c4a162e6c5c1fa4d3a2b8d6728f627149221189f828b81ae13060e9d6ba055ad

Analysis

max time kernel
156s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4a162e6c5c1fa4d3a2b8d6728f627149221189f828b81ae13060e9d6ba055ad.exe
Size

931KB
MD5

fd38629ef19a88a7877e11eac521b7b9
SHA1

db20ec794d2649e6010785753050f39004de585a
SHA256

c4a162e6c5c1fa4d3a2b8d6728f627149221189f828b81ae13060e9d6ba055ad
SHA512

7f8a2e8ed2db1cbf89f84e7a0e7ac040e50719f3488f027551ef2b7e94e707524f4103e61917c398bdac86c67ee41dda13ee14b6e6ea13caac3c7acfe22e3072
SSDEEP

24576:h1OYdaOexWhxWcMWSUbvCXEQKSqGv8VWumF6RmcJozyPvpfA:h1Os7MWyUQ+GUVFIcHPvpfA

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2408	38in0p3cHOpJRaV.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgkpddmmmlkpjficfeaafmfjllajnmoj\2.0\manifest.json	38in0p3cHOpJRaV.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgkpddmmmlkpjficfeaafmfjllajnmoj\2.0\manifest.json	38in0p3cHOpJRaV.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgkpddmmmlkpjficfeaafmfjllajnmoj\2.0\manifest.json	38in0p3cHOpJRaV.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgkpddmmmlkpjficfeaafmfjllajnmoj\2.0\manifest.json	38in0p3cHOpJRaV.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgkpddmmmlkpjficfeaafmfjllajnmoj\2.0\manifest.json	38in0p3cHOpJRaV.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	38in0p3cHOpJRaV.exe
File opened for modification	C:\Windows\System32\GroupPolicy	38in0p3cHOpJRaV.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	38in0p3cHOpJRaV.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	38in0p3cHOpJRaV.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe
2408	38in0p3cHOpJRaV.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	38in0p3cHOpJRaV.exe
Token: SeDebugPrivilege	2408	38in0p3cHOpJRaV.exe
Token: SeDebugPrivilege	2408	38in0p3cHOpJRaV.exe
Token: SeDebugPrivilege	2408	38in0p3cHOpJRaV.exe
Token: SeDebugPrivilege	2408	38in0p3cHOpJRaV.exe
Token: SeDebugPrivilege	2408	38in0p3cHOpJRaV.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 2408	4888	c4a162e6c5c1fa4d3a2b8d6728f627149221189f828b81ae13060e9d6ba055ad.exe	83
PID 4888 wrote to memory of 2408	4888	c4a162e6c5c1fa4d3a2b8d6728f627149221189f828b81ae13060e9d6ba055ad.exe	83
PID 4888 wrote to memory of 2408	4888	c4a162e6c5c1fa4d3a2b8d6728f627149221189f828b81ae13060e9d6ba055ad.exe	83

C:\Users\Admin\AppData\Local\Temp\c4a162e6c5c1fa4d3a2b8d6728f627149221189f828b81ae13060e9d6ba055ad.exe
"C:\Users\Admin\AppData\Local\Temp\c4a162e6c5c1fa4d3a2b8d6728f627149221189f828b81ae13060e9d6ba055ad.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\Temp\7zSA935.tmp\38in0p3cHOpJRaV.exe
  .\38in0p3cHOpJRaV.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSA935.tmp\38in0p3cHOpJRaV.dat

Filesize
1KB

MD5
a577e7f6278382226504a7377df48d22

SHA1
de8530c9d3d112e512bd6d601553b6be9aae2975

SHA256
ece0cf037128bd9aad45d1cae74a43a9ca98cd896c3ed255e9bea295742161a6

SHA512
e01f482b5c94b3469fe3993f4f43952cbd601601e8ee2bc82ced6015c49ec9837e5e169fd35979bfdb8fa995c3c9832d4242a5a7daac562361266eac39b0692f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA935.tmp\38in0p3cHOpJRaV.exe

Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA935.tmp\38in0p3cHOpJRaV.exe

Filesize
771KB

MD5
e8ef8ed232808bfa240b33b376bb74a8

SHA1
b7ebfbda42fb24594210d3f97921c5b33b88585d

SHA256
a4265c00fc8eb9371329ddbc19e760b433ea9f4ab4e16d4d95682031940ad6c9

SHA512
24a4de7ba07c5712a94cb8334764b6d23799dc4bb7153acf4eb7289ec4577b79bc9bf4adf6e0c65b13441d7783314ec4d9a13a61cf447124c43c44ff55fa8ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA935.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA935.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
c913d024d1310f288e49a910c58cb391

SHA1
0078e683f98f1f1d2f2c8a175c69f255df34f3b1

SHA256
7cea0c8763f0fd4a3f88ef3c43d5328a1193134451cbd102f2d38d344c86202a

SHA512
1e4c61ae113f7a4b990914e00dc09c49af7489d1721c8e679e5d6ca07d31a6174c60d07f8400b6c938079a20bf673123dd0bd09081529bb3271f2daf89bd1630

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA935.tmp\[email protected]\content\bg.js

Filesize
9KB

MD5
3866c5485e3e8a4586f6cf98baf43f3c

SHA1
6ebed7f0ccb2cbc8a0c728af5cd21d6e381701c6

SHA256
e4095d94b9ea1d59f47da54748679f2fd27a06e782d840daab94762ac3693a2e

SHA512
8ff2b2d424f6db9d7b2cb63cdabda108d532d9a5d474d7f43e365286aa46322261a888e7b5facc63577243fb47f4063fc6bc705eee89c473ca80cc7e33c80b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA935.tmp\[email protected]\install.rdf

Filesize
591B

MD5
10ad08c3bdadf32901a12052cee204db

SHA1
c5bfd6105f831cd8790463241ad4932250429d2e

SHA256
1504af88d2848236a12ac9d82a5623811b0da90781ba93166101693ccb566b3b

SHA512
af1e459a11e642844fb69639656d5b2dac02018c2557026ef83b65f446b1176e738478bcfd9cd58857231920219e59153a466335a7fce2ef9388107d0ccf8a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA935.tmp\jgkpddmmmlkpjficfeaafmfjllajnmoj\b9Zoj8.js

Filesize
6KB

MD5
dbbe89c4a86879364114e608c17f8c73

SHA1
d5b0e399d59b0b190c5a10db2c80c315fa9564e6

SHA256
962b011d5dcffea7923107254f5d196eff67bf9b155979efbb3abfe9a0d94860

SHA512
6141c9533da8575ec6e65f1b582c01d5128ac7750adb3e57b97203b03bd7e2f5859cab629f2e320a96ebdf1adbc4978bbcbea8cba1202b0938163a68189fecf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA935.tmp\jgkpddmmmlkpjficfeaafmfjllajnmoj\background.html

Filesize
143B

MD5
01dc522fa8b1cc6d3bc6d01aa441fdcc

SHA1
a8edce9511484c87e4a13c869d6b0eb94e7de464

SHA256
a4ee9ff17e535676b8f0a61dc8d5cfd3a15dffb99c84e7a5e504189cd0eca37b

SHA512
dc562b668701e10b76a9225481f6eeccbe990083f339a7bf95da75f2404d55bdeb1a97a15e7055a591483b1326210af25bd9789b05a9157050fce7c664a3a303

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA935.tmp\jgkpddmmmlkpjficfeaafmfjllajnmoj\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA935.tmp\jgkpddmmmlkpjficfeaafmfjllajnmoj\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA935.tmp\jgkpddmmmlkpjficfeaafmfjllajnmoj\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/2408-132-0x0000000000000000-mapping.dmp

Download