800f813f8be7d2eb58fffac8e4a080c439a0529656384922a8ef6e9b926b32af

Analysis

max time kernel
39s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

800f813f8be7d2eb58fffac8e4a080c439a0529656384922a8ef6e9b926b32af.exe
Size

2.1MB
MD5

537c37a5b00b16d727d4f0b96c1eff94
SHA1

71fec39685b0b65c5b66227393a48df09a6ec89d
SHA256

800f813f8be7d2eb58fffac8e4a080c439a0529656384922a8ef6e9b926b32af
SHA512

f2a251c7b884ce6173d4b34abb3ad340d7eda6bcffe5976cc98a589510f9c1d0047a634b03a5e59efb177bc547056af7fc902be9c6217cf41fe4526687732429
SSDEEP

24576:h1OYdaOqGiAEAd/KjjBKyu73i8mxcmMMV6zs+G/pC2d1RJoTJnQqphTuS2MD3Gvh:h1OslMAd/OxfV6zZGYg1RJQnFrTc2SP

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1968	kFMSXtopFoGcHps.exe

Loads dropped DLL 4 IoCs

pid	Process
1960	800f813f8be7d2eb58fffac8e4a080c439a0529656384922a8ef6e9b926b32af.exe
1968	kFMSXtopFoGcHps.exe
608	regsvr32.exe
1344	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hphcmkfmcbbolakpaoijodkogbhngnao\1.0\manifest.json	kFMSXtopFoGcHps.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hphcmkfmcbbolakpaoijodkogbhngnao\1.0\manifest.json	kFMSXtopFoGcHps.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hphcmkfmcbbolakpaoijodkogbhngnao\1.0\manifest.json	kFMSXtopFoGcHps.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	kFMSXtopFoGcHps.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	kFMSXtopFoGcHps.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	kFMSXtopFoGcHps.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	kFMSXtopFoGcHps.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	kFMSXtopFoGcHps.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\YoutoubbeAduBlockiee\VwxHQNL8b0aIPl.dll	kFMSXtopFoGcHps.exe
File opened for modification	C:\Program Files (x86)\YoutoubbeAduBlockiee\VwxHQNL8b0aIPl.dll	kFMSXtopFoGcHps.exe
File created	C:\Program Files (x86)\YoutoubbeAduBlockiee\VwxHQNL8b0aIPl.tlb	kFMSXtopFoGcHps.exe
File opened for modification	C:\Program Files (x86)\YoutoubbeAduBlockiee\VwxHQNL8b0aIPl.tlb	kFMSXtopFoGcHps.exe
File created	C:\Program Files (x86)\YoutoubbeAduBlockiee\VwxHQNL8b0aIPl.dat	kFMSXtopFoGcHps.exe
File opened for modification	C:\Program Files (x86)\YoutoubbeAduBlockiee\VwxHQNL8b0aIPl.dat	kFMSXtopFoGcHps.exe
File created	C:\Program Files (x86)\YoutoubbeAduBlockiee\VwxHQNL8b0aIPl.x64.dll	kFMSXtopFoGcHps.exe
File opened for modification	C:\Program Files (x86)\YoutoubbeAduBlockiee\VwxHQNL8b0aIPl.x64.dll	kFMSXtopFoGcHps.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1968	1960	800f813f8be7d2eb58fffac8e4a080c439a0529656384922a8ef6e9b926b32af.exe	28
PID 1960 wrote to memory of 1968	1960	800f813f8be7d2eb58fffac8e4a080c439a0529656384922a8ef6e9b926b32af.exe	28
PID 1960 wrote to memory of 1968	1960	800f813f8be7d2eb58fffac8e4a080c439a0529656384922a8ef6e9b926b32af.exe	28
PID 1960 wrote to memory of 1968	1960	800f813f8be7d2eb58fffac8e4a080c439a0529656384922a8ef6e9b926b32af.exe	28
PID 1968 wrote to memory of 608	1968	kFMSXtopFoGcHps.exe	29
PID 1968 wrote to memory of 608	1968	kFMSXtopFoGcHps.exe	29
PID 1968 wrote to memory of 608	1968	kFMSXtopFoGcHps.exe	29
PID 1968 wrote to memory of 608	1968	kFMSXtopFoGcHps.exe	29
PID 1968 wrote to memory of 608	1968	kFMSXtopFoGcHps.exe	29
PID 1968 wrote to memory of 608	1968	kFMSXtopFoGcHps.exe	29
PID 1968 wrote to memory of 608	1968	kFMSXtopFoGcHps.exe	29
PID 608 wrote to memory of 1344	608	regsvr32.exe	30
PID 608 wrote to memory of 1344	608	regsvr32.exe	30
PID 608 wrote to memory of 1344	608	regsvr32.exe	30
PID 608 wrote to memory of 1344	608	regsvr32.exe	30
PID 608 wrote to memory of 1344	608	regsvr32.exe	30
PID 608 wrote to memory of 1344	608	regsvr32.exe	30
PID 608 wrote to memory of 1344	608	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\800f813f8be7d2eb58fffac8e4a080c439a0529656384922a8ef6e9b926b32af.exe
"C:\Users\Admin\AppData\Local\Temp\800f813f8be7d2eb58fffac8e4a080c439a0529656384922a8ef6e9b926b32af.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\7zSA00.tmp\kFMSXtopFoGcHps.exe
  .\kFMSXtopFoGcHps.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YoutoubbeAduBlockiee\VwxHQNL8b0aIPl.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:608
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YoutoubbeAduBlockiee\VwxHQNL8b0aIPl.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutoubbeAduBlockiee\VwxHQNL8b0aIPl.dat

