47e4ea14c9064327f02957a7a2ba34895f3cac775d46843d2c020e3a1c54a1ff

Analysis

max time kernel
155s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47e4ea14c9064327f02957a7a2ba34895f3cac775d46843d2c020e3a1c54a1ff.exe
Size

932KB
MD5

aac58630d07349de23375340f6e40256
SHA1

de07b060338200c39af716cc5898f505e609f104
SHA256

47e4ea14c9064327f02957a7a2ba34895f3cac775d46843d2c020e3a1c54a1ff
SHA512

d3421fc3c4c7b9b5b3a17ec66afc0f69219af033ee3f5b4de531ba2a89f35f8fd1333bb407a75e00b6fa4d40474b8a3ea9be376b02c93656a492db60a47a6320
SSDEEP

24576:h1OYdaOgCZ/iWCvu/2sWsJA/jlt+DHhsn:h1OsmCpYO/dJJDHhsn

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

260rFhqdONnCd2q.exe

pid process

2016 260rFhqdONnCd2q.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

260rFhqdONnCd2q.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjgnkclhenfehdbiinnmemhhbdlkebde\2.0\manifest.json	260rFhqdONnCd2q.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjgnkclhenfehdbiinnmemhhbdlkebde\2.0\manifest.json	260rFhqdONnCd2q.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjgnkclhenfehdbiinnmemhhbdlkebde\2.0\manifest.json	260rFhqdONnCd2q.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjgnkclhenfehdbiinnmemhhbdlkebde\2.0\manifest.json	260rFhqdONnCd2q.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjgnkclhenfehdbiinnmemhhbdlkebde\2.0\manifest.json	260rFhqdONnCd2q.exe

Drops file in System32 directory 4 IoCs

Processes:

260rFhqdONnCd2q.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	260rFhqdONnCd2q.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	260rFhqdONnCd2q.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	260rFhqdONnCd2q.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	260rFhqdONnCd2q.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

260rFhqdONnCd2q.exe

pid	process
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe
2016	260rFhqdONnCd2q.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

260rFhqdONnCd2q.exe

description	pid	process
Token: SeDebugPrivilege	2016	260rFhqdONnCd2q.exe
Token: SeDebugPrivilege	2016	260rFhqdONnCd2q.exe
Token: SeDebugPrivilege	2016	260rFhqdONnCd2q.exe
Token: SeDebugPrivilege	2016	260rFhqdONnCd2q.exe
Token: SeDebugPrivilege	2016	260rFhqdONnCd2q.exe
Token: SeDebugPrivilege	2016	260rFhqdONnCd2q.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

47e4ea14c9064327f02957a7a2ba34895f3cac775d46843d2c020e3a1c54a1ff.exe

description	pid	process	target process
PID 4204 wrote to memory of 2016	4204	47e4ea14c9064327f02957a7a2ba34895f3cac775d46843d2c020e3a1c54a1ff.exe	260rFhqdONnCd2q.exe
PID 4204 wrote to memory of 2016	4204	47e4ea14c9064327f02957a7a2ba34895f3cac775d46843d2c020e3a1c54a1ff.exe	260rFhqdONnCd2q.exe
PID 4204 wrote to memory of 2016	4204	47e4ea14c9064327f02957a7a2ba34895f3cac775d46843d2c020e3a1c54a1ff.exe	260rFhqdONnCd2q.exe

C:\Users\Admin\AppData\Local\Temp\47e4ea14c9064327f02957a7a2ba34895f3cac775d46843d2c020e3a1c54a1ff.exe
"C:\Users\Admin\AppData\Local\Temp\47e4ea14c9064327f02957a7a2ba34895f3cac775d46843d2c020e3a1c54a1ff.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4204

C:\Users\Admin\AppData\Local\Temp\7zSD7E6.tmp\260rFhqdONnCd2q.exe
.\260rFhqdONnCd2q.exe
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSD7E6.tmp\260rFhqdONnCd2q.dat
Filesize
1KB

