Analysis
max time kernel
24s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted
21-11-2022 23:36
Static task
static1
Behavioral task
behavioral1
Sample
cd4bb507a980ccd97b6e44dcf9037c20d8fff9bf2137e78bc5ebe9f9d391a632.exe
Resource
win7-20221111-en
General
Target
cd4bb507a980ccd97b6e44dcf9037c20d8fff9bf2137e78bc5ebe9f9d391a632.exe
Size
2.0MB
MD5
d81dfb9f339bbe8a32041d9f8f775bad
SHA1
74a1fcd9cd67b72ce65b5c5a596c1a71c42677f5
SHA256
cd4bb507a980ccd97b6e44dcf9037c20d8fff9bf2137e78bc5ebe9f9d391a632
SHA512
716c16c8bd9f22fe257bcb9a83ccd23cfd1df8c92643f1cb23e9d73eca526a37ad2764ffe94978b1311253b0763b7af5d8b62c5b13a3e93d545d8a4a3f5b5059
SSDEEP
49152:h1Os+Cn3b0sdq9tVkWMq0vdovSHhXXruY:h1OOnL0sitVkWX0vVld
Malware Config

Signatures

Executes dropped EXE (1 IoCs)
pid   Process
1064  Yt5sBMJ2usOtXYk.exe

Loads dropped DLL (4 IoCs)
pid   Process
1476  cd4bb507a980ccd97b6e44dcf9037c20d8fff9bf2137e78bc5ebe9f9d391a632.exe
1064  Yt5sBMJ2usOtXYk.exe
1100  regsvr32.exe
996   regsvr32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops Chrome extension (3 IoCs)
description   ioc   Process
File created  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\clbmjnddngihpelhjllmghomlgleaoon\200\manifest.json  Yt5sBMJ2usOtXYk.exe
File created  C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\clbmjnddngihpelhjllmghomlgleaoon\200\manifest.json  Yt5sBMJ2usOtXYk.exe
File created  C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\clbmjnddngihpelhjllmghomlgleaoon\200\manifest.json  Yt5sBMJ2usOtXYk.exe

Installs/modifies Browser Helper Object (2 TTPs, 11 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description  ioc  Process
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}  regsvr32.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects  regsvr32.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}  Yt5sBMJ2usOtXYk.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}  regsvr32.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects  Yt5sBMJ2usOtXYk.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\  Yt5sBMJ2usOtXYk.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}  regsvr32.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}  regsvr32.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\  regsvr32.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}  Yt5sBMJ2usOtXYk.exe
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}  Yt5sBMJ2usOtXYk.exe

Drops file in Program Files directory (8 IoCs)
description                   ioc  Process
File opened for modification  C:\Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.dll  Yt5sBMJ2usOtXYk.exe
File created                  C:\Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.tlb  Yt5sBMJ2usOtXYk.exe
File opened for modification  C:\Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.tlb  Yt5sBMJ2usOtXYk.exe
File created                  C:\Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.dat  Yt5sBMJ2usOtXYk.exe
File opened for modification  C:\Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.dat  Yt5sBMJ2usOtXYk.exe
File created                  C:\Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.x64.dll  Yt5sBMJ2usOtXYk.exe
File opened for modification  C:\Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.x64.dll  Yt5sBMJ2usOtXYk.exe
File created                  C:\Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.dll  Yt5sBMJ2usOtXYk.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description                    pid   Process  procid_target
PID 1476 wrote to memory of 1064  1476  cd4bb507a980ccd97b6e44dcf9037c20d8fff9bf2137e78bc5ebe9f9d391a632.exe  27
PID 1476 wrote to memory of 1064  1476  cd4bb507a980ccd97b6e44dcf9037c20d8fff9bf2137e78bc5ebe9f9d391a632.exe  27
PID 1476 wrote to memory of 1064  1476  cd4bb507a980ccd97b6e44dcf9037c20d8fff9bf2137e78bc5ebe9f9d391a632.exe  27
PID 1476 wrote to memory of 1064  1476  cd4bb507a980ccd97b6e44dcf9037c20d8fff9bf2137e78bc5ebe9f9d391a632.exe  27
PID 1064 wrote to memory of 1100  1064  Yt5sBMJ2usOtXYk.exe  28
PID 1064 wrote to memory of 1100  1064  Yt5sBMJ2usOtXYk.exe  28
PID 1064 wrote to memory of 1100  1064  Yt5sBMJ2usOtXYk.exe  28
PID 1064 wrote to memory of 1100  1064  Yt5sBMJ2usOtXYk.exe  28
PID 1064 wrote to memory of 1100  1064  Yt5sBMJ2usOtXYk.exe  28
PID 1064 wrote to memory of 1100  1064  Yt5sBMJ2usOtXYk.exe  28
PID 1064 wrote to memory of 1100  1064  Yt5sBMJ2usOtXYk.exe  28
PID 1100 wrote to memory of 996  1100  regsvr32.exe  29
PID 1100 wrote to memory of 996  1100  regsvr32.exe  29
PID 1100 wrote to memory of 996  1100  regsvr32.exe  29
PID 1100 wrote to memory of 996  1100  regsvr32.exe  29
PID 1100 wrote to memory of 996  1100  regsvr32.exe  29
PID 1100 wrote to memory of 996  1100  regsvr32.exe  29
PID 1100 wrote to memory of 996  1100  regsvr32.exe  29
Processes

