576594d8747034917abba186cb3766737b35f2d88f95dc0104c189c2949da3da

Analysis

max time kernel
47s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

576594d8747034917abba186cb3766737b35f2d88f95dc0104c189c2949da3da.exe
Size

2.1MB
MD5

4f09d6f6f0050aefe2a6e52540ea0bd2
SHA1

c64452ca7eb2cce98c680075382da1f9f370984c
SHA256

576594d8747034917abba186cb3766737b35f2d88f95dc0104c189c2949da3da
SHA512

48c97965a2dd62f39245ea1719690358732cf26b8d7a409a71c433ba9c94bce61464c62277afc571805a1682321025793e77e939faa12ab076570d984433eb14
SSDEEP

49152:h1OsYPtqGqK2M8f3h4UO2sEYYQvLZwQE5m4oG:h1OzHoxLYYay

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
840	izX52qFJE2gkXNl.exe

Loads dropped DLL 4 IoCs

pid	Process
1364	576594d8747034917abba186cb3766737b35f2d88f95dc0104c189c2949da3da.exe
840	izX52qFJE2gkXNl.exe
472	regsvr32.exe
812	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnhabljonhigomlfimflelefmlbjhkfm\200\manifest.json	izX52qFJE2gkXNl.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnhabljonhigomlfimflelefmlbjhkfm\200\manifest.json	izX52qFJE2gkXNl.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnhabljonhigomlfimflelefmlbjhkfm\200\manifest.json	izX52qFJE2gkXNl.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	izX52qFJE2gkXNl.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	izX52qFJE2gkXNl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	izX52qFJE2gkXNl.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	izX52qFJE2gkXNl.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	izX52qFJE2gkXNl.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\BBrowsereShopp\ddmrg0FxmTfO0t.dll	izX52qFJE2gkXNl.exe
File created	C:\Program Files (x86)\BBrowsereShopp\ddmrg0FxmTfO0t.tlb	izX52qFJE2gkXNl.exe
File opened for modification	C:\Program Files (x86)\BBrowsereShopp\ddmrg0FxmTfO0t.tlb	izX52qFJE2gkXNl.exe
File created	C:\Program Files (x86)\BBrowsereShopp\ddmrg0FxmTfO0t.dat	izX52qFJE2gkXNl.exe
File opened for modification	C:\Program Files (x86)\BBrowsereShopp\ddmrg0FxmTfO0t.dat	izX52qFJE2gkXNl.exe
File created	C:\Program Files (x86)\BBrowsereShopp\ddmrg0FxmTfO0t.x64.dll	izX52qFJE2gkXNl.exe
File opened for modification	C:\Program Files (x86)\BBrowsereShopp\ddmrg0FxmTfO0t.x64.dll	izX52qFJE2gkXNl.exe
File created	C:\Program Files (x86)\BBrowsereShopp\ddmrg0FxmTfO0t.dll	izX52qFJE2gkXNl.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 840	1364	576594d8747034917abba186cb3766737b35f2d88f95dc0104c189c2949da3da.exe	26
PID 1364 wrote to memory of 840	1364	576594d8747034917abba186cb3766737b35f2d88f95dc0104c189c2949da3da.exe	26
PID 1364 wrote to memory of 840	1364	576594d8747034917abba186cb3766737b35f2d88f95dc0104c189c2949da3da.exe	26
PID 1364 wrote to memory of 840	1364	576594d8747034917abba186cb3766737b35f2d88f95dc0104c189c2949da3da.exe	26
PID 840 wrote to memory of 472	840	izX52qFJE2gkXNl.exe	27
PID 840 wrote to memory of 472	840	izX52qFJE2gkXNl.exe	27
PID 840 wrote to memory of 472	840	izX52qFJE2gkXNl.exe	27
PID 840 wrote to memory of 472	840	izX52qFJE2gkXNl.exe	27
PID 840 wrote to memory of 472	840	izX52qFJE2gkXNl.exe	27
PID 840 wrote to memory of 472	840	izX52qFJE2gkXNl.exe	27
PID 840 wrote to memory of 472	840	izX52qFJE2gkXNl.exe	27
PID 472 wrote to memory of 812	472	regsvr32.exe	28
PID 472 wrote to memory of 812	472	regsvr32.exe	28
PID 472 wrote to memory of 812	472	regsvr32.exe	28
PID 472 wrote to memory of 812	472	regsvr32.exe	28
PID 472 wrote to memory of 812	472	regsvr32.exe	28
PID 472 wrote to memory of 812	472	regsvr32.exe	28
PID 472 wrote to memory of 812	472	regsvr32.exe	28

