c39b4b5efd208b26e979fd6972519981bb30d4aab9481ac1f7b11f0757101886

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c39b4b5efd208b26e979fd6972519981bb30d4aab9481ac1f7b11f0757101886.exe
Size

920KB
MD5

25ff3c5685267041b9b5631a0930068a
SHA1

61cf24ea5689430d638a75cabd57843d1f5f4e41
SHA256

c39b4b5efd208b26e979fd6972519981bb30d4aab9481ac1f7b11f0757101886
SHA512

d2245d68697db28428b7ba3ac8210f7e056ba19aae42a51c8ba370de3afd0d99ba0ea6cd6855f0075d9da043db3a15778bcd3f8115eaaf8380d4d72199ecc4b9
SSDEEP

24576:h1OYdaOVMtdHAqcdDVhYwiei7+EpFAh/kK6:h1Os0PHVmVhYwiLtKkK6

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

MYIJbE3CvC4ls6Q.exe

pid process

3468 MYIJbE3CvC4ls6Q.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

MYIJbE3CvC4ls6Q.exe

description	ioc	process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjglkecioaijcejllkclcgjclldldein\1.3\manifest.json	MYIJbE3CvC4ls6Q.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjglkecioaijcejllkclcgjclldldein\1.3\manifest.json	MYIJbE3CvC4ls6Q.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjglkecioaijcejllkclcgjclldldein\1.3\manifest.json	MYIJbE3CvC4ls6Q.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjglkecioaijcejllkclcgjclldldein\1.3\manifest.json	MYIJbE3CvC4ls6Q.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjglkecioaijcejllkclcgjclldldein\1.3\manifest.json	MYIJbE3CvC4ls6Q.exe

Drops file in System32 directory 4 IoCs

Processes:

MYIJbE3CvC4ls6Q.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	MYIJbE3CvC4ls6Q.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	MYIJbE3CvC4ls6Q.exe
File opened for modification	C:\Windows\System32\GroupPolicy	MYIJbE3CvC4ls6Q.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	MYIJbE3CvC4ls6Q.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

MYIJbE3CvC4ls6Q.exe

pid	process
3468	MYIJbE3CvC4ls6Q.exe
3468	MYIJbE3CvC4ls6Q.exe
3468	MYIJbE3CvC4ls6Q.exe
3468	MYIJbE3CvC4ls6Q.exe
3468	MYIJbE3CvC4ls6Q.exe
3468	MYIJbE3CvC4ls6Q.exe
3468	MYIJbE3CvC4ls6Q.exe
3468	MYIJbE3CvC4ls6Q.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c39b4b5efd208b26e979fd6972519981bb30d4aab9481ac1f7b11f0757101886.exe

description	pid	process	target process
PID 3460 wrote to memory of 3468	3460	c39b4b5efd208b26e979fd6972519981bb30d4aab9481ac1f7b11f0757101886.exe	MYIJbE3CvC4ls6Q.exe
PID 3460 wrote to memory of 3468	3460	c39b4b5efd208b26e979fd6972519981bb30d4aab9481ac1f7b11f0757101886.exe	MYIJbE3CvC4ls6Q.exe
PID 3460 wrote to memory of 3468	3460	c39b4b5efd208b26e979fd6972519981bb30d4aab9481ac1f7b11f0757101886.exe	MYIJbE3CvC4ls6Q.exe

C:\Users\Admin\AppData\Local\Temp\c39b4b5efd208b26e979fd6972519981bb30d4aab9481ac1f7b11f0757101886.exe
"C:\Users\Admin\AppData\Local\Temp\c39b4b5efd208b26e979fd6972519981bb30d4aab9481ac1f7b11f0757101886.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3460

C:\Users\Admin\AppData\Local\Temp\7zS6834.tmp\MYIJbE3CvC4ls6Q.exe
.\MYIJbE3CvC4ls6Q.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS6834.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6834.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
fe656b4e458f3ff7d187edd9dc406606

