c0c148abd5ee342011254aed83e221044d6ef16f7a8860eaca59c05170c5f476

Analysis

max time kernel
39s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0c148abd5ee342011254aed83e221044d6ef16f7a8860eaca59c05170c5f476.exe
Size

920KB
MD5

5a0b1c0dc4df09c0b4f235b3c9f6b02c
SHA1

3de243e93a8445541b2cb0ac4db6b1649cd0778f
SHA256

c0c148abd5ee342011254aed83e221044d6ef16f7a8860eaca59c05170c5f476
SHA512

590ded88d0bfb7ab3c3875e01c21930d034efec42f47b0911f87aafca3311748cb02bd3457cbd864ca00017cbde2bcf7daeaed261fca89a64a08e98836a20e3e
SSDEEP

24576:h1OYdaO9MtdHAqcdDVhYwiei7+EpFAh/kK7:h1OsEPHVmVhYwiLtKkK7

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

YlBYlXYoKvbzBSk.exe

pid process

1728 YlBYlXYoKvbzBSk.exe
Loads dropped DLL 1 IoCs

Processes:

c0c148abd5ee342011254aed83e221044d6ef16f7a8860eaca59c05170c5f476.exe

pid process

1848 c0c148abd5ee342011254aed83e221044d6ef16f7a8860eaca59c05170c5f476.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1848	c0c148abd5ee342011254aed83e221044d6ef16f7a8860eaca59c05170c5f476.exe

Drops Chrome extension 3 IoCs

Processes:

YlBYlXYoKvbzBSk.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifmiabhppofhnbdkfmfmaekglghkkile\2.0\manifest.json	YlBYlXYoKvbzBSk.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifmiabhppofhnbdkfmfmaekglghkkile\2.0\manifest.json	YlBYlXYoKvbzBSk.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifmiabhppofhnbdkfmfmaekglghkkile\2.0\manifest.json	YlBYlXYoKvbzBSk.exe

Drops file in System32 directory 4 IoCs

Processes:

YlBYlXYoKvbzBSk.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	YlBYlXYoKvbzBSk.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	YlBYlXYoKvbzBSk.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	YlBYlXYoKvbzBSk.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	YlBYlXYoKvbzBSk.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

YlBYlXYoKvbzBSk.exe

pid	process
1728	YlBYlXYoKvbzBSk.exe
1728	YlBYlXYoKvbzBSk.exe
1728	YlBYlXYoKvbzBSk.exe
1728	YlBYlXYoKvbzBSk.exe
1728	YlBYlXYoKvbzBSk.exe
1728	YlBYlXYoKvbzBSk.exe
1728	YlBYlXYoKvbzBSk.exe
1728	YlBYlXYoKvbzBSk.exe
1728	YlBYlXYoKvbzBSk.exe
1728	YlBYlXYoKvbzBSk.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

YlBYlXYoKvbzBSk.exe

description	pid	process
Token: SeDebugPrivilege	1728	YlBYlXYoKvbzBSk.exe
Token: SeDebugPrivilege	1728	YlBYlXYoKvbzBSk.exe
Token: SeDebugPrivilege	1728	YlBYlXYoKvbzBSk.exe
Token: SeDebugPrivilege	1728	YlBYlXYoKvbzBSk.exe
Token: SeDebugPrivilege	1728	YlBYlXYoKvbzBSk.exe
Token: SeDebugPrivilege	1728	YlBYlXYoKvbzBSk.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c0c148abd5ee342011254aed83e221044d6ef16f7a8860eaca59c05170c5f476.exe

description	pid	process	target process
PID 1848 wrote to memory of 1728	1848	c0c148abd5ee342011254aed83e221044d6ef16f7a8860eaca59c05170c5f476.exe	YlBYlXYoKvbzBSk.exe
PID 1848 wrote to memory of 1728	1848	c0c148abd5ee342011254aed83e221044d6ef16f7a8860eaca59c05170c5f476.exe	YlBYlXYoKvbzBSk.exe
PID 1848 wrote to memory of 1728	1848	c0c148abd5ee342011254aed83e221044d6ef16f7a8860eaca59c05170c5f476.exe	YlBYlXYoKvbzBSk.exe
PID 1848 wrote to memory of 1728	1848	c0c148abd5ee342011254aed83e221044d6ef16f7a8860eaca59c05170c5f476.exe	YlBYlXYoKvbzBSk.exe