C:\Users\Admin\AppData\Local\Temp\576594d8747034917abba186cb3766737b35f2d88f95dc0104c189c2949da3da.exe
"C:\Users\Admin\AppData\Local\Temp\576594d8747034917abba186cb3766737b35f2d88f95dc0104c189c2949da3da.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\7zS34A8.tmp\izX52qFJE2gkXNl.exe
  .\izX52qFJE2gkXNl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\BBrowsereShopp\ddmrg0FxmTfO0t.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:472
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BBrowsereShopp\ddmrg0FxmTfO0t.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BBrowsereShopp\ddmrg0FxmTfO0t.dat

Filesize
6KB

MD5
aa0bc5a2601d49e1a8fa7865a4fe0f34

SHA1
207af28b50b7d555abc666958fb6fa27acb6fab1

SHA256
5dd6f4dbf505ea96ee78ef649155448d38ec880611b1b65bb92b26ae87a12d13

SHA512
5cad3ae6d9a621d76c429e4c0b3f1a3899451507a4a346f6bf341242974bf930993adeefcd1f33041ff5896ffc9c0337d7669967d1a1aef71192d30230d068c3

Download Submit
C:\Program Files (x86)\BBrowsereShopp\ddmrg0FxmTfO0t.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34A8.tmp\cnhabljonhigomlfimflelefmlbjhkfm\background.html

Filesize
142B

MD5
af0101e570dcc92619a8d39f6a68976d

SHA1
2742692017d592e28866b619f356e185270b5b3b

SHA256
6d35dcbce7b3f02f6fe6fa9b32f705b019f015795c590b377aa42cc9a2ed6a5e

SHA512
37483b366af8361c2a48c9b395c955744bc5587019f8c7d96b9a013964667ee0b2987f5e1561c05dc520f0122f99169bba727281a30bccb48a93c0bb54cec6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34A8.tmp\cnhabljonhigomlfimflelefmlbjhkfm\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34A8.tmp\cnhabljonhigomlfimflelefmlbjhkfm\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34A8.tmp\cnhabljonhigomlfimflelefmlbjhkfm\manifest.json

Filesize
506B

MD5
fac7a23421450cb103a55b3e35e1e025

SHA1
bd5c96a258e7e35c35b31d7f5593ac346a48ecfa

SHA256
03e2b6fb0c346be8af7198c48831f0a5822036a66ef3e82a5e4ae185270ed940

SHA512
33fec05d5de8d676bd33e684a47249aa29e932daf34f81b3b050139d9907fd2fdb3152e209acd6d3d47a43489ae2537de7d9e7b201cb900c349a38f0e49a0242

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34A8.tmp\cnhabljonhigomlfimflelefmlbjhkfm\uinXG.js

Filesize
5KB

MD5
2508acc7992a2b7ad11e460e1b85947a

SHA1
4872ad7420039c86d77ac63c92b1a93a9c78b08b

SHA256
86f3cf6cbe47b8ac081d5ff1be7b711505cb71a83c4a066d184de8c7a6506714

SHA512
90ab9bcf892348e59362c2f9b9e928a94c43a2a71a7fc012dbbc47023a0c2dda22c94936b365476d8edc404e3c1439754ac14424a8a731f3827f6be60a57956b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34A8.tmp\ddmrg0FxmTfO0t.dll

Filesize
618KB

MD5
9e56f8bd63dc95894be8b9e660696f1c

SHA1
2efcb8fc0ce33f2ada28fb2a6a17ec43813f80cb

SHA256
93186596d2312706d0623df3c9b9dfdea35546d5506b20216d2a7efeb1d8d79a

SHA512
e52fa89e7cf8ed7419a5f410f6bf46a19695727f19f8eebd714dee9d6f8a9036acc528cd6b0033f70f11a04e18746b814ee2dc494f2fc82db104a876b479d827

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34A8.tmp\ddmrg0FxmTfO0t.tlb

Filesize
3KB

MD5
713ab144897857b45ce9515c2a1e2d52

SHA1
607a46adbfe1892276898fb6b00e7c62dbf82772

SHA256
3ec756ec9b8c4b03cc723127bc372b67c406a4915fa0a82597b0fb29685096e6

SHA512
b54c6eaf989d9e51ba66278a0991daa14bde0f56e86c8c2fce67f2118e9557307b409fbc9ae48921c37c1869634b2801028d728f4cf3b871ad8971965e3004b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34A8.tmp\ddmrg0FxmTfO0t.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34A8.tmp\izX52qFJE2gkXNl.dat

