a5668422fa0c673c998e446ad9224d1e366c889eca103a89bbab432b0de7bcf4

Analysis

max time kernel
135s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5668422fa0c673c998e446ad9224d1e366c889eca103a89bbab432b0de7bcf4.exe
Size

931KB
MD5

cb17f3ede5d138fe895a1ed7ecf4e16c
SHA1

276ee76c29b409a8ec4a6ea5dac95213d9e4cdd7
SHA256

a5668422fa0c673c998e446ad9224d1e366c889eca103a89bbab432b0de7bcf4
SHA512

3eaa98fdf93062b8de211bfe2b22c373f2ea7bdb5fa3fb8e6b0a5c1a3c1fb932aa2332dbb802fb952c198a02c06417ce3d00da75c3d269d138c8d63f74b5a72a
SSDEEP

24576:h1OYdaO1CZ/iWCvu/2sWsJA/jlt+DHhsy:h1OsPCpYO/dJJDHhsy

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ibeJmUvH7tl6qnb.exe

pid process

4736 ibeJmUvH7tl6qnb.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

ibeJmUvH7tl6qnb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhjgeaehhngehkcaogjaldejajkoadbi\2.0\manifest.json	ibeJmUvH7tl6qnb.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhjgeaehhngehkcaogjaldejajkoadbi\2.0\manifest.json	ibeJmUvH7tl6qnb.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhjgeaehhngehkcaogjaldejajkoadbi\2.0\manifest.json	ibeJmUvH7tl6qnb.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhjgeaehhngehkcaogjaldejajkoadbi\2.0\manifest.json	ibeJmUvH7tl6qnb.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhjgeaehhngehkcaogjaldejajkoadbi\2.0\manifest.json	ibeJmUvH7tl6qnb.exe

Drops file in System32 directory 4 IoCs

Processes:

ibeJmUvH7tl6qnb.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	ibeJmUvH7tl6qnb.exe
File opened for modification	C:\Windows\System32\GroupPolicy	ibeJmUvH7tl6qnb.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	ibeJmUvH7tl6qnb.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	ibeJmUvH7tl6qnb.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

ibeJmUvH7tl6qnb.exe

pid	process
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe
4736	ibeJmUvH7tl6qnb.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

ibeJmUvH7tl6qnb.exe

description	pid	process
Token: SeDebugPrivilege	4736	ibeJmUvH7tl6qnb.exe
Token: SeDebugPrivilege	4736	ibeJmUvH7tl6qnb.exe
Token: SeDebugPrivilege	4736	ibeJmUvH7tl6qnb.exe
Token: SeDebugPrivilege	4736	ibeJmUvH7tl6qnb.exe
Token: SeDebugPrivilege	4736	ibeJmUvH7tl6qnb.exe
Token: SeDebugPrivilege	4736	ibeJmUvH7tl6qnb.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a5668422fa0c673c998e446ad9224d1e366c889eca103a89bbab432b0de7bcf4.exe

description	pid	process	target process
PID 3464 wrote to memory of 4736	3464	a5668422fa0c673c998e446ad9224d1e366c889eca103a89bbab432b0de7bcf4.exe	ibeJmUvH7tl6qnb.exe
PID 3464 wrote to memory of 4736	3464	a5668422fa0c673c998e446ad9224d1e366c889eca103a89bbab432b0de7bcf4.exe	ibeJmUvH7tl6qnb.exe
PID 3464 wrote to memory of 4736	3464	a5668422fa0c673c998e446ad9224d1e366c889eca103a89bbab432b0de7bcf4.exe	ibeJmUvH7tl6qnb.exe

C:\Users\Admin\AppData\Local\Temp\a5668422fa0c673c998e446ad9224d1e366c889eca103a89bbab432b0de7bcf4.exe
"C:\Users\Admin\AppData\Local\Temp\a5668422fa0c673c998e446ad9224d1e366c889eca103a89bbab432b0de7bcf4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Local\Temp\7zS7F85.tmp\ibeJmUvH7tl6qnb.exe
.\ibeJmUvH7tl6qnb.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS7F85.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F85.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
015a716e9b34c6bf4d43211de95b9ac5

