55754cf5a5728edbebf18da0805ecbf1893ce44138e0e60a9e91efdc224e1b0b

Analysis

max time kernel
185s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55754cf5a5728edbebf18da0805ecbf1893ce44138e0e60a9e91efdc224e1b0b.exe
Size

799KB
MD5

d3aa0f287e10093b38d7ebc2d666a3f2
SHA1

275556fb3cb99a169b564d92e8de89939435d7c8
SHA256

55754cf5a5728edbebf18da0805ecbf1893ce44138e0e60a9e91efdc224e1b0b
SHA512

aa44d3a357f0ce76751ea8ab1c7ce0b2a28791ac675d7b7280c3699c615bfa531e21e480ca658f7759d8685a90aa07a7605798a874b7cd0770c5b38a589b29ac
SSDEEP

24576:h1OYdaOwSF5ve9uhPmFZO3htj3sqMEsIg2dHMLbDpdUJ4uKGv5NCPCoupDxkxoKg:h1Os+Fo42dYDe4NCD

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4892	5vMFghjy9rmuou7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\peaggocpligmfhjiakomddphfipcbmga\2.0\manifest.json	5vMFghjy9rmuou7.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\peaggocpligmfhjiakomddphfipcbmga\2.0\manifest.json	5vMFghjy9rmuou7.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\peaggocpligmfhjiakomddphfipcbmga\2.0\manifest.json	5vMFghjy9rmuou7.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\peaggocpligmfhjiakomddphfipcbmga\2.0\manifest.json	5vMFghjy9rmuou7.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\peaggocpligmfhjiakomddphfipcbmga\2.0\manifest.json	5vMFghjy9rmuou7.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	5vMFghjy9rmuou7.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	5vMFghjy9rmuou7.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	5vMFghjy9rmuou7.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	5vMFghjy9rmuou7.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4892	5vMFghjy9rmuou7.exe
4892	5vMFghjy9rmuou7.exe
4892	5vMFghjy9rmuou7.exe
4892	5vMFghjy9rmuou7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 4892	4868	55754cf5a5728edbebf18da0805ecbf1893ce44138e0e60a9e91efdc224e1b0b.exe	79
PID 4868 wrote to memory of 4892	4868	55754cf5a5728edbebf18da0805ecbf1893ce44138e0e60a9e91efdc224e1b0b.exe	79
PID 4868 wrote to memory of 4892	4868	55754cf5a5728edbebf18da0805ecbf1893ce44138e0e60a9e91efdc224e1b0b.exe	79

C:\Users\Admin\AppData\Local\Temp\55754cf5a5728edbebf18da0805ecbf1893ce44138e0e60a9e91efdc224e1b0b.exe
"C:\Users\Admin\AppData\Local\Temp\55754cf5a5728edbebf18da0805ecbf1893ce44138e0e60a9e91efdc224e1b0b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\AppData\Local\Temp\7zS203.tmp\5vMFghjy9rmuou7.exe
  .\5vMFghjy9rmuou7.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS203.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS203.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
48006b1fe64495b9777f6755a03604a1

SHA1
51ee2952bddd1f437d2176739be7324c868edd33

SHA256
aa1edd77986daccf571109a57a26e22d3fc7524ec8a07295cc0571cde5d726b4

SHA512
1909bf35f26cd40a749b55a8467216cb044d4bc041464352c07657f0a496ab63183ab016c0e2ccdf8ef427f446721c95a2b7e4cf1d8ac425354e94aba7befa83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS203.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
85065fd806d66c1dae2da38254c07ccb

SHA1
9848aa2daeaed903636d8fb331e69368faae0fa8

SHA256
1dee3fb347cd5ae7f54cc5075f1cc2517313263cdf515778c78f9326dd539a4e

SHA512
3833da4a269ec9174b0cb2656e54066a164775afab87e1f9e2baa2a1db1f0d9a6179ae10a7fcf9f1ec6ab87dee9d971e61bf31a35914d6f5f666b9d899db7e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS203.tmp\[email protected]\install.rdf

