a3704de6074ca80d4941459c44539fb1e80d2fbfd8d42e7c30d204bf797af70b

Analysis

max time kernel
147s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3704de6074ca80d4941459c44539fb1e80d2fbfd8d42e7c30d204bf797af70b.exe
Size

949KB
MD5

09fcbf73081a506aa332a2227defd363
SHA1

9cc4d73503505eeafe0f29b70e37d4f34efc7613
SHA256

a3704de6074ca80d4941459c44539fb1e80d2fbfd8d42e7c30d204bf797af70b
SHA512

9ea60b2158f2f71940884515d3e972e2802d0b3e553257a775af2c93904c458f000258d6cf0ecc32c7f8fbd37700df2a46c3a5a101c8225e02543c92734abc24
SSDEEP

12288:h1OgLdaOktPXN/S0YNynhdujKHZOJVJ7NDIPeRUEXSCUXTzoq39Mrjh1:h1OYdaOYDYQnT7S7NsPeRbSCUXoqtej7

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

8rK4GDwUInz0Jrv.exe

pid process

3832 8rK4GDwUInz0Jrv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

8rK4GDwUInz0Jrv.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\djaoecmfnnmbmfmhmlligadpgcimhaif\2.0\manifest.json	8rK4GDwUInz0Jrv.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\djaoecmfnnmbmfmhmlligadpgcimhaif\2.0\manifest.json	8rK4GDwUInz0Jrv.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\djaoecmfnnmbmfmhmlligadpgcimhaif\2.0\manifest.json	8rK4GDwUInz0Jrv.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\djaoecmfnnmbmfmhmlligadpgcimhaif\2.0\manifest.json	8rK4GDwUInz0Jrv.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\djaoecmfnnmbmfmhmlligadpgcimhaif\2.0\manifest.json	8rK4GDwUInz0Jrv.exe

Drops file in System32 directory 4 IoCs

Processes:

8rK4GDwUInz0Jrv.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	8rK4GDwUInz0Jrv.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	8rK4GDwUInz0Jrv.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	8rK4GDwUInz0Jrv.exe
File opened for modification	C:\Windows\System32\GroupPolicy	8rK4GDwUInz0Jrv.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

8rK4GDwUInz0Jrv.exe

pid	process
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe
3832	8rK4GDwUInz0Jrv.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

8rK4GDwUInz0Jrv.exe

description	pid	process
Token: SeDebugPrivilege	3832	8rK4GDwUInz0Jrv.exe
Token: SeDebugPrivilege	3832	8rK4GDwUInz0Jrv.exe
Token: SeDebugPrivilege	3832	8rK4GDwUInz0Jrv.exe
Token: SeDebugPrivilege	3832	8rK4GDwUInz0Jrv.exe
Token: SeDebugPrivilege	3832	8rK4GDwUInz0Jrv.exe
Token: SeDebugPrivilege	3832	8rK4GDwUInz0Jrv.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a3704de6074ca80d4941459c44539fb1e80d2fbfd8d42e7c30d204bf797af70b.exe

description	pid	process	target process
PID 1664 wrote to memory of 3832	1664	a3704de6074ca80d4941459c44539fb1e80d2fbfd8d42e7c30d204bf797af70b.exe	8rK4GDwUInz0Jrv.exe
PID 1664 wrote to memory of 3832	1664	a3704de6074ca80d4941459c44539fb1e80d2fbfd8d42e7c30d204bf797af70b.exe	8rK4GDwUInz0Jrv.exe
PID 1664 wrote to memory of 3832	1664	a3704de6074ca80d4941459c44539fb1e80d2fbfd8d42e7c30d204bf797af70b.exe	8rK4GDwUInz0Jrv.exe

C:\Users\Admin\AppData\Local\Temp\a3704de6074ca80d4941459c44539fb1e80d2fbfd8d42e7c30d204bf797af70b.exe
"C:\Users\Admin\AppData\Local\Temp\a3704de6074ca80d4941459c44539fb1e80d2fbfd8d42e7c30d204bf797af70b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\7zSBF7C.tmp\8rK4GDwUInz0Jrv.exe
.\8rK4GDwUInz0Jrv.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSBF7C.tmp\8rK4GDwUInz0Jrv.dat
Filesize
1KB

MD5
43c87c30cd571a5157728580c14378ee

SHA1
2d26222c024dc6ffd748090526b93ee9a560b6c1

SHA256
247e621b94c606e56c31af99cac0089b777dbd1d8393fab349534802eaaa4183

SHA512
4ecadf3cf27491cead9cf2786e13251ac694df416c1761999d6a50f90b4956a14d0ad3c61df5859530324f195f94431d463286ce716df1239a43d326c58982de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBF7C.tmp\8rK4GDwUInz0Jrv.exe
Filesize
791KB

