3933eb6834c35738d1070ee527a4fcea6747efeeeaa78e208a7cb90d37be24a4

Analysis

max time kernel
29s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3933eb6834c35738d1070ee527a4fcea6747efeeeaa78e208a7cb90d37be24a4.exe
Size

2.1MB
MD5

6b3343e411143ef8f8e1c620005f4c3d
SHA1

18f6c4d4649df722e7d0997a8c77e4c1d46e2b28
SHA256

3933eb6834c35738d1070ee527a4fcea6747efeeeaa78e208a7cb90d37be24a4
SHA512

02bd6e73ff4167277f4176817f994f49a2e8b2dbfea23e427c4ea506027191956f9be5d3f57a329ca61ec031bab13cf869800190cf267022b71ff94615dcff1a
SSDEEP

49152:h1Oswa+y5xECQXXb/tUkOHelsTTCjqYxqE:h1OztBOHSbB

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
844	GwzASQfhPr8klI0.exe

Loads dropped DLL 4 IoCs

pid	Process
1428	3933eb6834c35738d1070ee527a4fcea6747efeeeaa78e208a7cb90d37be24a4.exe
844	GwzASQfhPr8klI0.exe
332	regsvr32.exe
1548	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\alpehocboombkpjekphjaolncehggnac\200\manifest.json	GwzASQfhPr8klI0.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\alpehocboombkpjekphjaolncehggnac\200\manifest.json	GwzASQfhPr8klI0.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\alpehocboombkpjekphjaolncehggnac\200\manifest.json	GwzASQfhPr8klI0.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	GwzASQfhPr8klI0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	GwzASQfhPr8klI0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	GwzASQfhPr8klI0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	GwzASQfhPr8klI0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	GwzASQfhPr8klI0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\BirowseraShOp\ybi8pdjJjtrYSv.tlb	GwzASQfhPr8klI0.exe
File created	C:\Program Files (x86)\BirowseraShOp\ybi8pdjJjtrYSv.dat	GwzASQfhPr8klI0.exe
File opened for modification	C:\Program Files (x86)\BirowseraShOp\ybi8pdjJjtrYSv.dat	GwzASQfhPr8klI0.exe
File created	C:\Program Files (x86)\BirowseraShOp\ybi8pdjJjtrYSv.x64.dll	GwzASQfhPr8klI0.exe
File opened for modification	C:\Program Files (x86)\BirowseraShOp\ybi8pdjJjtrYSv.x64.dll	GwzASQfhPr8klI0.exe
File created	C:\Program Files (x86)\BirowseraShOp\ybi8pdjJjtrYSv.dll	GwzASQfhPr8klI0.exe
File opened for modification	C:\Program Files (x86)\BirowseraShOp\ybi8pdjJjtrYSv.dll	GwzASQfhPr8klI0.exe
File created	C:\Program Files (x86)\BirowseraShOp\ybi8pdjJjtrYSv.tlb	GwzASQfhPr8klI0.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 844	1428	3933eb6834c35738d1070ee527a4fcea6747efeeeaa78e208a7cb90d37be24a4.exe	28
PID 1428 wrote to memory of 844	1428	3933eb6834c35738d1070ee527a4fcea6747efeeeaa78e208a7cb90d37be24a4.exe	28
PID 1428 wrote to memory of 844	1428	3933eb6834c35738d1070ee527a4fcea6747efeeeaa78e208a7cb90d37be24a4.exe	28
PID 1428 wrote to memory of 844	1428	3933eb6834c35738d1070ee527a4fcea6747efeeeaa78e208a7cb90d37be24a4.exe	28
PID 844 wrote to memory of 332	844	GwzASQfhPr8klI0.exe	29
PID 844 wrote to memory of 332	844	GwzASQfhPr8klI0.exe	29
PID 844 wrote to memory of 332	844	GwzASQfhPr8klI0.exe	29
PID 844 wrote to memory of 332	844	GwzASQfhPr8klI0.exe	29
PID 844 wrote to memory of 332	844	GwzASQfhPr8klI0.exe	29
PID 844 wrote to memory of 332	844	GwzASQfhPr8klI0.exe	29
PID 844 wrote to memory of 332	844	GwzASQfhPr8klI0.exe	29
PID 332 wrote to memory of 1548	332	regsvr32.exe	30
PID 332 wrote to memory of 1548	332	regsvr32.exe	30
PID 332 wrote to memory of 1548	332	regsvr32.exe	30
PID 332 wrote to memory of 1548	332	regsvr32.exe	30
PID 332 wrote to memory of 1548	332	regsvr32.exe	30
PID 332 wrote to memory of 1548	332	regsvr32.exe	30
PID 332 wrote to memory of 1548	332	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\3933eb6834c35738d1070ee527a4fcea6747efeeeaa78e208a7cb90d37be24a4.exe
"C:\Users\Admin\AppData\Local\Temp\3933eb6834c35738d1070ee527a4fcea6747efeeeaa78e208a7cb90d37be24a4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\7zS4367.tmp\GwzASQfhPr8klI0.exe
  .\GwzASQfhPr8klI0.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\BirowseraShOp\ybi8pdjJjtrYSv.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BirowseraShOp\ybi8pdjJjtrYSv.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BirowseraShOp\ybi8pdjJjtrYSv.dat

