b6458893cd855180d666e64c7eec3a7ceb0f0744a515f9946af6b9b15cc26bb6

Analysis

max time kernel
123s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6458893cd855180d666e64c7eec3a7ceb0f0744a515f9946af6b9b15cc26bb6.exe
Size

2.1MB
MD5

ac7385e4233e8019ff77eab4ba804cbc
SHA1

21c4a29578c9c779415413685df6c3fa5003864a
SHA256

b6458893cd855180d666e64c7eec3a7ceb0f0744a515f9946af6b9b15cc26bb6
SHA512

79aff2ce7299c822d49f405c6e42aa0dfa79112f382002f2fce14b544796937ea1b3cc74cfa4e0818b59f62911a8e0aaf9af72019ee6e3fe04bd9bdc7fb00ebf
SSDEEP

49152:h1OsThvaZG1MVEtzijkTvu2x/uw4B8FHFF6A:h1OgvaxMziy35

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
704	XWEUTwa1OncJhL9.exe

Loads dropped DLL 4 IoCs

pid	Process
1500	b6458893cd855180d666e64c7eec3a7ceb0f0744a515f9946af6b9b15cc26bb6.exe
704	XWEUTwa1OncJhL9.exe
1372	regsvr32.exe
1868	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\knnmmgkopgdgehhldfnjggbckajempca\1.0\manifest.json	XWEUTwa1OncJhL9.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\knnmmgkopgdgehhldfnjggbckajempca\1.0\manifest.json	XWEUTwa1OncJhL9.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\knnmmgkopgdgehhldfnjggbckajempca\1.0\manifest.json	XWEUTwa1OncJhL9.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	XWEUTwa1OncJhL9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	XWEUTwa1OncJhL9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	XWEUTwa1OncJhL9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	XWEUTwa1OncJhL9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	XWEUTwa1OncJhL9.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\YouttubeAdBBlocke\XyQxKb2NSD8Tow.tlb	XWEUTwa1OncJhL9.exe
File created	C:\Program Files (x86)\YouttubeAdBBlocke\XyQxKb2NSD8Tow.dat	XWEUTwa1OncJhL9.exe
File opened for modification	C:\Program Files (x86)\YouttubeAdBBlocke\XyQxKb2NSD8Tow.dat	XWEUTwa1OncJhL9.exe
File created	C:\Program Files (x86)\YouttubeAdBBlocke\XyQxKb2NSD8Tow.x64.dll	XWEUTwa1OncJhL9.exe
File opened for modification	C:\Program Files (x86)\YouttubeAdBBlocke\XyQxKb2NSD8Tow.x64.dll	XWEUTwa1OncJhL9.exe
File created	C:\Program Files (x86)\YouttubeAdBBlocke\XyQxKb2NSD8Tow.dll	XWEUTwa1OncJhL9.exe
File opened for modification	C:\Program Files (x86)\YouttubeAdBBlocke\XyQxKb2NSD8Tow.dll	XWEUTwa1OncJhL9.exe
File created	C:\Program Files (x86)\YouttubeAdBBlocke\XyQxKb2NSD8Tow.tlb	XWEUTwa1OncJhL9.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 704	1500	b6458893cd855180d666e64c7eec3a7ceb0f0744a515f9946af6b9b15cc26bb6.exe	28
PID 1500 wrote to memory of 704	1500	b6458893cd855180d666e64c7eec3a7ceb0f0744a515f9946af6b9b15cc26bb6.exe	28
PID 1500 wrote to memory of 704	1500	b6458893cd855180d666e64c7eec3a7ceb0f0744a515f9946af6b9b15cc26bb6.exe	28
PID 1500 wrote to memory of 704	1500	b6458893cd855180d666e64c7eec3a7ceb0f0744a515f9946af6b9b15cc26bb6.exe	28
PID 704 wrote to memory of 1372	704	XWEUTwa1OncJhL9.exe	29
PID 704 wrote to memory of 1372	704	XWEUTwa1OncJhL9.exe	29
PID 704 wrote to memory of 1372	704	XWEUTwa1OncJhL9.exe	29
PID 704 wrote to memory of 1372	704	XWEUTwa1OncJhL9.exe	29
PID 704 wrote to memory of 1372	704	XWEUTwa1OncJhL9.exe	29
PID 704 wrote to memory of 1372	704	XWEUTwa1OncJhL9.exe	29
PID 704 wrote to memory of 1372	704	XWEUTwa1OncJhL9.exe	29
PID 1372 wrote to memory of 1868	1372	regsvr32.exe	30
PID 1372 wrote to memory of 1868	1372	regsvr32.exe	30
PID 1372 wrote to memory of 1868	1372	regsvr32.exe	30
PID 1372 wrote to memory of 1868	1372	regsvr32.exe	30
PID 1372 wrote to memory of 1868	1372	regsvr32.exe	30
PID 1372 wrote to memory of 1868	1372	regsvr32.exe	30
PID 1372 wrote to memory of 1868	1372	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\b6458893cd855180d666e64c7eec3a7ceb0f0744a515f9946af6b9b15cc26bb6.exe
"C:\Users\Admin\AppData\Local\Temp\b6458893cd855180d666e64c7eec3a7ceb0f0744a515f9946af6b9b15cc26bb6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\7zS7C90.tmp\XWEUTwa1OncJhL9.exe
  .\XWEUTwa1OncJhL9.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YouttubeAdBBlocke\XyQxKb2NSD8Tow.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YouttubeAdBBlocke\XyQxKb2NSD8Tow.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YouttubeAdBBlocke\XyQxKb2NSD8Tow.dat

