c04c75b7bf899eb6d2a10af48229d7e32014176385b6b8bc6a9443b7c0b5c0a2

Analysis

max time kernel
151s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c04c75b7bf899eb6d2a10af48229d7e32014176385b6b8bc6a9443b7c0b5c0a2.exe
Size

932KB
MD5

1780380ab652681613831cb621501504
SHA1

252c25e65e6fdf882d262c0e823ef7f7fcf47e11
SHA256

c04c75b7bf899eb6d2a10af48229d7e32014176385b6b8bc6a9443b7c0b5c0a2
SHA512

fda0bb978b70937b4645955e40b7b9c2d69b178485d310f67420c2c07abd0b826e1efa8a6619864df182edf9cfc3a9da01e7499ca6497e6fb9b3a151549f2da8
SSDEEP

24576:h1OYdaO6CZ/iWCvu/2sWsJA/jlt+DHhsf:h1OskCpYO/dJJDHhsf

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

K9msxc2Q0IsgBhn.exe

pid process

1820 K9msxc2Q0IsgBhn.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

K9msxc2Q0IsgBhn.exe

description	ioc	process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkcaeodbchcanlnpmlbjeaddmgemohie\2.0\manifest.json	K9msxc2Q0IsgBhn.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkcaeodbchcanlnpmlbjeaddmgemohie\2.0\manifest.json	K9msxc2Q0IsgBhn.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkcaeodbchcanlnpmlbjeaddmgemohie\2.0\manifest.json	K9msxc2Q0IsgBhn.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkcaeodbchcanlnpmlbjeaddmgemohie\2.0\manifest.json	K9msxc2Q0IsgBhn.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkcaeodbchcanlnpmlbjeaddmgemohie\2.0\manifest.json	K9msxc2Q0IsgBhn.exe

Drops file in System32 directory 4 IoCs

Processes:

K9msxc2Q0IsgBhn.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	K9msxc2Q0IsgBhn.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	K9msxc2Q0IsgBhn.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	K9msxc2Q0IsgBhn.exe
File opened for modification	C:\Windows\System32\GroupPolicy	K9msxc2Q0IsgBhn.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

K9msxc2Q0IsgBhn.exe

pid	process
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe
1820	K9msxc2Q0IsgBhn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

K9msxc2Q0IsgBhn.exe

description	pid	process
Token: SeDebugPrivilege	1820	K9msxc2Q0IsgBhn.exe
Token: SeDebugPrivilege	1820	K9msxc2Q0IsgBhn.exe
Token: SeDebugPrivilege	1820	K9msxc2Q0IsgBhn.exe
Token: SeDebugPrivilege	1820	K9msxc2Q0IsgBhn.exe
Token: SeDebugPrivilege	1820	K9msxc2Q0IsgBhn.exe
Token: SeDebugPrivilege	1820	K9msxc2Q0IsgBhn.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c04c75b7bf899eb6d2a10af48229d7e32014176385b6b8bc6a9443b7c0b5c0a2.exe

description	pid	process	target process
PID 4676 wrote to memory of 1820	4676	c04c75b7bf899eb6d2a10af48229d7e32014176385b6b8bc6a9443b7c0b5c0a2.exe	K9msxc2Q0IsgBhn.exe
PID 4676 wrote to memory of 1820	4676	c04c75b7bf899eb6d2a10af48229d7e32014176385b6b8bc6a9443b7c0b5c0a2.exe	K9msxc2Q0IsgBhn.exe
PID 4676 wrote to memory of 1820	4676	c04c75b7bf899eb6d2a10af48229d7e32014176385b6b8bc6a9443b7c0b5c0a2.exe	K9msxc2Q0IsgBhn.exe

C:\Users\Admin\AppData\Local\Temp\c04c75b7bf899eb6d2a10af48229d7e32014176385b6b8bc6a9443b7c0b5c0a2.exe
"C:\Users\Admin\AppData\Local\Temp\c04c75b7bf899eb6d2a10af48229d7e32014176385b6b8bc6a9443b7c0b5c0a2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\7zSE796.tmp\K9msxc2Q0IsgBhn.exe
  .\K9msxc2Q0IsgBhn.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSE796.tmp\K9msxc2Q0IsgBhn.dat

