf2cb.exe	Yz5HnUKW2y2FmMc.exe
PID 4972 wrote to memory of 4912	4972	c457edbca9c250575250a2c0653636d781e235843ecaf67d9c7049e0376cf2cb.exe	Yz5HnUKW2y2FmMc.exe
PID 4972 wrote to memory of 4912	4972	c457edbca9c250575250a2c0653636d781e235843ecaf67d9c7049e0376cf2cb.exe	Yz5HnUKW2y2FmMc.exe

C:\Users\Admin\AppData\Local\Temp\c457edbca9c250575250a2c0653636d781e235843ecaf67d9c7049e0376cf2cb.exe
"C:\Users\Admin\AppData\Local\Temp\c457edbca9c250575250a2c0653636d781e235843ecaf67d9c7049e0376cf2cb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\7zSF0FC.tmp\Yz5HnUKW2y2FmMc.exe
.\Yz5HnUKW2y2FmMc.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSF0FC.tmp\Yz5HnUKW2y2FmMc.dat
Filesize
1KB

MD5
3ddea856513a989d62ddafa43786e3a5

SHA1
c329c7ffee48efabf3c17c980374eeeba477351f

SHA256
95a1e10cad869f18ac3d86d0257ce7797a1178fcce9073c8f0770c57512ed678

SHA512
52506388ef81c8f43c19fadae0beb79239b859130dbc1308a5e10db34dafd6cf071bb2559f69e0b55e63d640fa325eecf732c3d99f2f47e4d32586d05f694454

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0FC.tmp\Yz5HnUKW2y2FmMc.exe
Filesize
768KB

MD5
09e156c94b649920c0c6efa8508ada9a

SHA1
8ba966f84a07648613468b06a11d17f2650e8af0

SHA256
2584e4b5077edba37c8e6f97ccdc2e582136ae0144212b37eb97cd4d8685059a

SHA512
1a1d2ff05d413ec1c18735dcb06775f0e652fc778f0ce31a9bdc8e567beb32253df635ee2e9b3bdc430c49f0f5ca6128e44cbd88b2cb712a6712c8327f209375

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0FC.tmp\Yz5HnUKW2y2FmMc.exe
Filesize
768KB

MD5
09e156c94b649920c0c6efa8508ada9a

SHA1
8ba966f84a07648613468b06a11d17f2650e8af0

SHA256
2584e4b5077edba37c8e6f97ccdc2e582136ae0144212b37eb97cd4d8685059a

SHA512
1a1d2ff05d413ec1c18735dcb06775f0e652fc778f0ce31a9bdc8e567beb32253df635ee2e9b3bdc430c49f0f5ca6128e44cbd88b2cb712a6712c8327f209375

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0FC.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0FC.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
83ad552d8efb11d6a9cf43bb6c1e7ca5

SHA1
9c7e3d08b1879caa25c6821cd99ca4ceff2c6ee7

SHA256
f26f978b0933dab1a8e560119076b68a9cd027c3bbe4bc969087a4788a840654

SHA512
2ff10f4e2f9cc58775f75305e2ff0a2322d91dec7670e1833b3ca784e5f01d7331c911dfed77eec08119ce0e0e5b49ca7312bdbe76e6a185d254a4b7927ea1fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0FC.tmp\[email protected]\content\bg.js
Filesize
8KB

MD5
4e48a68b30c51c4767a79bc86d92434e

SHA1
37d315b12b457df75781405da4d04228a6855d52

SHA256
e2605e1dcfa1d26f96825100f80d61565d68154f88a93634f3edc4ab649fdc7b

SHA512
e038982c92906b7e53da7d88c9b82d3a2a89c936c1a09ada28336d3cedd2cae4c9a0f0e1cf428c6cec4c325b00d825ac4367df002512d274131dc3d97cfa52d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0FC.tmp\[email protected]\install.rdf
Filesize
592B

MD5
7bd080ddb721545b62477e814718a611

SHA1
f6cb174e79a401586bf6193c8ef0b9a39cd2b31b

SHA256
0a3f133c940edc4eba046b5846942191a9bd4f856cf74b58134480d151175e63

SHA512
04339bf0a8e2c2993e0c1fdc2e9296dc39c7d8237b484764bb09c18b3cfb193c1ed33a7bb2ea0863d88906294a7902182c8ab1e1d146d770773c4d52e619291f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0FC.tmp\ogljhocnejdjhfbkgblkfkkhkonmgcbh\background.html
Filesize
144B

MD5
3ebd605fed4dd95a6a29c9c579cd7dff

SHA1
dc66bd276e38a2e377cafac2e6cbf5ae880e9317

SHA256
471ae64f1b21ad08d06b13c90d79189b65af1fc8c34e785074f865a1dc372e48

SHA512
a5fa414149832fb064174245017798c431f322452c8a3cfd26d7e50ac2548094c903074d1acdec84d61043ebf74fe8697721a2b565a0bcfd10a6e89a52186c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0FC.tmp\ogljhocnejdjhfbkgblkfkkhkonmgcbh\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0FC.tmp\ogljhocnejdjhfbkgblkfkkhkonmgcbh\jtHibdS.js
Filesize
6KB

MD5
0cca3cb971e615ac05d4fd235265ebd8

SHA1
b8ce46190f20cb28841c90774ddd4951fe0545e4

SHA256
cf68534e57d3e123f25a0a87f2f5759a798d796c355d5677be0263ee182dd456

SHA512
d487c9cef20ea5d7f169cdc6cab14944f76b6163ddd748e68166b75d4abe4b8503fa6d361349e332c4a2382c9feca9097171bd98e4f0edfa44244ae95311c28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0FC.tmp\ogljhocnejdjhfbkgblkfkkhkonmgcbh\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0FC.tmp\ogljhocnejdjhfbkgblkfkkhkonmgcbh\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/4912-132-0x0000000000000000-mapping.dmp

Download