a7aa68f5e0659482784e004b3f6bfdd37334695b5ef7db5bc9b8e5dc1bc8a7c1

Analysis

max time kernel
158s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7aa68f5e0659482784e004b3f6bfdd37334695b5ef7db5bc9b8e5dc1bc8a7c1.exe
Size

931KB
MD5

8eeaac64b8a3c6674f3ff04e20563a66
SHA1

df092861a21456111d1e2bd18bb892f4c503fdea
SHA256

a7aa68f5e0659482784e004b3f6bfdd37334695b5ef7db5bc9b8e5dc1bc8a7c1
SHA512

18798c8119fb5e6ae9b0d00255f1c9a09e31f17c45167d1f13bd2163be4ac6959395940e6462089614972a29ca4eadec3c072c17b8e1a489b883b288acd35f44
SSDEEP

24576:h1OYdaOVCZ/iWCvu/2sWsJA/jlt+DHhsH:h1OsDCpYO/dJJDHhsH

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

2T9McVbajOVW4Zs.exe

pid process

4512 2T9McVbajOVW4Zs.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

2T9McVbajOVW4Zs.exe

description	ioc	process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpcdpnejgffnjgcmimofghjckjhaihph\1.3\manifest.json	2T9McVbajOVW4Zs.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpcdpnejgffnjgcmimofghjckjhaihph\1.3\manifest.json	2T9McVbajOVW4Zs.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpcdpnejgffnjgcmimofghjckjhaihph\1.3\manifest.json	2T9McVbajOVW4Zs.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpcdpnejgffnjgcmimofghjckjhaihph\1.3\manifest.json	2T9McVbajOVW4Zs.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpcdpnejgffnjgcmimofghjckjhaihph\1.3\manifest.json	2T9McVbajOVW4Zs.exe

Drops file in System32 directory 4 IoCs

Processes:

2T9McVbajOVW4Zs.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	2T9McVbajOVW4Zs.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	2T9McVbajOVW4Zs.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	2T9McVbajOVW4Zs.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	2T9McVbajOVW4Zs.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

2T9McVbajOVW4Zs.exe

pid	process
4512	2T9McVbajOVW4Zs.exe
4512	2T9McVbajOVW4Zs.exe
4512	2T9McVbajOVW4Zs.exe
4512	2T9McVbajOVW4Zs.exe
4512	2T9McVbajOVW4Zs.exe
4512	2T9McVbajOVW4Zs.exe
4512	2T9McVbajOVW4Zs.exe
4512	2T9McVbajOVW4Zs.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a7aa68f5e0659482784e004b3f6bfdd37334695b5ef7db5bc9b8e5dc1bc8a7c1.exe

description	pid	process	target process
PID 2256 wrote to memory of 4512	2256	a7aa68f5e0659482784e004b3f6bfdd37334695b5ef7db5bc9b8e5dc1bc8a7c1.exe	2T9McVbajOVW4Zs.exe
PID 2256 wrote to memory of 4512	2256	a7aa68f5e0659482784e004b3f6bfdd37334695b5ef7db5bc9b8e5dc1bc8a7c1.exe	2T9McVbajOVW4Zs.exe
PID 2256 wrote to memory of 4512	2256	a7aa68f5e0659482784e004b3f6bfdd37334695b5ef7db5bc9b8e5dc1bc8a7c1.exe	2T9McVbajOVW4Zs.exe

C:\Users\Admin\AppData\Local\Temp\a7aa68f5e0659482784e004b3f6bfdd37334695b5ef7db5bc9b8e5dc1bc8a7c1.exe
"C:\Users\Admin\AppData\Local\Temp\a7aa68f5e0659482784e004b3f6bfdd37334695b5ef7db5bc9b8e5dc1bc8a7c1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\AppData\Local\Temp\7zSAA00.tmp\2T9McVbajOVW4Zs.exe
.\2T9McVbajOVW4Zs.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSAA00.tmp\2T9McVbajOVW4Zs.dat