C:\Users\Admin\AppData\Local\Temp\cd4bb507a980ccd97b6e44dcf9037c20d8fff9bf2137e78bc5ebe9f9d391a632.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cd4bb507a980ccd97b6e44dcf9037c20d8fff9bf2137e78bc5ebe9f9d391a632.exe"
PID:1476
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\Yt5sBMJ2usOtXYk.exe (child of PID 1476)
  Command line: .\Yt5sBMJ2usOtXYk.exe
  PID:1064
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\regsvr32.exe (child of PID 1064)
    Command line: regsvr32.exe /s "C:\Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.x64.dll"
    PID:1100
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

      C:\Windows\system32\regsvr32.exe (child of PID 1100)
      Command line: /s "C:\Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.x64.dll"
      PID:996
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize  6KB
MD5       51e53891d04092eee6b090da8472e7cb
SHA1      67d8458c8d337a7d9e51adb1005347b2e389c9a1
SHA256    559ae005dbc54e69ab4bb451f501a6964a06d68c4238f2ffdfebf91bc34c0568
SHA512    c4b7848705976e72cefb6a198382df0291ac991cd1ad0f036378ff0c7a6f443cec259b43190c2a4ad3cc7db397a274409f7dc70f9bf7129ad728e03250e36e7c

Filesize  693KB
MD5       2be2d271d3ab4d63bb6642af32722936
SHA1      c3eb0dd1d280018ab15a44c65c6b1b23dcef1552
SHA256    ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9
SHA512    08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\[email protected]\bootstrap.js
Filesize  2KB
MD5       df13f711e20e9c80171846d4f2f7ae06
SHA1      56d29cda58427efe0e21d3880d39eb1b0ef60bee
SHA256    6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
SHA512    6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\[email protected]\chrome.manifest
Filesize  35B
MD5       0afb4b21abbce5f55b9f0bf9ac2e1564
SHA1      7ad41f5149fd6a0ef1bc3eff6d25cd27f2b11216
SHA256    2902c2a782ea2db84dc26bca796806ba2eaab9266175d10885baf00787a5828d
SHA512    1aa931c4a1fe1a6139d67b7b3304dd7ffc9714587fee92c0035e88522772360800505e938770ff786085fd9ccd6c76e3f131c57a139efa301f29c04c4d849f23

C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\[email protected]\content\bg.js
Filesize  7KB
MD5       9714621b1754f51880f8edafd791d243
SHA1      cfcd859af5d05939ddb303dabb98159f4c681bc2
SHA256    5d0b68cb3769964f1703ad612bdb8b49af609ba84bb33be59716897a4994ead2
SHA512    f66d2669c70a060bb2cbc68c159be865afa8ac053de25f9f9c807344e59cd6ba386e02f63a98ea3a66780cb36b2cd49b3edfa18cf36cca930a393d6773a36b7c

C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\[email protected]\install.rdf
Filesize  599B
MD5       8d949123eb79207ca2daeeba9b82159d
SHA1      4fb3dbece29fe21168ba4dc0cc7a23e062647734
SHA256    8313005f786496d3418ccbef87fc874d1ac7355ed604e74b9722e1b9118a2c24
SHA512    ea3eff912bd53b9ea29c40cbaf3ec4627817cf98548e2e98890f28ee6bdd58718abe4c146bbeeb46a27d967cfe8f0f50782e5a1a01fbc3d4f5d2c7e3eb785a38

Filesize  6KB
MD5       51e53891d04092eee6b090da8472e7cb
SHA1      67d8458c8d337a7d9e51adb1005347b2e389c9a1
SHA256    559ae005dbc54e69ab4bb451f501a6964a06d68c4238f2ffdfebf91bc34c0568
SHA512    c4b7848705976e72cefb6a198382df0291ac991cd1ad0f036378ff0c7a6f443cec259b43190c2a4ad3cc7db397a274409f7dc70f9bf7129ad728e03250e36e7c

Filesize  622KB
MD5       e6bafde32b2c77cdffaf64e854b36411
SHA1      7483c84b4014ddc44738a94af326b0c36fc7ee20
SHA256    5390cc4000f0d1d6fa105e4e18b6571913360f521cd013dd8e91cc8d93b2f0d0
SHA512    260a8d4dba37846a73d7fba791d93f9abc4f441b2c828d691dc20db1d246e8aaeb99209b1a83294d44d6802aef3a1263c4fcf98fb0c92b0c70282b711930d87b

