fcc36ef8da97398ea0887e8dd587820e0f85ecb4b505c91eddd927911f20a0eb

Analysis

max time kernel
58s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcc36ef8da97398ea0887e8dd587820e0f85ecb4b505c91eddd927911f20a0eb.exe
Size

2.1MB
MD5

4bf4707377f43bcef295e64b998408cf
SHA1

8393567a1b1d3ec29b53e183f2c0b7036867bb5b
SHA256

fcc36ef8da97398ea0887e8dd587820e0f85ecb4b505c91eddd927911f20a0eb
SHA512

ebd80d5d6910787423e678b5b6be5b9f2b6af8612db21a61f7401886859c394803d36a6d48fd7b88639a03919ff729881007ca9ab0ad3de3b8a5ef80e5f402dd
SSDEEP

49152:h1Os6aFBQd+eIvim2CQHSM3OYVv8JGUpqqB:h1ODaFBw+LNRR2FQtB

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1688	pUkEBwLq9TscDJq.exe

Loads dropped DLL 4 IoCs

pid	Process
1204	fcc36ef8da97398ea0887e8dd587820e0f85ecb4b505c91eddd927911f20a0eb.exe
1688	pUkEBwLq9TscDJq.exe
1112	regsvr32.exe
760	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbniogoppjlpggkhhkifbhamdlinlbei\200\manifest.json	pUkEBwLq9TscDJq.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbniogoppjlpggkhhkifbhamdlinlbei\200\manifest.json	pUkEBwLq9TscDJq.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbniogoppjlpggkhhkifbhamdlinlbei\200\manifest.json	pUkEBwLq9TscDJq.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	pUkEBwLq9TscDJq.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	pUkEBwLq9TscDJq.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	pUkEBwLq9TscDJq.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	pUkEBwLq9TscDJq.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	pUkEBwLq9TscDJq.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\BruowwSer Sheope\YxpkVJmv6JD6q2.tlb	pUkEBwLq9TscDJq.exe
File created	C:\Program Files (x86)\BruowwSer Sheope\YxpkVJmv6JD6q2.dat	pUkEBwLq9TscDJq.exe
File opened for modification	C:\Program Files (x86)\BruowwSer Sheope\YxpkVJmv6JD6q2.dat	pUkEBwLq9TscDJq.exe
File created	C:\Program Files (x86)\BruowwSer Sheope\YxpkVJmv6JD6q2.x64.dll	pUkEBwLq9TscDJq.exe
File opened for modification	C:\Program Files (x86)\BruowwSer Sheope\YxpkVJmv6JD6q2.x64.dll	pUkEBwLq9TscDJq.exe
File created	C:\Program Files (x86)\BruowwSer Sheope\YxpkVJmv6JD6q2.dll	pUkEBwLq9TscDJq.exe
File opened for modification	C:\Program Files (x86)\BruowwSer Sheope\YxpkVJmv6JD6q2.dll	pUkEBwLq9TscDJq.exe
File created	C:\Program Files (x86)\BruowwSer Sheope\YxpkVJmv6JD6q2.tlb	pUkEBwLq9TscDJq.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1688	1204	fcc36ef8da97398ea0887e8dd587820e0f85ecb4b505c91eddd927911f20a0eb.exe	28
PID 1204 wrote to memory of 1688	1204	fcc36ef8da97398ea0887e8dd587820e0f85ecb4b505c91eddd927911f20a0eb.exe	28
PID 1204 wrote to memory of 1688	1204	fcc36ef8da97398ea0887e8dd587820e0f85ecb4b505c91eddd927911f20a0eb.exe	28
PID 1204 wrote to memory of 1688	1204	fcc36ef8da97398ea0887e8dd587820e0f85ecb4b505c91eddd927911f20a0eb.exe	28
PID 1688 wrote to memory of 1112	1688	pUkEBwLq9TscDJq.exe	29
PID 1688 wrote to memory of 1112	1688	pUkEBwLq9TscDJq.exe	29
PID 1688 wrote to memory of 1112	1688	pUkEBwLq9TscDJq.exe	29
PID 1688 wrote to memory of 1112	1688	pUkEBwLq9TscDJq.exe	29
PID 1688 wrote to memory of 1112	1688	pUkEBwLq9TscDJq.exe	29
PID 1688 wrote to memory of 1112	1688	pUkEBwLq9TscDJq.exe	29
PID 1688 wrote to memory of 1112	1688	pUkEBwLq9TscDJq.exe	29
PID 1112 wrote to memory of 760	1112	regsvr32.exe	30
PID 1112 wrote to memory of 760	1112	regsvr32.exe	30
PID 1112 wrote to memory of 760	1112	regsvr32.exe	30
PID 1112 wrote to memory of 760	1112	regsvr32.exe	30
PID 1112 wrote to memory of 760	1112	regsvr32.exe	30
PID 1112 wrote to memory of 760	1112	regsvr32.exe	30
PID 1112 wrote to memory of 760	1112	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\fcc36ef8da97398ea0887e8dd587820e0f85ecb4b505c91eddd927911f20a0eb.exe
"C:\Users\Admin\AppData\Local\Temp\fcc36ef8da97398ea0887e8dd587820e0f85ecb4b505c91eddd927911f20a0eb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\7zSE995.tmp\pUkEBwLq9TscDJq.exe
  .\pUkEBwLq9TscDJq.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\BruowwSer Sheope\YxpkVJmv6JD6q2.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BruowwSer Sheope\YxpkVJmv6JD6q2.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BruowwSer Sheope\YxpkVJmv6JD6q2.dat