Filesize
1KB

MD5
c6d0c136841a2f353778c495045bec5a

SHA1
6b2da1897ac8963f652b0f966b6aa49e665e8660

SHA256
b92c9f15091828a7516e56cbacb2394b344537be13761d46c71cecf0f134e24c

SHA512
326a197ff33301fe9cb900dde2e9067a111715a789bcb0119998ecc3ec033f3b3b39e42796df9cb5d9f67c2c997ca3f3e97c31adf27d14c125c1968b881ba9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE796.tmp\K9msxc2Q0IsgBhn.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE796.tmp\K9msxc2Q0IsgBhn.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE796.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE796.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
18b963f9847dd5a73d90e1eebf6e3852

SHA1
11ff8ff8c68c82eaee775b70ee19aaaf7ab88a92

SHA256
7e2ed6c12de0d4f98a6f68e5c2fc2dbba4959ef6d2f8ff69a34507ac41a4d257

SHA512
b243ff8a6a6ba6802069a82f89cac38f50ed8f45b20e5186d593be2ed3b1149b7b0e2f284747879e692c60905c6b36732d2ec80d2b9341a56d1115140d1669d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE796.tmp\[email protected]\content\bg.js

Filesize
9KB

MD5
d6706eb9024f35a1d9b49b8744dd83ad

SHA1
47b267df8a75de8f62bab4777348eb01eb84d989

SHA256
d1e521e5603618442921af909d5dbbb9231bc98e0f534bd2197c6ad5a7d2970a

SHA512
5e588b39c2165a49baaba32fb62b170f7405c26db47eb4e94c880edec5bedacca1f69bcbae1181689448677743e2aa23d54b6a2203dcc31d731e3e753d3f1733

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE796.tmp\[email protected]\install.rdf

Filesize
595B

MD5
d0ff29e3faa149ec2fd87bf42a565fa5

SHA1
5d41889390fdf148c571c1bd3b1ddb5360ccccc5

SHA256
15e2c8d06f8ef8563896e371a7ece4e15f98e49f4ea6d7af83bfbe725a15bd87

SHA512
7d45088dd20eed58b49736016927b4c8732dc14b22f762666bdbf6d4b32c242d42fe77839c4c83979e0d0c5ab6d4dd0df55e4b6a8bddcf593328af83f569541f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE796.tmp\dkcaeodbchcanlnpmlbjeaddmgemohie\background.html

Filesize
146B

MD5
60655a1a1e4280390ed6174ec16324bf

SHA1
4d95806ffed9554f1d235035479c2deb650f4a36

SHA256
93dbdc8a8fa98b8e83d40740cbdc8cd1fc01b0bdea5a9f4a5f203c84ec04f69b

SHA512
e436c0c04f9080746b6e63076f2912a442777e07ed0657d23e82656414efb95cc3f7507a28772e2b180615509dd37888a13b01b2f1a2ae2c3dc6eabb80e9e63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE796.tmp\dkcaeodbchcanlnpmlbjeaddmgemohie\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE796.tmp\dkcaeodbchcanlnpmlbjeaddmgemohie\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE796.tmp\dkcaeodbchcanlnpmlbjeaddmgemohie\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE796.tmp\dkcaeodbchcanlnpmlbjeaddmgemohie\yJReXq8MZ.js

Filesize
6KB

MD5
641e13503e317b313d4970e31971fbe9

SHA1
ca9450a710302b548aa5fb9c9f17e5c6d6f3678e

SHA256
aff6da473366e3e08fa5ee210d6a0b8947d91a872d3e8adb2a99c0caadc8f5c3

SHA512
ae8c980b31491569cabc1906a9b0479b96a3ae63a192a9dde2342424155c41409df50e50c5def38f9940be683ae467c53ba87152d7f8137244eaf0e8e5f26b40

Download Submit
memory/1820-132-0x0000000000000000-mapping.dmp

Download