53de07afdcffcc8da21378dcf6160e377058b2ed801adcf6e468245f7319c0d0

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53de07afdcffcc8da21378dcf6160e377058b2ed801adcf6e468245f7319c0d0.exe
Size

2.1MB
MD5

9d90e2187eedc21ee8413c0a2543f664
SHA1

0bc41478c636703c78607b777f2d124069ae4baa
SHA256

53de07afdcffcc8da21378dcf6160e377058b2ed801adcf6e468245f7319c0d0
SHA512

2e084cc29a0d89c1ab98bd533e16e63e9598377968f63a6a5f3bc6d6208acac4ebdfa5c4d8f3422e65d1f5d2353e889d1f74dd60805cb1c334cada92db372565
SSDEEP

49152:h1Os8l9RJLu6vcW6hGkaVR7QSiN/tObJmZcqYUuRTN:h1O7rVOhGRkSixtKDT

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

8I1DuQmE2Gcgp6I.exe

pid process

1812 8I1DuQmE2Gcgp6I.exe
Loads dropped DLL 3 IoCs

Processes:

8I1DuQmE2Gcgp6I.exeregsvr32.exeregsvr32.exe

pid process

1812 8I1DuQmE2Gcgp6I.exe
4080 regsvr32.exe
4236 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1812	8I1DuQmE2Gcgp6I.exe

pid	process
1812	8I1DuQmE2Gcgp6I.exe
4080	regsvr32.exe
4236	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

8I1DuQmE2Gcgp6I.exe

description	ioc	process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\gncjgckhkbhmhlccolnabmghnngigpfo\200\manifest.json	8I1DuQmE2Gcgp6I.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\gncjgckhkbhmhlccolnabmghnngigpfo\200\manifest.json	8I1DuQmE2Gcgp6I.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\gncjgckhkbhmhlccolnabmghnngigpfo\200\manifest.json	8I1DuQmE2Gcgp6I.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\gncjgckhkbhmhlccolnabmghnngigpfo\200\manifest.json	8I1DuQmE2Gcgp6I.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gncjgckhkbhmhlccolnabmghnngigpfo\200\manifest.json	8I1DuQmE2Gcgp6I.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe8I1DuQmE2Gcgp6I.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	8I1DuQmE2Gcgp6I.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	8I1DuQmE2Gcgp6I.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	8I1DuQmE2Gcgp6I.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	8I1DuQmE2Gcgp6I.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

8I1DuQmE2Gcgp6I.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Browser Shop\pKynPN7IfCr9KR.dll	8I1DuQmE2Gcgp6I.exe
File created	C:\Program Files (x86)\Browser Shop\pKynPN7IfCr9KR.tlb	8I1DuQmE2Gcgp6I.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\pKynPN7IfCr9KR.tlb	8I1DuQmE2Gcgp6I.exe
File created	C:\Program Files (x86)\Browser Shop\pKynPN7IfCr9KR.dat	8I1DuQmE2Gcgp6I.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\pKynPN7IfCr9KR.dat	8I1DuQmE2Gcgp6I.exe
File created	C:\Program Files (x86)\Browser Shop\pKynPN7IfCr9KR.x64.dll	8I1DuQmE2Gcgp6I.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\pKynPN7IfCr9KR.x64.dll	8I1DuQmE2Gcgp6I.exe
File created	C:\Program Files (x86)\Browser Shop\pKynPN7IfCr9KR.dll	8I1DuQmE2Gcgp6I.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8I1DuQmE2Gcgp6I.exe

pid process

1812 8I1DuQmE2Gcgp6I.exe
1812 8I1DuQmE2Gcgp6I.exe

pid	process
1812	8I1DuQmE2Gcgp6I.exe
1812	8I1DuQmE2Gcgp6I.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

53de07afdcffcc8da21378dcf6160e377058b2ed801adcf6e468245f7319c0d0.exe8I1DuQmE2Gcgp6I.exeregsvr32.exe

