Analysis
-
max time kernel
145s
-
max time network
155s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220812-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted
24-11-2022 19:45
Static task
static1
Behavioral task
behavioral1
Sample
c16aac11f21a4be27357c152fb575febff640e11f51bb0014033f76966052f32.exe
Resource
win7-20220812-en
General
-
Target
c16aac11f21a4be27357c152fb575febff640e11f51bb0014033f76966052f32.exe
-
Size
932KB
-
MD5
4c7c62baac5d7ec575c164a033b3d7df
-
SHA1
d5551cfe79abf52b71f1aaf5c725ba7a7cdb18a6
-
SHA256
c16aac11f21a4be27357c152fb575febff640e11f51bb0014033f76966052f32
-
SHA512
6e9ad710a3d0d690cc3dc898507600ee619ec499d24da6a93f09e93124cbd5325937e276b3c57f0eb617561f79d21934d858aa71f18d152b8e0dbff5b9e8fbae
-
SSDEEP
24576:h1OYdaOyCZ/iWCvu/2sWsJA/jlt+DHhsQ:h1OsoCpYO/dJJDHhsQ
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
6zCboaJAS2HnCXM.exe
pid process
544 6zCboaJAS2HnCXM.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 5 IoCs
Processes:
6zCboaJAS2HnCXM.exe
description ioc process
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgmcbbakkdjhdmhobjpmmboncennmhdj\2.0\manifest.json 6zCboaJAS2HnCXM.exe
File created C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgmcbbakkdjhdmhobjpmmboncennmhdj\2.0\manifest.json 6zCboaJAS2HnCXM.exe
File created C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgmcbbakkdjhdmhobjpmmboncennmhdj\2.0\manifest.json 6zCboaJAS2HnCXM.exe
File created C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgmcbbakkdjhdmhobjpmmboncennmhdj\2.0\manifest.json 6zCboaJAS2HnCXM.exe
File created C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgmcbbakkdjhdmhobjpmmboncennmhdj\2.0\manifest.json 6zCboaJAS2HnCXM.exe
-
Drops file in System32 directory 4 IoCs
Processes:
6zCboaJAS2HnCXM.exe
description ioc process
File opened for modification C:\Windows\System32\GroupPolicy 6zCboaJAS2HnCXM.exe
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini 6zCboaJAS2HnCXM.exe
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol 6zCboaJAS2HnCXM.exe
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI 6zCboaJAS2HnCXM.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
6zCboaJAS2HnCXM.exe
pid process
544 6zCboaJAS2HnCXM.exe (20 identical entries)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
6zCboaJAS2HnCXM.exe
description pid process
Token: SeDebugPrivilege 544 6zCboaJAS2HnCXM.exe (6 identical entries)
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
c16aac11f21a4be27357c152fb575febff640e11f51bb0014033f76966052f32.exe
description pid process target process
PID 4656 wrote to memory of 544 4656 c16aac11f21a4be27357c152fb575febff640e11f51bb0014033f76966052f32.exe 6zCboaJAS2HnCXM.exe (3 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\c16aac11f21a4be27357c152fb575febff640e11f51bb0014033f76966052f32.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c16aac11f21a4be27357c152fb575febff640e11f51bb0014033f76966052f32.exe"
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\7zS7C97.tmp\6zCboaJAS2HnCXM.exe (child of the process above)
    command line: .\6zCboaJAS2HnCXM.exe
    - Executes dropped EXE
    - Drops Chrome extension
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
-
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zS7C97.tmp\6zCboaJAS2HnCXM.dat
Filesize 1KB
MD5 d5cbf5c1f1f964a9e01c1f38fdac31c4
SHA1 e3dc245cfd4d7ca3cf1e1f7145ca5a1fa3ed782b
SHA256 98a3b33bc930e08fb0f932d436b9f84fc41a199892b1f7437b96957df8e01ca5
SHA512 1a9e32cbcf0b4180b53e4ed1324094163ec960b64b77f29cad43ae3386617fbe36c649427567f52f6898d8905a3c4f4024b33f6aba95ceca6b09173b12233727
