58bd63672b8922d92efc5b7d1f240403d53de5c1c68cc915fcdea2e38aeb01c5

Analysis

max time kernel
42s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58bd63672b8922d92efc5b7d1f240403d53de5c1c68cc915fcdea2e38aeb01c5.exe
Size

2.0MB
MD5

c846316ad9b02c145937884cfb9abe3e
SHA1

9f41030dbded0256396fd6c5a563d8777284bb72
SHA256

58bd63672b8922d92efc5b7d1f240403d53de5c1c68cc915fcdea2e38aeb01c5
SHA512

77d33106d5359e8a79d79577b828765a9d3bb41d729fdc80f556e6936b51d1bf05dd2576694f2e547c0e61c34ea3ccbdfb7e7a862b3277e9a89c37d1a7cf65e5
SSDEEP

24576:h1OYdaO2fFu+THyENGBKZCtEZ8r4uamh/U6zEjCPkqXsEWBV1Bsi6uRJaEsrWmx5:h1Os594ZP8lhfzEj4lXsEa3XQETomaF

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
908	1CUDgCxTPxTROjs.exe

Loads dropped DLL 4 IoCs

pid	Process
2016	58bd63672b8922d92efc5b7d1f240403d53de5c1c68cc915fcdea2e38aeb01c5.exe
908	1CUDgCxTPxTROjs.exe
1748	regsvr32.exe
1372	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nncokekpdeloofaeplfejeinjejmonfe\200\manifest.json	1CUDgCxTPxTROjs.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nncokekpdeloofaeplfejeinjejmonfe\200\manifest.json	1CUDgCxTPxTROjs.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\nncokekpdeloofaeplfejeinjejmonfe\200\manifest.json	1CUDgCxTPxTROjs.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	1CUDgCxTPxTROjs.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	1CUDgCxTPxTROjs.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	1CUDgCxTPxTROjs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	1CUDgCxTPxTROjs.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	1CUDgCxTPxTROjs.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Browser Shop\Lhp8QHcVznaOjh.dat	1CUDgCxTPxTROjs.exe
File created	C:\Program Files (x86)\Browser Shop\Lhp8QHcVznaOjh.x64.dll	1CUDgCxTPxTROjs.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\Lhp8QHcVznaOjh.x64.dll	1CUDgCxTPxTROjs.exe
File created	C:\Program Files (x86)\Browser Shop\Lhp8QHcVznaOjh.dll	1CUDgCxTPxTROjs.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\Lhp8QHcVznaOjh.dll	1CUDgCxTPxTROjs.exe
File created	C:\Program Files (x86)\Browser Shop\Lhp8QHcVznaOjh.tlb	1CUDgCxTPxTROjs.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\Lhp8QHcVznaOjh.tlb	1CUDgCxTPxTROjs.exe
File created	C:\Program Files (x86)\Browser Shop\Lhp8QHcVznaOjh.dat	1CUDgCxTPxTROjs.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 908	2016	58bd63672b8922d92efc5b7d1f240403d53de5c1c68cc915fcdea2e38aeb01c5.exe	27
PID 2016 wrote to memory of 908	2016	58bd63672b8922d92efc5b7d1f240403d53de5c1c68cc915fcdea2e38aeb01c5.exe	27
PID 2016 wrote to memory of 908	2016	58bd63672b8922d92efc5b7d1f240403d53de5c1c68cc915fcdea2e38aeb01c5.exe	27
PID 2016 wrote to memory of 908	2016	58bd63672b8922d92efc5b7d1f240403d53de5c1c68cc915fcdea2e38aeb01c5.exe	27
PID 908 wrote to memory of 1748	908	1CUDgCxTPxTROjs.exe	28
PID 908 wrote to memory of 1748	908	1CUDgCxTPxTROjs.exe	28
PID 908 wrote to memory of 1748	908	1CUDgCxTPxTROjs.exe	28
PID 908 wrote to memory of 1748	908	1CUDgCxTPxTROjs.exe	28
PID 908 wrote to memory of 1748	908	1CUDgCxTPxTROjs.exe	28
PID 908 wrote to memory of 1748	908	1CUDgCxTPxTROjs.exe	28
PID 908 wrote to memory of 1748	908	1CUDgCxTPxTROjs.exe	28
PID 1748 wrote to memory of 1372	1748	regsvr32.exe	29
PID 1748 wrote to memory of 1372	1748	regsvr32.exe	29
PID 1748 wrote to memory of 1372	1748	regsvr32.exe	29
PID 1748 wrote to memory of 1372	1748	regsvr32.exe	29
PID 1748 wrote to memory of 1372	1748	regsvr32.exe	29
PID 1748 wrote to memory of 1372	1748	regsvr32.exe	29
PID 1748 wrote to memory of 1372	1748	regsvr32.exe	29

