c417261408aca2c15215c9db37df82354825ad8064731b55ff2faf1cd5ca6486

Analysis

max time kernel
154s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c417261408aca2c15215c9db37df82354825ad8064731b55ff2faf1cd5ca6486.exe
Size

920KB
MD5

8a2e39cdf7b0cc09428a631caa9e33bf
SHA1

c0de6c620dfa8eee3c15a19f70d568195f7b4495
SHA256

c417261408aca2c15215c9db37df82354825ad8064731b55ff2faf1cd5ca6486
SHA512

22c5750fdb01d4bb0b9e9a7b9299737ee51352fbf6ac78aae6aac46e02e36af888e1159f894c69d16be42ba0c3a1fb877df80f3bf5336e451de567c8695a24e0
SSDEEP

24576:h1OYdaOkMtdHAqcdDVhYwiei7+EpFAh/kKA:h1OsFPHVmVhYwiLtKkKA

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

VJKfgxxOfpOMjcu.exe

pid process

216 VJKfgxxOfpOMjcu.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

VJKfgxxOfpOMjcu.exe

description	ioc	process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\caajfokmfcbolfbhmokmooipfkfnpcdk\2.0\manifest.json	VJKfgxxOfpOMjcu.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\caajfokmfcbolfbhmokmooipfkfnpcdk\2.0\manifest.json	VJKfgxxOfpOMjcu.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\caajfokmfcbolfbhmokmooipfkfnpcdk\2.0\manifest.json	VJKfgxxOfpOMjcu.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\caajfokmfcbolfbhmokmooipfkfnpcdk\2.0\manifest.json	VJKfgxxOfpOMjcu.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\caajfokmfcbolfbhmokmooipfkfnpcdk\2.0\manifest.json	VJKfgxxOfpOMjcu.exe

Drops file in System32 directory 4 IoCs

Processes:

VJKfgxxOfpOMjcu.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	VJKfgxxOfpOMjcu.exe
File opened for modification	C:\Windows\System32\GroupPolicy	VJKfgxxOfpOMjcu.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	VJKfgxxOfpOMjcu.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	VJKfgxxOfpOMjcu.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

VJKfgxxOfpOMjcu.exe

pid	process
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe
216	VJKfgxxOfpOMjcu.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

VJKfgxxOfpOMjcu.exe

description	pid	process
Token: SeDebugPrivilege	216	VJKfgxxOfpOMjcu.exe
Token: SeDebugPrivilege	216	VJKfgxxOfpOMjcu.exe
Token: SeDebugPrivilege	216	VJKfgxxOfpOMjcu.exe
Token: SeDebugPrivilege	216	VJKfgxxOfpOMjcu.exe
Token: SeDebugPrivilege	216	VJKfgxxOfpOMjcu.exe
Token: SeDebugPrivilege	216	VJKfgxxOfpOMjcu.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c417261408aca2c15215c9db37df82354825ad8064731b55ff2faf1cd5ca6486.exe

description	pid	process	target process
PID 1368 wrote to memory of 216	1368	c417261408aca2c15215c9db37df82354825ad8064731b55ff2faf1cd5ca6486.exe	VJKfgxxOfpOMjcu.exe
PID 1368 wrote to memory of 216	1368	c417261408aca2c15215c9db37df82354825ad8064731b55ff2faf1cd5ca6486.exe	VJKfgxxOfpOMjcu.exe
PID 1368 wrote to memory of 216	1368	c417261408aca2c15215c9db37df82354825ad8064731b55ff2faf1cd5ca6486.exe	VJKfgxxOfpOMjcu.exe

C:\Users\Admin\AppData\Local\Temp\c417261408aca2c15215c9db37df82354825ad8064731b55ff2faf1cd5ca6486.exe
"C:\Users\Admin\AppData\Local\Temp\c417261408aca2c15215c9db37df82354825ad8064731b55ff2faf1cd5ca6486.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\7zS17DD.tmp\VJKfgxxOfpOMjcu.exe
.\VJKfgxxOfpOMjcu.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS17DD.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17DD.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
3758d65237b966ef37038a6a8ac40de9

