016926a819fe03d14076d737158763eebad15b852e9e1afff69f79e6b14e0c03

Analysis

max time kernel
38s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

016926a819fe03d14076d737158763eebad15b852e9e1afff69f79e6b14e0c03.exe
Size

2.1MB
MD5

d4af66181055be100b55345bb180ce67
SHA1

c96f009272059c3f700dbe5b8ffd209255ea0b49
SHA256

016926a819fe03d14076d737158763eebad15b852e9e1afff69f79e6b14e0c03
SHA512

c09a96d08085379b589094cf95655ee749433fb2a537235d657abbe658b93343293ada40747f98fe039ad69ac52e5383a7abf1438494db7e8299baf8389f91b8
SSDEEP

49152:h1OsGVaQRAQ+A/QnYHL9Da+LNJJs76HWUZtK:h1O6QdHLNJgR

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
576	QBCSE88FcxP2etF.exe

Loads dropped DLL 4 IoCs

pid	Process
744	016926a819fe03d14076d737158763eebad15b852e9e1afff69f79e6b14e0c03.exe
576	QBCSE88FcxP2etF.exe
2032	regsvr32.exe
2028	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lndgmmchefobdehdddiicdgcolpoaojp\200\manifest.json	QBCSE88FcxP2etF.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lndgmmchefobdehdddiicdgcolpoaojp\200\manifest.json	QBCSE88FcxP2etF.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lndgmmchefobdehdddiicdgcolpoaojp\200\manifest.json	QBCSE88FcxP2etF.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	QBCSE88FcxP2etF.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	QBCSE88FcxP2etF.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	QBCSE88FcxP2etF.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	QBCSE88FcxP2etF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	QBCSE88FcxP2etF.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Browser Shop\Oj7pizSQlTTLCj.dll	QBCSE88FcxP2etF.exe
File created	C:\Program Files (x86)\Browser Shop\Oj7pizSQlTTLCj.tlb	QBCSE88FcxP2etF.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\Oj7pizSQlTTLCj.tlb	QBCSE88FcxP2etF.exe
File created	C:\Program Files (x86)\Browser Shop\Oj7pizSQlTTLCj.dat	QBCSE88FcxP2etF.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\Oj7pizSQlTTLCj.dat	QBCSE88FcxP2etF.exe
File created	C:\Program Files (x86)\Browser Shop\Oj7pizSQlTTLCj.x64.dll	QBCSE88FcxP2etF.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\Oj7pizSQlTTLCj.x64.dll	QBCSE88FcxP2etF.exe
File created	C:\Program Files (x86)\Browser Shop\Oj7pizSQlTTLCj.dll	QBCSE88FcxP2etF.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 576	744	016926a819fe03d14076d737158763eebad15b852e9e1afff69f79e6b14e0c03.exe	28
PID 744 wrote to memory of 576	744	016926a819fe03d14076d737158763eebad15b852e9e1afff69f79e6b14e0c03.exe	28
PID 744 wrote to memory of 576	744	016926a819fe03d14076d737158763eebad15b852e9e1afff69f79e6b14e0c03.exe	28
PID 744 wrote to memory of 576	744	016926a819fe03d14076d737158763eebad15b852e9e1afff69f79e6b14e0c03.exe	28
PID 576 wrote to memory of 2032	576	QBCSE88FcxP2etF.exe	29
PID 576 wrote to memory of 2032	576	QBCSE88FcxP2etF.exe	29
PID 576 wrote to memory of 2032	576	QBCSE88FcxP2etF.exe	29
PID 576 wrote to memory of 2032	576	QBCSE88FcxP2etF.exe	29
PID 576 wrote to memory of 2032	576	QBCSE88FcxP2etF.exe	29
PID 576 wrote to memory of 2032	576	QBCSE88FcxP2etF.exe	29
PID 576 wrote to memory of 2032	576	QBCSE88FcxP2etF.exe	29
PID 2032 wrote to memory of 2028	2032	regsvr32.exe	30
PID 2032 wrote to memory of 2028	2032	regsvr32.exe	30
PID 2032 wrote to memory of 2028	2032	regsvr32.exe	30
PID 2032 wrote to memory of 2028	2032	regsvr32.exe	30
PID 2032 wrote to memory of 2028	2032	regsvr32.exe	30
PID 2032 wrote to memory of 2028	2032	regsvr32.exe	30
PID 2032 wrote to memory of 2028	2032	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\016926a819fe03d14076d737158763eebad15b852e9e1afff69f79e6b14e0c03.exe
"C:\Users\Admin\AppData\Local\Temp\016926a819fe03d14076d737158763eebad15b852e9e1afff69f79e6b14e0c03.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:744
- C:\Users\Admin\AppData\Local\Temp\7zS761.tmp\QBCSE88FcxP2etF.exe
  .\QBCSE88FcxP2etF.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Browser Shop\Oj7pizSQlTTLCj.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Browser Shop\Oj7pizSQlTTLCj.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Browser Shop\Oj7pizSQlTTLCj.dat