Filesize
6KB

MD5
ff20293dbd3784deaac205976acb3744

SHA1
9356b517b32a144b20a5b41908b665f7d9a1e2d9

SHA256
2b60efcae0373f39d07849af1d16136730202b74ee330952271b8fa91ed8f6b7

SHA512
9608f20b9c7ba5b710c09b08141430ebbe9685dd7b50e36d6330d1dae52075937593f3790e2cf43c39bb76a056c561e915804b928ee1caaf5b9c37710f78bade

Download Submit
C:\Program Files (x86)\BirowseraShOp\ybi8pdjJjtrYSv.x64.dll

Filesize
700KB

MD5
0fba9bd6e998f56bfab3ec37cbe6a631

SHA1
6d6e2713ffea8a6a02b97adce0cbcf4c642f1235

SHA256
357015113e010a4bb715d6b6b8c6b08286bdb34adb87656bc249c762a0d239d1

SHA512
88da22df4bf81b3008e143a696ab636748fea4605d77594d3521533416513b9c6ca13433e613bf26fa9678c14e9968b552ff5845c2df205852743032e56bb358

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4367.tmp\GwzASQfhPr8klI0.dat

Filesize
6KB

MD5
ff20293dbd3784deaac205976acb3744

SHA1
9356b517b32a144b20a5b41908b665f7d9a1e2d9

SHA256
2b60efcae0373f39d07849af1d16136730202b74ee330952271b8fa91ed8f6b7

SHA512
9608f20b9c7ba5b710c09b08141430ebbe9685dd7b50e36d6330d1dae52075937593f3790e2cf43c39bb76a056c561e915804b928ee1caaf5b9c37710f78bade

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4367.tmp\GwzASQfhPr8klI0.exe

Filesize
624KB

MD5
8440fce178bb6c85832b0fbcc81c160c

SHA1
4d9672221d8e16ad24a706d2ba02552d59e9172d

SHA256
f5778940bb1f43bdf05ed87ca14fe95026455aa35c4a71f2b6912f6ed858baaa

SHA512
8160eaff06cf00ea502e570616a4d89778163c2cf7f175801519ed38fb528a753cc32aa17cf627cd738689e213acf747836ecf42571422f2adede6026904e3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4367.tmp\GwzASQfhPr8klI0.exe

Filesize
624KB

MD5
8440fce178bb6c85832b0fbcc81c160c

SHA1
4d9672221d8e16ad24a706d2ba02552d59e9172d

SHA256
f5778940bb1f43bdf05ed87ca14fe95026455aa35c4a71f2b6912f6ed858baaa

SHA512
8160eaff06cf00ea502e570616a4d89778163c2cf7f175801519ed38fb528a753cc32aa17cf627cd738689e213acf747836ecf42571422f2adede6026904e3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4367.tmp\alpehocboombkpjekphjaolncehggnac\IqiiUymLA.js