SHA1
b494b978053f37f1773a42415d5fbf5e2fe416c7

SHA256
46fccbe0a936a429ae850c0bd83c747bf21bf218208ea6f179cf1006a336f0d0

SHA512
2ba7ee2342de2cf5c566566f13aa0af82925c5f0b935ec507167d97a4088941d4e8eb5c5083639947cd435c31124ccab33e43228119190ea1f36b36c02dfb4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6834.tmp\[email protected]\content\bg.js
Filesize
9KB

MD5
51e440ed67b5d4a5498bd79d98b2f330

SHA1
ebb71d54922261117c830cee1d850dd310a076a5

SHA256
5bd6aa35e284778d9483157d1725e1e342928e479e3e0abbf2dcb2784975b108

SHA512
f250a4b595600f81f7f4b66127203d54ecf9671f34e9f1c2cb80526c6b1596c58247ffad101facd0230a37bd25e857927b3a306f0f53226e5a02fe9173b6da33

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6834.tmp\[email protected]\install.rdf
Filesize
591B

MD5
284ebb8b1a54203f33c8470c717e7fba

SHA1
f71769f61b129b10a4279186b5f8586c8501c901

SHA256
76b1bc9c77a4860da4bf68cb0225bef88d1ae46b1cde55a57a1fb6af37b1512f

SHA512
29b373db8bbacf8bf50664ebadefc86f29bfdb57fc2a546857d8f244db83470fd83cbe4dc28a2c9d9c043c045783a052ff1947769d8b20d500703807af0d626d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6834.tmp\MYIJbE3CvC4ls6Q.dat
Filesize
1KB

MD5
dd47e204b9cf4105950bc8b765a22e1f

SHA1
7c625e7efc3ecfcbf0d187973a20187732bbba97

SHA256
81ea64c5f89eba38c84511466a6f6a8233be55ba33ede8748aeea1402ea7422d

SHA512
d5c053efe67f545799be6b0629e5778241b5845494629c249a6e313e2e22e77d58659dedb9e2254c393fab69d76e34deca4fdbf32df6031cfdba60e49ad79475

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6834.tmp\MYIJbE3CvC4ls6Q.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6834.tmp\MYIJbE3CvC4ls6Q.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6834.tmp\kjglkecioaijcejllkclcgjclldldein\background.html
Filesize
138B

MD5
6ca1f3fddeec7313fa21a469a4c755d6

SHA1
6eedf483402befcfc5f6fd7a3024035e11f65323

SHA256
f7ff1a0b874563366f143b43ef597bb205748c382c88189a7c858561a60f0525

SHA512
6317b4b0b47a8afb028bd7f54efe9bc0f5ab5d9740e579daaa06269257b0ad680c13a807098156a01c0f763f095219a69fc88cda9608df0e1fef058af93dac24

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6834.tmp\kjglkecioaijcejllkclcgjclldldein\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6834.tmp\kjglkecioaijcejllkclcgjclldldein\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6834.tmp\kjglkecioaijcejllkclcgjclldldein\manifest.json
Filesize
498B

MD5
664e2884e17f23553a19eee317642194

SHA1
a28ccc088d6b6692646150f3e8f111e568723fb4

SHA256
ee4ef853224cde2aa7e54351c02bc811af939202b82e19cbd1cc011fc3565191

SHA512
b2cef8c4dfb6a0648f21c53393b982c9171d8a0344a94970c13866ebd2870de2cd99dab5984000b10802c54a748230104c7997c3d2cd3ac5e97c9355a4cb7ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6834.tmp\kjglkecioaijcejllkclcgjclldldein\t.js
Filesize
6KB

MD5
0a08cdae23103a5e13dd86dbc66861ea

SHA1
5db89995fd06feab32d6c97bc700786692d7ff6f

SHA256
6a31af106003f932799d5670390eb2812ad1b9cfe3de62758deca64c69edc5f3

SHA512
1aacece6d0f193dc633fa41d582d15c605ddff2ab33a2306f500662fb4ce2f3d175f4f0b7542614352adb9b5285bc1fe4e2d94d735a916aa108e81f973ff8609

Download Submit
memory/3468-132-0x0000000000000000-mapping.dmp

Download