f5d87620b381e60fad42b5efc5e14c82f48b82ddd0d00dfcda7e0fe8c2b6f90a

Analysis

max time kernel
91s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5d87620b381e60fad42b5efc5e14c82f48b82ddd0d00dfcda7e0fe8c2b6f90a.exe
Size

2.1MB
MD5

cbb5f72ac0c1bf9bedef6dbb39d40797
SHA1

83129433a013a195fae36d89144be1e694a4033f
SHA256

f5d87620b381e60fad42b5efc5e14c82f48b82ddd0d00dfcda7e0fe8c2b6f90a
SHA512

1ec865760f8708beffbd722fbefd052d9f45939d0ebb607c632d8d2d282b2313cf0f3aca2f51303726ad260efb514256f2ed6a527a08aefc0319c8fd709738d6
SSDEEP

24576:h1OYdaOPYRFw8fYYFt4YoITo8wNKoWTyYgFJwEFZm1o0iU/7PCILygmNIm58NKaD:h1OsyvoIBqKoyyVDwvlw9eeho

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4060	rq6S859a1Fj6Xgu.exe

Loads dropped DLL 3 IoCs

pid	Process
4060	rq6S859a1Fj6Xgu.exe
1924	regsvr32.exe
388	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\gjdhojbmahbcefebngejmbgomcmabenb\200\manifest.json	rq6S859a1Fj6Xgu.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gjdhojbmahbcefebngejmbgomcmabenb\200\manifest.json	rq6S859a1Fj6Xgu.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\gjdhojbmahbcefebngejmbgomcmabenb\200\manifest.json	rq6S859a1Fj6Xgu.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\gjdhojbmahbcefebngejmbgomcmabenb\200\manifest.json	rq6S859a1Fj6Xgu.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\gjdhojbmahbcefebngejmbgomcmabenb\200\manifest.json	rq6S859a1Fj6Xgu.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	rq6S859a1Fj6Xgu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	rq6S859a1Fj6Xgu.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	rq6S859a1Fj6Xgu.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	rq6S859a1Fj6Xgu.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BrowseriShop\cDN3N4y0Pd3hE4.tlb	rq6S859a1Fj6Xgu.exe
File opened for modification	C:\Program Files (x86)\BrowseriShop\cDN3N4y0Pd3hE4.tlb	rq6S859a1Fj6Xgu.exe
File created	C:\Program Files (x86)\BrowseriShop\cDN3N4y0Pd3hE4.dat	rq6S859a1Fj6Xgu.exe
File opened for modification	C:\Program Files (x86)\BrowseriShop\cDN3N4y0Pd3hE4.dat	rq6S859a1Fj6Xgu.exe
File created	C:\Program Files (x86)\BrowseriShop\cDN3N4y0Pd3hE4.x64.dll	rq6S859a1Fj6Xgu.exe
File opened for modification	C:\Program Files (x86)\BrowseriShop\cDN3N4y0Pd3hE4.x64.dll	rq6S859a1Fj6Xgu.exe
File created	C:\Program Files (x86)\BrowseriShop\cDN3N4y0Pd3hE4.dll	rq6S859a1Fj6Xgu.exe
File opened for modification	C:\Program Files (x86)\BrowseriShop\cDN3N4y0Pd3hE4.dll	rq6S859a1Fj6Xgu.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4060	4836	f5d87620b381e60fad42b5efc5e14c82f48b82ddd0d00dfcda7e0fe8c2b6f90a.exe	82
PID 4836 wrote to memory of 4060	4836	f5d87620b381e60fad42b5efc5e14c82f48b82ddd0d00dfcda7e0fe8c2b6f90a.exe	82
PID 4836 wrote to memory of 4060	4836	f5d87620b381e60fad42b5efc5e14c82f48b82ddd0d00dfcda7e0fe8c2b6f90a.exe	82
PID 4060 wrote to memory of 1924	4060	rq6S859a1Fj6Xgu.exe	83
PID 4060 wrote to memory of 1924	4060	rq6S859a1Fj6Xgu.exe	83
PID 4060 wrote to memory of 1924	4060	rq6S859a1Fj6Xgu.exe	83
PID 1924 wrote to memory of 388	1924	regsvr32.exe	84
PID 1924 wrote to memory of 388	1924	regsvr32.exe	84

C:\Users\Admin\AppData\Local\Temp\f5d87620b381e60fad42b5efc5e14c82f48b82ddd0d00dfcda7e0fe8c2b6f90a.exe
"C:\Users\Admin\AppData\Local\Temp\f5d87620b381e60fad42b5efc5e14c82f48b82ddd0d00dfcda7e0fe8c2b6f90a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Local\Temp\7zSACEE.tmp\rq6S859a1Fj6Xgu.exe
  .\rq6S859a1Fj6Xgu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\BrowseriShop\cDN3N4y0Pd3hE4.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BrowseriShop\cDN3N4y0Pd3hE4.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BrowseriShop\cDN3N4y0Pd3hE4.dat