Filesize  622KB
MD5       e6bafde32b2c77cdffaf64e854b36411
SHA1      7483c84b4014ddc44738a94af326b0c36fc7ee20
SHA256    5390cc4000f0d1d6fa105e4e18b6571913360f521cd013dd8e91cc8d93b2f0d0
SHA512    260a8d4dba37846a73d7fba791d93f9abc4f441b2c828d691dc20db1d246e8aaeb99209b1a83294d44d6802aef3a1263c4fcf98fb0c92b0c70282b711930d87b

Filesize  5KB
MD5       6db8b4534cf29792a4c0c8b14255b1c4
SHA1      c3c4e0f7a034b5bda84b487aee71c86a6fe17084
SHA256    b2f147baab0eb9efef1f6a5ddfab8719bbdd246bfe59339f0fad2921ce5daf26
SHA512    39ac4b5c2764dcd308216baa83d404f167940f12dd318618217e3fae40116563c9e732f81bcd88b354978c7bd99cf41318df1a1d12ec726fa38375b7fb4882cf

Filesize  146B
MD5       776c86570dba41c3e8258d7059f2fa78
SHA1      0ab14169596ac0e3749251c7c8d4b7b9ca4870a1
SHA256    62d2e563241ddc1755110bc0fff2aee7389ec8f45c358d5964bfccc0988b5c93
SHA512    a703e5ab996c76fe9babd063a75ff6f29530c953dfa720f7b01414571de522fde65d1a280f24ff6b85103ee9281f4b34964af8349cc2dc234dbad2c42a9fd7a6

Filesize  144B
MD5       fca19198fd8af21016a8b1dec7980002
SHA1      fd01a47d14004e17a625efe66cc46a06c786cf40
SHA256    332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
SHA512    60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Filesize  531B
MD5       36d98318ab2b3b2585a30984db328afb
SHA1      f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
SHA256    ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
SHA512    6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Filesize  505B
MD5       09fb6f6642d7098b0d84c1bf7e553774
SHA1      019d80f19eeee5b8c1e5d57da1d2c2fad3569d10
SHA256    73fec424fe3fd2a9b0781ef400c6ceba31c3bb6117f7209b10ac1c95df0de3a3
SHA512    7bc452b16d12caf4a23b0a8e94a5e2a3845bf39ebe496f079712f827c438cb0ab0d7c97543116a46945cb66cc0e91b277ba19cc1d59a1a47ee01e799fc768b97

Filesize  613KB
MD5       c547ac330285a0ea3ab373fbf632e095
SHA1      1c7a20d9bf6104c3c3343f0c4061107441348787
SHA256    8ad6a8d9db588353ff1cb777ac8b7f62b6a8976d2ed396e8816051ffc69c8db0
SHA512    b695eddc8d688d61b55a87d6153084836bb8c699a0e9b2834c77fed923e1ffa6da8871df569310668eff2161eb219eec8193bfcf812d9932f1ae064953d1b9a2

Filesize  3KB
MD5       b09701113a6fa6b7ce61cef1f5b3dc70
SHA1      752190cbbd25d899b48f6fc2caa9cedd3baff7df
SHA256    a8a8b11da1822ce3d93baa6d3711969425dd4ccbe05bf348899320659b07e9d1
SHA512    9436a606e8ced02094374e5d603bc4bfb63a079259fa10c1fd82b9a30c40fa64c54b4bc3f7d5c0634dc4584c18e3accadd5df536e37367a7b3ea9f6597eb547a

Filesize  693KB
MD5       2be2d271d3ab4d63bb6642af32722936
SHA1      c3eb0dd1d280018ab15a44c65c6b1b23dcef1552
SHA256    ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9
SHA512    08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

Filesize  613KB
MD5       c547ac330285a0ea3ab373fbf632e095
SHA1      1c7a20d9bf6104c3c3343f0c4061107441348787
SHA256    8ad6a8d9db588353ff1cb777ac8b7f62b6a8976d2ed396e8816051ffc69c8db0
SHA512    b695eddc8d688d61b55a87d6153084836bb8c699a0e9b2834c77fed923e1ffa6da8871df569310668eff2161eb219eec8193bfcf812d9932f1ae064953d1b9a2

Filesize  693KB
MD5       2be2d271d3ab4d63bb6642af32722936
SHA1      c3eb0dd1d280018ab15a44c65c6b1b23dcef1552
SHA256    ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9
SHA512    08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

Filesize  693KB
MD5       2be2d271d3ab4d63bb6642af32722936
SHA1      c3eb0dd1d280018ab15a44c65c6b1b23dcef1552
SHA256    ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9
SHA512    08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

Filesize  622KB
MD5       e6bafde32b2c77cdffaf64e854b36411
SHA1      7483c84b4014ddc44738a94af326b0c36fc7ee20
SHA256    5390cc4000f0d1d6fa105e4e18b6571913360f521cd013dd8e91cc8d93b2f0d0
SHA512    260a8d4dba37846a73d7fba791d93f9abc4f441b2c828d691dc20db1d246e8aaeb99209b1a83294d44d6802aef3a1263c4fcf98fb0c92b0c70282b711930d87b