a77f78d1ab82842c4f95a1e00b7df3c23824a1b71b391c85f94c3e8442063e79

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a77f78d1ab82842c4f95a1e00b7df3c23824a1b71b391c85f94c3e8442063e79.exe
Size

919KB
MD5

a6e7f511de6b3523b5ebfa7a6ca22cc1
SHA1

570df58cc6530e42b67a28b01697288f4a9bbe8b
SHA256

a77f78d1ab82842c4f95a1e00b7df3c23824a1b71b391c85f94c3e8442063e79
SHA512

a188b492b980abdca1b4ac49fd6169a37c6ae997bdb9c83e77c5c18aa81b23b9ca24e9544b1f9548d079daae9360e4a50ee0a64a2a2411fd0182eebc2aa084a8
SSDEEP

24576:h1OYdaOdMtdHAqcdDVhYwiei7+EpFAh/kKA:h1OswPHVmVhYwiLtKkKA

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

2WFpPxpsPgaKoAt.exe

pid process

4620 2WFpPxpsPgaKoAt.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

2WFpPxpsPgaKoAt.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmelfbighopoefnbemlmophnbcakdmba\2.0\manifest.json	2WFpPxpsPgaKoAt.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmelfbighopoefnbemlmophnbcakdmba\2.0\manifest.json	2WFpPxpsPgaKoAt.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmelfbighopoefnbemlmophnbcakdmba\2.0\manifest.json	2WFpPxpsPgaKoAt.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmelfbighopoefnbemlmophnbcakdmba\2.0\manifest.json	2WFpPxpsPgaKoAt.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmelfbighopoefnbemlmophnbcakdmba\2.0\manifest.json	2WFpPxpsPgaKoAt.exe

Drops file in System32 directory 4 IoCs

Processes:

2WFpPxpsPgaKoAt.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	2WFpPxpsPgaKoAt.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	2WFpPxpsPgaKoAt.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	2WFpPxpsPgaKoAt.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	2WFpPxpsPgaKoAt.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

2WFpPxpsPgaKoAt.exe

pid	process
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe
4620	2WFpPxpsPgaKoAt.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

2WFpPxpsPgaKoAt.exe

description	pid	process
Token: SeDebugPrivilege	4620	2WFpPxpsPgaKoAt.exe
Token: SeDebugPrivilege	4620	2WFpPxpsPgaKoAt.exe
Token: SeDebugPrivilege	4620	2WFpPxpsPgaKoAt.exe
Token: SeDebugPrivilege	4620	2WFpPxpsPgaKoAt.exe
Token: SeDebugPrivilege	4620	2WFpPxpsPgaKoAt.exe
Token: SeDebugPrivilege	4620	2WFpPxpsPgaKoAt.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a77f78d1ab82842c4f95a1e00b7df3c23824a1b71b391c85f94c3e8442063e79.exe

description	pid	process	target process
PID 3112 wrote to memory of 4620	3112	a77f78d1ab82842c4f95a1e00b7df3c23824a1b71b391c85f94c3e8442063e79.exe	2WFpPxpsPgaKoAt.exe
PID 3112 wrote to memory of 4620	3112	a77f78d1ab82842c4f95a1e00b7df3c23824a1b71b391c85f94c3e8442063e79.exe	2WFpPxpsPgaKoAt.exe
PID 3112 wrote to memory of 4620	3112	a77f78d1ab82842c4f95a1e00b7df3c23824a1b71b391c85f94c3e8442063e79.exe	2WFpPxpsPgaKoAt.exe

C:\Users\Admin\AppData\Local\Temp\a77f78d1ab82842c4f95a1e00b7df3c23824a1b71b391c85f94c3e8442063e79.exe
"C:\Users\Admin\AppData\Local\Temp\a77f78d1ab82842c4f95a1e00b7df3c23824a1b71b391c85f94c3e8442063e79.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3112