Filesize
5KB

MD5
193b17ceacaa91b40385ea5f5ae129dd

SHA1
9f13cb252f61939aaf77e0b88c87ddd45ffab4a0

SHA256
615987742dfef683dcc660fe7886c62eae4fa03973a7a8ae42c9e0ba49f78121

SHA512
d54f2191f677105a13fbb91fbb1d28815a90a947e608add8fc19ea24f17ff82d412bf55c054e6e80d04cb9db290875871045298176f5e302d419e11fae8a421f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4367.tmp\alpehocboombkpjekphjaolncehggnac\background.html

Filesize
146B

MD5
f18a4bcc03364eb5e92cee2465e589f7

SHA1
ef6f09031e80ab58e1ebb72f957529c78812300e

SHA256
ab95527ff3a9c94680d2de62ccd0f5a2883bc4d5717e8d90ffc91427e01b1de7

SHA512
144ee216d2f91487687b8be7b9c101540ba97d87d16c532fcf5f339ef9e1b5accad0bf15d56b8ca59292a2b2ac3a3982a223bee9e61d2baac2d70dc0e726a409

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4367.tmp\alpehocboombkpjekphjaolncehggnac\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4367.tmp\alpehocboombkpjekphjaolncehggnac\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4367.tmp\alpehocboombkpjekphjaolncehggnac\manifest.json

Filesize
505B

MD5
101e29d77f7d050c6d74188ca828b209

SHA1
062e92af305bb20b09af0e49ab3546f6e6e59de1

SHA256
8a8da37ac500d32dd2837a5993aa72d6ed6f333d32e7e23525b8768a5dbe26b7

SHA512
047c73d991fe6061e3ed588f3f209576cfdccd1401e42a348c025f8d8d56f8304356a95d13aae5119994e04555123b55ed076a384a444b9afe76af093208ade0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4367.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4367.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
9c6b33fef9444b81e9d9978bfdc27043

SHA1
db4d746c4f9cb263823c7c73e93cd4c1103150f0

SHA256
849c5463a1da04b370bb8cbcf37e65a2bc4c9794c2c800b86941b8a6769eade1

SHA512
ec3284e515482c7f62a8519fd520cb766bb5ad50c5feb3d50c26cdcb174acd11b9a6234d57a247cd6179889d22971f858537bf0b28995078c219dd0b220a2c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4367.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
a21f1cb51f44de63c86323398a4c635b

SHA1
9585811c1710e1ed0f8f7a2604d30d60a47b0f2d

SHA256
567f2c8a60ee8fc5c24cd18e88c6832bcf7c4aac72d49af5f5da1dacf764344d

SHA512
2edac8f2142a3ed64c20a21fd00d30dfe257baff088f2662db091342eecae0fc3b85ccf10dc54359cc652b6783d06a79f1cd1af201283b1eb980c9da7b3e20be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4367.tmp\[email protected]\install.rdf

Filesize
600B

MD5
3d097e3a1ab758d93b037c32d2dd612a

SHA1
e66710105a60e4f8cf8c21a4b22c142c5af9aed1

SHA256
c927d08b8b68d904de80796696b8935d8b39a57ce8d37822d32ec21b68b98d30

SHA512
a5453f8f64abbb201a486475b606df82c69df8125cb324f4570926f83ced4532664dd39a09434e3edc49c56a73202d3525bd2a1778f0fcd37ce1b1b7d178671c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4367.tmp\ybi8pdjJjtrYSv.dll

Filesize
618KB

MD5
080d8ffcd7f74bb06445d791f818881b

SHA1
db62fc6730b548489a72d9c9de26f3a6045d25ab

SHA256
346d5c9733935935c828115a3eed81322dd67cea4574fe135059582719bc2c68

SHA512
b75dab95829d3d6cff47ae2b66218bd0b92798b114bbc55b6a9cf52d38e6baea31071a2bc34ec2210536a1e7e5f67a8ecbc0468bf0c139ead6cabdc657c47d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4367.tmp\ybi8pdjJjtrYSv.tlb

