09f47bc20f3cacee0e772244cd635944f887ce67a60f0972ed4c14d54f7884f9

Analysis

max time kernel
22s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09f47bc20f3cacee0e772244cd635944f887ce67a60f0972ed4c14d54f7884f9.exe
Size

2.1MB
MD5

18336840fed8dfae3515f73ed5edecae
SHA1

220b57c901f3f54e97e2e3eea074ebe4877f6866
SHA256

09f47bc20f3cacee0e772244cd635944f887ce67a60f0972ed4c14d54f7884f9
SHA512

d2c15c5199f5cb0078b05f8a7033ee74494e3eb39b6ae5f923d22b71b85fb21216d934299c0834706c10e36c2fc9d004fc9983840b6ccc6653cf14ac170969df
SSDEEP

49152:h1OsPa+y5xECQXXb/tUkOHelsTTCjqYxqP:h1OWtBOHSbi

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
900	c8H1xX1IUGtJtcq.exe

Loads dropped DLL 4 IoCs

pid	Process
1448	09f47bc20f3cacee0e772244cd635944f887ce67a60f0972ed4c14d54f7884f9.exe
900	c8H1xX1IUGtJtcq.exe
1968	regsvr32.exe
1940	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\njmoebedachgllekgajolgefgmolhonp\200\manifest.json	c8H1xX1IUGtJtcq.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\njmoebedachgllekgajolgefgmolhonp\200\manifest.json	c8H1xX1IUGtJtcq.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\njmoebedachgllekgajolgefgmolhonp\200\manifest.json	c8H1xX1IUGtJtcq.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	c8H1xX1IUGtJtcq.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	c8H1xX1IUGtJtcq.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	c8H1xX1IUGtJtcq.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	c8H1xX1IUGtJtcq.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	c8H1xX1IUGtJtcq.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\BrowseReShOp\K7FNBLPjD6CVcO.dll	c8H1xX1IUGtJtcq.exe
File created	C:\Program Files (x86)\BrowseReShOp\K7FNBLPjD6CVcO.tlb	c8H1xX1IUGtJtcq.exe
File opened for modification	C:\Program Files (x86)\BrowseReShOp\K7FNBLPjD6CVcO.tlb	c8H1xX1IUGtJtcq.exe
File created	C:\Program Files (x86)\BrowseReShOp\K7FNBLPjD6CVcO.dat	c8H1xX1IUGtJtcq.exe
File opened for modification	C:\Program Files (x86)\BrowseReShOp\K7FNBLPjD6CVcO.dat	c8H1xX1IUGtJtcq.exe
File created	C:\Program Files (x86)\BrowseReShOp\K7FNBLPjD6CVcO.x64.dll	c8H1xX1IUGtJtcq.exe
File opened for modification	C:\Program Files (x86)\BrowseReShOp\K7FNBLPjD6CVcO.x64.dll	c8H1xX1IUGtJtcq.exe
File created	C:\Program Files (x86)\BrowseReShOp\K7FNBLPjD6CVcO.dll	c8H1xX1IUGtJtcq.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 900	1448	09f47bc20f3cacee0e772244cd635944f887ce67a60f0972ed4c14d54f7884f9.exe	28
PID 1448 wrote to memory of 900	1448	09f47bc20f3cacee0e772244cd635944f887ce67a60f0972ed4c14d54f7884f9.exe	28
PID 1448 wrote to memory of 900	1448	09f47bc20f3cacee0e772244cd635944f887ce67a60f0972ed4c14d54f7884f9.exe	28
PID 1448 wrote to memory of 900	1448	09f47bc20f3cacee0e772244cd635944f887ce67a60f0972ed4c14d54f7884f9.exe	28
PID 900 wrote to memory of 1968	900	c8H1xX1IUGtJtcq.exe	29
PID 900 wrote to memory of 1968	900	c8H1xX1IUGtJtcq.exe	29
PID 900 wrote to memory of 1968	900	c8H1xX1IUGtJtcq.exe	29
PID 900 wrote to memory of 1968	900	c8H1xX1IUGtJtcq.exe	29
PID 900 wrote to memory of 1968	900	c8H1xX1IUGtJtcq.exe	29
PID 900 wrote to memory of 1968	900	c8H1xX1IUGtJtcq.exe	29
PID 900 wrote to memory of 1968	900	c8H1xX1IUGtJtcq.exe	29
PID 1968 wrote to memory of 1940	1968	regsvr32.exe	30
PID 1968 wrote to memory of 1940	1968	regsvr32.exe	30
PID 1968 wrote to memory of 1940	1968	regsvr32.exe	30
PID 1968 wrote to memory of 1940	1968	regsvr32.exe	30
PID 1968 wrote to memory of 1940	1968	regsvr32.exe	30
PID 1968 wrote to memory of 1940	1968	regsvr32.exe	30
PID 1968 wrote to memory of 1940	1968	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\09f47bc20f3cacee0e772244cd635944f887ce67a60f0972ed4c14d54f7884f9.exe
"C:\Users\Admin\AppData\Local\Temp\09f47bc20f3cacee0e772244cd635944f887ce67a60f0972ed4c14d54f7884f9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\7zSFB8F.tmp\c8H1xX1IUGtJtcq.exe
  .\c8H1xX1IUGtJtcq.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\BrowseReShOp\K7FNBLPjD6CVcO.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BrowseReShOp\K7FNBLPjD6CVcO.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BrowseReShOp\K7FNBLPjD6CVcO.dat