Filesize
594B

MD5
84a709a5f1dd60a4166f785345e8e4cb

SHA1
eba646184768a604b12f4cba4603e8e8970d7398

SHA256
93087661809787f9d0f343e0c7770073ea48e3de71439ff5bd05397fe0ea6e1a

SHA512
a435dd42b0d7d532461fcf531c9f37d820c1eb0962da622abc02090584d79e9dd9bcdb5d8ab3ecf96fc5c3f7704f481d6c491e7bf6dd997159e94a9b27f43f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS203.tmp\5vMFghjy9rmuou7.dat

Filesize
1KB

MD5
166e76e97f3a73006ac16594db9681b8

SHA1
8f0fdf1a05e1a372c6d1eb2c89fe96ce66d9aec9

SHA256
39aa6bbcd11824f75e817e74d413a061a7c8141f397700d31ecd17fe68af0fbf

SHA512
62dd2870b65f15b86f712826005d4d2598c5f80ee767e79a7a68523e41c4f3b4e3eca01600d1b679cf170f0f681e179b507464e97b79d3d6ac4f02def283d4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS203.tmp\5vMFghjy9rmuou7.exe

Filesize
641KB

MD5
1d450f8118ecfa3379fc5dcfa2c41b4a

SHA1
2f07e678ef051ba34aacc387b9aedf019d06aa12

SHA256
1d3dea1457f9ec4d083007b487ff94106ff562be4a4ed3e2ba41b8541d0037a5

SHA512
08e81e8fc03eaeb0f5635994ca05be57ac87b8d80a5be2781a95c96fae513559f940d89d23465f57064f31260969c74431108dfc87d86788b0c7b4a053914d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS203.tmp\5vMFghjy9rmuou7.exe

Filesize
641KB

MD5
1d450f8118ecfa3379fc5dcfa2c41b4a

SHA1
2f07e678ef051ba34aacc387b9aedf019d06aa12

SHA256
1d3dea1457f9ec4d083007b487ff94106ff562be4a4ed3e2ba41b8541d0037a5

SHA512
08e81e8fc03eaeb0f5635994ca05be57ac87b8d80a5be2781a95c96fae513559f940d89d23465f57064f31260969c74431108dfc87d86788b0c7b4a053914d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS203.tmp\peaggocpligmfhjiakomddphfipcbmga\BJRtlbySio.js

Filesize
6KB

MD5
edbf2cb261cdc430f772cc6ab6d541eb

SHA1
0dbfd6e37b8bbf76b48b74577e76e9172bf65350

SHA256
4b37dd4b69aad4cc1d33ee22bcc7fa53e5826cd22bac6a35de1e8d0ec727ae93

SHA512
f15c95bc42c1dd55aaffbb99590bde3c2bacdafbd20b9c880e1f9237fb8e03f3d14807d1618ce6543aaa8453787b08b028d602c17eb0df914868aadb50c3034f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS203.tmp\peaggocpligmfhjiakomddphfipcbmga\background.html

Filesize
147B

MD5
e3a22df02859598061442379f25e71d0

SHA1
c75868ef43819855e5177500e3b63d0723f4a671

SHA256
10b9e85e0cff64e2f5da2a3e0f005bffccb84d4831fc1e3003abc765802de20e

SHA512
ed90b805618c045e6f59d560cf08f2d2be6ff9f0ffd4da1978f2e4a58a56b05bc3c333d3da1470fda79a1acf86437a4a2639917e2886610e98ef44b4a3a44e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS203.tmp\peaggocpligmfhjiakomddphfipcbmga\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS203.tmp\peaggocpligmfhjiakomddphfipcbmga\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS203.tmp\peaggocpligmfhjiakomddphfipcbmga\manifest.json

Filesize
498B

MD5
b121e770c886867496b2cfcc12248de7

SHA1
3f2f848a541abec9ebe9b2e6b816a6e73356b4d2

SHA256
7d06478640818cf54a9df8c6174032c998fb8e9677a5649c8b8cc2755179bd35

SHA512
7260df588c06f64c0f85608106cc832083a7199541f79b7da1cd61d9660551d239fb684e9673131a3f22c9ddccaa7c317e753e15684d573d2779d7e206add03c

Download Submit
memory/4892-132-0x0000000000000000-mapping.dmp

Download