c0e35e4982baaca03145868ad53067366446a1b780791d9c95539fb29cfa6563

Analysis

max time kernel
89s
max time network
166s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0e35e4982baaca03145868ad53067366446a1b780791d9c95539fb29cfa6563.exe
Size

931KB
MD5

5ab2b8d728ec11a956d1ecb1002e3cd6
SHA1

ee90f2b369abd86076094a0ada3d0704dc186a2b
SHA256

c0e35e4982baaca03145868ad53067366446a1b780791d9c95539fb29cfa6563
SHA512

41b750b5c22e3c66626d06a0666878c892039c533e14416e658075ea507ea1bc582d1d94c3e54447fe7b83c40266a0a84f67cf2f39532a08f6d0d76cb5b1232b
SSDEEP

24576:h1OYdaOACZ/iWCvu/2sWsJA/jlt+DHhsp:h1OsmCpYO/dJJDHhsp

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

CWItuIv4aV3jgjr.exe

pid process

1080 CWItuIv4aV3jgjr.exe
Loads dropped DLL 1 IoCs

Processes:

c0e35e4982baaca03145868ad53067366446a1b780791d9c95539fb29cfa6563.exe

pid process

1708 c0e35e4982baaca03145868ad53067366446a1b780791d9c95539fb29cfa6563.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1708	c0e35e4982baaca03145868ad53067366446a1b780791d9c95539fb29cfa6563.exe

Drops Chrome extension 3 IoCs

Processes:

CWItuIv4aV3jgjr.exe

description	ioc	process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceoejhdhkfdcfecilaclmcgadaakcehg\2.0\manifest.json	CWItuIv4aV3jgjr.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceoejhdhkfdcfecilaclmcgadaakcehg\2.0\manifest.json	CWItuIv4aV3jgjr.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceoejhdhkfdcfecilaclmcgadaakcehg\2.0\manifest.json	CWItuIv4aV3jgjr.exe

Drops file in System32 directory 4 IoCs

Processes:

CWItuIv4aV3jgjr.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	CWItuIv4aV3jgjr.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	CWItuIv4aV3jgjr.exe
File opened for modification	C:\Windows\System32\GroupPolicy	CWItuIv4aV3jgjr.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	CWItuIv4aV3jgjr.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

CWItuIv4aV3jgjr.exe

pid	process
1080	CWItuIv4aV3jgjr.exe
1080	CWItuIv4aV3jgjr.exe
1080	CWItuIv4aV3jgjr.exe
1080	CWItuIv4aV3jgjr.exe
1080	CWItuIv4aV3jgjr.exe
1080	CWItuIv4aV3jgjr.exe
1080	CWItuIv4aV3jgjr.exe
1080	CWItuIv4aV3jgjr.exe
1080	CWItuIv4aV3jgjr.exe
1080	CWItuIv4aV3jgjr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

CWItuIv4aV3jgjr.exe

description	pid	process
Token: SeDebugPrivilege	1080	CWItuIv4aV3jgjr.exe
Token: SeDebugPrivilege	1080	CWItuIv4aV3jgjr.exe
Token: SeDebugPrivilege	1080	CWItuIv4aV3jgjr.exe
Token: SeDebugPrivilege	1080	CWItuIv4aV3jgjr.exe
Token: SeDebugPrivilege	1080	CWItuIv4aV3jgjr.exe
Token: SeDebugPrivilege	1080	CWItuIv4aV3jgjr.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c0e35e4982baaca03145868ad53067366446a1b780791d9c95539fb29cfa6563.exe

description	pid	process	target process
PID 1708 wrote to memory of 1080	1708	c0e35e4982baaca03145868ad53067366446a1b780791d9c95539fb29cfa6563.exe	CWItuIv4aV3jgjr.exe
PID 1708 wrote to memory of 1080	1708	c0e35e4982baaca03145868ad53067366446a1b780791d9c95539fb29cfa6563.exe	CWItuIv4aV3jgjr.exe
PID 1708 wrote to memory of 1080	1708	c0e35e4982baaca03145868ad53067366446a1b780791d9c95539fb29cfa6563.exe	CWItuIv4aV3jgjr.exe
PID 1708 wrote to memory of 1080	1708	c0e35e4982baaca03145868ad53067366446a1b780791d9c95539fb29cfa6563.exe	CWItuIv4aV3jgjr.exe