Filesize
3KB

MD5
16dfbf4806c531622bd907bbbf20fd4d

SHA1
388ca199001cda40623ce6fbe72660553062fb87

SHA256
c569ac7f3994c0fef451e56cbf9c2403fd52b90410d06ce0d4539a0b304b9d83

SHA512
d86f503c052e9cd3e46e29d838ab79e7ffa158f7661c336971e7dfa307cd8b03688a3f9d3b82fc01b699d2167fd25d9eef2a27b6b55f478c6fb775004e6507ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4367.tmp\ybi8pdjJjtrYSv.x64.dll

Filesize
700KB

MD5
0fba9bd6e998f56bfab3ec37cbe6a631

SHA1
6d6e2713ffea8a6a02b97adce0cbcf4c642f1235

SHA256
357015113e010a4bb715d6b6b8c6b08286bdb34adb87656bc249c762a0d239d1

SHA512
88da22df4bf81b3008e143a696ab636748fea4605d77594d3521533416513b9c6ca13433e613bf26fa9678c14e9968b552ff5845c2df205852743032e56bb358

Download Submit
\Program Files (x86)\BirowseraShOp\ybi8pdjJjtrYSv.dll

Filesize
618KB

MD5
080d8ffcd7f74bb06445d791f818881b

SHA1
db62fc6730b548489a72d9c9de26f3a6045d25ab

SHA256
346d5c9733935935c828115a3eed81322dd67cea4574fe135059582719bc2c68

SHA512
b75dab95829d3d6cff47ae2b66218bd0b92798b114bbc55b6a9cf52d38e6baea31071a2bc34ec2210536a1e7e5f67a8ecbc0468bf0c139ead6cabdc657c47d52

Download Submit
\Program Files (x86)\BirowseraShOp\ybi8pdjJjtrYSv.x64.dll

Filesize
700KB

MD5
0fba9bd6e998f56bfab3ec37cbe6a631

SHA1
6d6e2713ffea8a6a02b97adce0cbcf4c642f1235

SHA256
357015113e010a4bb715d6b6b8c6b08286bdb34adb87656bc249c762a0d239d1

SHA512
88da22df4bf81b3008e143a696ab636748fea4605d77594d3521533416513b9c6ca13433e613bf26fa9678c14e9968b552ff5845c2df205852743032e56bb358

Download Submit
\Program Files (x86)\BirowseraShOp\ybi8pdjJjtrYSv.x64.dll

Filesize
700KB

MD5
0fba9bd6e998f56bfab3ec37cbe6a631

SHA1
6d6e2713ffea8a6a02b97adce0cbcf4c642f1235

SHA256
357015113e010a4bb715d6b6b8c6b08286bdb34adb87656bc249c762a0d239d1

SHA512
88da22df4bf81b3008e143a696ab636748fea4605d77594d3521533416513b9c6ca13433e613bf26fa9678c14e9968b552ff5845c2df205852743032e56bb358

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4367.tmp\GwzASQfhPr8klI0.exe

Filesize
624KB

MD5
8440fce178bb6c85832b0fbcc81c160c

SHA1
4d9672221d8e16ad24a706d2ba02552d59e9172d

SHA256
f5778940bb1f43bdf05ed87ca14fe95026455aa35c4a71f2b6912f6ed858baaa

SHA512
8160eaff06cf00ea502e570616a4d89778163c2cf7f175801519ed38fb528a753cc32aa17cf627cd738689e213acf747836ecf42571422f2adede6026904e3c8

Download Submit
memory/1428-54-0x0000000075011000-0x0000000075013000-memory.dmp

Filesize
8KB

Download
memory/1548-78-0x000007FEFBA21000-0x000007FEFBA23000-memory.dmp

Filesize
8KB

Download