description	pid	process	target process
PID 3252 wrote to memory of 1812	3252	53de07afdcffcc8da21378dcf6160e377058b2ed801adcf6e468245f7319c0d0.exe	8I1DuQmE2Gcgp6I.exe
PID 3252 wrote to memory of 1812	3252	53de07afdcffcc8da21378dcf6160e377058b2ed801adcf6e468245f7319c0d0.exe	8I1DuQmE2Gcgp6I.exe
PID 3252 wrote to memory of 1812	3252	53de07afdcffcc8da21378dcf6160e377058b2ed801adcf6e468245f7319c0d0.exe	8I1DuQmE2Gcgp6I.exe
PID 1812 wrote to memory of 4080	1812	8I1DuQmE2Gcgp6I.exe	regsvr32.exe
PID 1812 wrote to memory of 4080	1812	8I1DuQmE2Gcgp6I.exe	regsvr32.exe
PID 1812 wrote to memory of 4080	1812	8I1DuQmE2Gcgp6I.exe	regsvr32.exe
PID 4080 wrote to memory of 4236	4080	regsvr32.exe	regsvr32.exe
PID 4080 wrote to memory of 4236	4080	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\53de07afdcffcc8da21378dcf6160e377058b2ed801adcf6e468245f7319c0d0.exe
"C:\Users\Admin\AppData\Local\Temp\53de07afdcffcc8da21378dcf6160e377058b2ed801adcf6e468245f7319c0d0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3252

C:\Users\Admin\AppData\Local\Temp\7zSE95B.tmp\8I1DuQmE2Gcgp6I.exe
.\8I1DuQmE2Gcgp6I.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Browser Shop\pKynPN7IfCr9KR.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Browser Shop\pKynPN7IfCr9KR.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:4236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Browser Shop\pKynPN7IfCr9KR.dat

Filesize
6KB

MD5
ec21d533f49972dd8f351e7f5bda8262

SHA1
2153ac2724ea16021550a6936a05d6144d605c03

SHA256
68db8a6745ef9ccea55f8483229c7a15f2eb217e72c5556c91326d82abf95f3f

SHA512
e0b095c68491724112b01037573d3908ca9331e0ad51b93537e2cb11f1ce21b9935d3ded6a027cdda100d0d61889f304341993afbe9ab1ca608b6951a110df4f

Download Submit
C:\Program Files (x86)\Browser Shop\pKynPN7IfCr9KR.dll

Filesize
621KB

MD5
021d6ecac6ffca37cd098212eb99c22e

SHA1
e662d4f6bcee66df291ee638349bd75d5468e834

SHA256
f9f805536f4f45348b36aa4d60ed1b9869c5fe36acea58c25064dbcdb1a0ee50

SHA512
8fd459ead2ab976a17588f1e5e6c39ffab032d98a1903c1f70ae89dc273eca0a49662f582b6da9e394298ed4f11b7abad50bb51229f77ff2c95502672359572f

Download Submit
C:\Program Files (x86)\Browser Shop\pKynPN7IfCr9KR.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
C:\Program Files (x86)\Browser Shop\pKynPN7IfCr9KR.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
C:\Program Files (x86)\Browser Shop\pKynPN7IfCr9KR.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE95B.tmp\8I1DuQmE2Gcgp6I.dat

Filesize
6KB

MD5
ec21d533f49972dd8f351e7f5bda8262

SHA1
2153ac2724ea16021550a6936a05d6144d605c03

SHA256
68db8a6745ef9ccea55f8483229c7a15f2eb217e72c5556c91326d82abf95f3f

SHA512
e0b095c68491724112b01037573d3908ca9331e0ad51b93537e2cb11f1ce21b9935d3ded6a027cdda100d0d61889f304341993afbe9ab1ca608b6951a110df4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE95B.tmp\8I1DuQmE2Gcgp6I.exe

Filesize
622KB

MD5
80fb7c6cb182b769448bd45c28fcc963

SHA1
454ad8e9ee2267c72222e7f8a902b2c19cfab01d

SHA256
9abc0a4bba0b42851bed08efb7c1643105b9f256e8ac53ae21d8d7269f9948b3

SHA512
224e8954fcb850ab2570005aa9ba82e643a65e0efaba70ac29b045ec9aba9d11414a211c7e87a8ba96eba1bd872d7541bc0d32890a87b20c814d573cfcfb0f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE95B.tmp\8I1DuQmE2Gcgp6I.exe

Filesize
622KB

MD5
80fb7c6cb182b769448bd45c28fcc963

SHA1
454ad8e9ee2267c72222e7f8a902b2c19cfab01d

SHA256
9abc0a4bba0b42851bed08efb7c1643105b9f256e8ac53ae21d8d7269f9948b3

SHA512
224e8954fcb850ab2570005aa9ba82e643a65e0efaba70ac29b045ec9aba9d11414a211c7e87a8ba96eba1bd872d7541bc0d32890a87b20c814d573cfcfb0f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE95B.tmp\gncjgckhkbhmhlccolnabmghnngigpfo\Q3dOjOrXWw.js