SHA1
6d1f9877d0891492740ab60e73422ea5b05eedad

SHA256
dec9047d4ee593ba0547a030c937c853cae935af2a20c820ab614a60635dbb2d

SHA512
6a1ea0eeeeecd8707c7437544c07ac3479490c3c54489caa96abb79d23f057370278f3d651bac184ede87ac4936f635f31bbb3d037863da151652b8e642d168c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F85.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
4866d35864c3afeb113aaef7b96818e1

SHA1
a4d54d473ecc1da9e01b630518381a85348309ba

SHA256
9cec22f8a8a9a455284652b5a22b5f22a525fc19c03ee24a8a74f1fda7b02291

SHA512
ae51f7316ba3b5911ac289231b2da1d0262f359a18cc8e55005a120d489503cf80215bbaa1c34182314943ac45710d97dd085be9f55cdc1564995e7bcde96720

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F85.tmp\[email protected]\install.rdf

Filesize
597B

MD5
f8c1426da31caecf4de2bc47b8857f65

SHA1
331337a72e0ca25afbf96d85846eb25c9927175c

SHA256
5cde3247542e77c385bfd091d0390047f39554994648ab397c33913f463bf5d9

SHA512
450402fe809b8279c038d3c148da53fb50c261c02eb93c96d7e48cf518aaef868114349ecbd1d5d89970a1f9e68c1ea0a232310741ac7a07011c4fb1d164854a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F85.tmp\dhjgeaehhngehkcaogjaldejajkoadbi\background.html

Filesize
138B

MD5
7e04afb945ad240306eb4382e62174ee

SHA1
a899f8f4444f356e504b4558d81b6df9e892937a

SHA256
fea6cd40ada053115cdf38077dafee4e95840b3837d3c2796ee6f9fa0320ae73

SHA512
8f7577ccb548c2bca83285dde49b1b8fb1ae73c4b706c7df88c2936456c48ae2c2afb9ecb5b35ee8a77bbd35e651bad5b14e7e651e81e35b35a9ade3c5314363

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F85.tmp\dhjgeaehhngehkcaogjaldejajkoadbi\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F85.tmp\dhjgeaehhngehkcaogjaldejajkoadbi\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F85.tmp\dhjgeaehhngehkcaogjaldejajkoadbi\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F85.tmp\dhjgeaehhngehkcaogjaldejajkoadbi\v.js

Filesize
6KB

MD5
d6441b5844f87a402abe9b317919f172

SHA1
8b9ec5abd738abcc07e533bc0200ae80b40ecdd3

SHA256
efbc4d67432b20b35556d61ece174eb912c1cc0829d3ccc8a066958e4f76e14a

SHA512
36e2c26301e9d76ce0fb5de76dcf03d38b9af96f64c01b0ab75b8212876c85a745ac65b2f625cc65d88a2f85ce2bed9afef316c1684e0e2146a853716a04bfb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F85.tmp\ibeJmUvH7tl6qnb.dat

Filesize
1KB

MD5
f5668963778a76f4e80d920f6d355b25

SHA1
5d84136519bf92ddc6798f5ba46eca317e29bf42

SHA256
2d61ee4715a9a7683a84c7ec1dbc3129378129ae6cdc598e41e9ca164d0e1900

SHA512
17492b9b6d5dc6bde7ae044e17ed99efde0f16f96331f6a2fa22920e7832bcd94a063608fd97d5d3cb3699f7b1b9f793e16e67debe0a0bfb6c41346c48ebe21d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F85.tmp\ibeJmUvH7tl6qnb.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F85.tmp\ibeJmUvH7tl6qnb.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
memory/4736-132-0x0000000000000000-mapping.dmp

Download