Filesize
6KB

MD5
82f5a71bb5eef6e508202970321d87e1

SHA1
2456a2361c524f71f36904d6784d2ab368e92e83

SHA256
61d3afe778b8b6e07138762814d99ec9831e0343fdcc9859ed18cc759e97522b

SHA512
84cc01388bf73a4b05c3b0e58e0a52488bc05872420481d4a5259bf4d6cb2f5753cc35d3648c1232a3bdc709c8e49893ee044b0b863d0639b8c445d578396aee

Download Submit
C:\Program Files (x86)\BruowwSer Sheope\YxpkVJmv6JD6q2.x64.dll

Filesize
696KB

MD5
8f30c38a6da083d86b39a511dcef943a

SHA1
0a6e8dd59ede58b74d2e3ea0176260f2c51a4b23

SHA256
09428431f07c3a45a7e38933bf2e4a271ad501f35a43305962259dfa84161166

SHA512
e0326b5e58ced39a6c6b75534aa6db531fdbae68882224ebb4cfbb306a4578847481fe1902bb1c0c1d84e6db997f250d801303b9cc5f51dddeff80dadd9f6ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE995.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE995.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
5c315369fa845cbd77503cc1a13e31f9

SHA1
ffc7cc45eb22dcfd4f562b4c302056e935407237

SHA256
35dfc074a2fdad835629d167f3bbed158bf01ec2fef5e349afb62e36378d0d0f

SHA512
cce54c18aaa0479077daace501ea5c92a5ee9751c5c8babeece10c198a80d69b0e02e080d65ef98f5b23cc7d4105a2687e6817a01649607283ac5f71945b4949

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE995.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
ea5f59b3599a88e03ab049cd04725ee4

SHA1
d611b8addf3991c7120320cc6ff0b39e89a029fb

SHA256
f8412496d421413e99148040c701fd169f5a09b01674d2a6c037c48be3b9920a

SHA512
0689f6241685c0ff8ee2c14b2e32a14df11ccbf0a2dbe5a220ce0cc3815fc776d162936c07ecac7e1280c904ee50e2265baef266ee2faa71f7fc94d2a2b54d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE995.tmp\[email protected]\install.rdf

Filesize
600B

MD5
1b7b35a313df0361c3df6160392cb06e

SHA1
3fcc40575ddc0e30b5db31e5c4f0917133b96842

SHA256
e5a0552d40a4edf43ed50645c6259888f5fe5c8d30acc7abdf37dde393cf53cf

SHA512
f93905847ffa15ec6b3583bb2d3dc9b620622efd4539c627ad3da50a14972f9e57b6cbb5a97d5715117208d7400c3f4466fd64cbd18b7a14f379b406034826a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE995.tmp\YxpkVJmv6JD6q2.dll

