a59339c4cf8d6816c15b45282368a4f9c74cc5af3b05239a2479e9c49d4985ad

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a59339c4cf8d6816c15b45282368a4f9c74cc5af3b05239a2479e9c49d4985ad.exe
Size

931KB
MD5

540ae493ec4580a55427311c48c64dbd
SHA1

68f1489c430ffe10bbdafa288827216bdee1b913
SHA256

a59339c4cf8d6816c15b45282368a4f9c74cc5af3b05239a2479e9c49d4985ad
SHA512

8481e26b11c086e0c21283ae07c92641a0b486e658838437b1f0f637bc9e6c6050d4e92dbd062cf42a0999802918e9d187533db1a1f0558d5327db3e703b3a97
SSDEEP

24576:h1OYdaOZCZ/iWCvu/2sWsJA/jlt+DHhs1:h1OsbCpYO/dJJDHhs1

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

WFQo9R8TrhPGSP5.exe

pid process

1708 WFQo9R8TrhPGSP5.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

WFQo9R8TrhPGSP5.exe

description	ioc	process
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmmamjbpefhdnmhfoeifncgbjpmckopb\1.3\manifest.json	WFQo9R8TrhPGSP5.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmmamjbpefhdnmhfoeifncgbjpmckopb\1.3\manifest.json	WFQo9R8TrhPGSP5.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmmamjbpefhdnmhfoeifncgbjpmckopb\1.3\manifest.json	WFQo9R8TrhPGSP5.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmmamjbpefhdnmhfoeifncgbjpmckopb\1.3\manifest.json	WFQo9R8TrhPGSP5.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmmamjbpefhdnmhfoeifncgbjpmckopb\1.3\manifest.json	WFQo9R8TrhPGSP5.exe

Drops file in System32 directory 4 IoCs

Processes:

WFQo9R8TrhPGSP5.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	WFQo9R8TrhPGSP5.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	WFQo9R8TrhPGSP5.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	WFQo9R8TrhPGSP5.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	WFQo9R8TrhPGSP5.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

WFQo9R8TrhPGSP5.exe

pid	process
1708	WFQo9R8TrhPGSP5.exe
1708	WFQo9R8TrhPGSP5.exe
1708	WFQo9R8TrhPGSP5.exe
1708	WFQo9R8TrhPGSP5.exe
1708	WFQo9R8TrhPGSP5.exe
1708	WFQo9R8TrhPGSP5.exe
1708	WFQo9R8TrhPGSP5.exe
1708	WFQo9R8TrhPGSP5.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a59339c4cf8d6816c15b45282368a4f9c74cc5af3b05239a2479e9c49d4985ad.exe

description	pid	process	target process
PID 3364 wrote to memory of 1708	3364	a59339c4cf8d6816c15b45282368a4f9c74cc5af3b05239a2479e9c49d4985ad.exe	WFQo9R8TrhPGSP5.exe
PID 3364 wrote to memory of 1708	3364	a59339c4cf8d6816c15b45282368a4f9c74cc5af3b05239a2479e9c49d4985ad.exe	WFQo9R8TrhPGSP5.exe
PID 3364 wrote to memory of 1708	3364	a59339c4cf8d6816c15b45282368a4f9c74cc5af3b05239a2479e9c49d4985ad.exe	WFQo9R8TrhPGSP5.exe

C:\Users\Admin\AppData\Local\Temp\a59339c4cf8d6816c15b45282368a4f9c74cc5af3b05239a2479e9c49d4985ad.exe
"C:\Users\Admin\AppData\Local\Temp\a59339c4cf8d6816c15b45282368a4f9c74cc5af3b05239a2479e9c49d4985ad.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\AppData\Local\Temp\7zS7F27.tmp\WFQo9R8TrhPGSP5.exe
.\WFQo9R8TrhPGSP5.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS7F27.tmp\WFQo9R8TrhPGSP5.dat
Filesize
1KB

