fb6c8d76dd482aa059afcf06624dd5323ffdac9b2099f24be6459402e0e65ea4

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 22:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fb6c8d76dd482aa059afcf06624dd5323ffdac9b2099f24be6459402e0e65ea4.exe
Size

2.1MB
MD5

4db7b3c97f87268775743e75acc6fd75
SHA1

64a99ddd493e3d3fe2e7bb79334042084825df21
SHA256

fb6c8d76dd482aa059afcf06624dd5323ffdac9b2099f24be6459402e0e65ea4
SHA512

2dbd252e442e0b307e35d2c4238c0f8a2415beddd3185a4ebd950e31016a10c85d03aa03cc73816b6a1724f7990f7b752d060b3da1b67b18d8e7219bf780cd22
SSDEEP

49152:h1OsSkMyJo5w3LMa3PYN7i8Y0qKTsab0k:h1OLk/vnYdiy

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1748	nloF6HkBuFYNpaa.exe

Loads dropped DLL 4 IoCs

pid	Process
1492	fb6c8d76dd482aa059afcf06624dd5323ffdac9b2099f24be6459402e0e65ea4.exe
1748	nloF6HkBuFYNpaa.exe
672	regsvr32.exe
636	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ahpimmojkaiaaoblpibocimdlidfemog\1.0\manifest.json	nloF6HkBuFYNpaa.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ahpimmojkaiaaoblpibocimdlidfemog\1.0\manifest.json	nloF6HkBuFYNpaa.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ahpimmojkaiaaoblpibocimdlidfemog\1.0\manifest.json	nloF6HkBuFYNpaa.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	nloF6HkBuFYNpaa.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	nloF6HkBuFYNpaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	nloF6HkBuFYNpaa.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	nloF6HkBuFYNpaa.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	nloF6HkBuFYNpaa.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\YoutuboeAdBlocke\TysfIfW1aosoyQ.tlb	nloF6HkBuFYNpaa.exe
File opened for modification	C:\Program Files (x86)\YoutuboeAdBlocke\TysfIfW1aosoyQ.tlb	nloF6HkBuFYNpaa.exe
File created	C:\Program Files (x86)\YoutuboeAdBlocke\TysfIfW1aosoyQ.dat	nloF6HkBuFYNpaa.exe
File opened for modification	C:\Program Files (x86)\YoutuboeAdBlocke\TysfIfW1aosoyQ.dat	nloF6HkBuFYNpaa.exe
File created	C:\Program Files (x86)\YoutuboeAdBlocke\TysfIfW1aosoyQ.x64.dll	nloF6HkBuFYNpaa.exe
File opened for modification	C:\Program Files (x86)\YoutuboeAdBlocke\TysfIfW1aosoyQ.x64.dll	nloF6HkBuFYNpaa.exe
File created	C:\Program Files (x86)\YoutuboeAdBlocke\TysfIfW1aosoyQ.dll	nloF6HkBuFYNpaa.exe
File opened for modification	C:\Program Files (x86)\YoutuboeAdBlocke\TysfIfW1aosoyQ.dll	nloF6HkBuFYNpaa.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1748	1492	fb6c8d76dd482aa059afcf06624dd5323ffdac9b2099f24be6459402e0e65ea4.exe	27
PID 1492 wrote to memory of 1748	1492	fb6c8d76dd482aa059afcf06624dd5323ffdac9b2099f24be6459402e0e65ea4.exe	27
PID 1492 wrote to memory of 1748	1492	fb6c8d76dd482aa059afcf06624dd5323ffdac9b2099f24be6459402e0e65ea4.exe	27
PID 1492 wrote to memory of 1748	1492	fb6c8d76dd482aa059afcf06624dd5323ffdac9b2099f24be6459402e0e65ea4.exe	27
PID 1748 wrote to memory of 672	1748	nloF6HkBuFYNpaa.exe	28
PID 1748 wrote to memory of 672	1748	nloF6HkBuFYNpaa.exe	28
PID 1748 wrote to memory of 672	1748	nloF6HkBuFYNpaa.exe	28
PID 1748 wrote to memory of 672	1748	nloF6HkBuFYNpaa.exe	28
PID 1748 wrote to memory of 672	1748	nloF6HkBuFYNpaa.exe	28
PID 1748 wrote to memory of 672	1748	nloF6HkBuFYNpaa.exe	28
PID 1748 wrote to memory of 672	1748	nloF6HkBuFYNpaa.exe	28
PID 672 wrote to memory of 636	672	regsvr32.exe	29
PID 672 wrote to memory of 636	672	regsvr32.exe	29
PID 672 wrote to memory of 636	672	regsvr32.exe	29
PID 672 wrote to memory of 636	672	regsvr32.exe	29
PID 672 wrote to memory of 636	672	regsvr32.exe	29
PID 672 wrote to memory of 636	672	regsvr32.exe	29
PID 672 wrote to memory of 636	672	regsvr32.exe	29