Filesize
6KB

MD5
a5eb9d0ced46541c6f72b03959d327a6

SHA1
ea8da543e6576c4297019e687efcf6eaae6d1d6f

SHA256
11ed62aaa46a98c5a07339144d3430fbb31a1d433fb791b57f44a1acd35a12e1

SHA512
640cd51a91018415632a52c986b152750f046a871d8b1d265ae548671c07f080c096cef8ae7091558a77b4ab1c0898c5f397c5f74bab751e6435b6cfeb5609fa

Download Submit
C:\Program Files (x86)\YouttubeAdBBlocke\XyQxKb2NSD8Tow.x64.dll

Filesize
695KB

MD5
2af06e7424e4f53fa8ee2b8daf4cdaa3

SHA1
0a09aa095e38211b8fc512d2e9f8f7cf12159a19

SHA256
81f98c4034227951bd4ad5e6d6a823bd112602f3550fd7066a01f16b8c8aca69

SHA512
6bcaa8998bd7971f41bebc8433be949cf48d98c0eb70c643b7b7a1b50d2b4cf66412efb170684f36f1987c1992ba88350f815ea18a3cf50caf8ce97bbb961b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C90.tmp\XWEUTwa1OncJhL9.dat

Filesize
6KB

MD5
a5eb9d0ced46541c6f72b03959d327a6

SHA1
ea8da543e6576c4297019e687efcf6eaae6d1d6f

SHA256
11ed62aaa46a98c5a07339144d3430fbb31a1d433fb791b57f44a1acd35a12e1

SHA512
640cd51a91018415632a52c986b152750f046a871d8b1d265ae548671c07f080c096cef8ae7091558a77b4ab1c0898c5f397c5f74bab751e6435b6cfeb5609fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C90.tmp\XWEUTwa1OncJhL9.exe

Filesize
634KB

MD5
bd1503d4eaae5e7f2a8cdbd9a88ec02a

SHA1
730280a7839bb46bdeeaa47797d926f8d57e1da1

SHA256
724380928512fc5261d5f42e64f7705fcdeae1410f24a8ec6b0a2ba783675cb4

SHA512
0dc06ce8e78f6b0ebbe65723791ea4ffde8a9d55534dda1b02e81f1a109fce77f26e4bdfb9fd18b5ca9f4d9ff2454e6b05eca325539148512f762b5d2f225c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C90.tmp\XWEUTwa1OncJhL9.exe

