60b9d52c8c4bf25feff7498606e2abc862cd1368d07b7596823b85cae7c5bb1a

Analysis

max time kernel
38s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60b9d52c8c4bf25feff7498606e2abc862cd1368d07b7596823b85cae7c5bb1a.exe
Size

2.1MB
MD5

dcaf0153cc1364a332bd0b533c6dca5b
SHA1

88c78f4f6f97ef2588b2bbd53ae5dbbcecdb6cbf
SHA256

60b9d52c8c4bf25feff7498606e2abc862cd1368d07b7596823b85cae7c5bb1a
SHA512

999bf47e3f7fcdc8b074fc807f31f2331866cf520e765c67d0062bb98a6924568d791a12f2cfd3c2d810b16e4ba97e33e528857436f085940a6385bc8d1e4090
SSDEEP

49152:h1OsWPtqGqK2M8f3h4UO2sEYYQvLZwQE5m4oE:h1O5HoxLYYaQ

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1536	SC55uFAIFl6enDc.exe

Loads dropped DLL 4 IoCs

pid	Process
1504	60b9d52c8c4bf25feff7498606e2abc862cd1368d07b7596823b85cae7c5bb1a.exe
1536	SC55uFAIFl6enDc.exe
964	regsvr32.exe
1724	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjogomkfakejefcnennkjmgmnhgahabi\200\manifest.json	SC55uFAIFl6enDc.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjogomkfakejefcnennkjmgmnhgahabi\200\manifest.json	SC55uFAIFl6enDc.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjogomkfakejefcnennkjmgmnhgahabi\200\manifest.json	SC55uFAIFl6enDc.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	SC55uFAIFl6enDc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	SC55uFAIFl6enDc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	SC55uFAIFl6enDc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	SC55uFAIFl6enDc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	SC55uFAIFl6enDc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BrowwSEr ShoP\6a8NEMkcKaDojU.tlb	SC55uFAIFl6enDc.exe
File opened for modification	C:\Program Files (x86)\BrowwSEr ShoP\6a8NEMkcKaDojU.tlb	SC55uFAIFl6enDc.exe
File created	C:\Program Files (x86)\BrowwSEr ShoP\6a8NEMkcKaDojU.dat	SC55uFAIFl6enDc.exe
File opened for modification	C:\Program Files (x86)\BrowwSEr ShoP\6a8NEMkcKaDojU.dat	SC55uFAIFl6enDc.exe
File created	C:\Program Files (x86)\BrowwSEr ShoP\6a8NEMkcKaDojU.x64.dll	SC55uFAIFl6enDc.exe
File opened for modification	C:\Program Files (x86)\BrowwSEr ShoP\6a8NEMkcKaDojU.x64.dll	SC55uFAIFl6enDc.exe
File created	C:\Program Files (x86)\BrowwSEr ShoP\6a8NEMkcKaDojU.dll	SC55uFAIFl6enDc.exe
File opened for modification	C:\Program Files (x86)\BrowwSEr ShoP\6a8NEMkcKaDojU.dll	SC55uFAIFl6enDc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1536	1504	60b9d52c8c4bf25feff7498606e2abc862cd1368d07b7596823b85cae7c5bb1a.exe	26
PID 1504 wrote to memory of 1536	1504	60b9d52c8c4bf25feff7498606e2abc862cd1368d07b7596823b85cae7c5bb1a.exe	26
PID 1504 wrote to memory of 1536	1504	60b9d52c8c4bf25feff7498606e2abc862cd1368d07b7596823b85cae7c5bb1a.exe	26
PID 1504 wrote to memory of 1536	1504	60b9d52c8c4bf25feff7498606e2abc862cd1368d07b7596823b85cae7c5bb1a.exe	26
PID 1536 wrote to memory of 964	1536	SC55uFAIFl6enDc.exe	27
PID 1536 wrote to memory of 964	1536	SC55uFAIFl6enDc.exe	27
PID 1536 wrote to memory of 964	1536	SC55uFAIFl6enDc.exe	27
PID 1536 wrote to memory of 964	1536	SC55uFAIFl6enDc.exe	27
PID 1536 wrote to memory of 964	1536	SC55uFAIFl6enDc.exe	27
PID 1536 wrote to memory of 964	1536	SC55uFAIFl6enDc.exe	27
PID 1536 wrote to memory of 964	1536	SC55uFAIFl6enDc.exe	27
PID 964 wrote to memory of 1724	964	regsvr32.exe	28
PID 964 wrote to memory of 1724	964	regsvr32.exe	28
PID 964 wrote to memory of 1724	964	regsvr32.exe	28
PID 964 wrote to memory of 1724	964	regsvr32.exe	28
PID 964 wrote to memory of 1724	964	regsvr32.exe	28
PID 964 wrote to memory of 1724	964	regsvr32.exe	28
PID 964 wrote to memory of 1724	964	regsvr32.exe	28