C:\Users\Admin\AppData\Local\Temp\fb6c8d76dd482aa059afcf06624dd5323ffdac9b2099f24be6459402e0e65ea4.exe
"C:\Users\Admin\AppData\Local\Temp\fb6c8d76dd482aa059afcf06624dd5323ffdac9b2099f24be6459402e0e65ea4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\7zS10B4.tmp\nloF6HkBuFYNpaa.exe
  .\nloF6HkBuFYNpaa.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YoutuboeAdBlocke\TysfIfW1aosoyQ.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YoutuboeAdBlocke\TysfIfW1aosoyQ.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutuboeAdBlocke\TysfIfW1aosoyQ.dat

Filesize
6KB

MD5
cfd63fdd5e76d16fce528eb0e37fae4f

SHA1
b558c2fe4297c08bb49d3a76e80828f00961dff5

SHA256
0862300b6145fb23eb401c833095638b5104e2302fdc6c7d29ac0a6527b7204f

SHA512
7cff4e8a239a4c5733428186163b0886ea2b37e2994a0e31e0ea85977f22cf1ea976281399eab51a9d8c5fe18908891b616a1b19a90f33a1e228b8c26ae1f081

Download Submit
C:\Program Files (x86)\YoutuboeAdBlocke\TysfIfW1aosoyQ.x64.dll

Filesize
699KB

MD5
e9d65b59189466bb82c4bdc0c013182a

SHA1
0cf2ea965ee62ce8e7913b1c7b92bc45abc17272

SHA256
5108837e4c1a0b3f489642c4a99cc16dfd0ebea773f4eccd047fcb182fe55978

SHA512
7e41258d5b8e71599369f517017ddce504a066d000abc74a7d526f089b6340aeebdd6152d42bb5730b8dfe3911d0b54ddb3e47dfdf08a1983e13592c84c18932

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10B4.tmp\TysfIfW1aosoyQ.dll

Filesize
618KB

MD5
fa22e2b9ff3086baceedeafbadec9f28

SHA1
0bb8d621faff9fcfcd8377079b9a47110e8c5c5e

SHA256
57e84f2e0c131c0579c6895ff74cc028885addf1ff80631de2a06b870b808bc3

SHA512
f80f7e0cc59a592c2cc8502a267dbd7811be6d4769ae0a422b4b63bae77e7a817594da98a9c27a75bf70117e6c8f1ed84fe99adc20b0d9c281e8ee9ecf2839a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10B4.tmp\TysfIfW1aosoyQ.tlb

Filesize
3KB

MD5
446bf1779f1f4c99e90d34218088897a

SHA1
8fbbfe0f6260a33e5e242746f45bab89bc71b1cb

SHA256
fbb113fcbf66becc1465cd0b5238f395a164298d57cb8ae6e860c385fb8c1cd7

SHA512
4977809238dc5c3e4786b777e60c58d2651b3dd46ef4c0ce2ab7bdc206eb9cd836dd803c57c2a3ed4e2e9f0e070eb508b9eb647fe3e8b3b1ecc674f57538717e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10B4.tmp\TysfIfW1aosoyQ.x64.dll