Filesize
6KB

MD5
a0c744a01ce1c142721f53d706c6ff92

SHA1
1d89385cefcd6e5c9d6d865623bfcc94e8fb8270

SHA256
44b311f29c664741064de10e01afdbd95066bedab9cd5b2d2e1a8e419cdba178

SHA512
6340fc58c92617cd3d35cd797bca7da44f9637f7edb9a1d5dc7422a075ba454b4adb2e122612470c22bfdfe401860878eccd8d20a524bb1d146c008ace9bdaa6

Download Submit
C:\Program Files (x86)\YoutoubbeAduBlockiee\VwxHQNL8b0aIPl.x64.dll

Filesize
702KB

MD5
1287246338d36f26f77735bd58d74e70

SHA1
aabda37cd307e50f2444c73bd656eaf2b78fc291

SHA256
4d1d5893df770fc7c94b33c90f87f8cc8b9d7669f4f914df9139ddb22042acc1

SHA512
ee4177dbd58c1327ea0334e43499e99cea642d458844b589116d147d72a6f71e063fe5dadbe262a7bca7cf0ba7ec48708e64827b513abc3e46144bcfcc6f46f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA00.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA00.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
d7a6e84c42ee1be1298bc4458e494af2

SHA1
20843c2cb8799701225e48208bf32d548c324840

SHA256
c93a114f98d17f38296754c2522822ad26dce9460bd3670dac34f461e20f1a12

SHA512
584f3e37df68fe40f45b5bce8d053b595920cfd1c060eaeefdee95cba1103c3f279ca479074ba181535087dbd0f8fe0e008e15b17a2c24b2306727c2e950b48b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA00.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
6e63dd3d14a8d2d0d47a0fab6da326e9

SHA1
fb83162cfc76af03140742e5e0758f79926dcd41

SHA256
fc013cd62dcadec3e1584d0fabdf0b87ef20ecd8dbe3020a4797b7e6ac402b10

SHA512
0ea98839ea445b825349a59af999b8c0e9a218186406be89a0a621e44973206a19da04fc8724f39c707ded1296c006ec04acfed865706b8c146232247df3b97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA00.tmp\[email protected]\install.rdf

Filesize
611B

MD5
d08ea2e447ced3230944e174a6516378

SHA1
83521fbe299ccaa351a69edb4741226b49dc97f5

SHA256
9a49afb440439eaedfa49bd5d9fcc9c342533610c2c3aeb851a219acebda80fb

SHA512
83f0c91947ba8e3b62b96b7efed488144df7520dcead391699fe04e071e8fdd1d41e5ed7a3ad09fb5c4188657c35973f0a6a6225ed51bac72938630cf38f77dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA00.tmp\VwxHQNL8b0aIPl.dll

