51bd741797ddcacacc8e9711c3843c9ccd1ac862662c683d2c6bc49c19ca2d5f

Analysis

max time kernel
6s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51bd741797ddcacacc8e9711c3843c9ccd1ac862662c683d2c6bc49c19ca2d5f.exe
Size

2.1MB
MD5

3290e42e4c96ffec7ad2f9aed6081cc1
SHA1

adf469736a182e4eb9076279bb59c3108a291a41
SHA256

51bd741797ddcacacc8e9711c3843c9ccd1ac862662c683d2c6bc49c19ca2d5f
SHA512

7b89a96627e01884df11d3ba2414297049a695fd8b5aba5b4bb2b0ed43ba46acc67ce0aa310b8c46aa3b2fd2844095cb53c338e8dab641423dd9ef0b42747e90
SSDEEP

49152:h1OsZr4lSVHMdhSEM+5Rz8yH+zzBuTivFk:h1OOxchSEP7jMzkivq

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1416	OuaPOToDZSZ0HxS.exe

Loads dropped DLL 4 IoCs

pid	Process
2036	51bd741797ddcacacc8e9711c3843c9ccd1ac862662c683d2c6bc49c19ca2d5f.exe
1416	OuaPOToDZSZ0HxS.exe
1204	regsvr32.exe
884	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfohheidnhhehnnlldiokioodokdpmog\1.0\manifest.json	OuaPOToDZSZ0HxS.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfohheidnhhehnnlldiokioodokdpmog\1.0\manifest.json	OuaPOToDZSZ0HxS.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfohheidnhhehnnlldiokioodokdpmog\1.0\manifest.json	OuaPOToDZSZ0HxS.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	OuaPOToDZSZ0HxS.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	OuaPOToDZSZ0HxS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	OuaPOToDZSZ0HxS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	OuaPOToDZSZ0HxS.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	OuaPOToDZSZ0HxS.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\YoutuubeAdBleocKei\USdC4VRWWb3Nml.x64.dll	OuaPOToDZSZ0HxS.exe
File opened for modification	C:\Program Files (x86)\YoutuubeAdBleocKei\USdC4VRWWb3Nml.x64.dll	OuaPOToDZSZ0HxS.exe
File created	C:\Program Files (x86)\YoutuubeAdBleocKei\USdC4VRWWb3Nml.dll	OuaPOToDZSZ0HxS.exe
File opened for modification	C:\Program Files (x86)\YoutuubeAdBleocKei\USdC4VRWWb3Nml.dll	OuaPOToDZSZ0HxS.exe
File created	C:\Program Files (x86)\YoutuubeAdBleocKei\USdC4VRWWb3Nml.tlb	OuaPOToDZSZ0HxS.exe
File opened for modification	C:\Program Files (x86)\YoutuubeAdBleocKei\USdC4VRWWb3Nml.tlb	OuaPOToDZSZ0HxS.exe
File created	C:\Program Files (x86)\YoutuubeAdBleocKei\USdC4VRWWb3Nml.dat	OuaPOToDZSZ0HxS.exe
File opened for modification	C:\Program Files (x86)\YoutuubeAdBleocKei\USdC4VRWWb3Nml.dat	OuaPOToDZSZ0HxS.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1416	2036	51bd741797ddcacacc8e9711c3843c9ccd1ac862662c683d2c6bc49c19ca2d5f.exe	28
PID 2036 wrote to memory of 1416	2036	51bd741797ddcacacc8e9711c3843c9ccd1ac862662c683d2c6bc49c19ca2d5f.exe	28
PID 2036 wrote to memory of 1416	2036	51bd741797ddcacacc8e9711c3843c9ccd1ac862662c683d2c6bc49c19ca2d5f.exe	28
PID 2036 wrote to memory of 1416	2036	51bd741797ddcacacc8e9711c3843c9ccd1ac862662c683d2c6bc49c19ca2d5f.exe	28
PID 1416 wrote to memory of 1204	1416	OuaPOToDZSZ0HxS.exe	29
PID 1416 wrote to memory of 1204	1416	OuaPOToDZSZ0HxS.exe	29
PID 1416 wrote to memory of 1204	1416	OuaPOToDZSZ0HxS.exe	29
PID 1416 wrote to memory of 1204	1416	OuaPOToDZSZ0HxS.exe	29
PID 1416 wrote to memory of 1204	1416	OuaPOToDZSZ0HxS.exe	29
PID 1416 wrote to memory of 1204	1416	OuaPOToDZSZ0HxS.exe	29
PID 1416 wrote to memory of 1204	1416	OuaPOToDZSZ0HxS.exe	29
PID 1204 wrote to memory of 884	1204	regsvr32.exe	30
PID 1204 wrote to memory of 884	1204	regsvr32.exe	30
PID 1204 wrote to memory of 884	1204	regsvr32.exe	30
PID 1204 wrote to memory of 884	1204	regsvr32.exe	30
PID 1204 wrote to memory of 884	1204	regsvr32.exe	30
PID 1204 wrote to memory of 884	1204	regsvr32.exe	30
PID 1204 wrote to memory of 884	1204	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\51bd741797ddcacacc8e9711c3843c9ccd1ac862662c683d2c6bc49c19ca2d5f.exe
"C:\Users\Admin\AppData\Local\Temp\51bd741797ddcacacc8e9711c3843c9ccd1ac862662c683d2c6bc49c19ca2d5f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\OuaPOToDZSZ0HxS.exe
  .\OuaPOToDZSZ0HxS.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YoutuubeAdBleocKei\USdC4VRWWb3Nml.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YoutuubeAdBleocKei\USdC4VRWWb3Nml.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutuubeAdBleocKei\USdC4VRWWb3Nml.dat

