f0d7e0a191b4405336102c4419c4e599eb6562e53f681b0e8ea63ef380dc9094

Analysis

max time kernel
103s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2022, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0d7e0a191b4405336102c4419c4e599eb6562e53f681b0e8ea63ef380dc9094.exe
Size

2.1MB
MD5

af6310dbf068e9c73739aa56203328b2
SHA1

b87866c881368300189d4c574de23b02218dd3c6
SHA256

f0d7e0a191b4405336102c4419c4e599eb6562e53f681b0e8ea63ef380dc9094
SHA512

9aedb721f1dfe5e4363858fa3e99e41bf16b775db03ad80d79af9cf22a26c4b55e152a5149c955e2076ae8ac3430dc71c4edef21a364c480751330cdd2089490
SSDEEP

49152:h1OswYIGWkf6jd9YMhKKumq+4oAczj/i6jgvb7GvKSi:h1Otdd9YMhKgq+4fZ

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4316	jBxZ2eYX7Zj5qsO.exe

Loads dropped DLL 3 IoCs

pid	Process
4316	jBxZ2eYX7Zj5qsO.exe
1456	regsvr32.exe
1876	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkkhkjejcbkpkbijmcopmdddlmfpnchk\1.0\manifest.json	jBxZ2eYX7Zj5qsO.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkkhkjejcbkpkbijmcopmdddlmfpnchk\1.0\manifest.json	jBxZ2eYX7Zj5qsO.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkkhkjejcbkpkbijmcopmdddlmfpnchk\1.0\manifest.json	jBxZ2eYX7Zj5qsO.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkkhkjejcbkpkbijmcopmdddlmfpnchk\1.0\manifest.json	jBxZ2eYX7Zj5qsO.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkkhkjejcbkpkbijmcopmdddlmfpnchk\1.0\manifest.json	jBxZ2eYX7Zj5qsO.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	jBxZ2eYX7Zj5qsO.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	jBxZ2eYX7Zj5qsO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	jBxZ2eYX7Zj5qsO.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	jBxZ2eYX7Zj5qsO.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\YaouTubeAdBLOCkke\h9PnGRdVt1i4KU.dll	jBxZ2eYX7Zj5qsO.exe
File opened for modification	C:\Program Files (x86)\YaouTubeAdBLOCkke\h9PnGRdVt1i4KU.dll	jBxZ2eYX7Zj5qsO.exe
File created	C:\Program Files (x86)\YaouTubeAdBLOCkke\h9PnGRdVt1i4KU.tlb	jBxZ2eYX7Zj5qsO.exe
File opened for modification	C:\Program Files (x86)\YaouTubeAdBLOCkke\h9PnGRdVt1i4KU.tlb	jBxZ2eYX7Zj5qsO.exe
File created	C:\Program Files (x86)\YaouTubeAdBLOCkke\h9PnGRdVt1i4KU.dat	jBxZ2eYX7Zj5qsO.exe
File opened for modification	C:\Program Files (x86)\YaouTubeAdBLOCkke\h9PnGRdVt1i4KU.dat	jBxZ2eYX7Zj5qsO.exe
File created	C:\Program Files (x86)\YaouTubeAdBLOCkke\h9PnGRdVt1i4KU.x64.dll	jBxZ2eYX7Zj5qsO.exe
File opened for modification	C:\Program Files (x86)\YaouTubeAdBLOCkke\h9PnGRdVt1i4KU.x64.dll	jBxZ2eYX7Zj5qsO.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 4316	3404	f0d7e0a191b4405336102c4419c4e599eb6562e53f681b0e8ea63ef380dc9094.exe	82
PID 3404 wrote to memory of 4316	3404	f0d7e0a191b4405336102c4419c4e599eb6562e53f681b0e8ea63ef380dc9094.exe	82
PID 3404 wrote to memory of 4316	3404	f0d7e0a191b4405336102c4419c4e599eb6562e53f681b0e8ea63ef380dc9094.exe	82
PID 4316 wrote to memory of 1456	4316	jBxZ2eYX7Zj5qsO.exe	83
PID 4316 wrote to memory of 1456	4316	jBxZ2eYX7Zj5qsO.exe	83
PID 4316 wrote to memory of 1456	4316	jBxZ2eYX7Zj5qsO.exe	83
PID 1456 wrote to memory of 1876	1456	regsvr32.exe	84
PID 1456 wrote to memory of 1876	1456	regsvr32.exe	84