Filesize
619KB

MD5
4f328f4e17a2c81830aac4c8c3d67141

SHA1
063c8e33d6a263dd604d072ffd143305f6c3d4a8

SHA256
303917029755e7a44a6e7392c5e751e4fbcb66feaa8a5f09142efaf5a91ad2fc

SHA512
d387cf9ee95426717be8bac7a6cd422b8ddc2aa925723a9b25a169d9b4a0f5cb5607e2f2b8161cadb0e4333d1fda4ba24ecb838dbb49571d55a6799efce404c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA00.tmp\VwxHQNL8b0aIPl.tlb

Filesize
3KB

MD5
62cb4133d9d3a46f4f1c6c0fb3688619

SHA1
feaaef6e2b8c41be2575d0763cc8de3e8c19478e

SHA256
3ddcfb4b206fc4856f5bb5c06bcc3761dde53882eea20b5dc5ddf4ee8864bea5

SHA512
cb30dc73d52eb502f745fe32b4055b53306f62f0847cae1275d0856608949ea62c30f40d7f252ad450909a4bd425cf0e50012400175cc42a4096cf1451d90123

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA00.tmp\VwxHQNL8b0aIPl.x64.dll

Filesize
702KB

MD5
1287246338d36f26f77735bd58d74e70

SHA1
aabda37cd307e50f2444c73bd656eaf2b78fc291

SHA256
4d1d5893df770fc7c94b33c90f87f8cc8b9d7669f4f914df9139ddb22042acc1

SHA512
ee4177dbd58c1327ea0334e43499e99cea642d458844b589116d147d72a6f71e063fe5dadbe262a7bca7cf0ba7ec48708e64827b513abc3e46144bcfcc6f46f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA00.tmp\hphcmkfmcbbolakpaoijodkogbhngnao\UI2TGXcUIo.js

Filesize
5KB

MD5
219d0d79e101070f9b4cdbc748dfa086

SHA1
db9b402d32ef630d3a00f86c594f74c066f87b3a

SHA256
77785c43ad345619419b181d6c6efaba60df0f9ce7fc93129994a8ee251f9e71

SHA512
fdc486f95428bf372a53e41f230aab1018d9bf034783f865d42f0ea2a65b9168349c71aff02e269627aed79a2f43fb5d5c7df380423b0aed39fa1f4f85e8f0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA00.tmp\hphcmkfmcbbolakpaoijodkogbhngnao\background.html

Filesize
147B

MD5
e0bc636918afa58beaf3e7095f0f2685

SHA1
b1d79c512b05ec152d04b98b0e19e7ac7949b148

SHA256
c6e8e4d67cdd052fca8d609eb953b4a3dac759146a706dafccf5716d51294a23

SHA512
fe49b50ebde65c24ad22d6f3f1526c707ba4a996e40bb784ab2a9b5d3bae6c074fc46fcb486c94e9b1dc4ce7498102c12d68edc488482139f34d86a985add304

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA00.tmp\hphcmkfmcbbolakpaoijodkogbhngnao\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA00.tmp\hphcmkfmcbbolakpaoijodkogbhngnao\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA00.tmp\hphcmkfmcbbolakpaoijodkogbhngnao\manifest.json

Filesize
512B

MD5
822ad6ac5ea85cdfe82c1b9bf6b062eb

SHA1
6773b9d45eaf71064d75531c1c357d9f17282f49

SHA256
cf5ca28fc584ebc1c9dc3c6f9477b2235415dc183a7dd66731feed0883fa80bf

SHA512
f8269c6ff777cb2b6825c3fa3b404db03f5020345f8e73867ebdf98421a4804e8de9171c61177daa6df97c1a9a14cebe0ad049ff74e17241ebdecef684747d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA00.tmp\kFMSXtopFoGcHps.dat