C:\Users\Admin\AppData\Local\Temp\7zS82D1.tmp\2WFpPxpsPgaKoAt.exe
.\2WFpPxpsPgaKoAt.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS82D1.tmp\2WFpPxpsPgaKoAt.dat
Filesize
1KB

MD5
012bbab1e99d2eabd4d975b3eb142af0

SHA1
da0b1f84dbe8b388f5505e685e933ce851871083

SHA256
2d8b62bd24e42db5ce70efd34fe800a3c8bc22cdf2ad4917a835471c78dd559c

SHA512
1a1eaab10788ba5ed8b3cc3b692ed9f41afbef1c47d861d3933f87696500335b695d1e13d8d93733a65b674593a8c1abb63172a1d2ae0c6dfc3011fc83443021

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82D1.tmp\2WFpPxpsPgaKoAt.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82D1.tmp\2WFpPxpsPgaKoAt.exe
Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82D1.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82D1.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
2779207c46fdd7b5950520e41a857e32

SHA1
338c7d465a69f83e89eb666fddfb344e52b6726d

SHA256
7c6deb31671c70bf490f0cace71e4425a633c2feeb839ec232e69de2e4448e9f

SHA512
97b4dc39f32aa347d8e738e6215e9af21b98b5315d074a3b48ad5a64bc50ec43cae61ab86c13d3e13a6f8ea3bc23ef185e2d157106c728a7791e4796feb60235

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82D1.tmp\[email protected]\content\bg.js
Filesize
8KB

MD5
f70b219b85dfbddc6b3695a972427cd2

SHA1
9691e6369d465b191867ee04d696aab6e2c5c44b

SHA256
6b16f826c5107e16e4d3481f138952ff3df163fc177eba3e8b096d3b612fbc42

SHA512
47ac1fd3878f497c70e926ff45e254c64e18a1513aa796f74c41faf9216eeaebfdae1939d2d33ac0ab7d9500684616f8192f5bb320e0e50ce6b9e0c421dfceb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82D1.tmp\[email protected]\install.rdf
Filesize
591B

MD5
f585832e077dafd015932a418b6caceb

SHA1
a5558f6b8e111eeb2bf27e00907b61801b365322

SHA256
3d4f688d8f57b3a4c522f3700f3ff9f8483f9536e89ab18b546b53f67fb4f7ff

SHA512
1062c73bfbf7f8f208bc9e151094b2375b339067df55f460b9ac266d79c5afed8920a183a9f024e0270a1e26f0baf93abd1a45248d57703b20f513b4d22d0745

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82D1.tmp\cmelfbighopoefnbemlmophnbcakdmba\background.html
Filesize
138B

MD5
7a912a60f22ea7551c8963bfca69c34e

SHA1
b442b0fee4040c584faf43f12fb785f0c604779e

SHA256
04070a18d838fd9651aaaaa2ce216d2b9feb53b24de8a4d3aaf874b3654a8c4c

SHA512
162e96381f3c06be4b765d9475decbfc3037efcfffb115a11665e4a656bc9bc6ef9c574817c5fd358d3720d6dff28796447500be042157e982f73bb2d9d85a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82D1.tmp\cmelfbighopoefnbemlmophnbcakdmba\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82D1.tmp\cmelfbighopoefnbemlmophnbcakdmba\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82D1.tmp\cmelfbighopoefnbemlmophnbcakdmba\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS82D1.tmp\cmelfbighopoefnbemlmophnbcakdmba\p.js
Filesize
6KB

MD5
0ba9759032c6da44df3c03560bdbf267

SHA1
5f11aa970701f54006e2617a91d6a39da695f657

SHA256
8054c1cfeff979bfe224be05f644c7635ab00e75b819adb95d2df57d5c2234a2

SHA512
854ca8208fc46943fb1ebbebf13a1cb01a79cd6dc56dc9823520a0b365e28ce8f3db429e559a29f69afb16c338d502474006bd744bac0831ce9916028e9b2bd9

Download Submit
memory/4620-132-0x0000000000000000-mapping.dmp

Download