308022c3ae8ea4b657a2653fb78c78463be8469f11f51d025dfb46eb5b5948f8

Analysis

max time kernel
189s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

308022c3ae8ea4b657a2653fb78c78463be8469f11f51d025dfb46eb5b5948f8.exe
Size

2.5MB
MD5

8578ec41b7a61802d75a1ab8d4e2126f
SHA1

7511ad07ea4dcf17fe4dbafa596648b3d6ebe9c6
SHA256

308022c3ae8ea4b657a2653fb78c78463be8469f11f51d025dfb46eb5b5948f8
SHA512

c0bb19ac45938785ec3d3aa7a33bda9213c8e8bcfe50046df2bdeb0bf69e1e4263d0fe9437292bff2ef8e2a18e107620c9b96d1a6354d20417b18ccc5e6f9fa0
SSDEEP

49152:h1OsncOjmUBy4DKODLdzOg+rMy4pzypFSO+Ef++hLsL2czY5:h1OEcOtWOarMIf+b2

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

yDiKw9pHHDr7yMC.exe

pid process

4720 yDiKw9pHHDr7yMC.exe
Loads dropped DLL 3 IoCs

Processes:

yDiKw9pHHDr7yMC.exeregsvr32.exeregsvr32.exe

pid process

4720 yDiKw9pHHDr7yMC.exe
1388 regsvr32.exe
2768 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4720	yDiKw9pHHDr7yMC.exe

pid	process
4720	yDiKw9pHHDr7yMC.exe
1388	regsvr32.exe
2768	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

yDiKw9pHHDr7yMC.exe

description	ioc	process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfmckgaiphaekgiheaipcanhfonooflc\1.0\manifest.json	yDiKw9pHHDr7yMC.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfmckgaiphaekgiheaipcanhfonooflc\1.0\manifest.json	yDiKw9pHHDr7yMC.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfmckgaiphaekgiheaipcanhfonooflc\1.0\manifest.json	yDiKw9pHHDr7yMC.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfmckgaiphaekgiheaipcanhfonooflc\1.0\manifest.json	yDiKw9pHHDr7yMC.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfmckgaiphaekgiheaipcanhfonooflc\1.0\manifest.json	yDiKw9pHHDr7yMC.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exeyDiKw9pHHDr7yMC.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	yDiKw9pHHDr7yMC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	yDiKw9pHHDr7yMC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	yDiKw9pHHDr7yMC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	yDiKw9pHHDr7yMC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

yDiKw9pHHDr7yMC.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\MCalVfG186yRSn.tlb	yDiKw9pHHDr7yMC.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\MCalVfG186yRSn.dat	yDiKw9pHHDr7yMC.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\MCalVfG186yRSn.dat	yDiKw9pHHDr7yMC.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\MCalVfG186yRSn.x64.dll	yDiKw9pHHDr7yMC.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\MCalVfG186yRSn.x64.dll	yDiKw9pHHDr7yMC.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\MCalVfG186yRSn.dll	yDiKw9pHHDr7yMC.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\MCalVfG186yRSn.dll	yDiKw9pHHDr7yMC.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\MCalVfG186yRSn.tlb	yDiKw9pHHDr7yMC.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

yDiKw9pHHDr7yMC.exe

pid process

4720 yDiKw9pHHDr7yMC.exe
4720 yDiKw9pHHDr7yMC.exe

pid	process
4720	yDiKw9pHHDr7yMC.exe
4720	yDiKw9pHHDr7yMC.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