Filesize
6KB

MD5
a0c744a01ce1c142721f53d706c6ff92

SHA1
1d89385cefcd6e5c9d6d865623bfcc94e8fb8270

SHA256
44b311f29c664741064de10e01afdbd95066bedab9cd5b2d2e1a8e419cdba178

SHA512
6340fc58c92617cd3d35cd797bca7da44f9637f7edb9a1d5dc7422a075ba454b4adb2e122612470c22bfdfe401860878eccd8d20a524bb1d146c008ace9bdaa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA00.tmp\kFMSXtopFoGcHps.exe

Filesize
623KB

MD5
cd6bf363f5af45a16926343310023db4

SHA1
e5bcbe9735e5a8d6243af1c2a4593784e8e63aa6

SHA256
bfa98e4e677c8bcb7348aed64d51915e3bacb05925d0234e646e2bb7cc3cdd06

SHA512
3ccb2c4ea143ac58d4df43751bf1c8781795b2321f3acb5d85a0249e4b43c1bf3f93c41c0c59cc2933b923069340a3f7425e9ddce1d7355e60eec843d9158ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA00.tmp\kFMSXtopFoGcHps.exe

Filesize
623KB

MD5
cd6bf363f5af45a16926343310023db4

SHA1
e5bcbe9735e5a8d6243af1c2a4593784e8e63aa6

SHA256
bfa98e4e677c8bcb7348aed64d51915e3bacb05925d0234e646e2bb7cc3cdd06

SHA512
3ccb2c4ea143ac58d4df43751bf1c8781795b2321f3acb5d85a0249e4b43c1bf3f93c41c0c59cc2933b923069340a3f7425e9ddce1d7355e60eec843d9158ced

Download Submit
\Program Files (x86)\YoutoubbeAduBlockiee\VwxHQNL8b0aIPl.dll

Filesize
619KB

MD5
4f328f4e17a2c81830aac4c8c3d67141

SHA1
063c8e33d6a263dd604d072ffd143305f6c3d4a8

SHA256
303917029755e7a44a6e7392c5e751e4fbcb66feaa8a5f09142efaf5a91ad2fc

SHA512
d387cf9ee95426717be8bac7a6cd422b8ddc2aa925723a9b25a169d9b4a0f5cb5607e2f2b8161cadb0e4333d1fda4ba24ecb838dbb49571d55a6799efce404c0

Download Submit
\Program Files (x86)\YoutoubbeAduBlockiee\VwxHQNL8b0aIPl.x64.dll

Filesize
702KB

MD5
1287246338d36f26f77735bd58d74e70

SHA1
aabda37cd307e50f2444c73bd656eaf2b78fc291

SHA256
4d1d5893df770fc7c94b33c90f87f8cc8b9d7669f4f914df9139ddb22042acc1

SHA512
ee4177dbd58c1327ea0334e43499e99cea642d458844b589116d147d72a6f71e063fe5dadbe262a7bca7cf0ba7ec48708e64827b513abc3e46144bcfcc6f46f1

Download Submit
\Program Files (x86)\YoutoubbeAduBlockiee\VwxHQNL8b0aIPl.x64.dll

Filesize
702KB

MD5
1287246338d36f26f77735bd58d74e70

SHA1
aabda37cd307e50f2444c73bd656eaf2b78fc291

SHA256
4d1d5893df770fc7c94b33c90f87f8cc8b9d7669f4f914df9139ddb22042acc1

SHA512
ee4177dbd58c1327ea0334e43499e99cea642d458844b589116d147d72a6f71e063fe5dadbe262a7bca7cf0ba7ec48708e64827b513abc3e46144bcfcc6f46f1

Download Submit
\Users\Admin\AppData\Local\Temp\7zSA00.tmp\kFMSXtopFoGcHps.exe

Filesize
623KB

MD5
cd6bf363f5af45a16926343310023db4

SHA1
e5bcbe9735e5a8d6243af1c2a4593784e8e63aa6

SHA256
bfa98e4e677c8bcb7348aed64d51915e3bacb05925d0234e646e2bb7cc3cdd06

SHA512
3ccb2c4ea143ac58d4df43751bf1c8781795b2321f3acb5d85a0249e4b43c1bf3f93c41c0c59cc2933b923069340a3f7425e9ddce1d7355e60eec843d9158ced

Download Submit
memory/1344-78-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

Filesize
8KB

Download
memory/1960-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download