c40c5a7de894d69a07ef2dd13b966f7fcb6f4fff6f5710206a55a2aa1ba958da

Analysis

max time kernel
131s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c40c5a7de894d69a07ef2dd13b966f7fcb6f4fff6f5710206a55a2aa1ba958da.exe
Size

920KB
MD5

dfd73562fa26757580f27d8941ed53a5
SHA1

4dd1cc0d73c647b19f197f253c23c6030f8d7d83
SHA256

c40c5a7de894d69a07ef2dd13b966f7fcb6f4fff6f5710206a55a2aa1ba958da
SHA512

99c710042d1437a680aacd7cfd2fa5de85b105a41cd04e324f2e9a75dcc3a5390499ff9e42aa1c5bad388c3c9fa5b7b75290187e778e93d44edf86fb35eb678c
SSDEEP

24576:h1OYdaOmMtdHAqcdDVhYwiei7+EpFAh/kKK:h1Os7PHVmVhYwiLtKkKK

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Jzjb8SBVDiV0HSZ.exe

pid process

5036 Jzjb8SBVDiV0HSZ.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

Jzjb8SBVDiV0HSZ.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgdcpedhajpelpbpcejjlkodbbfcnfac\2.0\manifest.json	Jzjb8SBVDiV0HSZ.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgdcpedhajpelpbpcejjlkodbbfcnfac\2.0\manifest.json	Jzjb8SBVDiV0HSZ.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgdcpedhajpelpbpcejjlkodbbfcnfac\2.0\manifest.json	Jzjb8SBVDiV0HSZ.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgdcpedhajpelpbpcejjlkodbbfcnfac\2.0\manifest.json	Jzjb8SBVDiV0HSZ.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgdcpedhajpelpbpcejjlkodbbfcnfac\2.0\manifest.json	Jzjb8SBVDiV0HSZ.exe

Drops file in System32 directory 4 IoCs

Processes:

Jzjb8SBVDiV0HSZ.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	Jzjb8SBVDiV0HSZ.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Jzjb8SBVDiV0HSZ.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Jzjb8SBVDiV0HSZ.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Jzjb8SBVDiV0HSZ.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Jzjb8SBVDiV0HSZ.exe

pid	process
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe
5036	Jzjb8SBVDiV0HSZ.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Jzjb8SBVDiV0HSZ.exe

description	pid	process
Token: SeDebugPrivilege	5036	Jzjb8SBVDiV0HSZ.exe
Token: SeDebugPrivilege	5036	Jzjb8SBVDiV0HSZ.exe
Token: SeDebugPrivilege	5036	Jzjb8SBVDiV0HSZ.exe
Token: SeDebugPrivilege	5036	Jzjb8SBVDiV0HSZ.exe
Token: SeDebugPrivilege	5036	Jzjb8SBVDiV0HSZ.exe
Token: SeDebugPrivilege	5036	Jzjb8SBVDiV0HSZ.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c40c5a7de894d69a07ef2dd13b966f7fcb6f4fff6f5710206a55a2aa1ba958da.exe

description	pid	process	target process
PID 4972 wrote to memory of 5036	4972	c40c5a7de894d69a07ef2dd13b966f7fcb6f4fff6f5710206a55a2aa1ba958da.exe	Jzjb8SBVDiV0HSZ.exe
PID 4972 wrote to memory of 5036	4972	c40c5a7de894d69a07ef2dd13b966f7fcb6f4fff6f5710206a55a2aa1ba958da.exe	Jzjb8SBVDiV0HSZ.exe
PID 4972 wrote to memory of 5036	4972	c40c5a7de894d69a07ef2dd13b966f7fcb6f4fff6f5710206a55a2aa1ba958da.exe	Jzjb8SBVDiV0HSZ.exe

C:\Users\Admin\AppData\Local\Temp\c40c5a7de894d69a07ef2dd13b966f7fcb6f4fff6f5710206a55a2aa1ba958da.exe
"C:\Users\Admin\AppData\Local\Temp\c40c5a7de894d69a07ef2dd13b966f7fcb6f4fff6f5710206a55a2aa1ba958da.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\7zSE2D3.tmp\Jzjb8SBVDiV0HSZ.exe
.\Jzjb8SBVDiV0HSZ.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSE2D3.tmp\Jzjb8SBVDiV0HSZ.dat
Filesize
1KB

