0c3086f87ee37d7deb0213e840712f11744991db71bf9455282f87be31f97f2c

Analysis

max time kernel
122s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c3086f87ee37d7deb0213e840712f11744991db71bf9455282f87be31f97f2c.exe
Size

2.0MB
MD5

0896a73e0362b7e32a5e0947f4a77e84
SHA1

22c8a5bf0b48b9870fe298833e60e834038a335b
SHA256

0c3086f87ee37d7deb0213e840712f11744991db71bf9455282f87be31f97f2c
SHA512

6cf18da726b87a1a1504cc43060d636bfc348d89c8e4b3b7857da9f6165dfd0590d6459b32f1bfbc6753dbde83356382e0a1226a289db35efe290f59afea950f
SSDEEP

24576:h1OYdaONaacvu7gXAfwlUlZov8Hk7IelYNJbMBhTlmWCv9oU+pHi00CScsPzMZpY:h1OsWqZBJgvzCg50qNLaz

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2468	oRx74vKlm8qC8I2.exe

Loads dropped DLL 3 IoCs

pid	Process
2468	oRx74vKlm8qC8I2.exe
3792	regsvr32.exe
3624	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\aahckidicpeplpninkgffbgdflhkaldf\1.3\manifest.json	oRx74vKlm8qC8I2.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aahckidicpeplpninkgffbgdflhkaldf\1.3\manifest.json	oRx74vKlm8qC8I2.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aahckidicpeplpninkgffbgdflhkaldf\1.3\manifest.json	oRx74vKlm8qC8I2.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\aahckidicpeplpninkgffbgdflhkaldf\1.3\manifest.json	oRx74vKlm8qC8I2.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\aahckidicpeplpninkgffbgdflhkaldf\1.3\manifest.json	oRx74vKlm8qC8I2.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	oRx74vKlm8qC8I2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	oRx74vKlm8qC8I2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	oRx74vKlm8qC8I2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	oRx74vKlm8qC8I2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\VaUdix\IhPr4NxeaenXp1.dll	oRx74vKlm8qC8I2.exe
File opened for modification	C:\Program Files (x86)\VaUdix\IhPr4NxeaenXp1.dll	oRx74vKlm8qC8I2.exe
File created	C:\Program Files (x86)\VaUdix\IhPr4NxeaenXp1.tlb	oRx74vKlm8qC8I2.exe
File opened for modification	C:\Program Files (x86)\VaUdix\IhPr4NxeaenXp1.tlb	oRx74vKlm8qC8I2.exe
File created	C:\Program Files (x86)\VaUdix\IhPr4NxeaenXp1.dat	oRx74vKlm8qC8I2.exe
File opened for modification	C:\Program Files (x86)\VaUdix\IhPr4NxeaenXp1.dat	oRx74vKlm8qC8I2.exe
File created	C:\Program Files (x86)\VaUdix\IhPr4NxeaenXp1.x64.dll	oRx74vKlm8qC8I2.exe
File opened for modification	C:\Program Files (x86)\VaUdix\IhPr4NxeaenXp1.x64.dll	oRx74vKlm8qC8I2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 2468	5028	0c3086f87ee37d7deb0213e840712f11744991db71bf9455282f87be31f97f2c.exe	81
PID 5028 wrote to memory of 2468	5028	0c3086f87ee37d7deb0213e840712f11744991db71bf9455282f87be31f97f2c.exe	81
PID 5028 wrote to memory of 2468	5028	0c3086f87ee37d7deb0213e840712f11744991db71bf9455282f87be31f97f2c.exe	81
PID 2468 wrote to memory of 3792	2468	oRx74vKlm8qC8I2.exe	82
PID 2468 wrote to memory of 3792	2468	oRx74vKlm8qC8I2.exe	82
PID 2468 wrote to memory of 3792	2468	oRx74vKlm8qC8I2.exe	82
PID 3792 wrote to memory of 3624	3792	regsvr32.exe	83
PID 3792 wrote to memory of 3624	3792	regsvr32.exe	83

C:\Users\Admin\AppData\Local\Temp\0c3086f87ee37d7deb0213e840712f11744991db71bf9455282f87be31f97f2c.exe
"C:\Users\Admin\AppData\Local\Temp\0c3086f87ee37d7deb0213e840712f11744991db71bf9455282f87be31f97f2c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\7zSB059.tmp\oRx74vKlm8qC8I2.exe
  .\oRx74vKlm8qC8I2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\VaUdix\IhPr4NxeaenXp1.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\VaUdix\IhPr4NxeaenXp1.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:3624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VaUdix\IhPr4NxeaenXp1.dat

Filesize
6KB

MD5
458e1e2a3828bc8961ef72cb0da5221c

SHA1
09d08692c8298ae70716ad333c7fd3b360089512

SHA256
eeda98858be3989780697cb0bc46371547827affc26af8c7e8009062df56eb00

SHA512
6d313ecdd9b01e09e7abd22088178a6e2680ea45a24f26de0be64b0742d49a2879b6de0ad6a8f70b4361958bde1f07608487ca4773ba265a02a312a283325ba0