C:\Users\Admin\AppData\Local\Temp\f0d7e0a191b4405336102c4419c4e599eb6562e53f681b0e8ea63ef380dc9094.exe
"C:\Users\Admin\AppData\Local\Temp\f0d7e0a191b4405336102c4419c4e599eb6562e53f681b0e8ea63ef380dc9094.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\7zSC4DB.tmp\jBxZ2eYX7Zj5qsO.exe
  .\jBxZ2eYX7Zj5qsO.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YaouTubeAdBLOCkke\h9PnGRdVt1i4KU.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YaouTubeAdBLOCkke\h9PnGRdVt1i4KU.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YaouTubeAdBLOCkke\h9PnGRdVt1i4KU.dat

Filesize
6KB

MD5
49e6b259ab1f052c31822660d7cdface

SHA1
469946f303be0a9097a2be761159398c4b6e6f08

SHA256
a6fd2ef3ec458e033b354b19133d8bd4d112aac98db8224fb3f7533d7e56acc7

SHA512
a70764947b4a7cd9177ee8ee493650648397885ce975516827d3cf2fd46288b964b331a60a0c39ff75b899dc0e66f9b5da05555c0e9d5b0fbac4f99b1296857b

Download Submit
C:\Program Files (x86)\YaouTubeAdBLOCkke\h9PnGRdVt1i4KU.dll

Filesize
623KB

MD5
103866fff4628ada4be6e5235b2ebf5d

SHA1
86ca018b33c7cdb953371ee1e290313b9a54a251

SHA256
963728f71b4ecee9380a18f5bbc6930256be6018a8087a9964f98ba3e17b7a7c

SHA512
2a8f9ce8854bab77b801eb146934e267de3cca83727a8a7c13885b41c75a0b563fdd0cb1683f78057fc6833b22d9d14c5ef0d3707753293d59d4b61f7a9744c3

Download Submit
C:\Program Files (x86)\YaouTubeAdBLOCkke\h9PnGRdVt1i4KU.x64.dll

Filesize
700KB

MD5
401087ab67c6d917bf08d82f011d9eee

SHA1
d13dbf241d214d6036f8c6276e0e305fc2ac2b8a

SHA256
fada9f28483ab94341359011d5ab92a6fa2418d010aa3eb1c485c19db15e62f5

SHA512
4d952fc0a2ef968997d62d901a731193105da2f4541abf4eb3e5c99e247edc7ffb15ae55a8d0e5d228ae704b0a7ff7dca24e14312f778896d834971e7f3d8af6

Download Submit
C:\Program Files (x86)\YaouTubeAdBLOCkke\h9PnGRdVt1i4KU.x64.dll

Filesize
700KB

MD5
401087ab67c6d917bf08d82f011d9eee

SHA1
d13dbf241d214d6036f8c6276e0e305fc2ac2b8a

SHA256
fada9f28483ab94341359011d5ab92a6fa2418d010aa3eb1c485c19db15e62f5

SHA512
4d952fc0a2ef968997d62d901a731193105da2f4541abf4eb3e5c99e247edc7ffb15ae55a8d0e5d228ae704b0a7ff7dca24e14312f778896d834971e7f3d8af6

Download Submit
C:\Program Files (x86)\YaouTubeAdBLOCkke\h9PnGRdVt1i4KU.x64.dll

Filesize
700KB

MD5
401087ab67c6d917bf08d82f011d9eee

SHA1
d13dbf241d214d6036f8c6276e0e305fc2ac2b8a

SHA256
fada9f28483ab94341359011d5ab92a6fa2418d010aa3eb1c485c19db15e62f5

SHA512
4d952fc0a2ef968997d62d901a731193105da2f4541abf4eb3e5c99e247edc7ffb15ae55a8d0e5d228ae704b0a7ff7dca24e14312f778896d834971e7f3d8af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4DB.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4DB.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
d535db8820702241a541d5cf6c117017

SHA1
14461d701b6fc5cfade4ace3e8478cdf94548cbc

SHA256
8e81587871705db05c6c3cfd5fc1cd4e0daccf9e7b9b44fa0c376e4af58c8534

SHA512
e949db69073775c4fb9b85bbf56c72416bde5ca92516ad915d82d139cd231353c21895abdc1d9b59e9cd48fff7cd283054b4d2ae33ec1e064d66fafa8915c427

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4DB.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
1766c5a263a714b9a10d438e286bcbf2

SHA1
f86f785494364e7719a23187f6d6a67f8982b9be

SHA256
e024412a633d5a55c5797c72d6a3b4eb878d7acbd7133d809e998bb06526cecb

SHA512
375a0fb444e4b4e77c760c32c7159d4c5139712025e6c0857a677c8fca8a5537eff6088c6a9ddf04d9af7cd7563ee66f98a41d6e257a99e476617ffc4ebdfa13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4DB.tmp\[email protected]\install.rdf