C:\Users\Admin\AppData\Local\Temp\58bd63672b8922d92efc5b7d1f240403d53de5c1c68cc915fcdea2e38aeb01c5.exe
"C:\Users\Admin\AppData\Local\Temp\58bd63672b8922d92efc5b7d1f240403d53de5c1c68cc915fcdea2e38aeb01c5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\7zSEAEC.tmp\1CUDgCxTPxTROjs.exe
  .\1CUDgCxTPxTROjs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Browser Shop\Lhp8QHcVznaOjh.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Browser Shop\Lhp8QHcVznaOjh.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Browser Shop\Lhp8QHcVznaOjh.dat

Filesize
6KB

MD5
db38143ae62e75f60d457eb118bf7b0f

SHA1
a729c5402a0d92b14d0140db404d06ee2b095579

SHA256
6d819cc2aff463ffeb20b7fad6382617fa2c5c531c4ce73e21ff52d73b4cc483

SHA512
317064c0b22efcf2b18f780cc591c6157d0e8ad29922bd843667e296e7931ee86d51833ff4d9a90e300bdc5d737e6a8e63f105cb0f314591fa7e8c15e82b7f9f

Download Submit
C:\Program Files (x86)\Browser Shop\Lhp8QHcVznaOjh.x64.dll

Filesize
691KB

MD5
59e1333309fec702267c87d196b055e0

SHA1
9963c338edcf9e5d7cffcf0c10c4c37e9851fbf9

SHA256
a9d3eca79b9388f4e57e90a0a02dd3a3c5113e3fea592bb7a3c59b5ab2707cbb

SHA512
43b19e6dd0bf7fbbc814fa870ae8d0c6b5feece6ed9f27b9d330b395d68002d0f345f876db71fd9e1e3dd5bb5a3550d927987b6463f000b48ea32b274d342280

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEAEC.tmp\1CUDgCxTPxTROjs.dat

Filesize
6KB

MD5
db38143ae62e75f60d457eb118bf7b0f

SHA1
a729c5402a0d92b14d0140db404d06ee2b095579

SHA256
6d819cc2aff463ffeb20b7fad6382617fa2c5c531c4ce73e21ff52d73b4cc483

SHA512
317064c0b22efcf2b18f780cc591c6157d0e8ad29922bd843667e296e7931ee86d51833ff4d9a90e300bdc5d737e6a8e63f105cb0f314591fa7e8c15e82b7f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEAEC.tmp\1CUDgCxTPxTROjs.exe

Filesize
616KB

MD5
5014b549dc2eef1518aeff4054656352

SHA1
36bf1afcbbaaf88cd9073e7d541c09d204976e90

SHA256
cc2841dd0cd5fc7f876b3f266aef6898ffdca28f27e119660320c927d45158e8

SHA512
0029898636807101434988c7e62d9309ff4e82efec590d251beaf9ae7d568ec79271d65df41f4cad42612426b7a2b48c493822f15eb6b9ef913b008cf556c3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEAEC.tmp\1CUDgCxTPxTROjs.exe

Filesize
616KB

MD5
5014b549dc2eef1518aeff4054656352

SHA1
36bf1afcbbaaf88cd9073e7d541c09d204976e90

SHA256
cc2841dd0cd5fc7f876b3f266aef6898ffdca28f27e119660320c927d45158e8

SHA512
0029898636807101434988c7e62d9309ff4e82efec590d251beaf9ae7d568ec79271d65df41f4cad42612426b7a2b48c493822f15eb6b9ef913b008cf556c3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEAEC.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEAEC.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
1c9deb68056316ff71cbb0b94f24e97d