Filesize
6KB

MD5
20b6bb5ffb622829239c33eccc48860c

SHA1
d9e6303238b2b2ae3bb90affffa79be5aea8d390

SHA256
d21087e5c75b7fe11855bd8896747d5257d273dc942e1ab5734cc59199f3bbc3

SHA512
0b1cd4944f5dec873f2abbd893e16e6a295b9def11dcfcfe6c4145e071b960582bdb344294183d8f8d06a2687ac903adfa2082e8577ae5e2ed3251658ea43fd4

Download Submit
C:\Program Files (x86)\Browser Shop\Oj7pizSQlTTLCj.x64.dll

Filesize
701KB

MD5
ba029df09fe322da666bd790a070e8fb

SHA1
85c2a745626c58347d4cfe65c92a73239f955351

SHA256
496bd95841eff8e87a62a7ee37614c5d532bf8cf359875b2d7b2e174472ad8b7

SHA512
67b309de2f67c85bbf56cd6e36785547ed8ab575c9e0a2a4a333b8e7041559562a9c4b2aa789a9d700f1df7f0e6762b73d349e80d4f2a7d4d5c09932d55050ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS761.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS761.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
a47e0f955c5370527cb08dda8fcf483d

SHA1
ae044ca7646366f789414cdad865f107b47e2138

SHA256
735567d1f0d40a7aa0cc4eb20a136963ac21f0f676acc130396abb6877f707eb

SHA512
7e04761ff34e76e79457c3ce412b69c1ea414fc990de8b01ab99ee6308bd650ba38c30be4bc31a6bc0b15940dc5395c37f21cb471d70af5813f2280176122170

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS761.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
e4035b04a7257105c1f70f8cc1d27cd3

SHA1
2d86e9282dd9368b20a722d07d5d9c30e67fbd69

SHA256
4b09f433641346cae885a3bfd4041267d364a607edf253e1ade279861251b96c

SHA512
98f82aa953b1fc1d04ce585e6399f43f1d69fc3563cbf670e62c7263f5f7877072c6956d5d1a23b8684a0cb883a3a26ed8ea3ac321fee340b6cc8d7a75e81b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS761.tmp\[email protected]\install.rdf

Filesize
599B

MD5
45eed595d4c97f85ff4bd2d1dc01a1f7

SHA1
d2481ca994fa4e2ff78970663f029de7412a42bf

SHA256
e3e668465440dfbf1b1def2111e83c799e1c3f8f49f9cde30230415ed92b2d3f

SHA512
a1436ca0eb8d808da0f48195bd976e4dfaa1a55b6d7af5e152cfe70b42b158a3d5cb0825a3790394a715f90452c206e0c8f84cd9f1057f25f6b6c59dba2ec48a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS761.tmp\Oj7pizSQlTTLCj.dll

