fa3fc0a7f73329ce1d9f9a6bc388640ccea41969516b56b9836e29188309c4b5

Analysis

max time kernel
172s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 07:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fa3fc0a7f73329ce1d9f9a6bc388640ccea41969516b56b9836e29188309c4b5.exe
Size

948KB
MD5

1d0416ba11316e4bbb721d974a06c474
SHA1

41a847de7811f9118f8363deafa3dc6fdb7adc71
SHA256

fa3fc0a7f73329ce1d9f9a6bc388640ccea41969516b56b9836e29188309c4b5
SHA512

203ca2ce9ac118bf7041a2320041d96503da6bf80095b066e7d6804435f9097728464c64f40e8a04c9fd10ff494c152e9bbff14a700c67bfa06c2336ab5bcf0a
SSDEEP

12288:h1OgLdaOYs2Unj9a6rFQbLOYX1jtsI+KqUTGkuqMRT82ZnqNjilbd162v1aIahq:h1OYdaOYwJa6r61j04Gk1CjOy7T1aIaY

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5104	PvAtS7zTaYwzVHt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgolhdlooecbplmkgaamakaadeihmmlo\1.3\manifest.json	PvAtS7zTaYwzVHt.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgolhdlooecbplmkgaamakaadeihmmlo\1.3\manifest.json	PvAtS7zTaYwzVHt.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgolhdlooecbplmkgaamakaadeihmmlo\1.3\manifest.json	PvAtS7zTaYwzVHt.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgolhdlooecbplmkgaamakaadeihmmlo\1.3\manifest.json	PvAtS7zTaYwzVHt.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgolhdlooecbplmkgaamakaadeihmmlo\1.3\manifest.json	PvAtS7zTaYwzVHt.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	PvAtS7zTaYwzVHt.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	PvAtS7zTaYwzVHt.exe
File opened for modification	C:\Windows\System32\GroupPolicy	PvAtS7zTaYwzVHt.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	PvAtS7zTaYwzVHt.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5104	PvAtS7zTaYwzVHt.exe
5104	PvAtS7zTaYwzVHt.exe
5104	PvAtS7zTaYwzVHt.exe
5104	PvAtS7zTaYwzVHt.exe
5104	PvAtS7zTaYwzVHt.exe
5104	PvAtS7zTaYwzVHt.exe
5104	PvAtS7zTaYwzVHt.exe
5104	PvAtS7zTaYwzVHt.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 5104	4724	fa3fc0a7f73329ce1d9f9a6bc388640ccea41969516b56b9836e29188309c4b5.exe	82
PID 4724 wrote to memory of 5104	4724	fa3fc0a7f73329ce1d9f9a6bc388640ccea41969516b56b9836e29188309c4b5.exe	82
PID 4724 wrote to memory of 5104	4724	fa3fc0a7f73329ce1d9f9a6bc388640ccea41969516b56b9836e29188309c4b5.exe	82

C:\Users\Admin\AppData\Local\Temp\fa3fc0a7f73329ce1d9f9a6bc388640ccea41969516b56b9836e29188309c4b5.exe
"C:\Users\Admin\AppData\Local\Temp\fa3fc0a7f73329ce1d9f9a6bc388640ccea41969516b56b9836e29188309c4b5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\7zSF206.tmp\PvAtS7zTaYwzVHt.exe
  .\PvAtS7zTaYwzVHt.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:64

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSF206.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF206.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
76160555942edf2ed02c19f30e6beaa4

SHA1
ca575ecea71f8b598b6c9954a4d2cb6a1be1fb0e

SHA256
17d35987c1eb8ab20598fdf5dbf6175d9d26027bccdcb40c1a946144ee0a62f7

SHA512
ea9495c06b10daab78bd857439ad50d39be35b84c392d1c903eec59ef1def30e9e88b6691a7a9c3d9627023c20c81a7fb64598fd88749d14363e0f55dca8d4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF206.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
654fc0211449f49f44858e585dec82d6

SHA1
fe26bc73c2cd59031a7dfa8582f8c600cc81991f

SHA256
3325ed70df0106d158f79b162cb3b04117f0cf6fde27df277119368a4c742140

SHA512
c1b45de42f969a7383ccc7559d7d0ee464db0407da6d927cf8e098c63ccce2db48c233a056a87f81c71a86ed7b3c5ddd3c560951925b6f9ea12815edabc277ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF206.tmp\[email protected]\install.rdf

