Analysis

  • max time kernel
    24s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-11-2022 23:36

General

  • Target

    cd4bb507a980ccd97b6e44dcf9037c20d8fff9bf2137e78bc5ebe9f9d391a632.exe

  • Size

    2.0MB

  • MD5

    d81dfb9f339bbe8a32041d9f8f775bad

  • SHA1

    74a1fcd9cd67b72ce65b5c5a596c1a71c42677f5

  • SHA256

    cd4bb507a980ccd97b6e44dcf9037c20d8fff9bf2137e78bc5ebe9f9d391a632

  • SHA512

    716c16c8bd9f22fe257bcb9a83ccd23cfd1df8c92643f1cb23e9d73eca526a37ad2764ffe94978b1311253b0763b7af5d8b62c5b13a3e93d545d8a4a3f5b5059

  • SSDEEP

    49152:h1Os+Cn3b0sdq9tVkWMq0vdovSHhXXruY:h1OOnL0sitVkWX0vVld

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

  • Checks installed software on the system 1 TTPs

    Looks up entries under the registry Uninstall key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, plus the Wow6432Node copy on x64) to enumerate software installed on the system.

  • Drops Chrome extension 3 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

    BHOs are DLL modules that Internet Explorer loads in-process as COM plugins. They are registered by CLSID under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (and the Wow6432Node equivalent for 32-bit modules on x64), so that key is where to look for the entry this sample adds.

  • Drops file in Program Files directory 8 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd4bb507a980ccd97b6e44dcf9037c20d8fff9bf2137e78bc5ebe9f9d391a632.exe
    "C:\Users\Admin\AppData\Local\Temp\cd4bb507a980ccd97b6e44dcf9037c20d8fff9bf2137e78bc5ebe9f9d391a632.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\Yt5sBMJ2usOtXYk.exe
      .\Yt5sBMJ2usOtXYk.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops Chrome extension
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s "C:\Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.x64.dll"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Windows\system32\regsvr32.exe
          /s "C:\Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.x64.dll"
          4⤵
          • Loads dropped DLL
          • Installs/modifies Browser Helper Object
          PID:996
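
The two regsvr32 processes in the tree are the normal WOW64 hand-off: the 32-bit regsvr32 from SysWOW64, started by the 32-bit installer, is handed a 64-bit DLL and re-launches the native System32 regsvr32 with the same arguments, which is why the BHO registration is attributed to PID 996 rather than 1100. The detection logic below is an added example written for this page, not one of the sandbox's own signatures. It runs over constructed process-creation events that mirror the tree above (Sysmon Event ID 1 style field names are an assumption; the dropper's own parent is not in the report and is left empty) and flags a silent regsvr32 registration of a DLL outside the system directories whose parent runs from a 7-Zip SFX extraction directory, together with the WOW64 hand-off to the same DLL.

```python
"""Flag the silent regsvr32 COM registration chain from the process tree.

Added example for this page, not the sandbox's own signature logic. The
events below are constructed from the process tree above; field names follow
Sysmon Event ID 1 (an assumption, not the report's schema).
"""
import ntpath
import re
from dataclasses import dataclass

# 7-Zip SFX installers unpack into %TEMP%\7zS<hex>.tmp\ before running the payload
SFX_TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\7zS[0-9A-Fa-f]+\.tmp\\", re.IGNORECASE)
# first .dll argument on the command line, quoted or bare
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


def is_regsvr32(image: str) -> bool:
    return ntpath.basename(image).lower() == "regsvr32.exe"


def registered_dll(command_line: str):
    """Return the DLL path passed to regsvr32, or None if there is none."""
    m = DLL_ARG.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def analyze(events):
    """Return {pid: {"dll": path, "reasons": [...]}} for suspicious regsvr32 launches."""
    by_pid = {ev.pid: ev for ev in events}
    findings = {}
    for ev in events:
        if not is_regsvr32(ev.image):
            continue
        dll = registered_dll(ev.command_line)
        if dll is None:
            continue
        reasons = []
        if "/s" in ev.command_line.lower().split():
            reasons.append("silent-register")           # no UI; installers and droppers alike use it
        if not dll.lower().startswith(SYSTEM_DIRS):
            reasons.append("dll-outside-system-dirs")   # weak on its own: legitimate installers do this too
        if SFX_TEMP_DIR.search(ev.parent_image):
            reasons.append("sfx-temp-parent")           # registration driven by an SFX payload in %TEMP%
        parent = by_pid.get(ev.parent_pid)
        if (parent is not None and is_regsvr32(parent.image)
                and "\\syswow64\\" in parent.image.lower()
                and "\\system32\\" in ev.image.lower()):
            # 32-bit regsvr32 given a 64-bit DLL re-launches the native one with the same target
            same = (registered_dll(parent.command_line) or "").lower() == dll.lower()
            reasons.append("wow64-handoff" + ("-same-dll" if same else ""))
        if reasons:
            findings[ev.pid] = {"dll": dll, "reasons": reasons}
    return findings


# Constructed events mirroring the sandbox process tree (PIDs and paths from the report)
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\cd4bb507a980ccd97b6e44dcf9037c20d8fff9bf2137e78bc5ebe9f9d391a632.exe"
STAGE2 = TEMP + r"\7zS35A2.tmp\Yt5sBMJ2usOtXYk.exe"
DLL = r"C:\Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.x64.dll"
SAMPLE_EVENTS = [
    ProcEvent(1476, DROPPER, f'"{DROPPER}"', 0, ""),            # parent not in the report
    ProcEvent(1064, STAGE2, r".\Yt5sBMJ2usOtXYk.exe", 1476, DROPPER),
    ProcEvent(1100, r"C:\Windows\SysWOW64\regsvr32.exe", f'regsvr32.exe /s "{DLL}"', 1064, STAGE2),
    ProcEvent(996, r"C:\Windows\system32\regsvr32.exe", f'/s "{DLL}"', 1100,
              r"C:\Windows\SysWOW64\regsvr32.exe"),
]

if __name__ == "__main__":
    for pid, hit in analyze(SAMPLE_EVENTS).items():
        print(pid, hit["dll"], ", ".join(hit["reasons"]))
```

The parent-in-SFX-directory condition is what separates this from a normal software install; the hand-off alone is benign behaviour of regsvr32 and is reported only so the two events can be tied to one registration.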

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.dat

    Filesize

    6KB

    MD5

    51e53891d04092eee6b090da8472e7cb

    SHA1

    67d8458c8d337a7d9e51adb1005347b2e389c9a1

    SHA256

    559ae005dbc54e69ab4bb451f501a6964a06d68c4238f2ffdfebf91bc34c0568

    SHA512

    c4b7848705976e72cefb6a198382df0291ac991cd1ad0f036378ff0c7a6f443cec259b43190c2a4ad3cc7db397a274409f7dc70f9bf7129ad728e03250e36e7c

  • C:\Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.x64.dll

    Filesize

    693KB

    MD5

    2be2d271d3ab4d63bb6642af32722936

    SHA1

    c3eb0dd1d280018ab15a44c65c6b1b23dcef1552

    SHA256

    ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9

    SHA512

    08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

  • C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\[email protected]\bootstrap.js

    Filesize

    2KB

    MD5

    df13f711e20e9c80171846d4f2f7ae06

    SHA1

    56d29cda58427efe0e21d3880d39eb1b0ef60bee

    SHA256

    6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

    SHA512

    6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

  • C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\[email protected]\chrome.manifest

    Filesize

    35B

    MD5

    0afb4b21abbce5f55b9f0bf9ac2e1564

    SHA1

    7ad41f5149fd6a0ef1bc3eff6d25cd27f2b11216

    SHA256

    2902c2a782ea2db84dc26bca796806ba2eaab9266175d10885baf00787a5828d

    SHA512

    1aa931c4a1fe1a6139d67b7b3304dd7ffc9714587fee92c0035e88522772360800505e938770ff786085fd9ccd6c76e3f131c57a139efa301f29c04c4d849f23

  • C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\[email protected]\content\bg.js

    Filesize

    7KB

    MD5

    9714621b1754f51880f8edafd791d243

    SHA1

    cfcd859af5d05939ddb303dabb98159f4c681bc2

    SHA256

    5d0b68cb3769964f1703ad612bdb8b49af609ba84bb33be59716897a4994ead2

    SHA512

    f66d2669c70a060bb2cbc68c159be865afa8ac053de25f9f9c807344e59cd6ba386e02f63a98ea3a66780cb36b2cd49b3edfa18cf36cca930a393d6773a36b7c

  • C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\[email protected]\install.rdf

    Filesize

    599B

    MD5

    8d949123eb79207ca2daeeba9b82159d

    SHA1

    4fb3dbece29fe21168ba4dc0cc7a23e062647734

    SHA256

    8313005f786496d3418ccbef87fc874d1ac7355ed604e74b9722e1b9118a2c24

    SHA512

    ea3eff912bd53b9ea29c40cbaf3ec4627817cf98548e2e98890f28ee6bdd58718abe4c146bbeeb46a27d967cfe8f0f50782e5a1a01fbc3d4f5d2c7e3eb785a38

  • C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\Yt5sBMJ2usOtXYk.dat

    Filesize

    6KB

    MD5

    51e53891d04092eee6b090da8472e7cb

    SHA1

    67d8458c8d337a7d9e51adb1005347b2e389c9a1

    SHA256

    559ae005dbc54e69ab4bb451f501a6964a06d68c4238f2ffdfebf91bc34c0568

    SHA512

    c4b7848705976e72cefb6a198382df0291ac991cd1ad0f036378ff0c7a6f443cec259b43190c2a4ad3cc7db397a274409f7dc70f9bf7129ad728e03250e36e7c

  • C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\Yt5sBMJ2usOtXYk.exe

    Filesize

    622KB

    MD5

    e6bafde32b2c77cdffaf64e854b36411

    SHA1

    7483c84b4014ddc44738a94af326b0c36fc7ee20

    SHA256

    5390cc4000f0d1d6fa105e4e18b6571913360f521cd013dd8e91cc8d93b2f0d0

    SHA512

    260a8d4dba37846a73d7fba791d93f9abc4f441b2c828d691dc20db1d246e8aaeb99209b1a83294d44d6802aef3a1263c4fcf98fb0c92b0c70282b711930d87b

  • C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\clbmjnddngihpelhjllmghomlgleaoon\WHHRsloe1.js

    Filesize

    5KB

    MD5

    6db8b4534cf29792a4c0c8b14255b1c4

    SHA1

    c3c4e0f7a034b5bda84b487aee71c86a6fe17084

    SHA256

    b2f147baab0eb9efef1f6a5ddfab8719bbdd246bfe59339f0fad2921ce5daf26

    SHA512

    39ac4b5c2764dcd308216baa83d404f167940f12dd318618217e3fae40116563c9e732f81bcd88b354978c7bd99cf41318df1a1d12ec726fa38375b7fb4882cf

  • C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\clbmjnddngihpelhjllmghomlgleaoon\background.html

    Filesize

    146B

    MD5

    776c86570dba41c3e8258d7059f2fa78

    SHA1

    0ab14169596ac0e3749251c7c8d4b7b9ca4870a1

    SHA256

    62d2e563241ddc1755110bc0fff2aee7389ec8f45c358d5964bfccc0988b5c93

    SHA512

    a703e5ab996c76fe9babd063a75ff6f29530c953dfa720f7b01414571de522fde65d1a280f24ff6b85103ee9281f4b34964af8349cc2dc234dbad2c42a9fd7a6

  • C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\clbmjnddngihpelhjllmghomlgleaoon\content.js

    Filesize

    144B

    MD5

    fca19198fd8af21016a8b1dec7980002

    SHA1

    fd01a47d14004e17a625efe66cc46a06c786cf40

    SHA256

    332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

    SHA512

    60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

  • C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\clbmjnddngihpelhjllmghomlgleaoon\lsdb.js

    Filesize

    531B

    MD5

    36d98318ab2b3b2585a30984db328afb

    SHA1

    f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

    SHA256

    ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

    SHA512

    6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

  • C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\clbmjnddngihpelhjllmghomlgleaoon\manifest.json

    Filesize

    505B

    MD5

    09fb6f6642d7098b0d84c1bf7e553774

    SHA1

    019d80f19eeee5b8c1e5d57da1d2c2fad3569d10

    SHA256

    73fec424fe3fd2a9b0781ef400c6ceba31c3bb6117f7209b10ac1c95df0de3a3

    SHA512

    7bc452b16d12caf4a23b0a8e94a5e2a3845bf39ebe496f079712f827c438cb0ab0d7c97543116a46945cb66cc0e91b277ba19cc1d59a1a47ee01e799fc768b97

  • C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\rNLFVDLpfjy41y.dll

    Filesize

    613KB

    MD5

    c547ac330285a0ea3ab373fbf632e095

    SHA1

    1c7a20d9bf6104c3c3343f0c4061107441348787

    SHA256

    8ad6a8d9db588353ff1cb777ac8b7f62b6a8976d2ed396e8816051ffc69c8db0

    SHA512

    b695eddc8d688d61b55a87d6153084836bb8c699a0e9b2834c77fed923e1ffa6da8871df569310668eff2161eb219eec8193bfcf812d9932f1ae064953d1b9a2

  • C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\rNLFVDLpfjy41y.tlb

    Filesize

    3KB

    MD5

    b09701113a6fa6b7ce61cef1f5b3dc70

    SHA1

    752190cbbd25d899b48f6fc2caa9cedd3baff7df

    SHA256

    a8a8b11da1822ce3d93baa6d3711969425dd4ccbe05bf348899320659b07e9d1

    SHA512

    9436a606e8ced02094374e5d603bc4bfb63a079259fa10c1fd82b9a30c40fa64c54b4bc3f7d5c0634dc4584c18e3accadd5df536e37367a7b3ea9f6597eb547a

  • C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\rNLFVDLpfjy41y.x64.dll

    Filesize

    693KB

    MD5

    2be2d271d3ab4d63bb6642af32722936

    SHA1

    c3eb0dd1d280018ab15a44c65c6b1b23dcef1552

    SHA256

    ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9

    SHA512

    08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

  • \Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.dll

    Filesize

    613KB

    MD5

    c547ac330285a0ea3ab373fbf632e095

    SHA1

    1c7a20d9bf6104c3c3343f0c4061107441348787

    SHA256

    8ad6a8d9db588353ff1cb777ac8b7f62b6a8976d2ed396e8816051ffc69c8db0

    SHA512

    b695eddc8d688d61b55a87d6153084836bb8c699a0e9b2834c77fed923e1ffa6da8871df569310668eff2161eb219eec8193bfcf812d9932f1ae064953d1b9a2

  • \Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.x64.dll

    Filesize

    693KB

    MD5

    2be2d271d3ab4d63bb6642af32722936

    SHA1

    c3eb0dd1d280018ab15a44c65c6b1b23dcef1552

    SHA256

    ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9

    SHA512

    08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

  • \Users\Admin\AppData\Local\Temp\7zS35A2.tmp\Yt5sBMJ2usOtXYk.exe

    Filesize

    622KB

    MD5

    e6bafde32b2c77cdffaf64e854b36411

    SHA1

    7483c84b4014ddc44738a94af326b0c36fc7ee20

    SHA256

    5390cc4000f0d1d6fa105e4e18b6571913360f521cd013dd8e91cc8d93b2f0d0

    SHA512

    260a8d4dba37846a73d7fba791d93f9abc4f441b2c828d691dc20db1d246e8aaeb99209b1a83294d44d6802aef3a1263c4fcf98fb0c92b0c70282b711930d87b

  • memory/996-78-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

    Filesize

    8KB

  • memory/996-77-0x0000000000000000-mapping.dmp

  • memory/1064-56-0x0000000000000000-mapping.dmp

  • memory/1100-73-0x0000000000000000-mapping.dmp

  • memory/1476-54-0x0000000076161000-0x0000000076163000-memory.dmp

    Filesize

    8KB
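
The Downloads list above repeats several files under more than one path (the same SHA256 appears in the 7zS35A2.tmp staging directory, in Program Files (x86)\BrowsseriShop, and once more without the drive letter), and one file is renamed on install: Yt5sBMJ2usOtXYk.dat in the staging directory and rNLFVDLpfjy41y.dat in BrowsseriShop share a hash. The script below is an added example for this page, not part of the sandbox report: it consolidates the report's entries into one IOC set keyed by hash, lists the distinct locations each hash was written to, and sweeps a directory tree for files matching the set. The DROPPED table copies path and SHA256 from the report (memory dumps omitted; the Firefox add-on directory is kept as the page shows it, `[email protected]`); the sweep demo hashes a constructed file because the real samples are not on this machine.

```python
"""Deduplicate the dropped-file list by content hash and sweep a directory
for the same hashes.

Added example for this page, not part of the sandbox report. DROPPED is the
report's Downloads section (path, SHA256); the sweep demo uses a constructed
file, not the real samples.
"""
import hashlib
import ntpath
import os
import tempfile
from collections import defaultdict

PF = r"C:\Program Files (x86)\BrowsseriShop"
SFX = r"C:\Users\Admin\AppData\Local\Temp\7zS35A2.tmp"
FX = SFX + r"\[email protected]"            # Firefox add-on dir, name as shown on the page
CR = SFX + r"\clbmjnddngihpelhjllmghomlgleaoon"  # Chrome extension dir (32-letter extension ID)

DROPPED = [
    (PF + r"\rNLFVDLpfjy41y.dat",      "559ae005dbc54e69ab4bb451f501a6964a06d68c4238f2ffdfebf91bc34c0568"),
    (PF + r"\rNLFVDLpfjy41y.x64.dll",  "ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9"),
    (FX + r"\bootstrap.js",            "6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4"),
    (FX + r"\chrome.manifest",         "2902c2a782ea2db84dc26bca796806ba2eaab9266175d10885baf00787a5828d"),
    (FX + r"\content\bg.js",           "5d0b68cb3769964f1703ad612bdb8b49af609ba84bb33be59716897a4994ead2"),
    (FX + r"\install.rdf",             "8313005f786496d3418ccbef87fc874d1ac7355ed604e74b9722e1b9118a2c24"),
    (SFX + r"\Yt5sBMJ2usOtXYk.dat",    "559ae005dbc54e69ab4bb451f501a6964a06d68c4238f2ffdfebf91bc34c0568"),
    (SFX + r"\Yt5sBMJ2usOtXYk.exe",    "5390cc4000f0d1d6fa105e4e18b6571913360f521cd013dd8e91cc8d93b2f0d0"),
    (CR + r"\WHHRsloe1.js",            "b2f147baab0eb9efef1f6a5ddfab8719bbdd246bfe59339f0fad2921ce5daf26"),
    (CR + r"\background.html",         "62d2e563241ddc1755110bc0fff2aee7389ec8f45c358d5964bfccc0988b5c93"),
    (CR + r"\content.js",              "332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a"),
    (CR + r"\lsdb.js",                 "ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7"),
    (CR + r"\manifest.json",           "73fec424fe3fd2a9b0781ef400c6ceba31c3bb6117f7209b10ac1c95df0de3a3"),
    (SFX + r"\rNLFVDLpfjy41y.dll",     "8ad6a8d9db588353ff1cb777ac8b7f62b6a8976d2ed396e8816051ffc69c8db0"),
    (SFX + r"\rNLFVDLpfjy41y.tlb",     "a8a8b11da1822ce3d93baa6d3711969425dd4ccbe05bf348899320659b07e9d1"),
    (SFX + r"\rNLFVDLpfjy41y.x64.dll", "ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9"),
    # the report also lists these without the drive letter
    (r"\Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.dll",            "8ad6a8d9db588353ff1cb777ac8b7f62b6a8976d2ed396e8816051ffc69c8db0"),
    (r"\Program Files (x86)\BrowsseriShop\rNLFVDLpfjy41y.x64.dll",        "ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9"),
    (r"\Users\Admin\AppData\Local\Temp\7zS35A2.tmp\Yt5sBMJ2usOtXYk.exe", "5390cc4000f0d1d6fa105e4e18b6571913360f521cd013dd8e91cc8d93b2f0d0"),
]


def normalize(path: str) -> str:
    """Drop the drive letter and case so C:\\X and \\X collapse to one location."""
    _, rest = ntpath.splitdrive(path)
    return rest.lower()


def consolidate(entries):
    """Group report entries by SHA256 -> sorted list of distinct on-disk locations."""
    groups = defaultdict(set)
    for path, sha in entries:
        groups[sha.lower()].add(normalize(path))
    return {sha: sorted(locs) for sha, locs in groups.items()}


def ioc_hashes(entries):
    return {sha.lower() for _, sha in entries}


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hashes):
    """Walk root and return (path, sha256) for every file whose hash is in the IOC set."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_of(p)
            except OSError:          # unreadable or vanished file: skip, do not abort the sweep
                continue
            if digest in hashes:
                hits.append((p, digest))
    return hits


def demo_sweep():
    """Constructed demo: one file whose hash we add to the IOC set, one benign file."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "constructed.bin")
        with open(bad, "wb") as f:
            f.write(b"constructed stand-in for a dropped file\n")
        with open(os.path.join(d, "benign.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        iocs = ioc_hashes(DROPPED) | {sha256_of(bad)}
        return [os.path.basename(p) for p, _ in sweep(d, iocs)]


if __name__ == "__main__":
    for sha, locs in consolidate(DROPPED).items():
        print(sha[:16], len(locs), "location(s):", *locs, sep=" ")
    print("demo sweep hits:", demo_sweep())
```

Keying on hash rather than path is what turns 19 report entries into 14 indicators and makes the staging-then-install pattern visible: the x64 BHO DLL and the .dat each resolve to two locations, the staging copy under %TEMP% and the installed copy under Program Files (x86).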