Filesize
607B

MD5
6a74e445556f9275c813fd4b8d2564cf

SHA1
20d93357495a84f7a9420e6b98da224dd2719ba6

SHA256
8e6f0df38b7acba837cb59433bcb6e57056af2d043fa428bb1208f859c2296b9

SHA512
6cc3d597bd4db372b5e62e8021f30d7887fecc8f5336ac4b6a887322fe188057c623b33a3acdf6fdff6ce59ec393d997ff226df71ee555dc919b31d8ccb2ed4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4DB.tmp\h9PnGRdVt1i4KU.dll

Filesize
623KB

MD5
103866fff4628ada4be6e5235b2ebf5d

SHA1
86ca018b33c7cdb953371ee1e290313b9a54a251

SHA256
963728f71b4ecee9380a18f5bbc6930256be6018a8087a9964f98ba3e17b7a7c

SHA512
2a8f9ce8854bab77b801eb146934e267de3cca83727a8a7c13885b41c75a0b563fdd0cb1683f78057fc6833b22d9d14c5ef0d3707753293d59d4b61f7a9744c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4DB.tmp\h9PnGRdVt1i4KU.tlb

Filesize
3KB

MD5
3c920faafd032eeda08e4166860d4318

SHA1
26451ee3659c4a217f42ebd07f254679ab452f3a

SHA256
3377d0af1044505271c64fc342e22a7a24b757e5471657f656ac743373e22857

SHA512
327668001f94842eee3ff1dc44c70ddca5da3a0bb49aeea6b3162608b07496456e78bcb3de0462e5e375b349e813f13fd02e61b9e389b1d954cea2628c3c4a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4DB.tmp\h9PnGRdVt1i4KU.x64.dll

Filesize
700KB

MD5
401087ab67c6d917bf08d82f011d9eee

SHA1
d13dbf241d214d6036f8c6276e0e305fc2ac2b8a

SHA256
fada9f28483ab94341359011d5ab92a6fa2418d010aa3eb1c485c19db15e62f5

SHA512
4d952fc0a2ef968997d62d901a731193105da2f4541abf4eb3e5c99e247edc7ffb15ae55a8d0e5d228ae704b0a7ff7dca24e14312f778896d834971e7f3d8af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4DB.tmp\jBxZ2eYX7Zj5qsO.dat

Filesize
6KB

MD5
49e6b259ab1f052c31822660d7cdface

SHA1
469946f303be0a9097a2be761159398c4b6e6f08

SHA256
a6fd2ef3ec458e033b354b19133d8bd4d112aac98db8224fb3f7533d7e56acc7

SHA512
a70764947b4a7cd9177ee8ee493650648397885ce975516827d3cf2fd46288b964b331a60a0c39ff75b899dc0e66f9b5da05555c0e9d5b0fbac4f99b1296857b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4DB.tmp\jBxZ2eYX7Zj5qsO.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4DB.tmp\jBxZ2eYX7Zj5qsO.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4DB.tmp\jkkhkjejcbkpkbijmcopmdddlmfpnchk\background.html

Filesize
138B

MD5
6b80ce55441b27baca57bd6d618243c0

SHA1
44f05e6f84945e4aba53b08df8e347f35885395d

SHA256
11af5e17927527e0b163f6a6e85d359810af251873a36d18ccb61d9e618d1bd5

SHA512
3f9aa21cb51f18e81e381dca0c0e4d8163ff52aa4cc767a106587b421e19569717040c57a775f41010a043d2b9722ca00d5514b082e6e2101d0134c473b4c7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4DB.tmp\jkkhkjejcbkpkbijmcopmdddlmfpnchk\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4DB.tmp\jkkhkjejcbkpkbijmcopmdddlmfpnchk\l.js

Filesize
5KB

MD5
bd29bc86cba320947796b9423f6a5f6f

SHA1
fae669c17b7f29722ea138f56418adcc24ad342b

SHA256
0c00a2fc4dbf0d151a5b0632526434cbdb06ee7c96a28a62cb7d4649e5e5c707

SHA512
bf5ca16709ded33eb6273dce988a29b2b10a3d67b3402e5487f4aa9e31bf376eb7d8242348d94efe5e69082dd28e9cb5da945107c26e9c09a72f2b59568fcc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4DB.tmp\jkkhkjejcbkpkbijmcopmdddlmfpnchk\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4DB.tmp\jkkhkjejcbkpkbijmcopmdddlmfpnchk\manifest.json

Filesize
509B

MD5
c2655fd009a26679ec26ece12868bdb7

SHA1
cbf6f8959d319c9558fe77e30e510bf89d771a71

SHA256
4fb7ad091c06de1900c810ac9c939974366f6be6114536bdbc3451bd6cb2049e

SHA512
a10404837cabcf22a1a0f180d9bdbe214b6328f265cd40cdf3ba142abac9970ca71192c823fde0eb41441cb83d58c949c058083cd14fc479469f0536c3843fb3

Download Submit