Filesize
6KB

MD5
d8612bfcd23d62099f2446ca0928e1ff

SHA1
97feb74b9b015e169b4972f6b4c7cbd93d30f4df

SHA256
ff589413d94e63de76eb16a3f6c0f01d89a8cc79420ef4b8c3b1daa308b638ee

SHA512
e5d3c2023cbde2408a5676483cca1937ff69d4da7d4118330e4f5215a23e2f37fcffbfe1a388fff4ec0b140a732c885e01855372a42bc56f51101538133874dd

Download Submit
C:\Program Files (x86)\BrowseReShOp\K7FNBLPjD6CVcO.x64.dll

Filesize
700KB

MD5
0fba9bd6e998f56bfab3ec37cbe6a631

SHA1
6d6e2713ffea8a6a02b97adce0cbcf4c642f1235

SHA256
357015113e010a4bb715d6b6b8c6b08286bdb34adb87656bc249c762a0d239d1

SHA512
88da22df4bf81b3008e143a696ab636748fea4605d77594d3521533416513b9c6ca13433e613bf26fa9678c14e9968b552ff5845c2df205852743032e56bb358

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFB8F.tmp\K7FNBLPjD6CVcO.dll

Filesize
618KB

MD5
080d8ffcd7f74bb06445d791f818881b

SHA1
db62fc6730b548489a72d9c9de26f3a6045d25ab

SHA256
346d5c9733935935c828115a3eed81322dd67cea4574fe135059582719bc2c68

SHA512
b75dab95829d3d6cff47ae2b66218bd0b92798b114bbc55b6a9cf52d38e6baea31071a2bc34ec2210536a1e7e5f67a8ecbc0468bf0c139ead6cabdc657c47d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFB8F.tmp\K7FNBLPjD6CVcO.tlb

Filesize
3KB

MD5
16dfbf4806c531622bd907bbbf20fd4d

SHA1
388ca199001cda40623ce6fbe72660553062fb87

SHA256
c569ac7f3994c0fef451e56cbf9c2403fd52b90410d06ce0d4539a0b304b9d83

SHA512
d86f503c052e9cd3e46e29d838ab79e7ffa158f7661c336971e7dfa307cd8b03688a3f9d3b82fc01b699d2167fd25d9eef2a27b6b55f478c6fb775004e6507ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFB8F.tmp\K7FNBLPjD6CVcO.x64.dll