Filesize
624KB

MD5
5d02ca019e94426393fbca13427fc28a

SHA1
cd9b4cb70eb6652dc7242afb3354018c964facc1

SHA256
09e0d7030f6b78ef96a3d812645337c6282c7dd0e8c568a7f37dd60f3a05771a

SHA512
b98c66c6f65688ac5a3f471122debe54164ec739e7f4e8c13840b309bd72baff78ec1597554ce0919a05aafee12c8ed3a633475aabee5599c7d2a0571c64103e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS761.tmp\Oj7pizSQlTTLCj.tlb

Filesize
3KB

MD5
40d5ba7a201d49a2e75197fe15c6d328

SHA1
848c0adf675fd7434cfc1dc5b578d8e1c4ac117f

SHA256
d22cfc14e8eec32f54df507ab7eea58a847576f27dc786d794ec011343bc37ab

SHA512
a96da019e5e4c16dea70ce0b80965cd83cdc57a6100a247b1d028434adb96d24b4b49e97937d9ba074329f0574c804b15d300e4f6db9aedd885dd954fec52d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS761.tmp\Oj7pizSQlTTLCj.x64.dll

Filesize
701KB

MD5
ba029df09fe322da666bd790a070e8fb

SHA1
85c2a745626c58347d4cfe65c92a73239f955351

SHA256
496bd95841eff8e87a62a7ee37614c5d532bf8cf359875b2d7b2e174472ad8b7

SHA512
67b309de2f67c85bbf56cd6e36785547ed8ab575c9e0a2a4a333b8e7041559562a9c4b2aa789a9d700f1df7f0e6762b73d349e80d4f2a7d4d5c09932d55050ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS761.tmp\QBCSE88FcxP2etF.dat

Filesize
6KB

MD5
20b6bb5ffb622829239c33eccc48860c

SHA1
d9e6303238b2b2ae3bb90affffa79be5aea8d390

SHA256
d21087e5c75b7fe11855bd8896747d5257d273dc942e1ab5734cc59199f3bbc3

SHA512
0b1cd4944f5dec873f2abbd893e16e6a295b9def11dcfcfe6c4145e071b960582bdb344294183d8f8d06a2687ac903adfa2082e8577ae5e2ed3251658ea43fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS761.tmp\QBCSE88FcxP2etF.exe

Filesize
623KB

MD5
9c474f966075e4d5968e67145bcbe2a3

SHA1
f3fe6099ba9710a7980b3f03d9a6a6551aade41a

SHA256
a4b7326af7d425ce38e5961677c630d3321e3205f3ce9d4fa778788c46f96cc5

SHA512
1c93eac1fce60462068c7271add97b4978e88543dbec8011185131f8c077b0b513d4947d6d6e7fe9189c4d47d8461c1445eec18860e6e4ed715773c9d397047d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS761.tmp\QBCSE88FcxP2etF.exe

Filesize
623KB

MD5
9c474f966075e4d5968e67145bcbe2a3

SHA1
f3fe6099ba9710a7980b3f03d9a6a6551aade41a

SHA256
a4b7326af7d425ce38e5961677c630d3321e3205f3ce9d4fa778788c46f96cc5

SHA512
1c93eac1fce60462068c7271add97b4978e88543dbec8011185131f8c077b0b513d4947d6d6e7fe9189c4d47d8461c1445eec18860e6e4ed715773c9d397047d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS761.tmp\lndgmmchefobdehdddiicdgcolpoaojp\bY5DpLkuo.js

Filesize
5KB

MD5
aa9cc76ce1568d9119a56fc39b0451b0

SHA1
3fa0d161aeeee4e2350aa2a65cd8c9281ef8f6fd

SHA256
790b7f493ca5864c2b804d4770f18cbb2352e03d8d72f37edc4c9f6abfda3223

SHA512
d7572af0aac42504f1520e6d3699def53bafc2278d191fbfa4258f0d44b7bff1aa3187f82e33fb350bdaa105ed4870852a305af9ebcf89c7243fad1d08f81749