Filesize
616KB

MD5
1120f8874c79b25d1298a34781f5f753

SHA1
f7818c6893c2b5edcc4321b011ce30f5494a5cf1

SHA256
c6bbf05c75c90b71c4365aec702ccf85a42522925ae58fe3d99c91f5b8d4e4da

SHA512
5a97c876b83b063069be7748f1e9667d7684c4f3ae6f6345cc1af3bd609805eb9616ba51467ca4493894f1a79e4e23c1a6d1828c771fcbcaff0ab02defa7759b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE995.tmp\YxpkVJmv6JD6q2.tlb

Filesize
3KB

MD5
633d469f7307d711a7f6b08d024cbe2d

SHA1
a8c01e9c7a081c175a393345a7a60fb3be0f8cde

SHA256
b3c5da764bfb906053b84e92b31e3d9b04a46b65b4e35d34c0c645496a80d054

SHA512
8b66733187095168668526f37d0348d0e78889d44edc4c0da4be486bc10fe443862228af3b112f968d08d2afe5e86a21ab26ef72d4365a15785bef400652d485

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE995.tmp\YxpkVJmv6JD6q2.x64.dll

Filesize
696KB

MD5
8f30c38a6da083d86b39a511dcef943a

SHA1
0a6e8dd59ede58b74d2e3ea0176260f2c51a4b23

SHA256
09428431f07c3a45a7e38933bf2e4a271ad501f35a43305962259dfa84161166

SHA512
e0326b5e58ced39a6c6b75534aa6db531fdbae68882224ebb4cfbb306a4578847481fe1902bb1c0c1d84e6db997f250d801303b9cc5f51dddeff80dadd9f6ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE995.tmp\dbniogoppjlpggkhhkifbhamdlinlbei\UIpY80y.js

Filesize
5KB

MD5
6bad62d2adf1b1d902b1e0875a4c201d

SHA1
6f96198152fe8ccc6519a221935f36a7a4279ef9

SHA256
f7e634b728c452e3dddba1a36618f34fe5b971d578ffdf358126d3523e360d5c

SHA512
87cb8c62b0f64db676f247414062c787b44c4e99130a877b8393eb7b53f217a0379db0dfad9dbc9e7043a23461fa50ceb9ef576df2e3c4dfc6ab627ce612db76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE995.tmp\dbniogoppjlpggkhhkifbhamdlinlbei\background.html

Filesize
144B

MD5
30e05e1c37c160ecf957b12537fbacd8

SHA1
f3416ec3c9373e5d1ae8164e447fe43fcd929c2c

SHA256
6f80aaa83bdb9c2473dd597043ccfd1c442918821c1c58e3280b82fd56a60646

SHA512
239693846f5514ec33f247dd0736475c0ffc913959cd59015676b70e5cf5928db027b9779e73409ccde112f1863b1677a8e9cf83a4957fe9b989cb70f4bd24b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE995.tmp\dbniogoppjlpggkhhkifbhamdlinlbei\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE995.tmp\dbniogoppjlpggkhhkifbhamdlinlbei\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE995.tmp\dbniogoppjlpggkhhkifbhamdlinlbei\manifest.json

Filesize
508B

MD5
2a4bfb260baf4686bf8e40e8d2f5b4de

SHA1
b18fe613b463ffa052a9e250e576446e3c29e744

SHA256
f2408273257cd92d55b7ad3392c49f1bc3c45ca004028c66f16a5894a430231a

SHA512
d956bc78d6d6f95ba9c8be8ccab4b49f7ac672da24a68d7dce5cabb6e923a7b7f678cfd831004a48ce19574fe52bbc34f354f5b91b3a099d0661e3f5f6a6b6d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE995.tmp\pUkEBwLq9TscDJq.dat

Filesize
6KB

MD5
82f5a71bb5eef6e508202970321d87e1

SHA1
2456a2361c524f71f36904d6784d2ab368e92e83

SHA256
61d3afe778b8b6e07138762814d99ec9831e0343fdcc9859ed18cc759e97522b

SHA512
84cc01388bf73a4b05c3b0e58e0a52488bc05872420481d4a5259bf4d6cb2f5753cc35d3648c1232a3bdc709c8e49893ee044b0b863d0639b8c445d578396aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE995.tmp\pUkEBwLq9TscDJq.exe