MD5
861adb74a8c774a92cd8394d35f94f3c

SHA1
e7f3aefdf78f8779c8891fef2b88148636c6d349

SHA256
653141c82894a9dd330d40d11d24b54bf8d187063b0038d068c6aa9fb4d4f6b3

SHA512
f4c08f9b10782a4bb87f124f5ae0a2ccbbfa8fe6daf8e3590ad604c8472ab647aa70fbf4faab56fa760a735fd9dfb8438d8ac3980f5bd5b56a62ef70344be4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD7E6.tmp\260rFhqdONnCd2q.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD7E6.tmp\260rFhqdONnCd2q.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD7E6.tmp\jjgnkclhenfehdbiinnmemhhbdlkebde\background.html
Filesize
145B

MD5
2fb019a2f67dde0e6bc8ee9677d9e17e

SHA1
15d449fbc9cdfea694d12599cdee8da7c2acca79

SHA256
301cb3b9b98221c5b252f0ad001c9e353f256fe4df8cdcf22ab09b11b365b936

SHA512
a0bb4caa7a8650b4e4a546aa46769c38f5a97bc4085e951081290168675c764adbaa0b6c7cc415cfc47399be9df1fce9fdca23c3f47f64fe75448a145d493d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD7E6.tmp\jjgnkclhenfehdbiinnmemhhbdlkebde\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD7E6.tmp\jjgnkclhenfehdbiinnmemhhbdlkebde\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD7E6.tmp\jjgnkclhenfehdbiinnmemhhbdlkebde\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD7E6.tmp\jjgnkclhenfehdbiinnmemhhbdlkebde\t7OtTNMH.js
Filesize
6KB

MD5
fb702c72e347845f71a09d38d3aa91b2

SHA1
3e22a4eee94b641c7764e45e7bd179b75b6aefca

SHA256
e616ef61b7835e7e55943b3f567f4cd337972d415392e81439e6e70f9e97df3b

SHA512
99da3f3c635a668755418cf4711fc6de20b9a62416b749a8fed7431ee8e042c3b102fab3d3b1099c7d368ed7cd65b51d2cd38987a343396502f20770802e1436

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD7E6.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD7E6.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
51c3ea5020d771d91ca4baca5ae5dae9

SHA1
6e2811c64fa5412002f6ae9c375c5a2f8803fdc9

SHA256
8632d8fff0b3b30e5e276e2bc37b7c75935d069e3a5d943881b1a8694c0661d8

SHA512
e533fa77dee99faea869dda13a68697b3092c0aea9b576039990127d6efb59ecc52070eacced5b8ddd7c8c937dd012551b09177e3c52b8170836ee5d71736dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD7E6.tmp\[email protected]\content\bg.js
Filesize
9KB

MD5
9953986dec451f5410ff0d5c59394a63

SHA1
845d4a2f6a2807ec6d53b0868a9fd4f8f64911a4

SHA256
5ef424c389de5f33101f5c81fe75f65adbb77ac6c83e24e4fad278dd45cbca7c

SHA512
50622e83acfa2cf4435cbd25f28676a612bd12c3e20ecc43ab9807a1815733f6fe3b3cabbc3658d392c5282cef0203d8c3420d068d9c4010ad9e93dfdb665aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD7E6.tmp\[email protected]\install.rdf
Filesize
591B

MD5
af119fe13f3243b4b6d906b9afe14a96

SHA1
bdfa7a1901cdb6432d64dc9952cc5c6cf0959673

SHA256
b2bcc803bc9729c5c92224ddbe8763e362a6201e959939548ce491e8a9d50143

SHA512
ad219572f8c43b79f3fbb1c2b23663c976f76189f80743c02c482fa66cd25d99dbb706222f78e8cc6a8c61f047d40e17d95a562f63142839e5c30241099aa051

Download Submit
memory/2016-132-0x0000000000000000-mapping.dmp

Download