C:\Users\Admin\AppData\Local\Temp\60b9d52c8c4bf25feff7498606e2abc862cd1368d07b7596823b85cae7c5bb1a.exe
"C:\Users\Admin\AppData\Local\Temp\60b9d52c8c4bf25feff7498606e2abc862cd1368d07b7596823b85cae7c5bb1a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\7zS456A.tmp\SC55uFAIFl6enDc.exe
  .\SC55uFAIFl6enDc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\BrowwSEr ShoP\6a8NEMkcKaDojU.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BrowwSEr ShoP\6a8NEMkcKaDojU.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BrowwSEr ShoP\6a8NEMkcKaDojU.dat

Filesize
6KB

MD5
469637b4803115be85ebe4c997bf4b14

SHA1
8f5cac19d1156fe1405431fe588daacc595dc505

SHA256
b2f76c27d11f9ce2267a127aefd88d852b96c34baaa0be1a2f7bfca6567e25ec

SHA512
55a4c96188a9fe26631e14edffe57b9003aa8121e6b965cf385194dd8141c64b9a028a5cc17e5437dcc80c14bca0409eeab3980f64c367b7ffb7d578ed3b83d0

Download Submit
C:\Program Files (x86)\BrowwSEr ShoP\6a8NEMkcKaDojU.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS456A.tmp\6a8NEMkcKaDojU.dll

Filesize
618KB

MD5
9e56f8bd63dc95894be8b9e660696f1c

SHA1
2efcb8fc0ce33f2ada28fb2a6a17ec43813f80cb

SHA256
93186596d2312706d0623df3c9b9dfdea35546d5506b20216d2a7efeb1d8d79a

SHA512
e52fa89e7cf8ed7419a5f410f6bf46a19695727f19f8eebd714dee9d6f8a9036acc528cd6b0033f70f11a04e18746b814ee2dc494f2fc82db104a876b479d827

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS456A.tmp\6a8NEMkcKaDojU.tlb

Filesize
3KB

MD5
713ab144897857b45ce9515c2a1e2d52

SHA1
607a46adbfe1892276898fb6b00e7c62dbf82772

SHA256
3ec756ec9b8c4b03cc723127bc372b67c406a4915fa0a82597b0fb29685096e6

SHA512
b54c6eaf989d9e51ba66278a0991daa14bde0f56e86c8c2fce67f2118e9557307b409fbc9ae48921c37c1869634b2801028d728f4cf3b871ad8971965e3004b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS456A.tmp\6a8NEMkcKaDojU.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS456A.tmp\SC55uFAIFl6enDc.dat

Filesize
6KB

MD5
469637b4803115be85ebe4c997bf4b14

SHA1
8f5cac19d1156fe1405431fe588daacc595dc505

SHA256
b2f76c27d11f9ce2267a127aefd88d852b96c34baaa0be1a2f7bfca6567e25ec

SHA512
55a4c96188a9fe26631e14edffe57b9003aa8121e6b965cf385194dd8141c64b9a028a5cc17e5437dcc80c14bca0409eeab3980f64c367b7ffb7d578ed3b83d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS456A.tmp\SC55uFAIFl6enDc.exe

Filesize
629KB

MD5
15dada567404c2049507d7098389e997

SHA1
508d8cc90c247e26ce5041c718825734079d841c

SHA256
888d66bccd07a163c4fcf59dca8fb4577fe6ecb7b11c427108b1e0aa45fccc58

SHA512
6fd82c0d06c43b309ce45c048c072c9696dfd6e9a81ec5149df64784f6428c6abe91b9be215b8a47dafc8859319be94bb13fbd2e4bc1795da61b970202a15261

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS456A.tmp\SC55uFAIFl6enDc.exe

Filesize
629KB

MD5
15dada567404c2049507d7098389e997

SHA1
508d8cc90c247e26ce5041c718825734079d841c

SHA256
888d66bccd07a163c4fcf59dca8fb4577fe6ecb7b11c427108b1e0aa45fccc58

SHA512
6fd82c0d06c43b309ce45c048c072c9696dfd6e9a81ec5149df64784f6428c6abe91b9be215b8a47dafc8859319be94bb13fbd2e4bc1795da61b970202a15261

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS456A.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS456A.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
325e3f00486c4aa09ae46e2df599e86b