Filesize
699KB

MD5
e9d65b59189466bb82c4bdc0c013182a

SHA1
0cf2ea965ee62ce8e7913b1c7b92bc45abc17272

SHA256
5108837e4c1a0b3f489642c4a99cc16dfd0ebea773f4eccd047fcb182fe55978

SHA512
7e41258d5b8e71599369f517017ddce504a066d000abc74a7d526f089b6340aeebdd6152d42bb5730b8dfe3911d0b54ddb3e47dfdf08a1983e13592c84c18932

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10B4.tmp\ahpimmojkaiaaoblpibocimdlidfemog\Pm.js

Filesize
5KB

MD5
6e491375e2f7a2637b29ae8e8eb7d6c2

SHA1
06103b13c80c9c143883636a40da33fb58864a2a

SHA256
1936730a22f916d1348f27d154ec1ce384aff0ede4632118ed1b086d3ba7d7d3

SHA512
ab0d48002ac0e4a74d5755eee062c079e246c60c4b304b990c00344eb4db768859c82229a57d0f4d40dcf9e6467c21f9cbbde96160e3accf38ff7ba7119b5736

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10B4.tmp\ahpimmojkaiaaoblpibocimdlidfemog\background.html

Filesize
139B

MD5
9aae159525cac21e9d1863ad7e3db267

SHA1
ebc2e3418cd50661ba3020a296bf3ac733c32399

SHA256
c5493984716d4bfc4349b98a2d283258b2d6e74cf34ba666a992260aaf8ce55b

SHA512
8551ef75536859b730f151cb034c76fcb050ac5b3140791941b2e62438f323c8b096aa2bbcaecfe146b8c1cfe2f196989b0c5e332e4386f337313995e4bee0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10B4.tmp\ahpimmojkaiaaoblpibocimdlidfemog\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10B4.tmp\ahpimmojkaiaaoblpibocimdlidfemog\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10B4.tmp\ahpimmojkaiaaoblpibocimdlidfemog\manifest.json

Filesize
508B

MD5
a267cc5bf1ee7c630bb1879b205524d3

SHA1
834977a04f6976a8c748adf499dd9157a14d67d9

SHA256
ad05f1638c3e75e319a45585c917978b7604d8696c510aefb528754c34a36454

SHA512
6124e202cf14381f41bf3470ffbea0149b12cfe93a9124ce9abea81903ce380dc5be93ca75d404dafa2de0382a4686969cebdf4ecfdc97ce5896ffc1cbbbeca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10B4.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10B4.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
963f004cf636e711f47c0f946451926a

SHA1
9ffdf148af6c7306919cf908617033665655e81e

SHA256
ce225f8187e5ba94bf317ac4100e4a75148e863ee195040e01c7bcc16db951db

SHA512
eb3a8b443a7e0ec3fb0200b71da8a04490d52763de1da25f26f6d79ffa8a56ad701197a1ef069daa445328187febe50dd4147dd9c773fe1ac350411746c00f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10B4.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
8a7c91695297e96146d7f098be273b0a

SHA1
1f858edb549701460e9eb8b3a32dafb3a579dcc9

SHA256
24888cd4ea3a0ee969988a286a7514695e564de6503c66b3f2572e0f601f1553

SHA512
099f5aeeaf4f10370ab4ccbc4c7940b974173eba48f3a292d4a590bdcfd1a302377009e77e3626e2ebee219f522a478a29c1f8766f04db845f6c3e8e82306e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10B4.tmp\[email protected]\install.rdf

Filesize
605B

MD5
37737eac7d12639afb4199a734e9bbf3

SHA1
0ab45db5d5da73b5510c9efd4c7ba75bd0a96702

SHA256
b5fc5fce4a7859843295996f0c0aed69963b9c69f6ecc533f8422d501cf1a0a9

SHA512
8179ed2372dab515263536118d15b7866885f1c10a4a4dd7cb1b0d1051cd99e990e903d73593e5ec8e000d6403746d18895774d5f9de0d00fd8f7900971e567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10B4.tmp\nloF6HkBuFYNpaa.dat

Filesize
6KB

MD5
cfd63fdd5e76d16fce528eb0e37fae4f

SHA1
b558c2fe4297c08bb49d3a76e80828f00961dff5

SHA256
0862300b6145fb23eb401c833095638b5104e2302fdc6c7d29ac0a6527b7204f

SHA512
7cff4e8a239a4c5733428186163b0886ea2b37e2994a0e31e0ea85977f22cf1ea976281399eab51a9d8c5fe18908891b616a1b19a90f33a1e228b8c26ae1f081

