Analysis
-
max time kernel
183s -
max time network
187s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted
25-11-2022 01:57
Static task
static1
Behavioral task
behavioral1
Sample
49708bd52625240f0b7fd7ef37e76f990f5442267a60a8439e23a81fad3dcc98.exe
Resource
win7-20220812-en
General
-
Target
49708bd52625240f0b7fd7ef37e76f990f5442267a60a8439e23a81fad3dcc98.exe
-
Size
920KB
-
MD5
ce01b43beee068099fe14f09740bcd67
-
SHA1
831279411ff4b4260c664604c6f8435e4655471a
-
SHA256
49708bd52625240f0b7fd7ef37e76f990f5442267a60a8439e23a81fad3dcc98
-
SHA512
9e096dabbcb68d6e38d6617cf0571bfab02d704779a7bd1c8281628d33c60ae7cb66bf3226ee00c3928f5fabd55166ad45d366f0b587fb7414a866587acef17f
-
SSDEEP
24576:h1OYdaOyMtdHAqcdDVhYwiei7+EpFAh/kK5:h1OsfPHVmVhYwiLtKkK5
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
4440  TPTx76TFoPUjMuf.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 5 IoCs
Processes:
description   ioc   process
File created   C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\leaciiceikaahjakhknehcdgiiolbekl\2.0\manifest.json   TPTx76TFoPUjMuf.exe
File created   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\leaciiceikaahjakhknehcdgiiolbekl\2.0\manifest.json   TPTx76TFoPUjMuf.exe
File created   C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\leaciiceikaahjakhknehcdgiiolbekl\2.0\manifest.json   TPTx76TFoPUjMuf.exe
File created   C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\leaciiceikaahjakhknehcdgiiolbekl\2.0\manifest.json   TPTx76TFoPUjMuf.exe
File created   C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\leaciiceikaahjakhknehcdgiiolbekl\2.0\manifest.json   TPTx76TFoPUjMuf.exe
-
Drops file in System32 directory 4 IoCs
Processes:
description   ioc   process
File opened for modification   C:\Windows\System32\GroupPolicy   TPTx76TFoPUjMuf.exe
File opened for modification   C:\Windows\SysWOW64\GroupPolicy\gpt.ini   TPTx76TFoPUjMuf.exe
File created   C:\Windows\System32\GroupPolicy\Machine\Registry.pol   TPTx76TFoPUjMuf.exe
File opened for modification   C:\Windows\System32\GroupPolicy\GPT.INI   TPTx76TFoPUjMuf.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
pid   process
4440  TPTx76TFoPUjMuf.exe   (this row is repeated 20 times in the report, one per IoC)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description   pid   process
Token: SeDebugPrivilege   4440   TPTx76TFoPUjMuf.exe   (this row is repeated 6 times in the report, one per IoC)
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description   pid   process   target process
PID 1328 wrote to memory of 4440   1328   49708bd52625240f0b7fd7ef37e76f990f5442267a60a8439e23a81fad3dcc98.exe   TPTx76TFoPUjMuf.exe   (this row is repeated 3 times in the report, one per IoC)
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\49708bd52625240f0b7fd7ef37e76f990f5442267a60a8439e23a81fad3dcc98.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\49708bd52625240f0b7fd7ef37e76f990f5442267a60a8439e23a81fad3dcc98.exe"
- Suspicious use of WriteProcessMemory
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\7zSB621.tmp\TPTx76TFoPUjMuf.exe
Command line: .\TPTx76TFoPUjMuf.exe
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Depth 1: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
-
Depth 1: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zSB621.tmp\TPTx76TFoPUjMuf.dat
Filesize
1KB
MD5
0402ad1c26cfc9102a038be828c31050
SHA1
fb2e0e9bde660746e127a032db8c0a8276d2f196
SHA256
cd236d197ff8ef6d1079c7e167eda64d8de7268ff44eb31b291b749df02f13da