SHA1
7a8c416e3274ed4e87811efb34908cb289d450e8

SHA256
770285fcb6acd4cf2792c04f8826759edda581ddf607e9f22b674eea35ac2c36

SHA512
5d8938ea43d55fff1b8bb2cd2681990199bf372ab20917f9ec2c9fa9fa8c5ff8ce4fbc38577fbd199b005f21fd657dffe22b1aa28e1b4857c7394909f1816ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS456A.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
1e823ea1070545cbef214d6dc841c5e5

SHA1
d450ead2a9bb79fff3fb69b72baba2c723a3f683

SHA256
bee68bfb7230fcad07d4b6cfea9b13abec68376e355799f9d42fa42f056e9859

SHA512
70aad7cb4bd842d58a3d0747797ae87123bc3cb79f8ada69f6b1a0be9e7821352353a74de79ec6290ce25ac9dce8d207d3fbfa0b2e28ef3d4a153857678b2411

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS456A.tmp\[email protected]\install.rdf

Filesize
602B

MD5
4b1fe0565993d1002fcb7d0a06c0b7a3

SHA1
b730f6517f1076c4a6a8fe1533a6682a8072c820

SHA256
a177d9bd744ed5d6325c545b201a9309576332f662440c8e18b1537259509046

SHA512
726fcccc531e2b705fc5724fe6aa85f4fcf71f2f734afa9681c282743eeb095c3e50e4a7d9f53663e3ea8d9dbf9f9090d27764942826c81bf4e76ab701e1fed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS456A.tmp\jjogomkfakejefcnennkjmgmnhgahabi\background.html

Filesize
140B

MD5
dab7c7a7ce4f92e5f6d26d9fb4d5357b

SHA1
aded88bc943852f6592275f72c76894e71b99be4

SHA256
7a27422e6003a5a8bfcb7a9b7ac327139f5eeabf08845ac3dd6722805904c8bf

SHA512
4b6c6ac89c1e769ceb6d022be04db70b724748dada79290f9bf2f857a7c2899a6659b9996c44abcc9a30c4ef1a10c414b0becd8d905f1e113c140b5982e73cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS456A.tmp\jjogomkfakejefcnennkjmgmnhgahabi\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS456A.tmp\jjogomkfakejefcnennkjmgmnhgahabi\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS456A.tmp\jjogomkfakejefcnennkjmgmnhgahabi\manifest.json

Filesize
505B

MD5
2bbe707fde83dc9c71d0b992fe71284c

SHA1
a97807704da479544ccad68fed3ccec447e033fb

SHA256
890a2b254c7882390e8ceb5d40b82e0021f83bda343447cf4b0f694fbb076e60

SHA512
867ada85adc467e6911404a6e8e3d8ab999c685d91fe039a813e731541f7edca6e41f91d3ec7df616c4ce3e14698d62cd4164b039519ab42f1b12241a5b7b759

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS456A.tmp\jjogomkfakejefcnennkjmgmnhgahabi\vZi.js

Filesize
5KB

MD5
20c90ec6a0e2d2a7eca0681e917d0082

SHA1
195199ea8ce6232dd6d46f10cdffa54b0e1d24fb

SHA256
23146ee33f67d599b886067ed095deea49d01257cb3827d908357cdb0fc478ae

SHA512
bfd6ff9200b31be8d7d105621267c704c131fc0aebf8e7e64890fd607d85076674e1a3465ce719dca300197b61415d90f397b96d8d3c14a2c268991ba79c08f4

Download Submit
\Program Files (x86)\BrowwSEr ShoP\6a8NEMkcKaDojU.dll

Filesize
618KB

MD5
9e56f8bd63dc95894be8b9e660696f1c

SHA1
2efcb8fc0ce33f2ada28fb2a6a17ec43813f80cb

SHA256
93186596d2312706d0623df3c9b9dfdea35546d5506b20216d2a7efeb1d8d79a

SHA512
e52fa89e7cf8ed7419a5f410f6bf46a19695727f19f8eebd714dee9d6f8a9036acc528cd6b0033f70f11a04e18746b814ee2dc494f2fc82db104a876b479d827

Download Submit
\Program Files (x86)\BrowwSEr ShoP\6a8NEMkcKaDojU.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
\Program Files (x86)\BrowwSEr ShoP\6a8NEMkcKaDojU.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS456A.tmp\SC55uFAIFl6enDc.exe

Filesize
629KB

MD5
15dada567404c2049507d7098389e997

SHA1
508d8cc90c247e26ce5041c718825734079d841c

SHA256
888d66bccd07a163c4fcf59dca8fb4577fe6ecb7b11c427108b1e0aa45fccc58

SHA512
6fd82c0d06c43b309ce45c048c072c9696dfd6e9a81ec5149df64784f6428c6abe91b9be215b8a47dafc8859319be94bb13fbd2e4bc1795da61b970202a15261

Download Submit
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1724-78-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download