SHA1
1637f81ad027ce8064b565fb89719656069818f1

SHA256
69e1f208518a54d6cc2256e63e6399a0408262d4be2df5257407defa45dd147d

SHA512
97dbb1a86316c050a532d4ec1da0300947f0e11a91e2ab0588817b8f710840d06c6a8ff2a4ec62e50a8c54746f3b0d2515004a917c3ba158257babd432aed2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17DD.tmp\[email protected]\content\bg.js
Filesize
8KB

MD5
578a3bab61f5cf481c1e476acf360dbb

SHA1
71d10a862609892b14a4d64c45d158b6bdf6d1fc

SHA256
7c855755ae16df74a06c02c2461d52795c5dbda294a6e62f027980cb1c8fb3c3

SHA512
7921c664e05c4ff5f839062c1e88787d0beba0561aea5984b8416e4acaae29229e66a908e74a9cc3d26664c266298116951b7415ea5941edda4d65d6da52cfb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17DD.tmp\[email protected]\install.rdf
Filesize
593B

MD5
1da45cee9dbfe2c55256f2069cee3a59

SHA1
665d5c4d34cbd0cdeea9dc2758ba57fa9a4f290c

SHA256
c2a35428771aa52295de230e1bd70471d12c49a54462b51000eb3a448ede5fd8

SHA512
70d21b6422f5feb8573b891878f0a70b38ca663ad12957a2b3ff323df9548eb8757559f2330e8a9aef55479edb61873fb88e333a4384be2a175a1b362f23e99d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17DD.tmp\VJKfgxxOfpOMjcu.dat
Filesize
1KB

MD5
3a050adf1e8f04a9bb4da4ea692a2e71

SHA1
fccdb5d58b01ed1e1713ed428d122f3d88bb4cfb

SHA256
5579741f35fc66cd46bc44770523e0d7d88a4a50cc5465ccdaa13a05dd36137d

SHA512
1ad79c43bdae5c8f26176704a772bcac1435abed570c1fbccad9c3c863d74f23be52cbc6d39683d80fbdd836fb5436b35cc0a321470dc98b2d54c8263ed6016e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17DD.tmp\VJKfgxxOfpOMjcu.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17DD.tmp\VJKfgxxOfpOMjcu.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17DD.tmp\caajfokmfcbolfbhmokmooipfkfnpcdk\J76Jr.js
Filesize
6KB

MD5
f987252de6ad5cbe4d48077d111786bc

SHA1
249639a331100127a86d448b2fe535ebf6d50a05

SHA256
84c632e6cc25f37900242471d663b1653246ab8eccccd2f652904651482bbe5b

SHA512
c624ec12af22d7817c69183e74e39a2b181b6e1d3e150454a02af945a3b60bcb26e06836dac81cc8d08070ad13582ff83bbad50abb9730cba979208a315946e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17DD.tmp\caajfokmfcbolfbhmokmooipfkfnpcdk\background.html
Filesize
142B

MD5
9522ae64cb6ad438c8f9f1438162e645

SHA1
b96571ace62a29e1e6687ace4eb55c28fe042c5d

SHA256
312615b703fd659567af5d64452f3290cd9264d0a04e9a99a883974844ef5eb9

SHA512
c86129ca4c6101f97a0f62d95d3992a242ff9551d56d5ebb270dcbdb49366be5d9f028bfda05d29d6c3d7e97acd0c48565c298702212e6f40f23161f5ce5e8f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17DD.tmp\caajfokmfcbolfbhmokmooipfkfnpcdk\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17DD.tmp\caajfokmfcbolfbhmokmooipfkfnpcdk\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS17DD.tmp\caajfokmfcbolfbhmokmooipfkfnpcdk\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/216-132-0x0000000000000000-mapping.dmp

Download