Analysis
-
max time kernel
214s -
max time network
230s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system -
submitted
25-11-2022 01:59
Static task
static1
Behavioral task
behavioral1
Sample
4914ce75958376d9601785456e55037a4772dccd426313d86f3c6641bae303c4.exe
Resource
win7-20221111-en
General
-
Target
4914ce75958376d9601785456e55037a4772dccd426313d86f3c6641bae303c4.exe
-
Size
931KB
-
MD5
96ec63e688f8183c07d3302c374b8937
-
SHA1
43a5e8a0f054caf76590e0af756f544c82c188a3
-
SHA256
4914ce75958376d9601785456e55037a4772dccd426313d86f3c6641bae303c4
-
SHA512
43e0e45556f53b8ef1ea6c4cb193184a8cce7e87ab1a78589e7241dfd65dfbf30eecfac9c4f025a1f0a9543aa493767155d364a4947f35305aec420dcac542a4
-
SSDEEP
24576:h1OYdaOTCZ/iWCvu/2sWsJA/jlt+DHhsV:h1OspCpYO/dJJDHhsV
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
4140 | mZcjwYaRV7g3L5L.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 5 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijjkamogbheenoedfoegiobbnnfbooin\2.0\manifest.json | mZcjwYaRV7g3L5L.exe
File created | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijjkamogbheenoedfoegiobbnnfbooin\2.0\manifest.json | mZcjwYaRV7g3L5L.exe
File created | C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijjkamogbheenoedfoegiobbnnfbooin\2.0\manifest.json | mZcjwYaRV7g3L5L.exe
File created | C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijjkamogbheenoedfoegiobbnnfbooin\2.0\manifest.json | mZcjwYaRV7g3L5L.exe
File created | C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijjkamogbheenoedfoegiobbnnfbooin\2.0\manifest.json | mZcjwYaRV7g3L5L.exe
-
Drops file in System32 directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\GroupPolicy | mZcjwYaRV7g3L5L.exe
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | mZcjwYaRV7g3L5L.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | mZcjwYaRV7g3L5L.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | mZcjwYaRV7g3L5L.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
pid | process
4140 | mZcjwYaRV7g3L5L.exe (20 identical entries)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4140 | mZcjwYaRV7g3L5L.exe (6 identical entries)
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 4520 wrote to memory of 4140 | 4520 | 4914ce75958376d9601785456e55037a4772dccd426313d86f3c6641bae303c4.exe | mZcjwYaRV7g3L5L.exe (3 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\4914ce75958376d9601785456e55037a4772dccd426313d86f3c6641bae303c4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4914ce75958376d9601785456e55037a4772dccd426313d86f3c6641bae303c4.exe"
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\7zSB3BF.tmp\mZcjwYaRV7g3L5L.exe
    Command line: .\mZcjwYaRV7g3L5L.exe
    - Executes dropped EXE
    - Drops Chrome extension
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zSB3BF.tmp\[email protected]\bootstrap.js
Filesize 2KB
MD5 df13f711e20e9c80171846d4f2f7ae06
SHA1 56d29cda58427efe0e21d3880d39eb1b0ef60bee
SHA256 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
SHA512 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e
-
C:\Users\Admin\AppData\Local\Temp\7zSB3BF.tmp\[email protected]\chrome.manifest
Filesize 35B
MD5 e08ec328ea02a52a922b098d755189a0
SHA1 b92360d6c4347fe6539fca65c6ff0801adb957c0
SHA256 763ef4e2fc795ca3e4bc0b20c41b589da480c638dbe9c93f26d996771f896ce6
