aa709b146668fe1854c9c6847b0e15c9f793325c5d190e914647008f4a0a1fb4

Analysis

max time kernel
168s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa709b146668fe1854c9c6847b0e15c9f793325c5d190e914647008f4a0a1fb4.exe
Size

931KB
MD5

99b52f20a207fb48a5e3b1d761c84a33
SHA1

b01d1b6edea1ca85117380a1266339b5a7546a70
SHA256

aa709b146668fe1854c9c6847b0e15c9f793325c5d190e914647008f4a0a1fb4
SHA512

5e2b8b26ea7108fa49868ac56c1503f035dce0a8670e664dc52cd8d43318542b34b225385a70e2c25151e4d733bbec2f66b4662bc24f072b9db373ca695d8f0a
SSDEEP

24576:h1OYdaODCZ/iWCvu/2sWsJA/jlt+DHhsm:h1OshCpYO/dJJDHhsm

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

EltbNJe6tpA5brF.exe

pid process

3752 EltbNJe6tpA5brF.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

EltbNJe6tpA5brF.exe

description	ioc	process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngchemhenacefgemcakbkoidopffaijf\2.0\manifest.json	EltbNJe6tpA5brF.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngchemhenacefgemcakbkoidopffaijf\2.0\manifest.json	EltbNJe6tpA5brF.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngchemhenacefgemcakbkoidopffaijf\2.0\manifest.json	EltbNJe6tpA5brF.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngchemhenacefgemcakbkoidopffaijf\2.0\manifest.json	EltbNJe6tpA5brF.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngchemhenacefgemcakbkoidopffaijf\2.0\manifest.json	EltbNJe6tpA5brF.exe

Drops file in System32 directory 4 IoCs

Processes:

EltbNJe6tpA5brF.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	EltbNJe6tpA5brF.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	EltbNJe6tpA5brF.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	EltbNJe6tpA5brF.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	EltbNJe6tpA5brF.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

EltbNJe6tpA5brF.exe

pid	process
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe
3752	EltbNJe6tpA5brF.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

EltbNJe6tpA5brF.exe

description	pid	process
Token: SeDebugPrivilege	3752	EltbNJe6tpA5brF.exe
Token: SeDebugPrivilege	3752	EltbNJe6tpA5brF.exe
Token: SeDebugPrivilege	3752	EltbNJe6tpA5brF.exe
Token: SeDebugPrivilege	3752	EltbNJe6tpA5brF.exe
Token: SeDebugPrivilege	3752	EltbNJe6tpA5brF.exe
Token: SeDebugPrivilege	3752	EltbNJe6tpA5brF.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

aa709b146668fe1854c9c6847b0e15c9f793325c5d190e914647008f4a0a1fb4.exe

description	pid	process	target process
PID 2576 wrote to memory of 3752	2576	aa709b146668fe1854c9c6847b0e15c9f793325c5d190e914647008f4a0a1fb4.exe	EltbNJe6tpA5brF.exe
PID 2576 wrote to memory of 3752	2576	aa709b146668fe1854c9c6847b0e15c9f793325c5d190e914647008f4a0a1fb4.exe	EltbNJe6tpA5brF.exe
PID 2576 wrote to memory of 3752	2576	aa709b146668fe1854c9c6847b0e15c9f793325c5d190e914647008f4a0a1fb4.exe	EltbNJe6tpA5brF.exe

C:\Users\Admin\AppData\Local\Temp\aa709b146668fe1854c9c6847b0e15c9f793325c5d190e914647008f4a0a1fb4.exe
"C:\Users\Admin\AppData\Local\Temp\aa709b146668fe1854c9c6847b0e15c9f793325c5d190e914647008f4a0a1fb4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\EltbNJe6tpA5brF.exe
.\EltbNJe6tpA5brF.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\EltbNJe6tpA5brF.dat
Filesize
1KB

MD5
c1925b053a4225353e960de8d598a971

SHA1
e18035357a69bfc1f8b608b4cc5b8dda1474a759

SHA256
d39352eeefb5a9928dd7a18f9e31b35ea64bd872d32b9f43af4d29620461038a

SHA512
5c00fce58513f3fa3ef904bd0d86abb59930f3e9d04f2c4379b2854d43d8ba04962773e185d3f8b8f85fd8f9e6994bce6ff93115f3c01f82f606eeda1b2139bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\EltbNJe6tpA5brF.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\EltbNJe6tpA5brF.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
7001c8fe1918baf25d175974c03cb912

SHA1
dd7ea1db393d8dd0e7a23d2ae60b023f57449464

SHA256
eda4ea5c451632fd4b02b4682a43eea1e84f6c249cdf4591ba0968c48209cb03

SHA512
f04711b4abcc7e6f6a0b9c20aeaa5be19e0c47e93458ac8bf37551df9cf17f1e5c35e55ad1ec72d36d5610b226c0c8bddae997106d6ea49410b2f65c38e5fe5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\[email protected]\content\bg.js
Filesize
8KB

MD5
dc0148b61fc7c071ec1da7841f6a53d8

SHA1
63ae48cf8ddb22294fe236b8ae7836e29adc323f

SHA256
9354fe71bec80a9e44fef935c2b7318e3f99a8725261ec0f0ed0a608bf747f85

SHA512
29f0c73a5e5da04cd0a1d5be71c9ea7ce8dc3984b0751468c24004f2d869badccb97b57315c41118a6a2b6daca2d5ea142a45e513325da284ae15eeca781ad4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\[email protected]\install.rdf
Filesize
596B

MD5
14237ad0a745797d60e4891b31518dee

SHA1
12d7d0138d7c77b1195b02bac8843a9426831c6d

SHA256
54a1486b1ea23dcee936bf120cdaae65be2d99fca631d73104bab177f275ecb8

SHA512
a0763cb822ec6fb052926d572414c8bd0ea03054e4a4751dbbe80e616147e1f773d9456ffe0f3481047a5a4a2c24dde7ed33a816c410f30a6ca221fc15e07eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\ngchemhenacefgemcakbkoidopffaijf\IHd4mur.js
Filesize
6KB

MD5
2faaec63a6de893f0bd2624fbb094ada

SHA1
ac9e3553ed85674b64d9a765e0130edbf0ab5425

SHA256
ab0343568343af06b77d96155265ef43b601fe2e13f81a22b00e9c82713a6527

SHA512
4919b94a6ff2c905a74ee4583513f81a004a4355a65f53ca0323b4de4ce29f6bc680e18f36d33844e1232abdd253ac24e2cb1c61e71a687097420ac816fdc4b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\ngchemhenacefgemcakbkoidopffaijf\background.html
Filesize
144B

MD5
593179b0216c2bf4966c9453568b54f6

SHA1
770524c3b4d8aa58a6d41deec71e1e03f72a560c

SHA256
7dd5734d5ca1f1038fb2389f2b7ea0fa281e0565dbc70cab83b0692d64465166

SHA512
9eaea328e6eb208f7a407a63dc4f2c872a2bf21505164544b671c1af469baf63bffc31c50c1dad75f4edd110ddaf2441695f564f757fed2561765cb7b6bc751a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\ngchemhenacefgemcakbkoidopffaijf\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\ngchemhenacefgemcakbkoidopffaijf\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\ngchemhenacefgemcakbkoidopffaijf\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/3752-132-0x0000000000000000-mapping.dmp

Download