Filesize
5KB

MD5
2a5e12ea14d6f41aa3be50d672fd0d09

SHA1
33129058bba9069fe1937bf97712cd5f30b92d8e

SHA256
18457697f9999144ade60477925d4af9be50c215d384dbd6cb7a0c3d1d494341

SHA512
c5659b0c7ab49e06d45a66d773c249580bd146a4fd0f405a3939baa1c295825d2c9046fb018ec981ff9840e0c191f741ebf0005583521a3ce22085f0028243e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE95B.tmp\gncjgckhkbhmhlccolnabmghnngigpfo\background.html

Filesize
147B

MD5
6adb262e439ef812400d7d19cdd38e0a

SHA1
1b9898e69034aecc270b8d05b8df3a132b36593e

SHA256
4c95cae36bba01db10fe54ceb8f0382258e9dc4303a03fda9f76407fa9ae8c76

SHA512
f896ecb633cb7d97ebea32f678620d160f5a443cfbbccf0e86ec5f853f1e05c81123fb6f3575c9da2aeff0aeddd805fd863bbfc5b1f7f292be5d18a20fc17821

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE95B.tmp\gncjgckhkbhmhlccolnabmghnngigpfo\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE95B.tmp\gncjgckhkbhmhlccolnabmghnngigpfo\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE95B.tmp\gncjgckhkbhmhlccolnabmghnngigpfo\manifest.json

Filesize
504B

MD5
d532994175ac6e4e8fea2ae07edef6ff

SHA1
5646eab3cebc8b0a804103b63f08a63db784a77d

SHA256
f9a190f8cfafdeddfe9627366bcd108e42b7fa07c8d074f1570bd77489f39c4d

SHA512
ba6ddc11423c0b0d93de3e3ecb9eeebe29470723282165aa67de4329a5f9af7e390869a7cbd0834c1ff115a1ed0a274bed686b4b6630e98b268ec1f2a9a8dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE95B.tmp\pKynPN7IfCr9KR.dll

Filesize
621KB

MD5
021d6ecac6ffca37cd098212eb99c22e

SHA1
e662d4f6bcee66df291ee638349bd75d5468e834

SHA256
f9f805536f4f45348b36aa4d60ed1b9869c5fe36acea58c25064dbcdb1a0ee50

SHA512
8fd459ead2ab976a17588f1e5e6c39ffab032d98a1903c1f70ae89dc273eca0a49662f582b6da9e394298ed4f11b7abad50bb51229f77ff2c95502672359572f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE95B.tmp\pKynPN7IfCr9KR.tlb

Filesize
3KB

MD5
38dcedc06ce882652b73038799f369c1

SHA1
09985c74e62920963791808be0765222d2a517d3

SHA256
37996a9f383f824002a73026332578b823bacad0a736f2f4c25401f6e2da307c

SHA512
78b7ab8fc102a0f874d24bb40e7b399befe3eb8788c08b059487770dd83a390daf0011c34d6cd29dd78e3436bfd6587fff2f50bde0c3bed49e6ffe27ef0b4c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE95B.tmp\pKynPN7IfCr9KR.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE95B.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE95B.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
2bcf2469a9c08a57747d303cee5f0c95

SHA1
a728ef1116172b4123e0a59d6a236e4b6d441441

SHA256
caa8736ce4c2c1f70924cb6d901fd52f5e00a79eea7f56193c9078e5044e123f

SHA512
5fc334865e48c0805571e23545632d750aaffb9bf106943b72952025cb0cce3f262cead1227956bc0595e6b2e29901f09aa4ac02a34ebb02ca13cf064ccf50ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE95B.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
86f85aed31d6c560ffe743324c16c414

SHA1
15d65653fc5e2a98bc7add7a49e8a0290de28669

SHA256
c88af9e8adc88bb591a9e2bcdc6c6459f102a6cb42755be4a979889f09c6f76f

SHA512
e173c661d8e752aa9586550179da97367fc01e80bb152779d40ca5e21763fc52e80e57601a9a5c529466d756a063a74e7bae97b5eac208362367cc36f7ce75e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE95B.tmp\[email protected]\install.rdf

Filesize
601B

MD5
6f3aecb3dad581cb98df80d64531eb85

SHA1
6356738c7863300098b2cc38bf37bcf26c56c772

SHA256
e55c0f5b9bf9877c85e104453c06f957a11cc2d6a3d857349613365bc32293c8

SHA512
d9c35e0467268be07121fb160a29f2aabbbfabfed69d6ae2ec2d4cedbbf95044b9af4197f4950ce8afb160aab75cd7b6031789ff9194231dcd152a32f777c9cf

Download Submit
memory/1812-132-0x0000000000000000-mapping.dmp

Download
memory/4080-149-0x0000000000000000-mapping.dmp

Download
memory/4236-152-0x0000000000000000-mapping.dmp

Download