Filesize
700KB

MD5
0fba9bd6e998f56bfab3ec37cbe6a631

SHA1
6d6e2713ffea8a6a02b97adce0cbcf4c642f1235

SHA256
357015113e010a4bb715d6b6b8c6b08286bdb34adb87656bc249c762a0d239d1

SHA512
88da22df4bf81b3008e143a696ab636748fea4605d77594d3521533416513b9c6ca13433e613bf26fa9678c14e9968b552ff5845c2df205852743032e56bb358

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFB8F.tmp\c8H1xX1IUGtJtcq.dat

Filesize
6KB

MD5
d8612bfcd23d62099f2446ca0928e1ff

SHA1
97feb74b9b015e169b4972f6b4c7cbd93d30f4df

SHA256
ff589413d94e63de76eb16a3f6c0f01d89a8cc79420ef4b8c3b1daa308b638ee

SHA512
e5d3c2023cbde2408a5676483cca1937ff69d4da7d4118330e4f5215a23e2f37fcffbfe1a388fff4ec0b140a732c885e01855372a42bc56f51101538133874dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFB8F.tmp\c8H1xX1IUGtJtcq.exe

Filesize
624KB

MD5
8440fce178bb6c85832b0fbcc81c160c

SHA1
4d9672221d8e16ad24a706d2ba02552d59e9172d

SHA256
f5778940bb1f43bdf05ed87ca14fe95026455aa35c4a71f2b6912f6ed858baaa

SHA512
8160eaff06cf00ea502e570616a4d89778163c2cf7f175801519ed38fb528a753cc32aa17cf627cd738689e213acf747836ecf42571422f2adede6026904e3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFB8F.tmp\c8H1xX1IUGtJtcq.exe

Filesize
624KB

MD5
8440fce178bb6c85832b0fbcc81c160c

SHA1
4d9672221d8e16ad24a706d2ba02552d59e9172d

SHA256
f5778940bb1f43bdf05ed87ca14fe95026455aa35c4a71f2b6912f6ed858baaa

SHA512
8160eaff06cf00ea502e570616a4d89778163c2cf7f175801519ed38fb528a753cc32aa17cf627cd738689e213acf747836ecf42571422f2adede6026904e3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFB8F.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFB8F.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
fbad59a343caa605cf485d2a13084fb2

SHA1
42e904918d3ec3ba7682379fdbf906b6dd7fc238

SHA256
5faed83fc60c3b1b78b28d6bb6992be5c7d0c0c78981a2647e77c167a9d4d629

SHA512
b3b1809e3972942f4914dd5cd1678bbdd1f666db8f907b1e866446069f98eb5fa26a2800479f4f1019b8245b6146b365585d394b434864ca7c181a583ea0730b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFB8F.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
9e0885a5625f431c98c9f9ae03018e4a

SHA1
eb05bbab5d2d844d06a7a36a9d5953367f4652f6

SHA256
0c0bb7887d9d8bc15694733da1d562abdce2f128fbf920d9fa9e0a86ab9160f8

SHA512
bfc6733089f64e2c005a388045cafe36ceaab6f476361b115a5a738a21571b8e2e13bba9ed68fc84542c9e8c5c98429ebe8c2ed6af7772fc3099a22d273bec80

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFB8F.tmp\[email protected]\install.rdf

Filesize
600B

MD5
99dfb510f9a25c4a3b4cb43b7d84c7da

SHA1
69c459d4f1059bc6f032731881547ff026b40273

SHA256
692d188666a1c6bf160f0ee38d78e59158e4ab2c6ed27a3e1e296aefc6984f72

SHA512
fab53b728820cf3b499592041cbdeda487ff026dc3c3e0e0aa846141c92b13c067041effacd345e64ab51dec4e50932afb03172cc76edbab5d2c3a45662aea17

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFB8F.tmp\njmoebedachgllekgajolgefgmolhonp\background.html

Filesize
140B

MD5
7a28e81fa94e6d6e951c857dd98c9ec2

SHA1
8cfaab255a9493fb997b801e057f24acf37eaf4a

SHA256
77d9d5fe759ccd8f945c85cf938a0be155576bda7557db556f3dc21ed0d7fdc3

SHA512
30887e078e18832d077564232729afb484612949bd99d8cb643c02a6c97b3105665a8d78781d4c9685e87d4d746f7bd3c9ede83c1314c90e90086a6a36f234a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFB8F.tmp\njmoebedachgllekgajolgefgmolhonp\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFB8F.tmp\njmoebedachgllekgajolgefgmolhonp\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFB8F.tmp\njmoebedachgllekgajolgefgmolhonp\manifest.json