Filesize
6KB

MD5
aa0bc5a2601d49e1a8fa7865a4fe0f34

SHA1
207af28b50b7d555abc666958fb6fa27acb6fab1

SHA256
5dd6f4dbf505ea96ee78ef649155448d38ec880611b1b65bb92b26ae87a12d13

SHA512
5cad3ae6d9a621d76c429e4c0b3f1a3899451507a4a346f6bf341242974bf930993adeefcd1f33041ff5896ffc9c0337d7669967d1a1aef71192d30230d068c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34A8.tmp\izX52qFJE2gkXNl.exe

Filesize
629KB

MD5
15dada567404c2049507d7098389e997

SHA1
508d8cc90c247e26ce5041c718825734079d841c

SHA256
888d66bccd07a163c4fcf59dca8fb4577fe6ecb7b11c427108b1e0aa45fccc58

SHA512
6fd82c0d06c43b309ce45c048c072c9696dfd6e9a81ec5149df64784f6428c6abe91b9be215b8a47dafc8859319be94bb13fbd2e4bc1795da61b970202a15261

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34A8.tmp\izX52qFJE2gkXNl.exe

Filesize
629KB

MD5
15dada567404c2049507d7098389e997

SHA1
508d8cc90c247e26ce5041c718825734079d841c

SHA256
888d66bccd07a163c4fcf59dca8fb4577fe6ecb7b11c427108b1e0aa45fccc58

SHA512
6fd82c0d06c43b309ce45c048c072c9696dfd6e9a81ec5149df64784f6428c6abe91b9be215b8a47dafc8859319be94bb13fbd2e4bc1795da61b970202a15261

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34A8.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34A8.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
407dc9c79bf1e915db52be155da4199f

SHA1
39c0565f061c43a66c503d69d75a88afac180119

SHA256
aa23b4164a1c16d2030191d0466ee7f510229117656961804001466319dcfdf9

SHA512
1b186a96c9ed0e9358f8d410b704d6ec99328302b5f79d55b7b612429e3670e0be3bab56686e1a653d14ae852b8d66f59058dee13a0570dc2733b9e90ea54950

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34A8.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
17dd5eb94c97de563ef9092ee3becb5e

SHA1
beea50eb6fb3508802c1d8ef6c9bd5e86283dec2

SHA256
b379a47bc20364ea050217312904351fff5cc93e4a5fef25b2cfd9857a3deece

SHA512
ff01ee6cd34c6e27f5aa717ee89791f8253c00b52e177070111a92779d10a23e8709a7292187ca4268cae0c02d56c1e684917a0ce40680e30a1aa0be4129226d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34A8.tmp\[email protected]\install.rdf

Filesize
602B

MD5
93885f74e47b71fa30f936d2bd6518c9

SHA1
9c8f1a40841e6c984634e31c05153ed59c10a5a3

SHA256
f7d462d1448b793ef1a5bf16bc5a46b4a01cc3cf55a45e798eb1a083912221a0

SHA512
77350bda031a18d637f58a373de006a9412005632df31d9692cfa7e5db62653c0a212b3ae2d0ad26062c723d3394b60fa129e9caef6f94ca3d2fa6f39efe898f

Download Submit
\Program Files (x86)\BBrowsereShopp\ddmrg0FxmTfO0t.dll

Filesize
618KB

MD5
9e56f8bd63dc95894be8b9e660696f1c

SHA1
2efcb8fc0ce33f2ada28fb2a6a17ec43813f80cb

SHA256
93186596d2312706d0623df3c9b9dfdea35546d5506b20216d2a7efeb1d8d79a

SHA512
e52fa89e7cf8ed7419a5f410f6bf46a19695727f19f8eebd714dee9d6f8a9036acc528cd6b0033f70f11a04e18746b814ee2dc494f2fc82db104a876b479d827

Download Submit
\Program Files (x86)\BBrowsereShopp\ddmrg0FxmTfO0t.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
\Program Files (x86)\BBrowsereShopp\ddmrg0FxmTfO0t.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS34A8.tmp\izX52qFJE2gkXNl.exe

Filesize
629KB

MD5
15dada567404c2049507d7098389e997

SHA1
508d8cc90c247e26ce5041c718825734079d841c

SHA256
888d66bccd07a163c4fcf59dca8fb4577fe6ecb7b11c427108b1e0aa45fccc58

SHA512
6fd82c0d06c43b309ce45c048c072c9696dfd6e9a81ec5149df64784f6428c6abe91b9be215b8a47dafc8859319be94bb13fbd2e4bc1795da61b970202a15261

Download Submit
memory/472-73-0x0000000000000000-mapping.dmp

Download
memory/812-77-0x0000000000000000-mapping.dmp

Download
memory/812-78-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/840-56-0x0000000000000000-mapping.dmp

Download
memory/1364-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download