SHA1
5f870a38d5f8636cf5dd8d2b8d8062ad06a39372

SHA256
4b5e1f6d09b616e62dabebdf577d70e19ba6b29794109d016d6c668842190c20

SHA512
b56d622398c2a2f7b07e152a0680065e1d9c4d25e208ac4d6e4a1b291cd3b9a38a4fbd7cc702117fa2887ca4337ca1dfa21c3cd2c938eab49e18af731eba44b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEAEC.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
0a004a5ad95da4c390dddff6c8321508

SHA1
bbf541fa091bfe8251d9e9cbbbb47d7ef5476445

SHA256
df70cca72463560fb34226470cc21e646ff375b6140758a371570aa6e0de2565

SHA512
89a41280a83b10dc1bf3d566d9c21afbfd7202a28fedc6ded57625af034f0d29310bb4cf64f9648c605bccf525ddf649b95962fb9608dc0d7a861365b82251b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEAEC.tmp\[email protected]\install.rdf

Filesize
604B

MD5
b5d219dd0e29d70e3d3fa96ef1bbdc0f

SHA1
adc031c75f0a62c23491894fccf2cfe65d078fb6

SHA256
05bcfb6d385cb07de8c27abe382d3060924c9feeb24d92a201d74de18a0efe4b

SHA512
db04892cf38b8acd7ef37e6ead90ac4804116b40cd64933204ab0e093654c0786d835d6d0daae68fb193f67b8f80b71a3c39a91357ebbe7d1d6794783540254d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEAEC.tmp\Lhp8QHcVznaOjh.dll

Filesize
610KB

MD5
61c3e691487d69d9bcc5dbe0fc47665b

SHA1
b50758bbd356561d567814588120b73531d40613

SHA256
2595c34d68d44aeffc92f7f8a30aa886a5fe465cecf6b1b8756f10e3c338aad6

SHA512
49bac7e7ee0e67a7c3f1359597de277e7fdddba8129ba935a2f8e3135b2bfd61abb762abc50a2645332e4967eb9f1e77f62d69fb1a91e71b291e7238827960ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEAEC.tmp\Lhp8QHcVznaOjh.tlb

Filesize
3KB

MD5
60ac3f156e69d832af97dfa97971bf36

SHA1
9c4660e466a9a6305701993907c22cfa55c87eba

SHA256
f48c9a95b76dd9368f73c30e681815275e98d16935bd877cc7897eabc0b32259

SHA512
d210889b577ae3726e03e24a6e1ae704065cc288e20032ad5528cd581e4124a68be7f038fb4a00112705a3461bf2894001ac979195d8c0f5f49b542ba5ab5baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEAEC.tmp\Lhp8QHcVznaOjh.x64.dll

Filesize
691KB

MD5
59e1333309fec702267c87d196b055e0

SHA1
9963c338edcf9e5d7cffcf0c10c4c37e9851fbf9

SHA256
a9d3eca79b9388f4e57e90a0a02dd3a3c5113e3fea592bb7a3c59b5ab2707cbb

SHA512
43b19e6dd0bf7fbbc814fa870ae8d0c6b5feece6ed9f27b9d330b395d68002d0f345f876db71fd9e1e3dd5bb5a3550d927987b6463f000b48ea32b274d342280

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEAEC.tmp\nncokekpdeloofaeplfejeinjejmonfe\background.html

Filesize
143B

MD5
62379c0f05586627e3d76f12fe906ba4

SHA1
6a7c9ce524bea2e17ee4eaf15fa51285c7573b42

SHA256
aaaeb6646f4c7fa07e71ced68101c05e1fbd1fe682a738dee06c9e611e24e0c0

SHA512
f2dc0059d29b3563f96f99e30faf865382cd7339cf80111774a6910189f5a6e21be5e43e13afe75a3434f64044ab886db9944949c873ab4093f08bab638959a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEAEC.tmp\nncokekpdeloofaeplfejeinjejmonfe\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEAEC.tmp\nncokekpdeloofaeplfejeinjejmonfe\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEAEC.tmp\nncokekpdeloofaeplfejeinjejmonfe\manifest.json