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10B4.tmp\nloF6HkBuFYNpaa.exe

Filesize
628KB

MD5
b59c3001e4489fc70fda8e5d5b31b0fa

SHA1
1a1658f6c3dd993bd3ec08ca7d599327b9be6a58

SHA256
4dee536bea4b65ffa91046262fe8ae0a48088ae21c055063c608f23e670ba0b0

SHA512
40bb40dbea96ab17f1b7d34ff635af97fdf10409a6d85a943f9aa2395a461a134a8ce52d70b76878f6c36d8b3fbf592b627c1b77ed7692c165819541e36fa230

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10B4.tmp\nloF6HkBuFYNpaa.exe

Filesize
628KB

MD5
b59c3001e4489fc70fda8e5d5b31b0fa

SHA1
1a1658f6c3dd993bd3ec08ca7d599327b9be6a58

SHA256
4dee536bea4b65ffa91046262fe8ae0a48088ae21c055063c608f23e670ba0b0

SHA512
40bb40dbea96ab17f1b7d34ff635af97fdf10409a6d85a943f9aa2395a461a134a8ce52d70b76878f6c36d8b3fbf592b627c1b77ed7692c165819541e36fa230

Download Submit
\Program Files (x86)\YoutuboeAdBlocke\TysfIfW1aosoyQ.dll

Filesize
618KB

MD5
fa22e2b9ff3086baceedeafbadec9f28

SHA1
0bb8d621faff9fcfcd8377079b9a47110e8c5c5e

SHA256
57e84f2e0c131c0579c6895ff74cc028885addf1ff80631de2a06b870b808bc3

SHA512
f80f7e0cc59a592c2cc8502a267dbd7811be6d4769ae0a422b4b63bae77e7a817594da98a9c27a75bf70117e6c8f1ed84fe99adc20b0d9c281e8ee9ecf2839a5

Download Submit
\Program Files (x86)\YoutuboeAdBlocke\TysfIfW1aosoyQ.x64.dll

Filesize
699KB

MD5
e9d65b59189466bb82c4bdc0c013182a

SHA1
0cf2ea965ee62ce8e7913b1c7b92bc45abc17272

SHA256
5108837e4c1a0b3f489642c4a99cc16dfd0ebea773f4eccd047fcb182fe55978

SHA512
7e41258d5b8e71599369f517017ddce504a066d000abc74a7d526f089b6340aeebdd6152d42bb5730b8dfe3911d0b54ddb3e47dfdf08a1983e13592c84c18932

Download Submit
\Program Files (x86)\YoutuboeAdBlocke\TysfIfW1aosoyQ.x64.dll

Filesize
699KB

MD5
e9d65b59189466bb82c4bdc0c013182a

SHA1
0cf2ea965ee62ce8e7913b1c7b92bc45abc17272

SHA256
5108837e4c1a0b3f489642c4a99cc16dfd0ebea773f4eccd047fcb182fe55978

SHA512
7e41258d5b8e71599369f517017ddce504a066d000abc74a7d526f089b6340aeebdd6152d42bb5730b8dfe3911d0b54ddb3e47dfdf08a1983e13592c84c18932

Download Submit
\Users\Admin\AppData\Local\Temp\7zS10B4.tmp\nloF6HkBuFYNpaa.exe

Filesize
628KB

MD5
b59c3001e4489fc70fda8e5d5b31b0fa

SHA1
1a1658f6c3dd993bd3ec08ca7d599327b9be6a58

SHA256
4dee536bea4b65ffa91046262fe8ae0a48088ae21c055063c608f23e670ba0b0

SHA512
40bb40dbea96ab17f1b7d34ff635af97fdf10409a6d85a943f9aa2395a461a134a8ce52d70b76878f6c36d8b3fbf592b627c1b77ed7692c165819541e36fa230

Download Submit
memory/636-78-0x000007FEFC5A1000-0x000007FEFC5A3000-memory.dmp

Filesize
8KB

Download
memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download