Filesize
6KB

MD5
b9fbca472e95749ed54fe04e5de1940d

SHA1
5d603bfbb9075cb974093dd01370de58f4d055ba

SHA256
967af4418f79b93b7ba70a38b42239c442547d5b131a670513b1c7ef528bc6af

SHA512
ef02652fd8572c120384eb6d57c62a7dbad6fb3ced86d5b96d416d52841b50015e26f0c0208190b535be62e5bfbf28a7cb6edffebf31aee816d1d81693587aa6

Download Submit
C:\Program Files (x86)\YoutuubeAdBleocKei\USdC4VRWWb3Nml.x64.dll

Filesize
695KB

MD5
132599fbce10c08be6ebec9473a27d9e

SHA1
03932abc447bdee8dc565f28a05ff0d37352c761

SHA256
3933d02d30adfac55b4505e50a1a484a3a4c1cd6413496b4973befaef2aab2a9

SHA512
f150803390cd35dffb1cfbf9fd703d845598dd3d029b5ced7cbd2d60cfbe2a467f0e3585b592549796724238b40a7b0251c38f351e6e10b3384a452da323f89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\OuaPOToDZSZ0HxS.dat

Filesize
6KB

MD5
b9fbca472e95749ed54fe04e5de1940d

SHA1
5d603bfbb9075cb974093dd01370de58f4d055ba

SHA256
967af4418f79b93b7ba70a38b42239c442547d5b131a670513b1c7ef528bc6af

SHA512
ef02652fd8572c120384eb6d57c62a7dbad6fb3ced86d5b96d416d52841b50015e26f0c0208190b535be62e5bfbf28a7cb6edffebf31aee816d1d81693587aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\OuaPOToDZSZ0HxS.exe

Filesize
623KB

MD5
84732b41d5fc6660d9a30a43ad4398c2

SHA1
0afe25c3651aa0da868df654a39c0e34c909090a

SHA256
83d4d9d37a153b742deaf66cf7e628abb8ea592c8fb2b0ba5eaf669dcbe5c688

SHA512
6216a8a3428c7eadf49eee6204d1294a15fb4801b22dceb982f2feb3ced249a02ce9945001cab2b19012133228ac276bf02526953b75ecb3e3731c8bec4ff3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\OuaPOToDZSZ0HxS.exe