Download Submit
C:\Program Files (x86)\VaUdix\IhPr4NxeaenXp1.dll

Filesize
611KB

MD5
b372e1c602e797f0db6018a7864f8f4f

SHA1
f0389347cb8a9d03d27187015b7ad4e463bd59fa

SHA256
1d8078aea6d3e3b6a42365a5c14143013f910b678534e2ab5c3ce1b1b9fad094

SHA512
8e0f5243e15e9a997d969b875795fe80c662676f951e56e48135805fb236f01f198203e94a22a8173e34f944cd9ff0ae2406f2a5689aba4999fc6eae595ad49b

Download Submit
C:\Program Files (x86)\VaUdix\IhPr4NxeaenXp1.x64.dll

Filesize
692KB

MD5
d1f95d8a9efdcd155c0af18e8e9a74ee

SHA1
89e37f04c70821d02152b1bc2243402cecb9471d

SHA256
d7017f74fd0b878c28d1f4c341d49bfdeae3436c3447cdf5057430180e86f558

SHA512
07488041eda04daa27f1e5204de6d4df535b63d97de82aaf4dbb4c8eee3e19405038edb5df39acc5aa890120b1225bd95d054e5d8a06fc2d5c723f5ca0563c41

Download Submit
C:\Program Files (x86)\VaUdix\IhPr4NxeaenXp1.x64.dll

Filesize
692KB

MD5
d1f95d8a9efdcd155c0af18e8e9a74ee

SHA1
89e37f04c70821d02152b1bc2243402cecb9471d

SHA256
d7017f74fd0b878c28d1f4c341d49bfdeae3436c3447cdf5057430180e86f558

SHA512
07488041eda04daa27f1e5204de6d4df535b63d97de82aaf4dbb4c8eee3e19405038edb5df39acc5aa890120b1225bd95d054e5d8a06fc2d5c723f5ca0563c41

Download Submit
C:\Program Files (x86)\VaUdix\IhPr4NxeaenXp1.x64.dll

Filesize
692KB

MD5
d1f95d8a9efdcd155c0af18e8e9a74ee

SHA1
89e37f04c70821d02152b1bc2243402cecb9471d

SHA256
d7017f74fd0b878c28d1f4c341d49bfdeae3436c3447cdf5057430180e86f558

SHA512
07488041eda04daa27f1e5204de6d4df535b63d97de82aaf4dbb4c8eee3e19405038edb5df39acc5aa890120b1225bd95d054e5d8a06fc2d5c723f5ca0563c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB059.tmp\IhPr4NxeaenXp1.dll

Filesize
611KB

MD5
b372e1c602e797f0db6018a7864f8f4f

SHA1
f0389347cb8a9d03d27187015b7ad4e463bd59fa

SHA256
1d8078aea6d3e3b6a42365a5c14143013f910b678534e2ab5c3ce1b1b9fad094

SHA512
8e0f5243e15e9a997d969b875795fe80c662676f951e56e48135805fb236f01f198203e94a22a8173e34f944cd9ff0ae2406f2a5689aba4999fc6eae595ad49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB059.tmp\IhPr4NxeaenXp1.tlb

Filesize
3KB

MD5
671b9e077657df17db9f3ed2da6bae37

SHA1
bfed6f97de94dc0b4377543c395a5a5453e3f699

SHA256
6ce2d1fb8f5d7bf1a4d4dfa06525484c538e18f5cff12c6b1cf68208313cb68c

SHA512
39973c90739c4c0dcdc70e70673a8dcfb7e9795daf8ad37a8264eb1206bd437aacbbf5c2ed8b3645fac317a6cc98be5413b738c5fe02f3f18272a4349c41676b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB059.tmp\IhPr4NxeaenXp1.x64.dll

Filesize
692KB

MD5
d1f95d8a9efdcd155c0af18e8e9a74ee

SHA1
89e37f04c70821d02152b1bc2243402cecb9471d

SHA256
d7017f74fd0b878c28d1f4c341d49bfdeae3436c3447cdf5057430180e86f558

SHA512
07488041eda04daa27f1e5204de6d4df535b63d97de82aaf4dbb4c8eee3e19405038edb5df39acc5aa890120b1225bd95d054e5d8a06fc2d5c723f5ca0563c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB059.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB059.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
bc1a14f1b6185552fc55865943d6fa57

SHA1
4fc877bd8f10a330eade6af76cfe59f660ce552f

SHA256
5c8f8fc8efd1421c5ff8ba530885dafacb46908aa8cc467af9c365cdbd5633e8

SHA512
01705c53ef34169a1b9b18c1c529feb1e74622cb8f8a1c8032b8b45ea343ed22802ed0d47eea2901ce4f2ce244b68f38512f4fde9f42a489310130fdd65daa73

