a4cf96d7cad495d9c6d37e82e4a1b94e89d5d4e6f341835a78ec586d232d2677

Analysis

max time kernel
133s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4cf96d7cad495d9c6d37e82e4a1b94e89d5d4e6f341835a78ec586d232d2677.exe
Size

919KB
MD5

e7270aa6a8d428e980cc7d5f3f830433
SHA1

d8d7d55bd76502d0fe20a8b002d818c2e109f9d7
SHA256

a4cf96d7cad495d9c6d37e82e4a1b94e89d5d4e6f341835a78ec586d232d2677
SHA512

bc4eed6aa98fb225538793f672237c3cc0b2a82c909f5c68ebac4e87af439ed915e3d4fc751dddedb659f189f582f70a35576d0a1296a92cf8c7a645380e0722
SSDEEP

24576:h1OYdaONMtdHAqcdDVhYwiei7+EpFAh/kKJ:h1OscPHVmVhYwiLtKkKJ

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

FA20SouZjghfYox.exe

pid process

832 FA20SouZjghfYox.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

FA20SouZjghfYox.exe

description	ioc	process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpnlifacpgckceomijajfafjjccjbfge\2.0\manifest.json	FA20SouZjghfYox.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpnlifacpgckceomijajfafjjccjbfge\2.0\manifest.json	FA20SouZjghfYox.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpnlifacpgckceomijajfafjjccjbfge\2.0\manifest.json	FA20SouZjghfYox.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpnlifacpgckceomijajfafjjccjbfge\2.0\manifest.json	FA20SouZjghfYox.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpnlifacpgckceomijajfafjjccjbfge\2.0\manifest.json	FA20SouZjghfYox.exe

Drops file in System32 directory 4 IoCs

Processes:

FA20SouZjghfYox.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	FA20SouZjghfYox.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	FA20SouZjghfYox.exe
File opened for modification	C:\Windows\System32\GroupPolicy	FA20SouZjghfYox.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	FA20SouZjghfYox.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

FA20SouZjghfYox.exe

pid	process
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe
832	FA20SouZjghfYox.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

FA20SouZjghfYox.exe

description	pid	process
Token: SeDebugPrivilege	832	FA20SouZjghfYox.exe
Token: SeDebugPrivilege	832	FA20SouZjghfYox.exe
Token: SeDebugPrivilege	832	FA20SouZjghfYox.exe
Token: SeDebugPrivilege	832	FA20SouZjghfYox.exe
Token: SeDebugPrivilege	832	FA20SouZjghfYox.exe
Token: SeDebugPrivilege	832	FA20SouZjghfYox.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a4cf96d7cad495d9c6d37e82e4a1b94e89d5d4e6f341835a78ec586d232d2677.exe

description	pid	process	target process
PID 3016 wrote to memory of 832	3016	a4cf96d7cad495d9c6d37e82e4a1b94e89d5d4e6f341835a78ec586d232d2677.exe	FA20SouZjghfYox.exe
PID 3016 wrote to memory of 832	3016	a4cf96d7cad495d9c6d37e82e4a1b94e89d5d4e6f341835a78ec586d232d2677.exe	FA20SouZjghfYox.exe
PID 3016 wrote to memory of 832	3016	a4cf96d7cad495d9c6d37e82e4a1b94e89d5d4e6f341835a78ec586d232d2677.exe	FA20SouZjghfYox.exe

C:\Users\Admin\AppData\Local\Temp\a4cf96d7cad495d9c6d37e82e4a1b94e89d5d4e6f341835a78ec586d232d2677.exe
"C:\Users\Admin\AppData\Local\Temp\a4cf96d7cad495d9c6d37e82e4a1b94e89d5d4e6f341835a78ec586d232d2677.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\7zSE97A.tmp\FA20SouZjghfYox.exe
.\FA20SouZjghfYox.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSE97A.tmp\FA20SouZjghfYox.dat

Filesize
1KB

MD5
80fd493ab30e2c3aa0e13b7f1e9f1a95

SHA1
62640fc753fddfdaff2371ce19ea3313fa023169

SHA256
ab91a9639592ad66467f9cd7ee565be197dfa8045e7e624276f55680eabed4de

SHA512
86a924dd332e2b0049b458fe03069b13b7f0d978d93ec8062aa7e5fcf6ecffae7174ea99122de66e7a6a340faa0d479b3df5c76fbdbbd42f16b01f53cdf4d2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE97A.tmp\FA20SouZjghfYox.exe

Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE97A.tmp\FA20SouZjghfYox.exe

Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE97A.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE97A.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
1b207c647644a2c6622a3e16e697bd84

SHA1
5339a6ec3549ee2311307aa10fbb14cff4e910f0

SHA256
9f4f8b9aa8f0f2d451befaec3794e59508677d0b81ef5194ccb717a3b0f50152

SHA512
8e57d501895945e51b49caac6025b974b6069e3c0a53732baf046e41804816926d76e3c8226992b432482f3b19c5c41feb82774c8cd3fa3ee445442aba6d8d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE97A.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
34dcf0da06085ae6c12241ab4ee3ebed

SHA1
357415b2b25eb735ed084a77dc6471034ed1d404

SHA256
602f113857d75d83448dce848b1dc51c7622e3ab1500eb0dd6680ba6f553749b

SHA512
123547f59fbe38c3c2f4b1ade4c8d98c3e20f60a9bacb75e6e5cab381ae6a80514c3ebbcb1def4e96b57e22ffb181d9fd8d6c4e88add452009f48e58da343110

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE97A.tmp\[email protected]\install.rdf

Filesize
595B

MD5
a4196d9b92eb667bb26df78dfd7a7a57

SHA1
4c11e66f390a473ed424b1e1dd956cba5d6cf88f

SHA256
201fa90e92316b9072fb180ed3da53dfeefb420e215b57f91a4f3a7a44ed6751

SHA512
d0ab6f22cd3c36b3e8008ff8023c55e2bb4cfa4085bee760f2c6ddd041b4d8d595c7b1804bae5eab7883488b0c3d40808fc1ba28ae59ae28d5cf83a5c5b62d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE97A.tmp\bpnlifacpgckceomijajfafjjccjbfge\background.html

Filesize
138B

MD5
b566a7b485f09aa71608552679b7bdfb

SHA1
fcdc8805206820a2cd7d43d31b104088de594f4b

SHA256
fbcf0e9cbb35c1133503b638b1d971099cd542daee708dc4ccc13908fea9f5f6

SHA512
5a27fd0c21a282cd034ce7ec848966259f5e5d7ba077404399bb7ff7f2d189354e3c25c5c4eb6f5e9f5a9b16bb4a139db375cd9d21de68e9e2cbbd104844b333

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE97A.tmp\bpnlifacpgckceomijajfafjjccjbfge\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE97A.tmp\bpnlifacpgckceomijajfafjjccjbfge\k.js

Filesize
6KB

MD5
ce55547164506befd333d5989d65faf7

SHA1
9367c99dcc4c734dae53819cd3d57c6d07de9a1c

SHA256
ad5b699b704f8755db6e51340077b27d9bb9dd8298afd1a9d1d67559c2446f11

SHA512
f395443640dc85bc7a885377d2217bdead473e7b2ee1bb5fa099deb23468ac975705895f32c4d77427839779e7ae6f237d9360e1c99e388f3a045d65fbfe98c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE97A.tmp\bpnlifacpgckceomijajfafjjccjbfge\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE97A.tmp\bpnlifacpgckceomijajfafjjccjbfge\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/832-132-0x0000000000000000-mapping.dmp

Download