Filesize
6KB

MD5
783f7c3b838a25280a2c852cebf31f64

SHA1
de8ec4b9b2e4ed58e3457ec2404420fd61b0379f

SHA256
8f4aadc477937c3ac3d301055e7a87299293700c6779044f4f7ab8dcf7fc869d

SHA512
9db423af121e5d5aab14e0f3b8fa9cfc6c4f5099d4f90b8b564f72c37b10328c4ad27371499fa41fee6761f60a418998f3386c99aa54b0350bbf10a9d977d9c1

Download Submit
C:\Program Files (x86)\BrowseriShop\cDN3N4y0Pd3hE4.dll

Filesize
622KB

MD5
8b25d120044424e3ec273ac959fff938

SHA1
3993ccda1e5a76c1dcad288e24d458d4dafca5aa

SHA256
0db373d6054cd542fe327f3a81f96cd21cd99ef9bd982dc09ac5a55bb90ec1cd

SHA512
babfce75d8f57dd4f07ce0a778b7f7406f0ee4ce256761cb912c041588acfddc553535ec229338e758fab77981268d3022d9f125a17acfcc209449d0a192772d

Download Submit
C:\Program Files (x86)\BrowseriShop\cDN3N4y0Pd3hE4.x64.dll

Filesize
699KB

MD5
0f7fd08e76c48202c9cd34cb499d6553

SHA1
ea9718612fadf13fc4af2c5167031d1232c927ae

SHA256
92aa6ead2d4103a9b52de24d3480df986d2dacf5f52068195558adaf1127b811

SHA512
37e2bdc1e854cbaf052eb616c59995f563e9f47d60fa63ece7216fb5fbd24c1793b5ba7d5671a01060ec9d945d72988d880f6ec68989131ccedb44dc69d9e7bc

Download Submit
C:\Program Files (x86)\BrowseriShop\cDN3N4y0Pd3hE4.x64.dll

Filesize
699KB

MD5
0f7fd08e76c48202c9cd34cb499d6553

SHA1
ea9718612fadf13fc4af2c5167031d1232c927ae

SHA256
92aa6ead2d4103a9b52de24d3480df986d2dacf5f52068195558adaf1127b811

SHA512
37e2bdc1e854cbaf052eb616c59995f563e9f47d60fa63ece7216fb5fbd24c1793b5ba7d5671a01060ec9d945d72988d880f6ec68989131ccedb44dc69d9e7bc

Download Submit
C:\Program Files (x86)\BrowseriShop\cDN3N4y0Pd3hE4.x64.dll

Filesize
699KB

MD5
0f7fd08e76c48202c9cd34cb499d6553

SHA1
ea9718612fadf13fc4af2c5167031d1232c927ae

SHA256
92aa6ead2d4103a9b52de24d3480df986d2dacf5f52068195558adaf1127b811

SHA512
37e2bdc1e854cbaf052eb616c59995f563e9f47d60fa63ece7216fb5fbd24c1793b5ba7d5671a01060ec9d945d72988d880f6ec68989131ccedb44dc69d9e7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSACEE.tmp\cDN3N4y0Pd3hE4.dll

Filesize
622KB

MD5
8b25d120044424e3ec273ac959fff938

SHA1
3993ccda1e5a76c1dcad288e24d458d4dafca5aa

SHA256
0db373d6054cd542fe327f3a81f96cd21cd99ef9bd982dc09ac5a55bb90ec1cd

SHA512
babfce75d8f57dd4f07ce0a778b7f7406f0ee4ce256761cb912c041588acfddc553535ec229338e758fab77981268d3022d9f125a17acfcc209449d0a192772d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSACEE.tmp\cDN3N4y0Pd3hE4.tlb

Filesize
3KB

MD5
e4226d4e4e3cf2175354a30a5d269d23

SHA1
6f4bb94887d02c49e4097f3bad537470beea1f07

SHA256
77a4039d3d0ce6522872b18e7ac957b717b30deedd6ac2ca832e1f63c12e2a4f

SHA512
dce70c2413789949fc73601b4404433559814eb27e36beab4eb5eaebabaf57d6507c8b1639749706a0313c3214342a83b7a6b8b62e559ab5fab44642671e8b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSACEE.tmp\cDN3N4y0Pd3hE4.x64.dll

Filesize
699KB

MD5
0f7fd08e76c48202c9cd34cb499d6553

SHA1
ea9718612fadf13fc4af2c5167031d1232c927ae

SHA256
92aa6ead2d4103a9b52de24d3480df986d2dacf5f52068195558adaf1127b811

SHA512
37e2bdc1e854cbaf052eb616c59995f563e9f47d60fa63ece7216fb5fbd24c1793b5ba7d5671a01060ec9d945d72988d880f6ec68989131ccedb44dc69d9e7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSACEE.tmp\gjdhojbmahbcefebngejmbgomcmabenb\background.html