Filesize
592B

MD5
761a4d9f8bfbd24252ff6bcf14853c99

SHA1
4466626fa313fd390adcc0101d65300f29769c79

SHA256
9d8f406c278301639f799ef7de70433f4939efa6291655c1fcc401815dad5b71

SHA512
aabe71661b753fc2a323214b7afb07311439da0a0e4de5fc7728caaa6b9a80dd08410b63427edef8651a77a2b06eb8f9a7424eb0509aab004959d2f204444a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF206.tmp\PvAtS7zTaYwzVHt.dat

Filesize
1KB

MD5
1e3e5fbb06b0f19cc82d0e59d61973bf

SHA1
72b3d38e1614ee05d9bdbc8a7e7e4024c1356224

SHA256
76286a7bc946fdacf8b6a033c1ff26f3958be10e3b8cab51927f3e099925e455

SHA512
fc0f63a08c92ee19353efe19b9cb2e46797ec553ea9a133d45c3264d4023b6a9227a4a5107dacab54e66f37ed33a3100a8e729e9ec8988772f79743fd31656a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF206.tmp\PvAtS7zTaYwzVHt.exe

Filesize
790KB

MD5
4848f336cba8531989a71c9cf95e7cfd

SHA1
ee261cea146367cbbbb13f7ef5106f346375f8ff

SHA256
b76f451b4542794bb551bfa04b821d68fed0242ac83c1396ac4ef4168b0a2f6d

SHA512
a27bcfd157e3a8d8d609c5da100d29cc6c8bd611bc3bf8470c2999baa57d70cd22fbacd57fae66b2630f6e2cd34011a5e47685b532f628f5c6ca1371981af58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF206.tmp\PvAtS7zTaYwzVHt.exe

Filesize
790KB

MD5
4848f336cba8531989a71c9cf95e7cfd

SHA1
ee261cea146367cbbbb13f7ef5106f346375f8ff

SHA256
b76f451b4542794bb551bfa04b821d68fed0242ac83c1396ac4ef4168b0a2f6d

SHA512
a27bcfd157e3a8d8d609c5da100d29cc6c8bd611bc3bf8470c2999baa57d70cd22fbacd57fae66b2630f6e2cd34011a5e47685b532f628f5c6ca1371981af58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF206.tmp\kgolhdlooecbplmkgaamakaadeihmmlo\GNm.js

Filesize
6KB

MD5
431dd4a5c59da3955be223c34c4f292c

SHA1
75075f15935a53a171edc47ed3e1b11edb6e6ecf

SHA256
ec155462072dd237ac22d10fae265c513164037a2e5df79408921a80865f92b5

SHA512
f799bf0d5b1c18824a42c13a1d3378ef83aafdf7cff651c4dcce412a671dd45af77ec5ba659c0b6be16f14fb90212535dba46cc238342d83f9b382c8a9ebe80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF206.tmp\kgolhdlooecbplmkgaamakaadeihmmlo\background.html

Filesize
140B

MD5
28da76092f92d81d430679c00f3114ad

SHA1
7165dc94ef5322f9590df702401ce1de95d537b0

SHA256
a96c711615bd5e7a3b5cf3af31af8ec1e6f340f2e45e75688bc486a00072bac3

SHA512
102838cdc4f2d75d778ce69f2ca67fcb43afab86edfa2b1b9efb7911963b24946cbfca5be298873886a22a37f528724424eb9635fea05c780cae7afd3166f6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF206.tmp\kgolhdlooecbplmkgaamakaadeihmmlo\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF206.tmp\kgolhdlooecbplmkgaamakaadeihmmlo\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF206.tmp\kgolhdlooecbplmkgaamakaadeihmmlo\manifest.json

Filesize
498B

MD5
664e2884e17f23553a19eee317642194

SHA1
a28ccc088d6b6692646150f3e8f111e568723fb4

SHA256
ee4ef853224cde2aa7e54351c02bc811af939202b82e19cbd1cc011fc3565191

SHA512
b2cef8c4dfb6a0648f21c53393b982c9171d8a0344a94970c13866ebd2870de2cd99dab5984000b10802c54a748230104c7997c3d2cd3ac5e97c9355a4cb7ecb

Download Submit