Filesize
634KB

MD5
bd1503d4eaae5e7f2a8cdbd9a88ec02a

SHA1
730280a7839bb46bdeeaa47797d926f8d57e1da1

SHA256
724380928512fc5261d5f42e64f7705fcdeae1410f24a8ec6b0a2ba783675cb4

SHA512
0dc06ce8e78f6b0ebbe65723791ea4ffde8a9d55534dda1b02e81f1a109fce77f26e4bdfb9fd18b5ca9f4d9ff2454e6b05eca325539148512f762b5d2f225c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C90.tmp\XyQxKb2NSD8Tow.dll

Filesize
618KB

MD5
f180a95d8673cd01ce4af0ff678fa099

SHA1
8592fe958436e14ef9ace437ac4445ecca22e35e

SHA256
d40aa49822621713e0f79f6c9a187468251fc22559cb1bbd6b5f71a94819eeb7

SHA512
3dda5f3133df4c00c03d8b3fb539b37e2e6b26d0384d3674cefa9595136f9eaa4b9d21c0e806a9ec3cfadfb782a30e344145abbf87bca813de056f84c6fb13c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C90.tmp\XyQxKb2NSD8Tow.tlb

Filesize
3KB

MD5
8af6f42a5b16ced04702514d47052053

SHA1
f06e43c9710e27b38063652217874f6fc8515ea0

SHA256
0fc752f18e2f21a6d0b45fb9769deefe70d4690e72225037a37d1dc0553ae8ed

SHA512
2d1fedf6693f0347d9265436fbc17515fa9a904db54170181ca7a6d5c64a4928494a20a1eb489d646602ed2769e570bfb5835bffd241a53a8fe64d5767b9234b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C90.tmp\XyQxKb2NSD8Tow.x64.dll

Filesize
695KB

MD5
2af06e7424e4f53fa8ee2b8daf4cdaa3

SHA1
0a09aa095e38211b8fc512d2e9f8f7cf12159a19

SHA256
81f98c4034227951bd4ad5e6d6a823bd112602f3550fd7066a01f16b8c8aca69

SHA512
6bcaa8998bd7971f41bebc8433be949cf48d98c0eb70c643b7b7a1b50d2b4cf66412efb170684f36f1987c1992ba88350f815ea18a3cf50caf8ce97bbb961b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C90.tmp\knnmmgkopgdgehhldfnjggbckajempca\background.html

Filesize
144B

MD5
60f7581247398b2328194c2bb6a0ff3e

SHA1
424e509d8dca74df366a57af5ebcd7d2b312a746

SHA256
683dc6b18dd5be388ee541982d759937532da6671fc3bb1282a6acdf523d79cd

SHA512
6c788eb66c9f2d94bc58d4500d74c90d82676ced99eadf40f1ff992bbeed3bdf3b94d01f1228781d2c171a40577943034648b2698dd1c3889ce852528a277ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C90.tmp\knnmmgkopgdgehhldfnjggbckajempca\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C90.tmp\knnmmgkopgdgehhldfnjggbckajempca\kTkVhtw.js

Filesize
5KB

MD5
d3eb2f07ffdd781a69bdd0472c7f15d4

SHA1
16f192485f15aaa084e4198cc9ea1c5b27e6cfc6

SHA256
31662d9c726806808c1e558de5e9b23ef49fdb6ca77b2db8afae67eea5480267

SHA512
bd004166135308a0013aee6f763521b740ce219db334a2218f89660eb67d8642df0ec686cd2db17e2152735e342176bc0d1d9b6bddcaec2057bc165c5cd94985

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C90.tmp\knnmmgkopgdgehhldfnjggbckajempca\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C90.tmp\knnmmgkopgdgehhldfnjggbckajempca\manifest.json

Filesize
509B

MD5
0efa5ab91e4bc4b876314e9a3f1ebe9b

SHA1
f03fd6600b8b92d8c468d392fd6510aec8c98cd6

SHA256
f353db44661c45beda448b804bbf28d6ff7744d94612d7b596fd51f7b1dcf170

SHA512
16a1d7a5fd3abb2e7528791afbc58b55e9a1febef26f04b036a9ab99fdae8110ed1876be7ba75aba060a6e11cb1c81de592afcad89fd78586b3b62e2a62b179a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C90.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C90.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
182fda101c4920a16bb6fe611aabb8e9