Filesize
504B

MD5
d532994175ac6e4e8fea2ae07edef6ff

SHA1
5646eab3cebc8b0a804103b63f08a63db784a77d

SHA256
f9a190f8cfafdeddfe9627366bcd108e42b7fa07c8d074f1570bd77489f39c4d

SHA512
ba6ddc11423c0b0d93de3e3ecb9eeebe29470723282165aa67de4329a5f9af7e390869a7cbd0834c1ff115a1ed0a274bed686b4b6630e98b268ec1f2a9a8dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEAEC.tmp\nncokekpdeloofaeplfejeinjejmonfe\vXxiKm.js

Filesize
5KB

MD5
2c6ddb3d785fe99c1a965f2c3b04e248

SHA1
977b3b6d5f3a800c0aac54eaf34cbcce8454706a

SHA256
e177196857ae2ba3f31431ceaf1775246d62306678982153e1a494eb2de28ab7

SHA512
9692b484f4eeb4da7fa3bdc537b08050fb6f1d9b2a80619dd21a4bf17b00a318192f437aec39156941805f9a741215d12fa9f2ddb96dac76a5cbe3d9206ff5d8

Download Submit
\Program Files (x86)\Browser Shop\Lhp8QHcVznaOjh.dll

Filesize
610KB

MD5
61c3e691487d69d9bcc5dbe0fc47665b

SHA1
b50758bbd356561d567814588120b73531d40613

SHA256
2595c34d68d44aeffc92f7f8a30aa886a5fe465cecf6b1b8756f10e3c338aad6

SHA512
49bac7e7ee0e67a7c3f1359597de277e7fdddba8129ba935a2f8e3135b2bfd61abb762abc50a2645332e4967eb9f1e77f62d69fb1a91e71b291e7238827960ed

Download Submit
\Program Files (x86)\Browser Shop\Lhp8QHcVznaOjh.x64.dll

Filesize
691KB

MD5
59e1333309fec702267c87d196b055e0

SHA1
9963c338edcf9e5d7cffcf0c10c4c37e9851fbf9

SHA256
a9d3eca79b9388f4e57e90a0a02dd3a3c5113e3fea592bb7a3c59b5ab2707cbb

SHA512
43b19e6dd0bf7fbbc814fa870ae8d0c6b5feece6ed9f27b9d330b395d68002d0f345f876db71fd9e1e3dd5bb5a3550d927987b6463f000b48ea32b274d342280

Download Submit
\Program Files (x86)\Browser Shop\Lhp8QHcVznaOjh.x64.dll

Filesize
691KB

MD5
59e1333309fec702267c87d196b055e0

SHA1
9963c338edcf9e5d7cffcf0c10c4c37e9851fbf9

SHA256
a9d3eca79b9388f4e57e90a0a02dd3a3c5113e3fea592bb7a3c59b5ab2707cbb

SHA512
43b19e6dd0bf7fbbc814fa870ae8d0c6b5feece6ed9f27b9d330b395d68002d0f345f876db71fd9e1e3dd5bb5a3550d927987b6463f000b48ea32b274d342280

Download Submit
\Users\Admin\AppData\Local\Temp\7zSEAEC.tmp\1CUDgCxTPxTROjs.exe

Filesize
616KB

MD5
5014b549dc2eef1518aeff4054656352

SHA1
36bf1afcbbaaf88cd9073e7d541c09d204976e90

SHA256
cc2841dd0cd5fc7f876b3f266aef6898ffdca28f27e119660320c927d45158e8

SHA512
0029898636807101434988c7e62d9309ff4e82efec590d251beaf9ae7d568ec79271d65df41f4cad42612426b7a2b48c493822f15eb6b9ef913b008cf556c3ab

Download Submit
memory/1372-78-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

Filesize
8KB

Download
memory/2016-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download