Filesize
623KB

MD5
84732b41d5fc6660d9a30a43ad4398c2

SHA1
0afe25c3651aa0da868df654a39c0e34c909090a

SHA256
83d4d9d37a153b742deaf66cf7e628abb8ea592c8fb2b0ba5eaf669dcbe5c688

SHA512
6216a8a3428c7eadf49eee6204d1294a15fb4801b22dceb982f2feb3ced249a02ce9945001cab2b19012133228ac276bf02526953b75ecb3e3731c8bec4ff3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\USdC4VRWWb3Nml.dll

Filesize
616KB

MD5
e9332601d3a49395156fc2a68bc9e0fc

SHA1
93d0a64766f13c64961cc095e29265c141277a5e

SHA256
2f1487ddd10c7ae59ed3abeb50382e5733a6aed9def3f227f2e5641f0ede7da0

SHA512
5c70de3057f145db98c007ee0b4b9e6cec57ef81c660c85ed5fb39384a8dbdae665eb1ba34c486a648f5d93e526c850e7e2dfa496c5471ff710dd7d559c46ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\USdC4VRWWb3Nml.tlb

Filesize
3KB

MD5
eec93149067789c941497138f5422741

SHA1
aad1991b9b8f568255707de7a0d101115dc65501

SHA256
63f49ab03606822625fec5331ed40e271577b245b720e22d051212d6936d7d55

SHA512
969517f1d3e4360787a9919c0a78694a932bfc911127959ac345864faf77d5526e3ddf8ebb31d56f9b2a859f45eae192f274f68374267c1eb6c64368d204f4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\USdC4VRWWb3Nml.x64.dll

Filesize
695KB

MD5
132599fbce10c08be6ebec9473a27d9e

SHA1
03932abc447bdee8dc565f28a05ff0d37352c761

SHA256
3933d02d30adfac55b4505e50a1a484a3a4c1cd6413496b4973befaef2aab2a9

SHA512
f150803390cd35dffb1cfbf9fd703d845598dd3d029b5ced7cbd2d60cfbe2a467f0e3585b592549796724238b40a7b0251c38f351e6e10b3384a452da323f89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
442c3e76a31ff8bc7216ba7455a6556d

SHA1
60f1bee1ee2b12e92e57bf3b8ddaa9425c8263dd

SHA256
c8f7e40557a05136f4d31f8cf8ddd827e860e0309cd69049e34aa835b6be0ab4

SHA512
ffabd4a5de543ff7c2156806e59938a1b71f1994c78c614e973a3f8c1a33068ff33cfb17a4559338378d20638bb5bb6fa75dc69c2f8b5cf2daa2fc837c651939

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
384ab854f2669d0ca48c61b08fe340d1

SHA1
e82eda218b25a6be22e80dd0e39503534e552448

SHA256
a630a5b9f56bac8c5a700f1b41b2f4a7e2a9e012ca5dabde83e9cdfd4fa4e712

SHA512
b27ea5131845c299131851175bac88c115d9fbb643d1db117aa7c45de793e596f817f5f460577961382eb8a5b8a644114e6d6bab245c45feb90096b90e071d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\[email protected]\install.rdf

Filesize
607B

MD5
b2b4ff85d546ed227f720eb57cb68704

SHA1
54402b966c782ff5c9e8cc2de3cd59ecc39585f1

SHA256
eb1c823328f9a0a00ee7c82c3a41554935137362767fa063264174545e611523

SHA512
215fa80eb46246ef69690f36a57a984b4357655f3bebf450e24474575cf7efc3fd6737ffc9b7c6abb8b47a0bc96e7895da14f680d40361769d5893e70fd137ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\jfohheidnhhehnnlldiokioodokdpmog\background.html

Filesize
144B

MD5
5b909bf76ceda138b515e4271be3d53f

SHA1
83ba4a04673b3d423ea339ecf9cd453a7c0d3b45

SHA256
f217b65c26d9b855afa4d7abb9154382245cabf1b8ab0a2936b7653fa4777e5b

SHA512
23743adb445cb294e1c2ba0e404a233d951a323faeb7494e733e4e27a64e0b12637f04551dbb008df60fc99db829e9414e8b4a8c2a966addc6e6b59d307c7080