SHA1
42fd979de510d7cc776c57ef6ede92f4fce345b6

SHA256
b195d0eeb5c83ee0912e2abbad356e6e9833334187178b523cc7106c9123c4b7

SHA512
3955ecb3060912872d835daace80edafbc7da29302901ad469f4bd85210afe368ecf0968a440607cdd4aae39481412dbdd457781bc7dfd0ffbae248a2979f43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C90.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
a115ab909b0abd8109bd2cf43e16f4f8

SHA1
21ece036b06c662d60c64625607f6e2b4b212b30

SHA256
2e172a26778ea79a59f6d76f4dfeeecc280433619e3cdc30a0129bee7d9b2520

SHA512
dfd370899b753f73f2b67293477d7e965d97afe165ce468d7e82337c17c2eb19bbf54d725e5afac57826feed7cbcbc9a0360b59877c61b0b63b3fea908495897

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C90.tmp\[email protected]\install.rdf

Filesize
608B

MD5
cafd003941f837e8e79d156db5b901f2

SHA1
0a78d6c65acfdd8c4a9681e5276a51d2a30a7a32

SHA256
b4cffb50ff82c43ffb6146cf427db886d13a197d05f599f5c8ca8ebcccae4a1e

SHA512
b2addbad38fac1705424f2299005ccbc4b20170c9020d8afbe55392af35250cd4e06aa9e610b28c06e57681d65c7cfd621c640ce660889e5e00bdfecda511b05

Download Submit
\Program Files (x86)\YouttubeAdBBlocke\XyQxKb2NSD8Tow.dll

Filesize
618KB

MD5
f180a95d8673cd01ce4af0ff678fa099

SHA1
8592fe958436e14ef9ace437ac4445ecca22e35e

SHA256
d40aa49822621713e0f79f6c9a187468251fc22559cb1bbd6b5f71a94819eeb7

SHA512
3dda5f3133df4c00c03d8b3fb539b37e2e6b26d0384d3674cefa9595136f9eaa4b9d21c0e806a9ec3cfadfb782a30e344145abbf87bca813de056f84c6fb13c9

Download Submit
\Program Files (x86)\YouttubeAdBBlocke\XyQxKb2NSD8Tow.x64.dll

Filesize
695KB

MD5
2af06e7424e4f53fa8ee2b8daf4cdaa3

SHA1
0a09aa095e38211b8fc512d2e9f8f7cf12159a19

SHA256
81f98c4034227951bd4ad5e6d6a823bd112602f3550fd7066a01f16b8c8aca69

SHA512
6bcaa8998bd7971f41bebc8433be949cf48d98c0eb70c643b7b7a1b50d2b4cf66412efb170684f36f1987c1992ba88350f815ea18a3cf50caf8ce97bbb961b16

Download Submit
\Program Files (x86)\YouttubeAdBBlocke\XyQxKb2NSD8Tow.x64.dll

Filesize
695KB

MD5
2af06e7424e4f53fa8ee2b8daf4cdaa3

SHA1
0a09aa095e38211b8fc512d2e9f8f7cf12159a19

SHA256
81f98c4034227951bd4ad5e6d6a823bd112602f3550fd7066a01f16b8c8aca69

SHA512
6bcaa8998bd7971f41bebc8433be949cf48d98c0eb70c643b7b7a1b50d2b4cf66412efb170684f36f1987c1992ba88350f815ea18a3cf50caf8ce97bbb961b16

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7C90.tmp\XWEUTwa1OncJhL9.exe

Filesize
634KB

MD5
bd1503d4eaae5e7f2a8cdbd9a88ec02a

SHA1
730280a7839bb46bdeeaa47797d926f8d57e1da1

SHA256
724380928512fc5261d5f42e64f7705fcdeae1410f24a8ec6b0a2ba783675cb4

SHA512
0dc06ce8e78f6b0ebbe65723791ea4ffde8a9d55534dda1b02e81f1a109fce77f26e4bdfb9fd18b5ca9f4d9ff2454e6b05eca325539148512f762b5d2f225c7b

Download Submit
memory/1500-54-0x0000000075151000-0x0000000075153000-memory.dmp

Filesize
8KB

Download
memory/1868-78-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

Filesize
8KB

Download