308022c3ae8ea4b657a2653fb78c78463be8469f11f51d025dfb46eb5b5948f8.exeyDiKw9pHHDr7yMC.exeregsvr32.exe

description	pid	process	target process
PID 4776 wrote to memory of 4720	4776	308022c3ae8ea4b657a2653fb78c78463be8469f11f51d025dfb46eb5b5948f8.exe	yDiKw9pHHDr7yMC.exe
PID 4776 wrote to memory of 4720	4776	308022c3ae8ea4b657a2653fb78c78463be8469f11f51d025dfb46eb5b5948f8.exe	yDiKw9pHHDr7yMC.exe
PID 4776 wrote to memory of 4720	4776	308022c3ae8ea4b657a2653fb78c78463be8469f11f51d025dfb46eb5b5948f8.exe	yDiKw9pHHDr7yMC.exe
PID 4720 wrote to memory of 1388	4720	yDiKw9pHHDr7yMC.exe	regsvr32.exe
PID 4720 wrote to memory of 1388	4720	yDiKw9pHHDr7yMC.exe	regsvr32.exe
PID 4720 wrote to memory of 1388	4720	yDiKw9pHHDr7yMC.exe	regsvr32.exe
PID 1388 wrote to memory of 2768	1388	regsvr32.exe	regsvr32.exe
PID 1388 wrote to memory of 2768	1388	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\308022c3ae8ea4b657a2653fb78c78463be8469f11f51d025dfb46eb5b5948f8.exe
"C:\Users\Admin\AppData\Local\Temp\308022c3ae8ea4b657a2653fb78c78463be8469f11f51d025dfb46eb5b5948f8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4776

C:\Users\Admin\AppData\Local\Temp\7zS27CB.tmp\yDiKw9pHHDr7yMC.exe
.\yDiKw9pHHDr7yMC.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdBlocke\MCalVfG186yRSn.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\YoutubeAdBlocke\MCalVfG186yRSn.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:2768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutubeAdBlocke\MCalVfG186yRSn.dat
Filesize
6KB

MD5
1a594832b1c74a8b5cf14d5b1467a6d1

SHA1
c579291782d0ff3ca35a523fe4d0281bec0f0f67

SHA256
78217080dd660c142a1ed9550d86d5e22316a008518257084ce61b36cff9c057

SHA512
334d6f1b2249d10b90e900b3a8a2320ed4776a52da3a7311d9aecd00a181b7e5aeacc4bdb0252defa0a80984c175226dc6542f18ec3328fc775d6732943c5734

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\MCalVfG186yRSn.dll
Filesize
753KB

MD5
df941296b71b459efe55faa3a9f2b1a7

SHA1
9811274bfbf9a676b017b6cdabe9f389414091a6

SHA256
767019bd8a954c2814b9792e98126e91fcb69864bcdc4fe277b8055c61a92e46

SHA512
c689ba8cdee741d1da7018e3d65e280a889183a9e0da42e3d6567fc78cafea18e284db36a8b08bce6011fa7b6167d018cc248105423befab637dcdf93676e0c3

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\MCalVfG186yRSn.x64.dll
Filesize
882KB

MD5
833133f185e388790109849a89d7ef9f

SHA1
84aa2c4ac8218d859f5887a1d5c14e4f53a198f9

SHA256
5be7627e3c9d3851f0c254191e663bad6ea8e64d7e28d212d7c2ac44bb700765

SHA512
8b8c344a94cf9f82c606b798786ad30933a501dee84be5e71769d3a4e92f172227dd7f577467e82bba55a870887c38c101aa91fbfa8515d38aea256da9f9b78f

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\MCalVfG186yRSn.x64.dll
Filesize
882KB

MD5
833133f185e388790109849a89d7ef9f

SHA1
84aa2c4ac8218d859f5887a1d5c14e4f53a198f9

SHA256
5be7627e3c9d3851f0c254191e663bad6ea8e64d7e28d212d7c2ac44bb700765

SHA512
8b8c344a94cf9f82c606b798786ad30933a501dee84be5e71769d3a4e92f172227dd7f577467e82bba55a870887c38c101aa91fbfa8515d38aea256da9f9b78f

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\MCalVfG186yRSn.x64.dll
Filesize
882KB

