c39b97f96b83eff44e0b38cd393194857b408e0bb641ab93153300f975c5a685

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c39b97f96b83eff44e0b38cd393194857b408e0bb641ab93153300f975c5a685.exe
Size

931KB
MD5

4457d7f4cbaf3b448ddbd21aae568181
SHA1

8ff430bb5c5619e8c0c350da4da4f9cc7a4a3418
SHA256

c39b97f96b83eff44e0b38cd393194857b408e0bb641ab93153300f975c5a685
SHA512

9251a6a8818b683fe4825b1ffbbaba70cc01b7c1215a31fc5cc19b0afd190913b19caa193eac67508ee9be9d627b0e264c8d58f59c01baa8541653317b4b979e
SSDEEP

24576:h1OYdaORCZ/iWCvu/2sWsJA/jlt+DHhs1:h1OsXCpYO/dJJDHhs1

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

XuOpQt51hMpSnJM.exe

pid process

4024 XuOpQt51hMpSnJM.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

XuOpQt51hMpSnJM.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmflnbhgkenojdopfojkcdelfpkgkdha\2.0\manifest.json	XuOpQt51hMpSnJM.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmflnbhgkenojdopfojkcdelfpkgkdha\2.0\manifest.json	XuOpQt51hMpSnJM.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmflnbhgkenojdopfojkcdelfpkgkdha\2.0\manifest.json	XuOpQt51hMpSnJM.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmflnbhgkenojdopfojkcdelfpkgkdha\2.0\manifest.json	XuOpQt51hMpSnJM.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmflnbhgkenojdopfojkcdelfpkgkdha\2.0\manifest.json	XuOpQt51hMpSnJM.exe

Drops file in System32 directory 4 IoCs

Processes:

XuOpQt51hMpSnJM.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	XuOpQt51hMpSnJM.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	XuOpQt51hMpSnJM.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	XuOpQt51hMpSnJM.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	XuOpQt51hMpSnJM.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

XuOpQt51hMpSnJM.exe

pid	process
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe
4024	XuOpQt51hMpSnJM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

XuOpQt51hMpSnJM.exe

description	pid	process
Token: SeDebugPrivilege	4024	XuOpQt51hMpSnJM.exe
Token: SeDebugPrivilege	4024	XuOpQt51hMpSnJM.exe
Token: SeDebugPrivilege	4024	XuOpQt51hMpSnJM.exe
Token: SeDebugPrivilege	4024	XuOpQt51hMpSnJM.exe
Token: SeDebugPrivilege	4024	XuOpQt51hMpSnJM.exe
Token: SeDebugPrivilege	4024	XuOpQt51hMpSnJM.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c39b97f96b83eff44e0b38cd393194857b408e0bb641ab93153300f975c5a685.exe

description	pid	process	target process
PID 2168 wrote to memory of 4024	2168	c39b97f96b83eff44e0b38cd393194857b408e0bb641ab93153300f975c5a685.exe	XuOpQt51hMpSnJM.exe
PID 2168 wrote to memory of 4024	2168	c39b97f96b83eff44e0b38cd393194857b408e0bb641ab93153300f975c5a685.exe	XuOpQt51hMpSnJM.exe
PID 2168 wrote to memory of 4024	2168	c39b97f96b83eff44e0b38cd393194857b408e0bb641ab93153300f975c5a685.exe	XuOpQt51hMpSnJM.exe

C:\Users\Admin\AppData\Local\Temp\c39b97f96b83eff44e0b38cd393194857b408e0bb641ab93153300f975c5a685.exe
"C:\Users\Admin\AppData\Local\Temp\c39b97f96b83eff44e0b38cd393194857b408e0bb641ab93153300f975c5a685.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Local\Temp\7zSB904.tmp\XuOpQt51hMpSnJM.exe
.\XuOpQt51hMpSnJM.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSB904.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB904.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
2902c0c329f2875df8c10ac846ad2924

SHA1
c64d32bb5a27a1c07ce8cc634d2000cd6ac18fe7

SHA256
8ef0206fed4585d689498f11e72afa49e4aaab6416d5152150d6e42bc5c4c38d

SHA512
556d6c895d1dc80b6595066fea0665d676046373acdba06e94f36598cf2e55d44e47be56237723c3075189fe641530a33fe3f65091dfe0b840d2dae09cd1cb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB904.tmp\[email protected]\content\bg.js
Filesize
8KB

MD5
1ec87b49011ba775e287578a3bf2b1f6

SHA1
32303efa7c81705f2a234b365ac7f34ad3d33f31

SHA256
073ae2d81f368177243d9d5c94c30a43c7f616da7a5f25fbecd6d7a53f482c61

SHA512
bc3d2be79e83a1e69f594ee54bdd2f03df3b33a0289aea02e7d5b13465f730ba0279b900a02b888b4ae643eaeb8b81221beddbf4e4b13f26f5580f10317e8304

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB904.tmp\[email protected]\install.rdf
Filesize
595B

MD5
7dd2e02b0b6a915cb69d9ebbe1af692f

SHA1
93aed61b52ce6a417bd835e128e07ba776fd3621

SHA256
e6296899669cd40109e89619b5b7ebb1b10edb70784704530bd84fcc94dc69f7

SHA512
144adebf14f5338354823f6f2923b781393720b3f398df06e7fb5c02711c04ae8bef98ed52f9800cf4b062a4bf1f8375432e21e6bbd87d86c8172eb7c2038f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB904.tmp\XuOpQt51hMpSnJM.dat
Filesize
1KB

MD5
94aeefe531edab579bbbeb34641c41f4

SHA1
a464ab99520c6f5402d306ea0223e1d83e3c0b31

SHA256
a5856af18b20bd9ee7017dace697a78baa12492c168fa05417d049f7d660db98

SHA512
edc952e617312a02e7f883df95223e732835f2ae7733cd41eed5db3630d7f398efb313e14245def0cc69b88d1c44c55d796e9c3ac4146707252dff2932aa7074

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB904.tmp\XuOpQt51hMpSnJM.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB904.tmp\XuOpQt51hMpSnJM.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB904.tmp\pmflnbhgkenojdopfojkcdelfpkgkdha\background.html
Filesize
141B

MD5
2ef541549ac3b8dab412e5c3c374b172

SHA1
2d84ca26b05a4e0f6d6bc140320b5bb137c87f76

SHA256
ddef55ff8cb3571cebd17d407e249caf1b24452cffcf47ecd1fca3126f450fea

SHA512
c6f104ac0cdf6f08873845b6e4f84e46651f2cba7113661f9af6ff4a6cb0bac74823f76fc8b6f0fddb9c2de96d44701d15c0d5caeee679fd0d709c43fc4b8a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB904.tmp\pmflnbhgkenojdopfojkcdelfpkgkdha\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB904.tmp\pmflnbhgkenojdopfojkcdelfpkgkdha\l7Xj.js
Filesize
6KB

MD5
e217038ed23959049257f098b4c62ffe

SHA1
be0505433746d4e5226aa43dbac362a7a8a9bb03

SHA256
35421f036dcc3ee2cc61817b7f5a545e4ca2639c0b8e89f724e506b15859129d

SHA512
cf15321460e612f3fe9e5ae9a6245e8b6993f83b9dde5869c8f422069904fa4da2798505bce37fcd731716bf8c12540f0cf95fbb511a6ad0e2314008d1e0de47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB904.tmp\pmflnbhgkenojdopfojkcdelfpkgkdha\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB904.tmp\pmflnbhgkenojdopfojkcdelfpkgkdha\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/4024-132-0x0000000000000000-mapping.dmp

Download