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS761.tmp\lndgmmchefobdehdddiicdgcolpoaojp\background.html

Filesize
146B

MD5
68ce843ed7d295883ec0fa99fd03bc36

SHA1
2519a4cc619c4eefb871716455f6da9d84ccd636

SHA256
bb8ab2ae04aad918e83e5c4dc72d5e158b35970092e460d0c3f03eef62c7c8df

SHA512
05d3dcbcdbf55959c86d7baf40f646e73458a8d9cb3953b75a4b479971dc7c27819d1c7d2e6099cffd620ac6e231a8aec1d938e4943f728eec08e6666cea6f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS761.tmp\lndgmmchefobdehdddiicdgcolpoaojp\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS761.tmp\lndgmmchefobdehdddiicdgcolpoaojp\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS761.tmp\lndgmmchefobdehdddiicdgcolpoaojp\manifest.json

Filesize
504B

MD5
d532994175ac6e4e8fea2ae07edef6ff

SHA1
5646eab3cebc8b0a804103b63f08a63db784a77d

SHA256
f9a190f8cfafdeddfe9627366bcd108e42b7fa07c8d074f1570bd77489f39c4d

SHA512
ba6ddc11423c0b0d93de3e3ecb9eeebe29470723282165aa67de4329a5f9af7e390869a7cbd0834c1ff115a1ed0a274bed686b4b6630e98b268ec1f2a9a8dadb

Download Submit
\Program Files (x86)\Browser Shop\Oj7pizSQlTTLCj.dll

Filesize
624KB

MD5
5d02ca019e94426393fbca13427fc28a

SHA1
cd9b4cb70eb6652dc7242afb3354018c964facc1

SHA256
09e0d7030f6b78ef96a3d812645337c6282c7dd0e8c568a7f37dd60f3a05771a

SHA512
b98c66c6f65688ac5a3f471122debe54164ec739e7f4e8c13840b309bd72baff78ec1597554ce0919a05aafee12c8ed3a633475aabee5599c7d2a0571c64103e

Download Submit
\Program Files (x86)\Browser Shop\Oj7pizSQlTTLCj.x64.dll

Filesize
701KB

MD5
ba029df09fe322da666bd790a070e8fb

SHA1
85c2a745626c58347d4cfe65c92a73239f955351

SHA256
496bd95841eff8e87a62a7ee37614c5d532bf8cf359875b2d7b2e174472ad8b7

SHA512
67b309de2f67c85bbf56cd6e36785547ed8ab575c9e0a2a4a333b8e7041559562a9c4b2aa789a9d700f1df7f0e6762b73d349e80d4f2a7d4d5c09932d55050ad

Download Submit
\Program Files (x86)\Browser Shop\Oj7pizSQlTTLCj.x64.dll

Filesize
701KB

MD5
ba029df09fe322da666bd790a070e8fb

SHA1
85c2a745626c58347d4cfe65c92a73239f955351

SHA256
496bd95841eff8e87a62a7ee37614c5d532bf8cf359875b2d7b2e174472ad8b7

SHA512
67b309de2f67c85bbf56cd6e36785547ed8ab575c9e0a2a4a333b8e7041559562a9c4b2aa789a9d700f1df7f0e6762b73d349e80d4f2a7d4d5c09932d55050ad

Download Submit
\Users\Admin\AppData\Local\Temp\7zS761.tmp\QBCSE88FcxP2etF.exe

Filesize
623KB

MD5
9c474f966075e4d5968e67145bcbe2a3

SHA1
f3fe6099ba9710a7980b3f03d9a6a6551aade41a

SHA256
a4b7326af7d425ce38e5961677c630d3321e3205f3ce9d4fa778788c46f96cc5

SHA512
1c93eac1fce60462068c7271add97b4978e88543dbec8011185131f8c077b0b513d4947d6d6e7fe9189c4d47d8461c1445eec18860e6e4ed715773c9d397047d

Download Submit
memory/744-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/2028-78-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp

Filesize
8KB

Download