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB059.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
c6ebdda6c884e202609c6797d9b1d312

SHA1
cc3561cd8d73c27f81d708c3d88090be8fe89a7a

SHA256
23a0bfc7b607d30beb7086202a561249b1afad9606edb76d30aa50fb22ec24e2

SHA512
fb6984d5fca20a13b772ca1b9a86ead20a452cda04d6326d342a1e727b50f2e32df09c92afd6eeeb7a6043ac2733df1ebe8c57987ef9935ea7a8bf29f5bf1eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB059.tmp\[email protected]\install.rdf

Filesize
594B

MD5
775da4f2ee8cc785174505407e8fd12a

SHA1
2de91f484b0704b3cc4797a132549e40d0373497

SHA256
4f5b2741e441e8425cc39887dfde414ac23df1dab34cf34fa585b1fce9668dec

SHA512
1da8fcbe1db181f52ca20786c3634cfe6412b79ef9f0fd299f1ca961968a6c5d5c0e2cbad7f383d629c67122682fd361bcdd6ff3c60f4718fab6d139c31821d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB059.tmp\aahckidicpeplpninkgffbgdflhkaldf\background.html

Filesize
147B

MD5
efcca9b6e52474e9db93ed86ea9f029b

SHA1
128bead89b1e7d10f1ebf0e481324f8ff9aadb11

SHA256
47230416309123035ec76221fc50fae9d4633f96871681d02f301cdbfd1567d7

SHA512
e5cf516e769edd6d3dc05db598b9d71eb323132612d71751079d76e1e06450dc8df850cd204611a9f4699641b6414d921e5455898f32ac665beefdd3f8701c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB059.tmp\aahckidicpeplpninkgffbgdflhkaldf\bs6ZKvttY0.js

Filesize
5KB

MD5
dd42edbdc05553d7dc5b88b513b45e6e

SHA1
644596baa389268c13071d947ad933264b27f373

SHA256
2a1e651579ff82fdb69ddc9bab720e2dd7d0526d54a790f658723fe7ab2e035c

SHA512
58cce10a8112650bd19b1017132632590db0dc729c1740121207efd3de3db0c08f708562bb9734528c64a4b80c843958047efee809dd3a8186ca8b2586ce8afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB059.tmp\aahckidicpeplpninkgffbgdflhkaldf\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB059.tmp\aahckidicpeplpninkgffbgdflhkaldf\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB059.tmp\aahckidicpeplpninkgffbgdflhkaldf\manifest.json

Filesize
498B

MD5
726fc1521b00f0999309e5e978d1a167

SHA1
ea85418464ce4f2e4f018143bb9da1e54b96e741

SHA256
c9f561a1a28dd9c10774222ed92d8ddc76364ed6a1b7dc795fcfe6e93a59c9a2

SHA512
21b5d1bbbdb28313060f0ba8712a4319cdce1af8753ea6fe688cbc6ef90ef87475887d6e2d9ef3cacdd76b1c74efa5170808cee15f5ae38559b75d9f5db66cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB059.tmp\oRx74vKlm8qC8I2.dat

Filesize
6KB

MD5
458e1e2a3828bc8961ef72cb0da5221c

SHA1
09d08692c8298ae70716ad333c7fd3b360089512

SHA256
eeda98858be3989780697cb0bc46371547827affc26af8c7e8009062df56eb00

SHA512
6d313ecdd9b01e09e7abd22088178a6e2680ea45a24f26de0be64b0742d49a2879b6de0ad6a8f70b4361958bde1f07608487ca4773ba265a02a312a283325ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB059.tmp\oRx74vKlm8qC8I2.exe

Filesize
622KB

MD5
4ecbc35005b5366fbc0ac6b28fc6ad0f

SHA1
d42ed8b1f39305dab856334a47428d1b52577c7c

SHA256
38ea513da8ddb1b65edd505eb24716802e4d33e59ad6050ceaed01b82e506563

SHA512
f45d7ccd8aae26623850a30f7ff52ad71771635745c72c0a929e4ecf5bf748f7badd424dd7f6955c0314a7fb04a6c0ef665664c4920b6476da8321f1dd167d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB059.tmp\oRx74vKlm8qC8I2.exe

Filesize
622KB

MD5
4ecbc35005b5366fbc0ac6b28fc6ad0f

SHA1
d42ed8b1f39305dab856334a47428d1b52577c7c

SHA256
38ea513da8ddb1b65edd505eb24716802e4d33e59ad6050ceaed01b82e506563

SHA512
f45d7ccd8aae26623850a30f7ff52ad71771635745c72c0a929e4ecf5bf748f7badd424dd7f6955c0314a7fb04a6c0ef665664c4920b6476da8321f1dd167d29

Download Submit