Analysis
- max time kernel: 13s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 19:43

Static task: static1
Behavioral task: behavioral1
Sample: c231d8ef5095335b52c5cc628afe8bc2fa96fffed105db94fe7067b1fe113f7e.exe
Resource: win7-20221111-en
General
- Target: c231d8ef5095335b52c5cc628afe8bc2fa96fffed105db94fe7067b1fe113f7e.exe
- Size: 920KB
- MD5: c56697b642bbdebb35d2ff369965259e
- SHA1: 58f301855e411858836b6ccb5bc01e272f34fc07
- SHA256: c231d8ef5095335b52c5cc628afe8bc2fa96fffed105db94fe7067b1fe113f7e
- SHA512: 47124e0ea89766c1222031511c5ed535a796808837876b77fc0534d19ca70e35588c9ee3c1f00e4a6d0714adf0ea7bf3ce4c2d5e3adfb6a1194fa953ae159a15
- SSDEEP: 24576:h1OYdaO2MtdHAqcdDVhYwiei7+EpFAh/kKb:h1OsDPHVmVhYwiLtKkKb
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 928 trU4fdsI2SAdRGC.exe
- Loads dropped DLL (1 IoC)
  Processes: PID 932 c231d8ef5095335b52c5cc628afe8bc2fa96fffed105db94fe7067b1fe113f7e.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, such as saved credentials.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension (3 IoCs)
  Process trU4fdsI2SAdRGC.exe created:
  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bknbdhoghbpojncgochbenphjpidgepm\2.0\manifest.json
  C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bknbdhoghbpojncgochbenphjpidgepm\2.0\manifest.json
  C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\bknbdhoghbpojncgochbenphjpidgepm\2.0\manifest.json
- Drops file in System32 directory (4 IoCs)
  Process trU4fdsI2SAdRGC.exe:
  File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol
  File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI
  File opened for modification C:\Windows\System32\GroupPolicy
  File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: PID 928 trU4fdsI2SAdRGC.exe (10 events)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: PID 928 trU4fdsI2SAdRGC.exe, Token: SeDebugPrivilege (6 events)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 932 c231d8ef5095335b52c5cc628afe8bc2fa96fffed105db94fe7067b1fe113f7e.exe wrote to memory of PID 928 trU4fdsI2SAdRGC.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\c231d8ef5095335b52c5cc628afe8bc2fa96fffed105db94fe7067b1fe113f7e.exe (PID 932)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c231d8ef5095335b52c5cc628afe8bc2fa96fffed105db94fe7067b1fe113f7e.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zSA6AC.tmp\trU4fdsI2SAdRGC.exe (PID 928, child of PID 932)
    Command line: .\trU4fdsI2SAdRGC.exe
    - Executes dropped EXE
    - Drops Chrome extension
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7zSA6AC.tmp\1TYZnrZla@8v.com\bootstrap.js (2KB)
- C:\Users\Admin\AppData\Local\Temp\7zSA6AC.tmp\1TYZnrZla@8v.com\chrome.manifest (35B)
- C:\Users\Admin\AppData\Local\Temp\7zSA6AC.tmp\1TYZnrZla@8v.com\content\bg.js (8KB)
- C:\Users\Admin\AppData\Local\Temp\7zSA6AC.tmp\1TYZnrZla@8v.com\install.rdf (598B)
- C:\Users\Admin\AppData\Local\Temp\7zSA6AC.tmp\bknbdhoghbpojncgochbenphjpidgepm\background.html (144B)
- C:\Users\Admin\AppData\Local\Temp\7zSA6AC.tmp\bknbdhoghbpojncgochbenphjpidgepm\content.js (144B)
- C:\Users\Admin\AppData\Local\Temp\7zSA6AC.tmp\bknbdhoghbpojncgochbenphjpidgepm\lsdb.js (531B)
- C:\Users\Admin\AppData\Local\Temp\7zSA6AC.tmp\bknbdhoghbpojncgochbenphjpidgepm\manifest.json (498B)
- C:\Users\Admin\AppData\Local\Temp\7zSA6AC.tmp\bknbdhoghbpojncgochbenphjpidgepm\nQUIh9b.js (6KB)
- C:\Users\Admin\AppData\Local\Temp\7zSA6AC.tmp\trU4fdsI2SAdRGC.dat (1KB)
- C:\Users\Admin\AppData\Local\Temp\7zSA6AC.tmp\trU4fdsI2SAdRGC.exe (760KB)
- memory/928-56-0x0000000000000000-mapping.dmp
- memory/932-54-0x0000000075D01000-0x0000000075D03000-memory.dmp (8KB)