C:\Users\Admin\AppData\Local\Temp\c0c148abd5ee342011254aed83e221044d6ef16f7a8860eaca59c05170c5f476.exe
"C:\Users\Admin\AppData\Local\Temp\c0c148abd5ee342011254aed83e221044d6ef16f7a8860eaca59c05170c5f476.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Local\Temp\7zSFDA1.tmp\YlBYlXYoKvbzBSk.exe
.\YlBYlXYoKvbzBSk.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSFDA1.tmp\YlBYlXYoKvbzBSk.dat
Filesize
1KB

MD5
05dfed4f26546477e2c88a09ec067adc

SHA1
c992e1842a2ee1e269a5365930665f16f9c1d11a

SHA256
bb84878722c2326eaa94b11ec3ca6c0ce1ceab114e211cf6370fba3ec6bd56c6

SHA512
1a6096d0152dd076d4e7898233b0d0f434421b641c917ed61ddd3edbae320cd44445ec4c29f4bd40e2b396584cea424d0390ba79247530ca57d55d1bddbd0fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDA1.tmp\YlBYlXYoKvbzBSk.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDA1.tmp\ifmiabhppofhnbdkfmfmaekglghkkile\Jiun.js
Filesize
6KB

MD5
d9f0d568c26d821e94bb800b5b68763f

SHA1
b632f7ae08baa2fdd4898ceb3603f95c803f9e8e

SHA256
af500b11d96d94729f3b225c2bf432828ad001b041b888ef6d7718a6f9ad95e0

SHA512
e40d49c7432c8e2ca83d9a3fa2abf7a24ef8a8c92b343ec1092013975ddbfe75d52f733d5c99c899a3fb11f88dcf8ae66d3dbc639a6329e0dda228cc9361ad24

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDA1.tmp\ifmiabhppofhnbdkfmfmaekglghkkile\background.html
Filesize
141B

MD5
7983b3795be46160019c50970085bd79

SHA1
fc60155619a4caeb4a047286a94f63e81ae42654

SHA256
e70d53339e66016b75d100c95ccf2802207e2417707d13df0768e8f7735804a7

SHA512
150b76aff76e6027c4138880b9ea13f907b654d4897e6d28057bc49a68da7ef32c2f7f89023abbe6fa15bcd5eeb777ca96494b539d5171eac2ff68aa4c6cfadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDA1.tmp\ifmiabhppofhnbdkfmfmaekglghkkile\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDA1.tmp\ifmiabhppofhnbdkfmfmaekglghkkile\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDA1.tmp\ifmiabhppofhnbdkfmfmaekglghkkile\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDA1.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDA1.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
0cb36fea2959041a6423349552417b23

SHA1
d3a1950379c3cae773974a8348cd043aff57f203

SHA256
e4613e8c985927dda0cc4c12570c0ce6fe40c61c2a0e18b09fbd0aa414f96418

SHA512
17a7fad3bad7152a9a4f03bf08bf53616a489493b8a4a0ba2ad94fba3b427faa893e585a2506d199e7675838050533540bea57774540ced7e182ac604fbff3cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDA1.tmp\[email protected]\content\bg.js
Filesize
8KB

MD5
e6f8d2138df018fb57f5006bfa08db3d

SHA1
07db2a894582cc2e441e23e483b0320f7a32f7ea

SHA256
a85e9cc2621bed5e412695ff4b3302e0eebde6b979671520d49816cccb4f96a3

SHA512
c1ce3e6f05ec49a5b53b0e07f4c471fa16ad7fe6097ec98a079dc8ac0e69f462354115e58a38d9c9d9d10cba7b9432013ccf9ee9f22259c0f1e64bfcdad6223c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDA1.tmp\[email protected]\install.rdf
Filesize
596B

MD5
141b34c31705af764409bd035445e417

SHA1
569d087b9c3654a06e34b0d5218e7cf7a3093e08

SHA256
d08c39244a428e2a60609f51bcbeb7e4a6e705746e6a3ee77b71f497c51cafd7

SHA512
12350d3efe87da4cf66885a905c89d5ff55841fdf37a3824a2d5f9cce927a35e3620c26d75420a2460a7dffd1059949dfc4a241040ade8969fc81d976790aa13

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFDA1.tmp\YlBYlXYoKvbzBSk.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
memory/1728-56-0x0000000000000000-mapping.dmp

Download
memory/1848-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads