58674a023d29bd355422713a36f2787ae59871c05e6e3349b64cc132d98a1cd7

Analysis

max time kernel
42s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58674a023d29bd355422713a36f2787ae59871c05e6e3349b64cc132d98a1cd7.exe
Size

2.0MB
MD5

a0f637c8c437a41928000dfb7c571613
SHA1

79d60800c76bdb1c9d61edb0110eeea2f68b202a
SHA256

58674a023d29bd355422713a36f2787ae59871c05e6e3349b64cc132d98a1cd7
SHA512

eeb30853297473282091e1e639454ae923f93a80bf9472454b86aa59796d4ddd0da58ab94fa36e97cb791f00af1d9ea8ed9c1f25116bb7298a94899a559bfea1
SSDEEP

24576:h1OYdaOVI6E5REGb4sp9whi3+GVFAc7Ynf+eCI3mF7RGT116QDCp2hD4iFhgFau1:h1OsQb4splF+nf+1bF9BQupbFMQ/

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1344	puqhVQEqfsbAPjy.exe

Loads dropped DLL 4 IoCs

pid	Process
1360	58674a023d29bd355422713a36f2787ae59871c05e6e3349b64cc132d98a1cd7.exe
1344	puqhVQEqfsbAPjy.exe
668	regsvr32.exe
572	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hpaaaehginkgeacmedbghmjcokmajggo\200\manifest.json	puqhVQEqfsbAPjy.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hpaaaehginkgeacmedbghmjcokmajggo\200\manifest.json	puqhVQEqfsbAPjy.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hpaaaehginkgeacmedbghmjcokmajggo\200\manifest.json	puqhVQEqfsbAPjy.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	puqhVQEqfsbAPjy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	puqhVQEqfsbAPjy.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	puqhVQEqfsbAPjy.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	puqhVQEqfsbAPjy.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	puqhVQEqfsbAPjy.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BrowssEreShoP\gj1f6Zs5KBsNJG.dat	puqhVQEqfsbAPjy.exe
File opened for modification	C:\Program Files (x86)\BrowssEreShoP\gj1f6Zs5KBsNJG.dat	puqhVQEqfsbAPjy.exe
File created	C:\Program Files (x86)\BrowssEreShoP\gj1f6Zs5KBsNJG.x64.dll	puqhVQEqfsbAPjy.exe
File opened for modification	C:\Program Files (x86)\BrowssEreShoP\gj1f6Zs5KBsNJG.x64.dll	puqhVQEqfsbAPjy.exe
File created	C:\Program Files (x86)\BrowssEreShoP\gj1f6Zs5KBsNJG.dll	puqhVQEqfsbAPjy.exe
File opened for modification	C:\Program Files (x86)\BrowssEreShoP\gj1f6Zs5KBsNJG.dll	puqhVQEqfsbAPjy.exe
File created	C:\Program Files (x86)\BrowssEreShoP\gj1f6Zs5KBsNJG.tlb	puqhVQEqfsbAPjy.exe
File opened for modification	C:\Program Files (x86)\BrowssEreShoP\gj1f6Zs5KBsNJG.tlb	puqhVQEqfsbAPjy.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 1344	1360	58674a023d29bd355422713a36f2787ae59871c05e6e3349b64cc132d98a1cd7.exe	28
PID 1360 wrote to memory of 1344	1360	58674a023d29bd355422713a36f2787ae59871c05e6e3349b64cc132d98a1cd7.exe	28
PID 1360 wrote to memory of 1344	1360	58674a023d29bd355422713a36f2787ae59871c05e6e3349b64cc132d98a1cd7.exe	28
PID 1360 wrote to memory of 1344	1360	58674a023d29bd355422713a36f2787ae59871c05e6e3349b64cc132d98a1cd7.exe	28
PID 1344 wrote to memory of 668	1344	puqhVQEqfsbAPjy.exe	29
PID 1344 wrote to memory of 668	1344	puqhVQEqfsbAPjy.exe	29
PID 1344 wrote to memory of 668	1344	puqhVQEqfsbAPjy.exe	29
PID 1344 wrote to memory of 668	1344	puqhVQEqfsbAPjy.exe	29
PID 1344 wrote to memory of 668	1344	puqhVQEqfsbAPjy.exe	29
PID 1344 wrote to memory of 668	1344	puqhVQEqfsbAPjy.exe	29
PID 1344 wrote to memory of 668	1344	puqhVQEqfsbAPjy.exe	29
PID 668 wrote to memory of 572	668	regsvr32.exe	30
PID 668 wrote to memory of 572	668	regsvr32.exe	30
PID 668 wrote to memory of 572	668	regsvr32.exe	30
PID 668 wrote to memory of 572	668	regsvr32.exe	30
PID 668 wrote to memory of 572	668	regsvr32.exe	30
PID 668 wrote to memory of 572	668	regsvr32.exe	30
PID 668 wrote to memory of 572	668	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\58674a023d29bd355422713a36f2787ae59871c05e6e3349b64cc132d98a1cd7.exe
"C:\Users\Admin\AppData\Local\Temp\58674a023d29bd355422713a36f2787ae59871c05e6e3349b64cc132d98a1cd7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Temp\7zS99FF.tmp\puqhVQEqfsbAPjy.exe
  .\puqhVQEqfsbAPjy.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\BrowssEreShoP\gj1f6Zs5KBsNJG.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BrowssEreShoP\gj1f6Zs5KBsNJG.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BrowssEreShoP\gj1f6Zs5KBsNJG.dat

Filesize
6KB

MD5
a44132f1c0ecb53a3240c981fc6cf42f

SHA1
d3ad91676e7c7f769bc6ca65ef383e37b48d49ac

SHA256
bf80e1b03af6b4388a39cce88a523d035f832a4aba46f6f47391eadce6f8f9e2

SHA512
1ed155cbdb0b61c1041b180663ed08c1407aa376db91ac5574fc2c66b3ee56bc9f6662853d5551163c0b37da3d8c21e4f8523e5974f2180b328f57e51eea2dcb

Download Submit
C:\Program Files (x86)\BrowssEreShoP\gj1f6Zs5KBsNJG.x64.dll

Filesize
695KB

MD5
778129815857ac62bb0c123b8b428189

SHA1
df269d9de71cfde97a5f156492aaba450e671287

SHA256
c76feac6ef5e2da002411d7bf90a1bb2ae6ac1eeaa8ba26d83851d54879005eb

SHA512
204feaaa4e592e6d57f54a4bc99bcd8b5b6e214e6936230fbf5dd8608d2c7f1b2fc16495221b1e7f8c5f6a0f19a3e62900a33e7852f86b07479023fc8048d8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS99FF.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS99FF.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
95e6989052f72da3a4c3807f2700532e

SHA1
239d7ff1d2a04b570d284dad2a653b2fd8545072

SHA256
0b6658b49c81906420ba9189a7cd8b8b0f041f1438fa801b8625c85d04df009c

SHA512
666a2773da73789436255afc462c3c02812813ab3093ad4bf59dfb42f84708d03454029a2f5edf04d697b26b39f61f70c34277f4f46cb9b38b6faf21dc5fd2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS99FF.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
e5ba5cf5b1c940b026c20cadd36cd362

SHA1
52a1e072b3d574fad869d3e012e2a9a4d2368f73

SHA256
8fa81fa10b84168dcde16338f0a657dd9b775a1dae269ba157ddc98a5079a5f2

SHA512
3a1bc1de8a29687ae946f6ecf8c0b384abeefc0cb340f367b4daf291b5d876b9557866e025876ee393cba271df28b7a9a4bce2cf94ffbd9cdfed37f3f67e9a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS99FF.tmp\[email protected]\install.rdf

Filesize
601B

MD5
4975f876d8b307483e0f7133edecf114

SHA1
3014d3e095ca232bfca041f6a8c3262392f13761

SHA256
7e07e8c557d45067803225ea31279c27087e94c86b8a36c0089da0fb57da45c8

SHA512
4a1caecd6b0a9d7922366fe6afd42ee2cb8d5205e908e84a644072f9f3cb144f67d18d1acfe12c39e562500f720ef271d9b0482239de3af8c978fa50f65ffdc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS99FF.tmp\gj1f6Zs5KBsNJG.dll

Filesize
614KB

MD5
c6b13b59b5326dd95e352027a180e42f

SHA1
16e02b4d300896d0384f5deed58a301191be0b8a

SHA256
a732d4f500b4df6cec5852bc4e8c7f8c64857b7c089637aca46643ecdd9f9a9f

SHA512
c24466afe116ce22c14e0e80348eb2f7ec2498a188605afd34cf1e51ad7bb018920dda997c88063f38e12ff4a0e0e627fdc5140b66d890b0c6862f441421bf8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS99FF.tmp\gj1f6Zs5KBsNJG.tlb

Filesize
3KB

MD5
04394c6fd86d2619f9ca279c405ce4fa

SHA1
75c975f51db8219dd89825408f9748ed557a271d

SHA256
c70e8100821466642b0df8f4e5c399ec9d9428f4b4716aef32eb96c1fd5d982b

SHA512
e7fb1ebd90d6570b81d3b3c4c903356bd3f619ed5197c67a10f5a1181f41eeb0f27ad5e2b02398f00da2c21055c29d5a1dc8b9e3a98003219eac8cfd2eaa7ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS99FF.tmp\gj1f6Zs5KBsNJG.x64.dll

Filesize
695KB

MD5
778129815857ac62bb0c123b8b428189

SHA1
df269d9de71cfde97a5f156492aaba450e671287

SHA256
c76feac6ef5e2da002411d7bf90a1bb2ae6ac1eeaa8ba26d83851d54879005eb

SHA512
204feaaa4e592e6d57f54a4bc99bcd8b5b6e214e6936230fbf5dd8608d2c7f1b2fc16495221b1e7f8c5f6a0f19a3e62900a33e7852f86b07479023fc8048d8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS99FF.tmp\hpaaaehginkgeacmedbghmjcokmajggo\MoxP.js

Filesize
5KB

MD5
66eb76ba69eb688996558772cca2c41d

SHA1
c22dd5729b6e786c22cbfdb232a74f2d02dc30af

SHA256
0d78ddac3b32c173c6eb3c79f43a72fa8e32526afef7c13b20c00b80bb7acc80

SHA512
41c3d22b7c9e6765435108ed608417c384ea49c7227158928c4138eaee069c3e98169b64bb7558046563d277d4c43111efb087eadc7f6dc419d24352034cd3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS99FF.tmp\hpaaaehginkgeacmedbghmjcokmajggo\background.html

Filesize
141B

MD5
999c472fdcb69d70ef335860a32c8297

SHA1
2457cdf7fab6a13550e1bc84cba26a820aa11e25

SHA256
9d9fbdf78c3d6900969757884821983cb11f68c6a3c00308be9e5e1a9b78176a

SHA512
83a3ad1758feaf16b63f671448e0001712cff800535789a0d916dada95689b3f3c2354d9864fa814eb9c1750f6eea0aeb1b7c94a939d4c5c8210c93d115a74e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS99FF.tmp\hpaaaehginkgeacmedbghmjcokmajggo\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS99FF.tmp\hpaaaehginkgeacmedbghmjcokmajggo\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS99FF.tmp\hpaaaehginkgeacmedbghmjcokmajggo\manifest.json

Filesize
505B

MD5
fe72235cbb99f3e36acd803f951e8390

SHA1
cb13f2a0b016d937923816dd2eb0a1ed8de3f393

SHA256
bcca716b2965cc052b1c1bed4b9e0ba30382420b8035b646b22a3a4095f0c339

SHA512
f4ba85e4bc8e15aca89648ba6aa9b04bb1a12cb4aec34be69ae1c97cff81cf287003feacd17391019a04994bc371d7adc698496a3b20b99986f55d28cde71c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS99FF.tmp\puqhVQEqfsbAPjy.dat

Filesize
6KB

MD5
a44132f1c0ecb53a3240c981fc6cf42f

SHA1
d3ad91676e7c7f769bc6ca65ef383e37b48d49ac

SHA256
bf80e1b03af6b4388a39cce88a523d035f832a4aba46f6f47391eadce6f8f9e2

SHA512
1ed155cbdb0b61c1041b180663ed08c1407aa376db91ac5574fc2c66b3ee56bc9f6662853d5551163c0b37da3d8c21e4f8523e5974f2180b328f57e51eea2dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS99FF.tmp\puqhVQEqfsbAPjy.exe

Filesize
618KB

MD5
1f6c233b6bd46db7ed2e62ea5a824bf6

SHA1
d7f27647c97fc8b832463335df28fe750a4aebb2

SHA256
4548be95d5d9ea78c9cc37eba06f8c30b23da2e60392dabd2f8fb0082719475b

SHA512
af26f7ee482193a1cc4a16edba3daa9f8593cf06b70d14d043e92e2fdca86b097f8a7e93bdf97ba1c3cd760aa18a8080088d7d502bcf58ff0b83f9275c88bd9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS99FF.tmp\puqhVQEqfsbAPjy.exe

Filesize
618KB

MD5
1f6c233b6bd46db7ed2e62ea5a824bf6

SHA1
d7f27647c97fc8b832463335df28fe750a4aebb2

SHA256
4548be95d5d9ea78c9cc37eba06f8c30b23da2e60392dabd2f8fb0082719475b

SHA512
af26f7ee482193a1cc4a16edba3daa9f8593cf06b70d14d043e92e2fdca86b097f8a7e93bdf97ba1c3cd760aa18a8080088d7d502bcf58ff0b83f9275c88bd9d

Download Submit
\Program Files (x86)\BrowssEreShoP\gj1f6Zs5KBsNJG.dll

Filesize
614KB

MD5
c6b13b59b5326dd95e352027a180e42f

SHA1
16e02b4d300896d0384f5deed58a301191be0b8a

SHA256
a732d4f500b4df6cec5852bc4e8c7f8c64857b7c089637aca46643ecdd9f9a9f

SHA512
c24466afe116ce22c14e0e80348eb2f7ec2498a188605afd34cf1e51ad7bb018920dda997c88063f38e12ff4a0e0e627fdc5140b66d890b0c6862f441421bf8e

Download Submit
\Program Files (x86)\BrowssEreShoP\gj1f6Zs5KBsNJG.x64.dll

Filesize
695KB

MD5
778129815857ac62bb0c123b8b428189

SHA1
df269d9de71cfde97a5f156492aaba450e671287

SHA256
c76feac6ef5e2da002411d7bf90a1bb2ae6ac1eeaa8ba26d83851d54879005eb

SHA512
204feaaa4e592e6d57f54a4bc99bcd8b5b6e214e6936230fbf5dd8608d2c7f1b2fc16495221b1e7f8c5f6a0f19a3e62900a33e7852f86b07479023fc8048d8d7

Download Submit
\Program Files (x86)\BrowssEreShoP\gj1f6Zs5KBsNJG.x64.dll

Filesize
695KB

MD5
778129815857ac62bb0c123b8b428189

SHA1
df269d9de71cfde97a5f156492aaba450e671287

SHA256
c76feac6ef5e2da002411d7bf90a1bb2ae6ac1eeaa8ba26d83851d54879005eb

SHA512
204feaaa4e592e6d57f54a4bc99bcd8b5b6e214e6936230fbf5dd8608d2c7f1b2fc16495221b1e7f8c5f6a0f19a3e62900a33e7852f86b07479023fc8048d8d7

Download Submit
\Users\Admin\AppData\Local\Temp\7zS99FF.tmp\puqhVQEqfsbAPjy.exe

Filesize
618KB

MD5
1f6c233b6bd46db7ed2e62ea5a824bf6

SHA1
d7f27647c97fc8b832463335df28fe750a4aebb2

SHA256
4548be95d5d9ea78c9cc37eba06f8c30b23da2e60392dabd2f8fb0082719475b

SHA512
af26f7ee482193a1cc4a16edba3daa9f8593cf06b70d14d043e92e2fdca86b097f8a7e93bdf97ba1c3cd760aa18a8080088d7d502bcf58ff0b83f9275c88bd9d

Download Submit
memory/572-78-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download
memory/1360-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download