-
C:\Users\Admin\AppData\Local\Temp\7zS7C97.tmp\6zCboaJAS2HnCXM.exe
Filesize 772KB
MD5 5ed7019dcd0008dbcd8e54017b8c7dd9
SHA1 7e4457da2ff06c2170bad636c9eb7c1bb436fd06
SHA256 7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7
SHA512 10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db
-
C:\Users\Admin\AppData\Local\Temp\7zS7C97.tmp\OkF@bZ4.edu\bootstrap.js
Filesize 2KB
MD5 df13f711e20e9c80171846d4f2f7ae06
SHA1 56d29cda58427efe0e21d3880d39eb1b0ef60bee
SHA256 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
SHA512 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e
-
C:\Users\Admin\AppData\Local\Temp\7zS7C97.tmp\OkF@bZ4.edu\chrome.manifest
Filesize 35B
MD5 d96cda1116550b7aefcef4ff1f8f6a3b
SHA1 a375b949a77cd982a40fbdf294f408f8cb414d77
SHA256 87e058c8d86db3aad3434016b3c7e35c53ccb904125aa93ae5273b9161d42ca3
SHA512 3b0242523163ad7d8c0de4201a583ef68efbe54e094829c4bcbe5d5ca738e30c3949f0c3898de4d45d1370195ad33808acd14e1a4ad4653e949b7e8b5fdc935e
-
C:\Users\Admin\AppData\Local\Temp\7zS7C97.tmp\OkF@bZ4.edu\content\bg.js
Filesize 9KB
MD5 35d20461a34d51e2f98fad4e3c74b110
SHA1 738708f96dab0bb4451739025a366aafef23db39
SHA256 405b5a990f4c0f6c5c8ed24b3fd6d3a36a5e04590423d7a5a71e4a3dba851585
SHA512 bfdfc14d1aa229c5ef0d2c713ae5ef8705dba36f50f74ab8f3f42726941d3521998564daf9561fe1f069b0fec8ac609460149fbdc954ddfa180d30547e391af6
-
C:\Users\Admin\AppData\Local\Temp\7zS7C97.tmp\OkF@bZ4.edu\install.rdf
Filesize 593B
MD5 4695733da871744bb7f7ada679749c87
SHA1 0be1d89058cc0432c535a954397e751b0fb1181d
SHA256 243fa4cd5c44180a0d816fe939415d7b74b3ca99cafe6b5b6f9ab34593d5148f
SHA512 e0e96fcbe53f3b1bb07d395c2665e17de56acddb026b6a37554f77d3de3115d015b48e87ffd8312f22e8cae87e2f046aaee7cc9b3abe8996ff23425663b154a7
-
C:\Users\Admin\AppData\Local\Temp\7zS7C97.tmp\bgmcbbakkdjhdmhobjpmmboncennmhdj\B.js
Filesize 6KB
MD5 64eed53f43163e4b6c3e47d0e0e29d46
SHA1 daff863b1fd8e39f526116042d19b0af27decbef
SHA256 954016cdb255d7f6c2b16764b35a3bccc6a81b82638da91b2c32bd6964b1dc6f
SHA512 a2dfee31796f9bc2e29464c32ed83b41ff6e94dc3ec9d625b53f6e6b6e9c6b34563d49f1ef5a2b930cc319dbec6868c7f8628849c9248bbb9f6b539e874858bd
-
C:\Users\Admin\AppData\Local\Temp\7zS7C97.tmp\bgmcbbakkdjhdmhobjpmmboncennmhdj\background.html
Filesize 138B
MD5 ecc7692f5e5d2ac328b6585fbffef9bb
SHA1 05a55705ab0a85a481fab94ef4ab98745e0e54ae
SHA256 c46d8b1e0a0b08d8eeeec335402bfdec048efc95255c26cff2cd552453b77f09
SHA512 369956733c512f7174e7d51ee8f498f95b39dc3f4f8574f5c7a11ca8871f6b3855a7496d19d8d070b68f4f13e9bc745ba317ecabd92aea9b351db9957450f6de
-
C:\Users\Admin\AppData\Local\Temp\7zS7C97.tmp\bgmcbbakkdjhdmhobjpmmboncennmhdj\content.js
Filesize 144B
MD5 fca19198fd8af21016a8b1dec7980002
SHA1 fd01a47d14004e17a625efe66cc46a06c786cf40
SHA256 332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
SHA512 60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47
-
C:\Users\Admin\AppData\Local\Temp\7zS7C97.tmp\bgmcbbakkdjhdmhobjpmmboncennmhdj\lsdb.js
Filesize 531B
MD5 36d98318ab2b3b2585a30984db328afb
SHA1 f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
SHA256 ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
SHA512 6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a
-
C:\Users\Admin\AppData\Local\Temp\7zS7C97.tmp\bgmcbbakkdjhdmhobjpmmboncennmhdj\manifest.json
Filesize 498B
MD5 640199ea4621e34510de919f6a54436f
SHA1 dc65dbfad02bd2688030bd56ca1cab85917a9937
SHA256 e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af
SHA512 d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a
-
memory/544-132-0x0000000000000000-mapping.dmp