Filesize
504B

MD5
8e21c92cbb52ed1fcc8da88974b1a17c

SHA1
948b8d3b12c1643767641d3771ad0f193b5a31c8

SHA256
bec6902f73e8bf99d4e5250f53819fb956de0aa7e99303daa837142f807d06ad

SHA512
4f70f7090bd2524ce8431cd7994b800fdb41be27e77e122a21f47b640eea8d718c915243dbaebca2407e2cf68520edb52b1f0c5f09c234acc463fb25ea17abcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFB8F.tmp\njmoebedachgllekgajolgefgmolhonp\xlL.js

Filesize
5KB

MD5
f16650a5b2a0c7d320949b39b78e1fb4

SHA1
4d368fdf9153bd611635922acc6b4e7afbedb2d2

SHA256
502fd1ea3ba8d15cc6e68e3cb81ec79ace388c6022ba1cefe83dd103c77a1ef9

SHA512
9525e51066bb3db326b5bb670f2ee655abc066fb6ce46a4d556f99ec5d27cb328c47d20e30fa4c655f8bed140d2cd5245bf059ada94d9b1b20222cd92ee7e743

Download Submit
\Program Files (x86)\BrowseReShOp\K7FNBLPjD6CVcO.dll

Filesize
618KB

MD5
080d8ffcd7f74bb06445d791f818881b

SHA1
db62fc6730b548489a72d9c9de26f3a6045d25ab

SHA256
346d5c9733935935c828115a3eed81322dd67cea4574fe135059582719bc2c68

SHA512
b75dab95829d3d6cff47ae2b66218bd0b92798b114bbc55b6a9cf52d38e6baea31071a2bc34ec2210536a1e7e5f67a8ecbc0468bf0c139ead6cabdc657c47d52

Download Submit
\Program Files (x86)\BrowseReShOp\K7FNBLPjD6CVcO.x64.dll

Filesize
700KB

MD5
0fba9bd6e998f56bfab3ec37cbe6a631

SHA1
6d6e2713ffea8a6a02b97adce0cbcf4c642f1235

SHA256
357015113e010a4bb715d6b6b8c6b08286bdb34adb87656bc249c762a0d239d1

SHA512
88da22df4bf81b3008e143a696ab636748fea4605d77594d3521533416513b9c6ca13433e613bf26fa9678c14e9968b552ff5845c2df205852743032e56bb358

Download Submit
\Program Files (x86)\BrowseReShOp\K7FNBLPjD6CVcO.x64.dll

Filesize
700KB

MD5
0fba9bd6e998f56bfab3ec37cbe6a631

SHA1
6d6e2713ffea8a6a02b97adce0cbcf4c642f1235

SHA256
357015113e010a4bb715d6b6b8c6b08286bdb34adb87656bc249c762a0d239d1

SHA512
88da22df4bf81b3008e143a696ab636748fea4605d77594d3521533416513b9c6ca13433e613bf26fa9678c14e9968b552ff5845c2df205852743032e56bb358

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFB8F.tmp\c8H1xX1IUGtJtcq.exe

Filesize
624KB

MD5
8440fce178bb6c85832b0fbcc81c160c

SHA1
4d9672221d8e16ad24a706d2ba02552d59e9172d

SHA256
f5778940bb1f43bdf05ed87ca14fe95026455aa35c4a71f2b6912f6ed858baaa

SHA512
8160eaff06cf00ea502e570616a4d89778163c2cf7f175801519ed38fb528a753cc32aa17cf627cd738689e213acf747836ecf42571422f2adede6026904e3c8

Download Submit
memory/1448-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1940-78-0x000007FEFC371000-0x000007FEFC373000-memory.dmp

Filesize
8KB

Download