c0e9493b49069a7ddfcc3387a5e562a716572aecafcca909a46d00f774c1af28

Analysis

max time kernel
173s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0e9493b49069a7ddfcc3387a5e562a716572aecafcca909a46d00f774c1af28.exe
Size

920KB
MD5

deabf0b75f125c75ce4c80010a98f4e2
SHA1

3bd8534eb0b9136628afc741a62ac29a44069291
SHA256

c0e9493b49069a7ddfcc3387a5e562a716572aecafcca909a46d00f774c1af28
SHA512

397b0d140db6edd4de6bf19d7518c692c8ad0d2d18caaf735a89d955b75d978c66a23f8f0afed330ddd8a37a900e01bcf6f3febf93cd67e87cb2673e7e5847fb
SSDEEP

24576:h1OYdaOoMtdHAqcdDVhYwiei7+EpFAh/kKh:h1OstPHVmVhYwiLtKkKh

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

gDI28GWHgcpqaON.exe

pid process

620 gDI28GWHgcpqaON.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

gDI28GWHgcpqaON.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\iccbeaghidnhgldmblmadppnlbahfhed\2.0\manifest.json	gDI28GWHgcpqaON.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\iccbeaghidnhgldmblmadppnlbahfhed\2.0\manifest.json	gDI28GWHgcpqaON.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\iccbeaghidnhgldmblmadppnlbahfhed\2.0\manifest.json	gDI28GWHgcpqaON.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\iccbeaghidnhgldmblmadppnlbahfhed\2.0\manifest.json	gDI28GWHgcpqaON.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\iccbeaghidnhgldmblmadppnlbahfhed\2.0\manifest.json	gDI28GWHgcpqaON.exe

Drops file in System32 directory 4 IoCs

Processes:

gDI28GWHgcpqaON.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	gDI28GWHgcpqaON.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	gDI28GWHgcpqaON.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	gDI28GWHgcpqaON.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	gDI28GWHgcpqaON.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

gDI28GWHgcpqaON.exe

pid	process
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe
620	gDI28GWHgcpqaON.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

gDI28GWHgcpqaON.exe

description	pid	process
Token: SeDebugPrivilege	620	gDI28GWHgcpqaON.exe
Token: SeDebugPrivilege	620	gDI28GWHgcpqaON.exe
Token: SeDebugPrivilege	620	gDI28GWHgcpqaON.exe
Token: SeDebugPrivilege	620	gDI28GWHgcpqaON.exe
Token: SeDebugPrivilege	620	gDI28GWHgcpqaON.exe
Token: SeDebugPrivilege	620	gDI28GWHgcpqaON.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c0e9493b49069a7ddfcc3387a5e562a716572aecafcca909a46d00f774c1af28.exe

description	pid	process	target process
PID 792 wrote to memory of 620	792	c0e9493b49069a7ddfcc3387a5e562a716572aecafcca909a46d00f774c1af28.exe	gDI28GWHgcpqaON.exe
PID 792 wrote to memory of 620	792	c0e9493b49069a7ddfcc3387a5e562a716572aecafcca909a46d00f774c1af28.exe	gDI28GWHgcpqaON.exe
PID 792 wrote to memory of 620	792	c0e9493b49069a7ddfcc3387a5e562a716572aecafcca909a46d00f774c1af28.exe	gDI28GWHgcpqaON.exe

C:\Users\Admin\AppData\Local\Temp\c0e9493b49069a7ddfcc3387a5e562a716572aecafcca909a46d00f774c1af28.exe
"C:\Users\Admin\AppData\Local\Temp\c0e9493b49069a7ddfcc3387a5e562a716572aecafcca909a46d00f774c1af28.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Temp\7zSCD1.tmp\gDI28GWHgcpqaON.exe
.\gDI28GWHgcpqaON.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSCD1.tmp\gDI28GWHgcpqaON.dat
Filesize
1KB

MD5
026d8976ab0f6f096238ada02dd6def6

SHA1
af1274f2b6b5395c79c196b37da40e4f9b134155

SHA256
eb1345387e1cabf848e3afa2f85c842b1f2e379068f481f1cc6b498ec5edefd3

SHA512
c95f4c1f367fae6369dae16f2f81a21742f15a510af41a3fe906234526211e8e2236c78bd02b46249fa3ca4266bdc9df40cfe3e89875e7944726d5f71bf6e49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD1.tmp\gDI28GWHgcpqaON.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD1.tmp\gDI28GWHgcpqaON.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD1.tmp\iccbeaghidnhgldmblmadppnlbahfhed\background.html
Filesize
145B

MD5
3a40bfc6cc9c09b6bce0a3f61a39f7fb

SHA1
3dbefe9e7efe482b8507bcc752873c6f1945f0d1

SHA256
1c055afc1e0d5343e581a8f9b7fe838bee0b9e7911df13d78fdc05c18273223c

SHA512
c040d63ccc492395f52d31fc6ed7d7e9394672988dda60d50c329c3a713132c2865d8034aba7ca78a3586b2267e78047ab808a8602ceabec39c07051491c21d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD1.tmp\iccbeaghidnhgldmblmadppnlbahfhed\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD1.tmp\iccbeaghidnhgldmblmadppnlbahfhed\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD1.tmp\iccbeaghidnhgldmblmadppnlbahfhed\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD1.tmp\iccbeaghidnhgldmblmadppnlbahfhed\nP3x7gI1.js
Filesize
6KB

MD5
e258f6a6ee1684a4b5176a6aff053fc7

SHA1
0c8820ed075cd25fabb371a0cd4659110bd18813

SHA256
c9cf4c87647c882a74d45cbe0b870990bdd6e22fc3b4b3fe4a18e2c1b10bb0b7

SHA512
52467b2704fa6cbc306ce91bd7dd1a86bfefbd2314289f2b9ccb7a06c7ad1b2f649383f79202ea9a225be63ab3f809ae23650eb2ca701e74de2dfc67f7651677

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD1.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD1.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
0c23e451a99418972cc60fea0bf23155

SHA1
10d60b36abe4e35c194cb6fcf0449b8f321f852a

SHA256
60cc4e177dfd9d56bb09ecb20bdbfac0107c98674c4ad56ac25b590a7ece534c

SHA512
6a09b86e66a8f93448a807e786e637fc2ae9d52662210965b3ff1804bb00a0c93036d854041b5f67f7785ba781d4004ae7e3d75ae266888289f03b69e65256d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD1.tmp\[email protected]\content\bg.js
Filesize
8KB

MD5
d5f436a02e0d15b89da06c823e1a1299

SHA1
dfd90454164a430642caa0e14be7ad9afcd7a03e

SHA256
d36b3b364a9421dd8f18472a485fbb8f8acfbcae29a675c4eead5502c7d7e4ac

SHA512
5c5c8f7bacd8dc23adcc1062ec6a50e3e85bb8fbe261a01c7ba53ce0683547624d602d730149d1037999af728ba617f1324d9b06ea418cd347c74ddc3a0117be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD1.tmp\[email protected]\install.rdf
Filesize
593B

MD5
070730d460dc4a14fefac58bbdce41a4

SHA1
3c94b00e7a317feafcd7a972c8eab884f6010463

SHA256
17df8097d838558c8d778485469101895c34891ffc480c43431b158ae41609d4

SHA512
cc9b2f71d3af30f2017160e7d7680d5a4357d57a618ff76dc7c1078402935d90d27c5cb9cb3782b175f3378ee525c32160df757abc258bed2fc3ae3f866429c7

Download Submit
memory/620-132-0x0000000000000000-mapping.dmp

Download