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\jfohheidnhhehnnlldiokioodokdpmog\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\jfohheidnhhehnnlldiokioodokdpmog\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\jfohheidnhhehnnlldiokioodokdpmog\manifest.json

Filesize
510B

MD5
3e96aab8a1e6b361ba979e0039d5bbd3

SHA1
c65aec00cf58ed70a4a768f8883669470a8fb5d2

SHA256
17620b4299b894009aa1e33e0fd786d373311560723f78f1b6f1638129af061c

SHA512
4b4ce22b2e88bb07bdd292fd0e8e72d0e92125430b105c0fb4937e8bee08dc48d52d92302a09c019a234223479902cb6a65a892be725a6114f4c81163bfa5664

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6365.tmp\jfohheidnhhehnnlldiokioodokdpmog\ndJfM9u.js

Filesize
5KB

MD5
c344f9bab93289008d81a08d381e66ab

SHA1
b918efa5a4b6ce5d46164729377894ffb9674c41

SHA256
c791b31abd1029d9258c3630be9641c892f05043304a14784696851a14ec8bd1

SHA512
bcf4bb10a08afa96b8663c6c63b886bbb91c874a6dbc0d8910f8193e86a7491a4f7d9bdb7f86a3a3cd92d2c46d54bf2c024469ebfb36c72843ae128bd515e136

Download Submit
\Program Files (x86)\YoutuubeAdBleocKei\USdC4VRWWb3Nml.dll

Filesize
616KB

MD5
e9332601d3a49395156fc2a68bc9e0fc

SHA1
93d0a64766f13c64961cc095e29265c141277a5e

SHA256
2f1487ddd10c7ae59ed3abeb50382e5733a6aed9def3f227f2e5641f0ede7da0

SHA512
5c70de3057f145db98c007ee0b4b9e6cec57ef81c660c85ed5fb39384a8dbdae665eb1ba34c486a648f5d93e526c850e7e2dfa496c5471ff710dd7d559c46ad6

Download Submit
\Program Files (x86)\YoutuubeAdBleocKei\USdC4VRWWb3Nml.x64.dll

Filesize
695KB

MD5
132599fbce10c08be6ebec9473a27d9e

SHA1
03932abc447bdee8dc565f28a05ff0d37352c761

SHA256
3933d02d30adfac55b4505e50a1a484a3a4c1cd6413496b4973befaef2aab2a9

SHA512
f150803390cd35dffb1cfbf9fd703d845598dd3d029b5ced7cbd2d60cfbe2a467f0e3585b592549796724238b40a7b0251c38f351e6e10b3384a452da323f89b

Download Submit
\Program Files (x86)\YoutuubeAdBleocKei\USdC4VRWWb3Nml.x64.dll

Filesize
695KB

MD5
132599fbce10c08be6ebec9473a27d9e

SHA1
03932abc447bdee8dc565f28a05ff0d37352c761

SHA256
3933d02d30adfac55b4505e50a1a484a3a4c1cd6413496b4973befaef2aab2a9

SHA512
f150803390cd35dffb1cfbf9fd703d845598dd3d029b5ced7cbd2d60cfbe2a467f0e3585b592549796724238b40a7b0251c38f351e6e10b3384a452da323f89b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6365.tmp\OuaPOToDZSZ0HxS.exe

Filesize
623KB

MD5
84732b41d5fc6660d9a30a43ad4398c2

SHA1
0afe25c3651aa0da868df654a39c0e34c909090a

SHA256
83d4d9d37a153b742deaf66cf7e628abb8ea592c8fb2b0ba5eaf669dcbe5c688

SHA512
6216a8a3428c7eadf49eee6204d1294a15fb4801b22dceb982f2feb3ced249a02ce9945001cab2b19012133228ac276bf02526953b75ecb3e3731c8bec4ff3b0

Download Submit
memory/884-78-0x000007FEFC451000-0x000007FEFC453000-memory.dmp

Filesize
8KB

Download
memory/2036-54-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download