SHA512 f6c53e7075a07848f82f53625558eb08172e572c90aee7d0a300c15aee819725a338293dc3d76331f60d9473747240035de005a7f5c7a24697740fddbc45612d
-
C:\Users\Admin\AppData\Local\Temp\7zSB3BF.tmp\[email protected]\content\bg.js
Filesize 8KB
MD5 88684ee37b3ab5c86f1fb8a6f3be2b76
SHA1 f016156f38ee1d25eb378e0c82799e064c838393
SHA256 b614ae9c26143e6ad98ec0c2824b5418f4a758d233764772ba0fddd86d77853a
SHA512 ad80d29ee313ba92d2445c70e4c172126ff149778f33b8fd2ab322109246c4875cee68f6e206e6fc1ba97a3de20027134402df9d332058e5169a59b7d03903c8
-
C:\Users\Admin\AppData\Local\Temp\7zSB3BF.tmp\[email protected]\install.rdf
Filesize 597B
MD5 18d89e22444891468b85912dd1161756
SHA1 378267f18cc0f733603813b74189eacfdadf45f3
SHA256 9aff294c3ad848c0e37d90e265b0c97fd25d8bcdbb0a017c071b318a92caa638
SHA512 a63be1d58c07d0077edcf1cf2dad6a6e58f0f1348804e54be5f2aba391064d09624491b08818599573e4ee26af4e416e49faaef11d57bf1f23c9b968317037e3
-
C:\Users\Admin\AppData\Local\Temp\7zSB3BF.tmp\ijjkamogbheenoedfoegiobbnnfbooin\K452.js
Filesize 6KB
MD5 e82e42975371bd8a2efe76dc3d34bad7
SHA1 b98b794ff8ee7cdce6c5f32e2ea3a77cca449aef
SHA256 ee5a0ec821b427cb314fb701e3ae7236fb0f4a4cdeaf15289de6cbb7483706d4
SHA512 7ac340941b9786faa2432da36953baf7ccaf5560bd914079e4902d98c839b587dbe261af07950d1ad3921501eb05d31928c262bd9ee2b89f7b5c4b74490c2420
-
C:\Users\Admin\AppData\Local\Temp\7zSB3BF.tmp\ijjkamogbheenoedfoegiobbnnfbooin\background.html
Filesize 141B
MD5 1334e5d484b09fda455f1c5f47dbf085
SHA1 62fb66fd3596663d40ae401c962e5f29edc5308c
SHA256 b889d42c1a4f2ff04fe5e7036354eb439cc8289cd692710be355effb540ed3ba
SHA512 ed0490d61f230e11369c1ed62af5ec708344771560ec14594024844e2985144c58a91775e57d3a0041f4d5246134bc0f876f2cce168e400f73cbf9585c5bcb53
-
C:\Users\Admin\AppData\Local\Temp\7zSB3BF.tmp\ijjkamogbheenoedfoegiobbnnfbooin\content.js
Filesize 144B
MD5 fca19198fd8af21016a8b1dec7980002
SHA1 fd01a47d14004e17a625efe66cc46a06c786cf40
SHA256 332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
SHA512 60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47
-
C:\Users\Admin\AppData\Local\Temp\7zSB3BF.tmp\ijjkamogbheenoedfoegiobbnnfbooin\lsdb.js
Filesize 531B
MD5 36d98318ab2b3b2585a30984db328afb
SHA1 f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
SHA256 ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
SHA512 6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a
-
C:\Users\Admin\AppData\Local\Temp\7zSB3BF.tmp\ijjkamogbheenoedfoegiobbnnfbooin\manifest.json
Filesize 498B
MD5 640199ea4621e34510de919f6a54436f
SHA1 dc65dbfad02bd2688030bd56ca1cab85917a9937
SHA256 e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af
SHA512 d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a
-
C:\Users\Admin\AppData\Local\Temp\7zSB3BF.tmp\mZcjwYaRV7g3L5L.dat
Filesize 1KB
MD5 e84d301a55c4a7a15702ea30b55988d0
SHA1 24999f87d6a58125d7692bdb616ea922b9ab90db
SHA256 c4a8f857dacf8457526ce817e4109883ed37d0a43d5ea98cc5f09d066669af07
SHA512 5cb2e2eed949b962a10bf881654f5c3b5f86ab52888ff85def737a278f16860fccfc89543ef22a792bb8c39d1f278ebc7f1c5e98f6ddcb2bef7ec22079ba95c9
-
C:\Users\Admin\AppData\Local\Temp\7zSB3BF.tmp\mZcjwYaRV7g3L5L.exe
Filesize 772KB
MD5 5ed7019dcd0008dbcd8e54017b8c7dd9
SHA1 7e4457da2ff06c2170bad636c9eb7c1bb436fd06
SHA256 7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7
SHA512 10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db
-
memory/4140-132-0x0000000000000000-mapping.dmp