Filesize
1KB

MD5
a292f2bfd554bf4ecf283f5915d2cbe3

SHA1
672aef7b4cef60b73ed555a791198936b8a120e0

SHA256
ded3e2db41182253167cfe24728720662c8338c48c711a3dd5ab4567a12a7a08

SHA512
e2ad7897d25af645a9efd73a5844fc3cb03ca1e6f51a7420cef67594293dca5a7bfb6293121f7e0f2043814b64b5b44e9461128c23ed981d34f1d0e24ad02bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAA00.tmp\2T9McVbajOVW4Zs.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAA00.tmp\2T9McVbajOVW4Zs.exe

Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAA00.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAA00.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
93f0655531d2c3e72a2759531a0e9751

SHA1
bcc71f30ee2ab4ca9bc2aae23409e4efdb9d66d3

SHA256
0a27d458064ec2c81a18de13bec4059c0e092f227d094e289f0bf7d9533938a3

SHA512
a7677cde84623d93e48766a47ad044bc80e91d0b915048043471deaef84f3a300dd3c097005a4109bd270868683051228547e6dabb8d0449266f8829cd9604bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAA00.tmp\[email protected]\content\bg.js

Filesize
9KB

MD5
02772e1b617ea42b14c42487b08f7018

SHA1
788d644461867d90955ef5059591fd4006900b73

SHA256
27664b3685a664008a5f2a10a59d5e17a58166e84823d65d636376399b68fe41

SHA512
ad451bfc066ce0d9a4665aad1961383e0b599317901a9cc3b938526a6317768dc03a81ffe3613b4335f6b02b882d2b746216b85f3f01eb8030449932f16f3a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAA00.tmp\[email protected]\install.rdf

Filesize
593B

MD5
5b4d6dd4c74fc056bdee01638806078e

SHA1
57a3518be6e25429b899a7dc6029de23318c5e0d

SHA256
74c0fe90abb50e4f7df6a0b74dd3fa94edf92157ce215c9a5c70bb6ba975cdf4

SHA512
3380cef5b275a476383ed4272ed9e2ad3aca736758b5df491fb479805c610f8fc44b5eae9acf1d6da0578a32f2d6fcd7afaeb85cd65f36d5d04740e64c1898e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAA00.tmp\cpcdpnejgffnjgcmimofghjckjhaihph\b.js

Filesize
6KB

MD5
68aa337aea48211df38a2e01bcdd1ff1

SHA1
ef2a37045e5c36a5b84788e51848ba649b357e4a

SHA256
ca75671ade3402929e7cb6cc8e46d6b1785c1c17c89b54c90e135ca0a8c9d8d6

SHA512
48ad928aa579afc70c0adbc6eac29ef89a0eb1b0b8b2d3ac1915f7ed73419659eb399556fe373db43ef28907f228804b17cfcc7a1b8ab9eebced3630b2ac1e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAA00.tmp\cpcdpnejgffnjgcmimofghjckjhaihph\background.html

Filesize
138B

MD5
8da4619c91bdfa76bdf19cc7b1cf3f59

SHA1
a9a76753ad10123b20abc4612718b538c154892d

SHA256
9991c7dd05190aa6d09242263945c89496297bd2bc85d06a76fae480d44e2f9b

SHA512
b9b0f7e1d4afafb6009455727007f28cb656fe2d9f2628b31b3557184f352207ab93764acfb8e19501e3e2f5b280c41afa93be6cd81770018f80d70ad24332c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAA00.tmp\cpcdpnejgffnjgcmimofghjckjhaihph\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAA00.tmp\cpcdpnejgffnjgcmimofghjckjhaihph\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAA00.tmp\cpcdpnejgffnjgcmimofghjckjhaihph\manifest.json

Filesize
498B

MD5
664e2884e17f23553a19eee317642194

SHA1
a28ccc088d6b6692646150f3e8f111e568723fb4

SHA256
ee4ef853224cde2aa7e54351c02bc811af939202b82e19cbd1cc011fc3565191

SHA512
b2cef8c4dfb6a0648f21c53393b982c9171d8a0344a94970c13866ebd2870de2cd99dab5984000b10802c54a748230104c7997c3d2cd3ac5e97c9355a4cb7ecb

Download Submit
memory/4512-132-0x0000000000000000-mapping.dmp

Download