Filesize
138B

MD5
6b80ce55441b27baca57bd6d618243c0

SHA1
44f05e6f84945e4aba53b08df8e347f35885395d

SHA256
11af5e17927527e0b163f6a6e85d359810af251873a36d18ccb61d9e618d1bd5

SHA512
3f9aa21cb51f18e81e381dca0c0e4d8163ff52aa4cc767a106587b421e19569717040c57a775f41010a043d2b9722ca00d5514b082e6e2101d0134c473b4c7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSACEE.tmp\gjdhojbmahbcefebngejmbgomcmabenb\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSACEE.tmp\gjdhojbmahbcefebngejmbgomcmabenb\l.js

Filesize
5KB

MD5
e86aacf92044988d85e2b48f9e5c3714

SHA1
b2ed7db32f00d09735bae4613572532049798409

SHA256
f01444a4462598e237bd285d8adf5d3d8cfa77076200a0741c9800d0894d8762

SHA512
21f0d00b67a624b272db06f599a3d1ff2e7a6b2fa122a767d23cc41bf336208f9273aefd2075a399c7547f997f110691c0fb8b1abd7c680baee9c00442f789ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSACEE.tmp\gjdhojbmahbcefebngejmbgomcmabenb\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSACEE.tmp\gjdhojbmahbcefebngejmbgomcmabenb\manifest.json

Filesize
504B

MD5
0b2948514d949629ad3419558e5c370d

SHA1
95d15fc057065713723991e26ae11663aa61f1af

SHA256
cb575ac28357444016f478ecdd16e027afe2d8f5e6567ee12edef943542144ed

SHA512
165119683f769686968f64ce0c7f18354832a597332d1b440ae0aa483fa3210ac70de958357692b5c962c6e2b9b81d9e87e238abf6ac5607e10618dff1b1b0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSACEE.tmp\rq6S859a1Fj6Xgu.dat

Filesize
6KB

MD5
783f7c3b838a25280a2c852cebf31f64

SHA1
de8ec4b9b2e4ed58e3457ec2404420fd61b0379f

SHA256
8f4aadc477937c3ac3d301055e7a87299293700c6779044f4f7ab8dcf7fc869d

SHA512
9db423af121e5d5aab14e0f3b8fa9cfc6c4f5099d4f90b8b564f72c37b10328c4ad27371499fa41fee6761f60a418998f3386c99aa54b0350bbf10a9d977d9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSACEE.tmp\rq6S859a1Fj6Xgu.exe

Filesize
621KB

MD5
9bd30a06593bdf01f2cffbf9630166e3

SHA1
132ea2fd2a057a5cafa1a639e669038e5f1fd0e1

SHA256
201ef8f6e94e7289cd1d8a27ab4f61f8b3c62852f241232d73289e322febd5a7

SHA512
1ba934f7702d9cf0d2407b64c1d31b684365edd705c9283a60df4175e75a7ab6140b1d2c262c2647a0334a069845dc909f535b6ccba26908eb6fbd7c26c2dded

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSACEE.tmp\rq6S859a1Fj6Xgu.exe

Filesize
621KB

MD5
9bd30a06593bdf01f2cffbf9630166e3

SHA1
132ea2fd2a057a5cafa1a639e669038e5f1fd0e1

SHA256
201ef8f6e94e7289cd1d8a27ab4f61f8b3c62852f241232d73289e322febd5a7

SHA512
1ba934f7702d9cf0d2407b64c1d31b684365edd705c9283a60df4175e75a7ab6140b1d2c262c2647a0334a069845dc909f535b6ccba26908eb6fbd7c26c2dded

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSACEE.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSACEE.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
30dfb8c9a93310bec8b8e527321a139d

SHA1
7831622b529cdd775d2020fa0ed3cdffb6765b1c

SHA256
b9fa5018dcdab35928ec5f2c89286f64bd52a43cb7ed5cdeb3f9f2addbdbd1f8

SHA512
5c191cc01c72ac1717fe539d61a7b4ec3de726e49420d30b31696b3bf8b75696b2fdd35f68f6db3a192317e7b495c17a3f979b63109d0b9064f6102734824888

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSACEE.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
85ef6435b98472ce8561a016e957a7fe

SHA1
2d384186c8581e1619dffdc527be03d25d7a3d11

SHA256
ff1a9d6f8678a0b5a486f44d0f71825d713893954013dd7881259a4d829ee88f

SHA512
f348032c59e32827b77cc866215211989cb35ab3e597c30180d0881a6448ad569c084a803c9ece08a80c02c463a3ef5e1972a2368b1b7542b91675d0e994b3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSACEE.tmp\[email protected]\install.rdf

Filesize
600B

MD5
5791846a57d06391a64610814c4916ed

SHA1
3dc6b4fa7cd49441e10fe10f11db6909066af956

SHA256
6a9eaa534d278cd18c9b5bb70a72e4fd51495e119262d5ab1483a30393dc4dc7

SHA512
6fd49616779347e42e48267aad1b935220df14a2958a36bf79f4c5923beffecde2188f0400f1bd58959060400b42866fcaa3b00ce0c3289b45a614af71f8faec

Download Submit