6a77f338d09f9cc905e69704ffc9cb34cd3ffa29393eb113f1a297eb8b6e7587

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a77f338d09f9cc905e69704ffc9cb34cd3ffa29393eb113f1a297eb8b6e7587.exe
Size

789KB
MD5

9cad1b8a2c8c9d025ff26e923f629832
SHA1

7d5032dee0967f90c208a8e55c31a00906ec9ebb
SHA256

6a77f338d09f9cc905e69704ffc9cb34cd3ffa29393eb113f1a297eb8b6e7587
SHA512

a347d103a004e7356ef8c04c404761520d7b2287fdd7c57a915edf0295f4fa3b302ef3ef7764573e6524157979e7504a8a41341b498ea76068e384b248ade036
SSDEEP

24576:h1OYdaOyObOGM9WKfwIBWe9IWK7f6jd9YMhKTOoRx:h1OsiYIGWkf6jd9YMhKKS

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
868	bzi8YU610zh6BiL.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohgdeakodpagmllpkojbgdipoimokpke\2.0\manifest.json	bzi8YU610zh6BiL.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohgdeakodpagmllpkojbgdipoimokpke\2.0\manifest.json	bzi8YU610zh6BiL.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohgdeakodpagmllpkojbgdipoimokpke\2.0\manifest.json	bzi8YU610zh6BiL.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohgdeakodpagmllpkojbgdipoimokpke\2.0\manifest.json	bzi8YU610zh6BiL.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ohgdeakodpagmllpkojbgdipoimokpke\2.0\manifest.json	bzi8YU610zh6BiL.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	bzi8YU610zh6BiL.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	bzi8YU610zh6BiL.exe
File opened for modification	C:\Windows\System32\GroupPolicy	bzi8YU610zh6BiL.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	bzi8YU610zh6BiL.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
868	bzi8YU610zh6BiL.exe
868	bzi8YU610zh6BiL.exe
868	bzi8YU610zh6BiL.exe
868	bzi8YU610zh6BiL.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 868	4732	6a77f338d09f9cc905e69704ffc9cb34cd3ffa29393eb113f1a297eb8b6e7587.exe	81
PID 4732 wrote to memory of 868	4732	6a77f338d09f9cc905e69704ffc9cb34cd3ffa29393eb113f1a297eb8b6e7587.exe	81
PID 4732 wrote to memory of 868	4732	6a77f338d09f9cc905e69704ffc9cb34cd3ffa29393eb113f1a297eb8b6e7587.exe	81

C:\Users\Admin\AppData\Local\Temp\6a77f338d09f9cc905e69704ffc9cb34cd3ffa29393eb113f1a297eb8b6e7587.exe
"C:\Users\Admin\AppData\Local\Temp\6a77f338d09f9cc905e69704ffc9cb34cd3ffa29393eb113f1a297eb8b6e7587.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Local\Temp\7zSA0F8.tmp\bzi8YU610zh6BiL.exe
  .\bzi8YU610zh6BiL.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSA0F8.tmp\bzi8YU610zh6BiL.dat

Filesize
1KB

MD5
ac8e562568afcab26c81fbc3869576ca

SHA1
85b36304ffaf49cbd571f88d6bec95993170846f

SHA256
6628abafc0ceb4b5390fb044ea184a4a17af6ae86ddfd62e55119814ecb32bfa

SHA512
0582efa9eb991089abbc83fca2cc53029acaa1f8522060dae417f5e4f245de71ea001a401559141c80eb40b5c400821d6feb4b22ed1bb7e37231fd4982bce6ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0F8.tmp\bzi8YU610zh6BiL.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0F8.tmp\bzi8YU610zh6BiL.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0F8.tmp\ohgdeakodpagmllpkojbgdipoimokpke\bRBe2Vaa7m.js

Filesize
6KB

MD5
1f1fbafa7db44f439bc830720b40228c

SHA1
456194f9af89a7432a1a9c27706b894062d57ace

SHA256
045495cc60ac5c7323006d39f321a49d8286c4a92a2366bcfcf8ae9dbeb49f76

SHA512
1f79cb898786725fdc282b607f6ca8702327ef91dd5a2a018903b3130a39e71ebddd419241a45afa22c671df8c2c4f8d868468338b3ddee871cf1d00e85c36c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0F8.tmp\ohgdeakodpagmllpkojbgdipoimokpke\background.html

Filesize
147B

MD5
13b6b40282b5fdb2dff589c957319aa6

SHA1
d4a36a2a431237ce6ee83415f6fa770d04e5910b

SHA256
ed6cee4775c8eca5d7f6bf98c5bb7aa2924d8d3d70dc5a06d8f678873825927d

SHA512
42fbf3d7ff6c21cfcf78523d69d85af204724cabb7cea2a84996ddfe3a31337214ff6e75ab4ea07bd08587f214d2b1d1b244c1f3a6178bbab8ee483f3317d36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0F8.tmp\ohgdeakodpagmllpkojbgdipoimokpke\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0F8.tmp\ohgdeakodpagmllpkojbgdipoimokpke\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0F8.tmp\ohgdeakodpagmllpkojbgdipoimokpke\manifest.json

Filesize
500B

MD5
77e263bdd0c3a459e214ba7638ea5c7b

SHA1
0411201ea1d913601eb2262f6e5d6d8d0987f84d

SHA256
fa249a96db0ee287c1d4f68207d42dff1cb8378551e31109ec49fe7efeb94083

SHA512
61e5b1f85e59a2b0c9b93b242aeb7caa17b0b782e97c67324f4ec151a68008b258ca475e2ed6d563e22b898f50b1cc91bbe398649d7e7d1f9667d25736e97372

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0F8.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0F8.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
d7dd999f8b04c246d8f8c83f9873fc9c

SHA1
65db1cdf3b733ab11e3ca1225b8fb3fe733be494

SHA256
66d7b4c102dad4c66b620ff5a7fb6f235053a95635924bc7bc289ec370e797c2

SHA512
05c879fc95c82dbab51d89ab760ea93b4f631d155d7b475a981c37e203e3e9b385b5bf456ca50b78161f4454b89c643194df4821b0adb0e892ef57960c7ec0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0F8.tmp\[email protected]\content\bg.js

Filesize
9KB

MD5
907fd48ed896ae73f6e76968ad53723e

SHA1
c0fd109b2df4220f39389d01f22a4c6b865c9d64

SHA256
24890b960420b266cf369e38d7103f654e1d8a5c3430d1cfda2c860758be4a3f

SHA512
5d227e1eb58daa1e3e0313ac72705b044b0199a46c21efeb2f49c1a309c68680ed539de0647dafea12f58f2d8426c73610de302dfdf1666c6d2f4ff5fe45c422

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0F8.tmp\[email protected]\install.rdf

Filesize
600B

MD5
5dba90eb1e138fd9e4c1d3df0afd47e8

SHA1
ce6f12a89fe7d4663d486a2b4d43262a050ca41e

SHA256
eb9e6c596e8ff5589e7f5564f0bfdef9224910cf8a06046818b9817839b3e758

SHA512
a533e96f8fe7e3869720d0520d58a84394d1f8765ba6b55a613b09a1f9f55715c91f0ba57f44fa8e272c2c722b4887bd6ffea44fa9700b672b969e48bd64382d

Download Submit