MD5
8e78cd4b1c05327f9ce03f037eb2bfd0

SHA1
381caf0ead67c72ed9cb5c72fcfbf94b54627c41

SHA256
91160eda6fbf13634821b1d73a99ed6348581b31f7d76e888c759139e066baac

SHA512
7eeb6945d6fbed1a598d4de34317fc955032382f52457eb9eb8681227a15e22c233d9a2d9d90ceea87535e2dc46d1851aaa0fb3cf69d39e76768e500ec81f249

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBF7C.tmp\8rK4GDwUInz0Jrv.exe
Filesize
791KB

MD5
8e78cd4b1c05327f9ce03f037eb2bfd0

SHA1
381caf0ead67c72ed9cb5c72fcfbf94b54627c41

SHA256
91160eda6fbf13634821b1d73a99ed6348581b31f7d76e888c759139e066baac

SHA512
7eeb6945d6fbed1a598d4de34317fc955032382f52457eb9eb8681227a15e22c233d9a2d9d90ceea87535e2dc46d1851aaa0fb3cf69d39e76768e500ec81f249

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBF7C.tmp\djaoecmfnnmbmfmhmlligadpgcimhaif\background.html
Filesize
145B

MD5
4c2f1bf988f1d1675aee87104159efe9

SHA1
5119e7b841fecf17055ae6373da37de8b77762b4

SHA256
654a5df3957813ca616bbd49629bdb33fa6b76890629f9e698e46ec8c6fdb01b

SHA512
0ba4d5e775dc42fa1e755c2196f9a2b036307b5817a28687f4084f85c92cc44b2abff95c3d5dd04f8f447e7b6e95b0fec4b27bf227202564688c21a7b3d20aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBF7C.tmp\djaoecmfnnmbmfmhmlligadpgcimhaif\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBF7C.tmp\djaoecmfnnmbmfmhmlligadpgcimhaif\isLW17Gy.js
Filesize
5KB

MD5
891f3d16e18505ad5f192758ee75506d

SHA1
4227c2890214c4da341d9d96acbf50c46bfb07ee

SHA256
fd5d94b591a93260dab043724e62f1c884a15e2cf7cf6bbb25fee8d679614be3

SHA512
af9d6b5ab33d806640481beb63718a03f0c3a7676706e094f36589bd72fe7058c9bfa37be7bde685aa36629e2dd8b9a40d25b22a13561d3768937cd3041be7ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBF7C.tmp\djaoecmfnnmbmfmhmlligadpgcimhaif\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBF7C.tmp\djaoecmfnnmbmfmhmlligadpgcimhaif\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBF7C.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBF7C.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
0c196a94d92bd90fc0f199c1afc0e723

SHA1
1e2ecccf23e33188afbc19c312d6bc07255ee88d

SHA256
99c1ebe426f21bb85838c80959080425b507dcf0ef4c8db0e10bbf3048aaabce

SHA512
dc8e10b97c01dcd54952ca474114f2d5981222c3cbe97eb3ffba97e8f5614054fecfe03a22ffa66e1ec3dd594c1d05541a7e7bc33817f650f45c0fc56bdbdf20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBF7C.tmp\[email protected]\content\bg.js
Filesize
8KB

MD5
aae81ddc3f86078f58d558d92103428f

SHA1
ad1dd9ef9c3b5be9acbc5bd78b523b16e80abe07

SHA256
6be6fb8ad1b5429df1e7c1f6f7a5e0ec52d18932f9a2eac836c53fd5cf1c30de

SHA512
4e8f2c6771afcccb9b7d1664c43aae032229e2de65f0f0eb386aa2ceaf49ef1a432eda79e559960ceb06fd563b5eab1900f8a2881b5db8dbcab19a22211310f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBF7C.tmp\[email protected]\install.rdf
Filesize
590B

MD5
481913646e5625d1583abd3fa9831fdd

SHA1
191cf07b72697b71b21ae97f2ad324db178ac377

SHA256
1ab3355343824e09a32fb12026e2b35b7737e85dffb9805cb66b4744398ff350

SHA512
352b3899b0aea5bca0f6a23e1a94a7d7ceabdc1d6552b43c2df9fbc8783512ed5a6b070a33bdadba24d30742999cdccdc4f917bbdea9ec1cb765d9edf5e81d09

Download Submit
memory/3832-133-0x0000000000000000-mapping.dmp

Download