MD5
9daf6d175917159fd412bccfd1f9caa2

SHA1
f52d362c0bcc1a3d4e89918bededf2c2cd33f1f5

SHA256
a697110318f35f4fd49bbcd8daae39c13f6e0369f127dc5f7c23640f22865984

SHA512
b894ab5be2797fd53e30e42ed0aa75a6dc5d84d0a4495ea324bd97b83a55d06a9c36551f4838ba48bc791ac1aa4d2dbfd5c450e8be6e62b46062bfb84331fd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE2D3.tmp\Jzjb8SBVDiV0HSZ.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE2D3.tmp\Jzjb8SBVDiV0HSZ.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE2D3.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE2D3.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
694755ebdee38f9479e8979f944d7845

SHA1
99b81944ba804f0abc06611d0288a9b11b5f3ec1

SHA256
21f966f1db9595629a33ed813d85139e2db3870f0f7ebdab3c61f12620ab944e

SHA512
a05687ed163efe4d52a370cc4c28d907897dc24b160b7a8a0a04bab74de241a87f4b09899fa0e5cc9433c83dcad748953356be18b228591d975d9cae52303faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE2D3.tmp\[email protected]\content\bg.js
Filesize
9KB

MD5
e5d48d8ac1c67abc85f2cd45799ac418

SHA1
045be81a16d1392f939c720ea2fbf921cbbc947e

SHA256
27fa90466c1fa386db1eaec1f9d87b1a4755aaedd7999e0d7591c01e14f92964

SHA512
48538402db38fdabd01886228cc75f033afd5fce15865397e3c1342c0cfee86b646700756987b9c83c2df05384772292382b3fcf721ea0c2acc4d846d9e79101

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE2D3.tmp\[email protected]\install.rdf
Filesize
596B

MD5
d982f367236973a107c4efc92bbfe4b3

SHA1
af8841ae59b61a843a1bbae29a53a8c52ec0bbcc

SHA256
facd030028f13e668c710a18422f3e810b0984cf20a7a04468757efa6fe95102

SHA512
306017fdf05b38b4378b2add279b8b3d9c53f889c7b0a1c30694552f87b348e89d51860bf47959dc2c66433b93bc2a745144797a5817dc10fff94d00384c10fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE2D3.tmp\cgdcpedhajpelpbpcejjlkodbbfcnfac\background.html
Filesize
138B

MD5
b972c42d19ad291355009b55d5a7f2d9

SHA1
753a8b02deffbb8a3ce02d47e2b9ff55432da49f

SHA256
99f1bb13cd5c18f8480fe9ab54eef6f5d75801c133e8bd5a260536cfbdf93f21

SHA512
b1a480f39a01c31434dc14f1b51976be8f0f0e5371c5600e4cf055eb58a530b7fa7f0ac83fc98beed3eea35ef933d5d0fe25c84f28c76212ca69bc4576434cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE2D3.tmp\cgdcpedhajpelpbpcejjlkodbbfcnfac\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE2D3.tmp\cgdcpedhajpelpbpcejjlkodbbfcnfac\e.js
Filesize
6KB

MD5
0f25fdbad2e309856ee6c71603ec2103

SHA1
89e7203df836f6c76d67eaae8a1a52e548fba40f

SHA256
eb6e6822aca1fd3a68204c83d61e1d23db7a99d14113a730279e96fefe7bc5ea

SHA512
ba2e9d60d0cab77cc716284623951787bbdba526015d1c73475468570bcbfa7ac3eba6d48dffa437ee492460e1f2451b4d415bee2a7ffe023ff1d75067c2d6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE2D3.tmp\cgdcpedhajpelpbpcejjlkodbbfcnfac\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE2D3.tmp\cgdcpedhajpelpbpcejjlkodbbfcnfac\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/5036-132-0x0000000000000000-mapping.dmp

Download