MD5
ec85482ae9f0b0e12589c37cc8974bc9

SHA1
07a8407a8438f87d2281f442e273f5f426b2a194

SHA256
b8decc790c1c8d1ddd38a63246d49bf5f50e020bb3217d7d378bc55773e54b02

SHA512
9b272f17215462314bcc8ebab7a2f7fc1c297e3310e0c613731fc176ed7d0de134788b41d7f3f01b3bee6cb40143e123137ba35966469f9ad312fd7af567b761

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F27.tmp\WFQo9R8TrhPGSP5.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F27.tmp\WFQo9R8TrhPGSP5.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F27.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F27.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
22a280340aab6737b52c847e6dc929a7

SHA1
c9b5e43a3492fdc3ea6c8855e6b4be790ec7b635

SHA256
b881ccedaf1724ef151c445e451c19b7aba17dcb285ffa1d39b114cbfacb66cd

SHA512
dc4ee50ff258cc81ae50f8c8205ed33f31a143586bc85cc673f80b43097ddf477e6f5dde42e13a7a69c194eb8852b7476fe8faeb9a745ef94de2668fa4b32bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F27.tmp\[email protected]\content\bg.js
Filesize
9KB

MD5
df08feb889322f0fc769eecdced310b9

SHA1
e68fc252bb023e5ad13d679b5e752ba527645e4c

SHA256
7af538f17aadf38b6e8fc8d2b48bd32cde6f1c5397be2082a74ad818c836cc8c

SHA512
4cd4490646ad8ff1ae05a8819c5682ded80b349d5bf9a207283c07d23fbdd29ec7e853d74ef470d8da18863ccf7d436d98fb8088e8256f6bbb415cf4d46145d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F27.tmp\[email protected]\install.rdf
Filesize
594B

MD5
2ce0d7b86046749743ed1aa73b628cd3

SHA1
0d99997176389456db834d53ded83ad4d7a3972e

SHA256
4d13ddedf09b1c9d1062b317066d0f39bd07b125521b56e49a864b81a7c505b8

SHA512
c37941c2a0207574107e5947b3a410fa377eb540b4087ae74329c1caf424d5aa63fdea57371d0124f1bc3ed62b7862394ce74794115ae40a29abbd4a54c2c569

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F27.tmp\mmmamjbpefhdnmhfoeifncgbjpmckopb\background.html
Filesize
143B

MD5
c63b46ae5e3a9d414cf1c361f8489bb5

SHA1
104dab52f36842951fbdd74159cf5102fdf051ff

SHA256
3173e04193f9a0d9f3fc04f6b3a143e997617b3d477799bd477008853643a62c

SHA512
74facc4a77a9f34310a33958323338b1a866264ae81e5e9dc22127b9f9e2aa4def3c5aa9c78cbfecca26e583ba3c1d2e65e164e2821998d7d8cf60d00efea4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F27.tmp\mmmamjbpefhdnmhfoeifncgbjpmckopb\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F27.tmp\mmmamjbpefhdnmhfoeifncgbjpmckopb\fz8d0l.js
Filesize
6KB

MD5
772015368eae2e9d736988023dbe11b2

SHA1
66db57e2bddcb22444d66b9f86dc463487e14e88

SHA256
11b3229042c9949ac82ddea6c189f2544803ca9c7fb16f80a798cc0b4d4843a0

SHA512
1fa8c4fc83a6adef6ae742417a0c2deee0df2f431126334604642736388f6a99c19e8fb0e1c6ba6794fd6d0147f1ae2e32cbf4b624e33882bbcd6b8e801b8e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F27.tmp\mmmamjbpefhdnmhfoeifncgbjpmckopb\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F27.tmp\mmmamjbpefhdnmhfoeifncgbjpmckopb\manifest.json
Filesize
498B

MD5
664e2884e17f23553a19eee317642194

SHA1
a28ccc088d6b6692646150f3e8f111e568723fb4

SHA256
ee4ef853224cde2aa7e54351c02bc811af939202b82e19cbd1cc011fc3565191

SHA512
b2cef8c4dfb6a0648f21c53393b982c9171d8a0344a94970c13866ebd2870de2cd99dab5984000b10802c54a748230104c7997c3d2cd3ac5e97c9355a4cb7ecb

Download Submit
memory/1708-132-0x0000000000000000-mapping.dmp

Download