Filesize
624KB

MD5
bfdd027de2e75467ce1d542d4e925e19

SHA1
1c076814ad25983cbdf0cd061978090014ebfcd1

SHA256
ebb6c1511f94ddb23847bbfe73a41bc99496c97287bfce1942af48c52e0db84a

SHA512
63c6f40107d20f4e186dbfece46c8889d17af15e641ca71db39d3dde4689c08248be12318925a3d3eeb6b6bf29b8276994feb5548a92cdcd1149118e7d857fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE995.tmp\pUkEBwLq9TscDJq.exe

Filesize
624KB

MD5
bfdd027de2e75467ce1d542d4e925e19

SHA1
1c076814ad25983cbdf0cd061978090014ebfcd1

SHA256
ebb6c1511f94ddb23847bbfe73a41bc99496c97287bfce1942af48c52e0db84a

SHA512
63c6f40107d20f4e186dbfece46c8889d17af15e641ca71db39d3dde4689c08248be12318925a3d3eeb6b6bf29b8276994feb5548a92cdcd1149118e7d857fc7

Download Submit
\Program Files (x86)\BruowwSer Sheope\YxpkVJmv6JD6q2.dll

Filesize
616KB

MD5
1120f8874c79b25d1298a34781f5f753

SHA1
f7818c6893c2b5edcc4321b011ce30f5494a5cf1

SHA256
c6bbf05c75c90b71c4365aec702ccf85a42522925ae58fe3d99c91f5b8d4e4da

SHA512
5a97c876b83b063069be7748f1e9667d7684c4f3ae6f6345cc1af3bd609805eb9616ba51467ca4493894f1a79e4e23c1a6d1828c771fcbcaff0ab02defa7759b

Download Submit
\Program Files (x86)\BruowwSer Sheope\YxpkVJmv6JD6q2.x64.dll

Filesize
696KB

MD5
8f30c38a6da083d86b39a511dcef943a

SHA1
0a6e8dd59ede58b74d2e3ea0176260f2c51a4b23

SHA256
09428431f07c3a45a7e38933bf2e4a271ad501f35a43305962259dfa84161166

SHA512
e0326b5e58ced39a6c6b75534aa6db531fdbae68882224ebb4cfbb306a4578847481fe1902bb1c0c1d84e6db997f250d801303b9cc5f51dddeff80dadd9f6ef3

Download Submit
\Program Files (x86)\BruowwSer Sheope\YxpkVJmv6JD6q2.x64.dll

Filesize
696KB

MD5
8f30c38a6da083d86b39a511dcef943a

SHA1
0a6e8dd59ede58b74d2e3ea0176260f2c51a4b23

SHA256
09428431f07c3a45a7e38933bf2e4a271ad501f35a43305962259dfa84161166

SHA512
e0326b5e58ced39a6c6b75534aa6db531fdbae68882224ebb4cfbb306a4578847481fe1902bb1c0c1d84e6db997f250d801303b9cc5f51dddeff80dadd9f6ef3

Download Submit
\Users\Admin\AppData\Local\Temp\7zSE995.tmp\pUkEBwLq9TscDJq.exe

Filesize
624KB

MD5
bfdd027de2e75467ce1d542d4e925e19

SHA1
1c076814ad25983cbdf0cd061978090014ebfcd1

SHA256
ebb6c1511f94ddb23847bbfe73a41bc99496c97287bfce1942af48c52e0db84a

SHA512
63c6f40107d20f4e186dbfece46c8889d17af15e641ca71db39d3dde4689c08248be12318925a3d3eeb6b6bf29b8276994feb5548a92cdcd1149118e7d857fc7

Download Submit
memory/760-78-0x000007FEFB7C1000-0x000007FEFB7C3000-memory.dmp

Filesize
8KB

Download
memory/1204-54-0x0000000075991000-0x0000000075993000-memory.dmp

Filesize
8KB

Download