SHA512
67c65b334882e59e5dfdb722a22a72298d834de8fce32049d0cd92eb8d614477b0521406b06ef2adb30320fe379e062cdef722066522f22fb5ccdad96485a5a1
-
C:\Users\Admin\AppData\Local\Temp\7zSB621.tmp\TPTx76TFoPUjMuf.exe
Filesize
760KB
MD5
dcd148f6f3af3e3b0935c4fcc9f41811
SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd
SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4
SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886
-
C:\Users\Admin\AppData\Local\Temp\7zSB621.tmp\leaciiceikaahjakhknehcdgiiolbekl\background.html
Filesize
141B
MD5
31ea3f87f6cf325b76f8bd998697f1bc
SHA1
665e9616f64bb0826d85a459a0b90abf0560179c
SHA256
326911fd049c29ca91e3ac7588653509c98129c5f9a13e01f011dbf9e5ab010c
SHA512
0f3240d946249c591a34fcc5f107250fd08daf52203b118bb1a7c3f3aac4a644c847c78a277c7ca65b14adbc121619db603983a5b0c2798c54fb04a080db59d3
-
C:\Users\Admin\AppData\Local\Temp\7zSB621.tmp\leaciiceikaahjakhknehcdgiiolbekl\content.js
Filesize
144B
MD5
fca19198fd8af21016a8b1dec7980002
SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40
SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47
-
C:\Users\Admin\AppData\Local\Temp\7zSB621.tmp\leaciiceikaahjakhknehcdgiiolbekl\lsdb.js
Filesize
531B
MD5
36d98318ab2b3b2585a30984db328afb
SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a
-
C:\Users\Admin\AppData\Local\Temp\7zSB621.tmp\leaciiceikaahjakhknehcdgiiolbekl\manifest.json
Filesize
498B
MD5
640199ea4621e34510de919f6a54436f
SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937
SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af
SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a
-
C:\Users\Admin\AppData\Local\Temp\7zSB621.tmp\leaciiceikaahjakhknehcdgiiolbekl\sih7.js
Filesize
6KB
MD5
80f92f92e75e4a60299882b975dee398
SHA1
5e5a46f9dd55c65a33a5a0e2e384f4770ffb6356
SHA256
8df361f46ce8fc59e7997b33cdc39ded1856ff3f5fb55bb07b9763cf388e9254
SHA512
0bbb389aa84f57bfd48649b96250143177394d5c82b715893a5492ce4f146e2280fcabbd3eceb71f70c0a1d213842ce14e65a0aae70aa1a632977a011c4025d3
-
C:\Users\Admin\AppData\Local\Temp\7zSB621.tmp\[email protected]\bootstrap.js
Filesize
2KB
MD5
df13f711e20e9c80171846d4f2f7ae06
SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee
SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e
-
C:\Users\Admin\AppData\Local\Temp\7zSB621.tmp\[email protected]\chrome.manifest
Filesize
35B
MD5
a1177fa9862ab5e43781625b3d8948fe
SHA1
c74c94d8bc4db2af47a1452da23632f112ec8e84
SHA256
23b4087d8073512b16fee77c4a78f47b05f485566e94890de49bc6966ef147a6
SHA512
9e6afc5da2cdbc081ff021deb1264f3c957f427922e67b82fde0f2bf5c4a6af9e922c441ff7f25ea63c2b9ba4ae4ce6d0b344c383fb5211717dc2ce4da5b1f6c
-
C:\Users\Admin\AppData\Local\Temp\7zSB621.tmp\[email protected]\content\bg.js
Filesize
8KB
MD5
ca9fd84668b24b4e1160fbcc1735aa58
SHA1
218dedb6e8b3b208396b377d35579b8c5c82e317
SHA256
68157721749c4d3d78cdce258627077bb5e4a214480f218c1ea2d87d653008cd
SHA512
4ebad99250973e4bd19887c6df7e730e1245db1cfe1959cf2b0279dac06e454c2485835f23dfe9ff193285063ac70042d993b0971c7a2a740d9177c392533996
-
C:\Users\Admin\AppData\Local\Temp\7zSB621.tmp\[email protected]\install.rdf
Filesize
592B
MD5
f47f51d69bf8725afb8ffb8b43fa3d57
SHA1
3934ce9f1076756d953bd71b51d897b2c9fbd501
SHA256
bacb7a7b62c5b6083305932b3f1fab6303f60517fc78b6fab541bba049d0b026
SHA512
204ca6a49814d1f45f3c66cad8c0ad95a16f57ccef8cc3e7d53b41e5b298bc0eac87059a3a85e991252ccaeabdeb5bdc6139553954cdead44b5dfa4ccd660a74
-
memory/4440-132-0x0000000000000000-mapping.dmp