MD5
833133f185e388790109849a89d7ef9f

SHA1
84aa2c4ac8218d859f5887a1d5c14e4f53a198f9

SHA256
5be7627e3c9d3851f0c254191e663bad6ea8e64d7e28d212d7c2ac44bb700765

SHA512
8b8c344a94cf9f82c606b798786ad30933a501dee84be5e71769d3a4e92f172227dd7f577467e82bba55a870887c38c101aa91fbfa8515d38aea256da9f9b78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27CB.tmp\MCalVfG186yRSn.dll
Filesize
753KB

MD5
df941296b71b459efe55faa3a9f2b1a7

SHA1
9811274bfbf9a676b017b6cdabe9f389414091a6

SHA256
767019bd8a954c2814b9792e98126e91fcb69864bcdc4fe277b8055c61a92e46

SHA512
c689ba8cdee741d1da7018e3d65e280a889183a9e0da42e3d6567fc78cafea18e284db36a8b08bce6011fa7b6167d018cc248105423befab637dcdf93676e0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27CB.tmp\MCalVfG186yRSn.tlb
Filesize
3KB

MD5
c4756334ad2b2d78a17cc5772fd53e7c

SHA1
319ca69878f2d22adc1834f8dc5ba2dc7bc0b843

SHA256
3d3e9444d07abaf39ae06c4ab74c8567b581caedfd0a02e77daf4f864a4b7f98

SHA512
6c11a3de33c9bc5ec9587bd2df92d91ecdd1613b385dade6c231c179841478b8078a942a82d7c548f0d4e04cf64fc1363c16d3538fcc04c1bfe54e531991e29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27CB.tmp\MCalVfG186yRSn.x64.dll
Filesize
882KB

MD5
833133f185e388790109849a89d7ef9f

SHA1
84aa2c4ac8218d859f5887a1d5c14e4f53a198f9

SHA256
5be7627e3c9d3851f0c254191e663bad6ea8e64d7e28d212d7c2ac44bb700765

SHA512
8b8c344a94cf9f82c606b798786ad30933a501dee84be5e71769d3a4e92f172227dd7f577467e82bba55a870887c38c101aa91fbfa8515d38aea256da9f9b78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27CB.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27CB.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
67d4e5745a57ae42784ed5d4af43f725

SHA1
db98c6bc57b92e8d08de3d8d93e4294f06dcf32e

SHA256
d32efd7608a6790a5f77ae0c79151a93cb4634ba78fe523d0a1f117fd2626c50

SHA512
b851fa060901bd16eec08bacbbd3eb2b4b874d9deb4c251c2c0c115e3a99ef77f2d4f357ca70a57f21b9bfcf46f200b1f5e8007a87336a0bae5e4f2a10280cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27CB.tmp\[email protected]\content\bg.js
Filesize
7KB

MD5
5e6f21307fe020bdfed34d7dc76cef6f

SHA1
583b600fd6f6757b130c3e369eb834f6493d40bc

SHA256
762deb73150f7087eadd57dca9df9243931824c44d3223580c6681996f6677e0

SHA512
de296a2ed2c1982de534dd31171826c592d61f7e15bc9b4e7553444a7accfe35eb2a07c1743f0dcd985630963857cd5fca3bfa5ac95af407da21213b484501fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27CB.tmp\[email protected]\install.rdf
Filesize
607B

MD5
ef27fe70089e7d2636dfdf50ea7b3266

SHA1
8fa701cd4cd9e2b4bf6e1622cb86a1f3970ff4b8

SHA256
4d7b5fe7712fd18804dc8be82e413bd851444119d9a4430f434d55d4ed6ea1ab

SHA512
ae61c4590c7fdbe1e60d9a7bfdef89dde5b49cb9bc54bfaf983cf7b2cf70b981e827f5b04ebdf9ebba51ef3232e2e6ea7b43875283743ddf5b560d06ebb06363

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27CB.tmp\cfmckgaiphaekgiheaipcanhfonooflc\OC1t0J.js
Filesize
5KB

MD5
2366e195bb8b6a898326584791a5ea8e

SHA1
16107164e80e68bb5386b5435bf087ede62d80de

SHA256
40e031a093973fad9d9ad553a3ce9ae1c4a64c5df0b1cf94c15abc8ec9303a9b

SHA512
ada5858468da829a493ccfc2e19b0e6b40d2e8bc749dbe7f2d8c8cd5cabab5f8c5b8af05172dee3db69a1ea93d391baf0d6973c3de4104155c8d27362cf7b9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27CB.tmp\cfmckgaiphaekgiheaipcanhfonooflc\background.html
Filesize
143B

MD5
65785b5a10c9de8a82dd33d79fc38305

SHA1
54cfdea9a65605f8a2379e62a5fa9ddc02c819e5

SHA256
d68772eb258beb86fc31f4450f7fac0b54818c1a8907c3847dde0e4b755779b3

SHA512
67ca5f30a109f4e93e222377f769393d970114e4ecdecb2892aa116b6dc5e7a5cd49638cdba8b55bb0ae7405467eef2c5f75d749775040de547a07e53cb28738

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27CB.tmp\cfmckgaiphaekgiheaipcanhfonooflc\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27CB.tmp\cfmckgaiphaekgiheaipcanhfonooflc\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27CB.tmp\cfmckgaiphaekgiheaipcanhfonooflc\manifest.json
Filesize
507B

MD5
d429395a45a9aa09e4ee9054e9196b30

SHA1
c5dbab4e27650b07d4d159c305d08a9d578c3a3e

SHA256
674fc32cde82ed69cb8595bbea9f70f69097062c39bd6a3a505227a4f4a45344

SHA512
4a5bc7c005e573bf0cdb89489d676fb26c5fe116d397a6cd7a1ebb2cae9605b3d1657378e17d354cb102e93c39b32fa8d2963f375af37c871452f3170356101e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27CB.tmp\yDiKw9pHHDr7yMC.dat
Filesize
6KB

MD5
1a594832b1c74a8b5cf14d5b1467a6d1

SHA1
c579291782d0ff3ca35a523fe4d0281bec0f0f67

SHA256
78217080dd660c142a1ed9550d86d5e22316a008518257084ce61b36cff9c057

SHA512
334d6f1b2249d10b90e900b3a8a2320ed4776a52da3a7311d9aecd00a181b7e5aeacc4bdb0252defa0a80984c175226dc6542f18ec3328fc775d6732943c5734

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27CB.tmp\yDiKw9pHHDr7yMC.exe
Filesize
772KB

MD5
7b366160f6f76bef394dd0a3d79d2370

SHA1
2ab5c55559a57ee05cd29fa20ab14049753a6144

SHA256
0a50fcbc476dfa24a1af95345764ac6eaeda1e075c33d4054c5ba7fc1c780a7e

SHA512
e373d43ea40380d189937a00af958c6e14d4f251ecf9a40a9a9f5dcb051008a3a741ac4c8b5640530e31c2b2fd4d7b4aaef71623d92da6077bfba84419164180

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27CB.tmp\yDiKw9pHHDr7yMC.exe
Filesize
772KB

MD5
7b366160f6f76bef394dd0a3d79d2370

SHA1
2ab5c55559a57ee05cd29fa20ab14049753a6144

SHA256
0a50fcbc476dfa24a1af95345764ac6eaeda1e075c33d4054c5ba7fc1c780a7e

SHA512
e373d43ea40380d189937a00af958c6e14d4f251ecf9a40a9a9f5dcb051008a3a741ac4c8b5640530e31c2b2fd4d7b4aaef71623d92da6077bfba84419164180

Download Submit
memory/1388-149-0x0000000000000000-mapping.dmp

Download
memory/2768-152-0x0000000000000000-mapping.dmp

Download
memory/4720-132-0x0000000000000000-mapping.dmp

Download