C:\Users\Admin\AppData\Local\Temp\c0e35e4982baaca03145868ad53067366446a1b780791d9c95539fb29cfa6563.exe
"C:\Users\Admin\AppData\Local\Temp\c0e35e4982baaca03145868ad53067366446a1b780791d9c95539fb29cfa6563.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\7zSFEF9.tmp\CWItuIv4aV3jgjr.exe
.\CWItuIv4aV3jgjr.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1080

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSFEF9.tmp\CWItuIv4aV3jgjr.dat
Filesize
1KB

MD5
4e59ac339bfbe76b3c0ae3d36a9e19e4

SHA1
3254695fb81f1f8c952d88758f23b47ea6f66968

SHA256
18cc196979acd1f836bb08e1ff92e12d9f5870e8d1ee86ad8d058cf8243d1de5

SHA512
720f805323dbc65ddff766df90b569f692d5270ea5710729abd74a764e5e739e29feebb2559b22a082707bb0ecc9b4e6db5260303b6203ebf8ca58ea38d65baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEF9.tmp\CWItuIv4aV3jgjr.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEF9.tmp\ceoejhdhkfdcfecilaclmcgadaakcehg\A1OL.js
Filesize
6KB

MD5
6a5b55e7b177ecbf124530a373de63d9

SHA1
c9d22f38ee8c60b424e700103caa23362d9e7874

SHA256
5697e0024da0ff72762dbc25e3bc00f13c37c42ed9e0c01e41660e4cf744726d

SHA512
7be71f78ee7b34d6feed9eb26276f495cc99cb7fb40652ea8a97801a80dfb64b2ac136028ae4957a3c0c7074d235148bdc5ce4a437859a5d698248fed0500344

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEF9.tmp\ceoejhdhkfdcfecilaclmcgadaakcehg\background.html
Filesize
141B

MD5
f856637d064d30288a8fc8c3914386ba

SHA1
3d839a6e53b7edd903d24f69ad0ac6b1c168ef8b

SHA256
6d9b2d23c936e23a25e150b02a70fd50ab9460535c700c0d218cfdde7301ad6a

SHA512
1b55f8e4e90da8f6929594767dfd57e307bfaad356280e21fb5ef1bb13e9f464e0ad4eb9e09c4f503b765d1bb4278b6a5a3a17f008ed1184c1803d3545c4d7f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEF9.tmp\ceoejhdhkfdcfecilaclmcgadaakcehg\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEF9.tmp\ceoejhdhkfdcfecilaclmcgadaakcehg\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEF9.tmp\ceoejhdhkfdcfecilaclmcgadaakcehg\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEF9.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEF9.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
beb5bbc50871614fad6f97dd932f300c

SHA1
642833e772bd2e81d36c5d83ee7cc2d048ac8948

SHA256
e12576ce4e70a8a5be5f4b54e660cdebbfc5aa87cd1a76a644bcbaf3e3b3461d

SHA512
a927769278ccbbdad731c8b21f08f61b17e46ab04b00dd43cddba9dac0cbce67892f1cde8d93c104f87d01aad6f0e038bc331e217f39181168f5fa44ad3064de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEF9.tmp\[email protected]\content\bg.js
Filesize
8KB

MD5
b3862b9b8743ce6b15638dc2a1b9a9ad

SHA1
30d7d9c8e00dbe7810f8ddb2edf6f1c1dc49fe89

SHA256
aabd7e4825956aebd2cb06ec23733a0ed917a89524d6c680089745f0dda17a0e

SHA512
8fa5c7660213326a70e31a939db3411bc30923418daffc36d8607a9675e097ea10b9931a86297b9b6722f8893f57ba363d0257d9208cbbd3487e87fcfe21d719

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEF9.tmp\[email protected]\install.rdf
Filesize
593B

MD5
fc53c52ff9fccec387a47a098c9cb0a0

SHA1
975991bb2db5dd51d9dc31ae38d567381d3a118c

SHA256
d10ce1b820eb888cc948f39c2fee62aca134ff1db35e3f7e87ccd417ed490d47

SHA512
b51ce2566be55f0f2cb4f2f30e0597c1b80da25ee3871affdf02c6580b70ee81c1d44f1f86a17426bcde3c4af6a399a36b8ff0dd05307706c7eb400a48fe15f7

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFEF9.tmp\CWItuIv4aV3jgjr.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
memory/1080-56-0x0000000000000000-mapping.dmp

Download
memory/1708-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads