73e64c797e233b5bb1cf7e08f752353fb5587b9cf86e5cb8636682634e8a7bcc

Analysis

max time kernel
140s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73e64c797e233b5bb1cf7e08f752353fb5587b9cf86e5cb8636682634e8a7bcc.exe
Size

2.1MB
MD5

c12eba950fccf72a28d86ff94735380a
SHA1

64a0a3b28d542b998e59902183c511f3785cec69
SHA256

73e64c797e233b5bb1cf7e08f752353fb5587b9cf86e5cb8636682634e8a7bcc
SHA512

75d4a5cb2acec5ced951f206cb181c711d9c711d74610a3b7b3e110ce970419d84dfbe17f40da6f9078aca1b1056ec5e3d6be26000c64880cea3dfc1c5a27d5e
SSDEEP

49152:h1Osul9RJLu6vcW6hGkaVR7QSiN/tObJmZcqYUuRTe:h1O5rVOhGRkSixtKDo

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1668	oy7aBd2VsmpAe4o.exe

Loads dropped DLL 3 IoCs

pid	Process
1668	oy7aBd2VsmpAe4o.exe
3336	regsvr32.exe
3864	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgmjaiegeojebhdoknjpiclhbbdmpnmg\1.0\manifest.json	oy7aBd2VsmpAe4o.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgmjaiegeojebhdoknjpiclhbbdmpnmg\1.0\manifest.json	oy7aBd2VsmpAe4o.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgmjaiegeojebhdoknjpiclhbbdmpnmg\1.0\manifest.json	oy7aBd2VsmpAe4o.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgmjaiegeojebhdoknjpiclhbbdmpnmg\1.0\manifest.json	oy7aBd2VsmpAe4o.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgmjaiegeojebhdoknjpiclhbbdmpnmg\1.0\manifest.json	oy7aBd2VsmpAe4o.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	oy7aBd2VsmpAe4o.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	oy7aBd2VsmpAe4o.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	oy7aBd2VsmpAe4o.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	oy7aBd2VsmpAe4o.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\YoutubeAdBlocke\Pc9Lh2OElaDCwJ.tlb	oy7aBd2VsmpAe4o.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\Pc9Lh2OElaDCwJ.tlb	oy7aBd2VsmpAe4o.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\Pc9Lh2OElaDCwJ.dat	oy7aBd2VsmpAe4o.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\Pc9Lh2OElaDCwJ.dat	oy7aBd2VsmpAe4o.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\Pc9Lh2OElaDCwJ.x64.dll	oy7aBd2VsmpAe4o.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\Pc9Lh2OElaDCwJ.x64.dll	oy7aBd2VsmpAe4o.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\Pc9Lh2OElaDCwJ.dll	oy7aBd2VsmpAe4o.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\Pc9Lh2OElaDCwJ.dll	oy7aBd2VsmpAe4o.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1668	oy7aBd2VsmpAe4o.exe
1668	oy7aBd2VsmpAe4o.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 1668	1276	73e64c797e233b5bb1cf7e08f752353fb5587b9cf86e5cb8636682634e8a7bcc.exe	82
PID 1276 wrote to memory of 1668	1276	73e64c797e233b5bb1cf7e08f752353fb5587b9cf86e5cb8636682634e8a7bcc.exe	82
PID 1276 wrote to memory of 1668	1276	73e64c797e233b5bb1cf7e08f752353fb5587b9cf86e5cb8636682634e8a7bcc.exe	82
PID 1668 wrote to memory of 3336	1668	oy7aBd2VsmpAe4o.exe	87
PID 1668 wrote to memory of 3336	1668	oy7aBd2VsmpAe4o.exe	87
PID 1668 wrote to memory of 3336	1668	oy7aBd2VsmpAe4o.exe	87
PID 3336 wrote to memory of 3864	3336	regsvr32.exe	88
PID 3336 wrote to memory of 3864	3336	regsvr32.exe	88

C:\Users\Admin\AppData\Local\Temp\73e64c797e233b5bb1cf7e08f752353fb5587b9cf86e5cb8636682634e8a7bcc.exe
"C:\Users\Admin\AppData\Local\Temp\73e64c797e233b5bb1cf7e08f752353fb5587b9cf86e5cb8636682634e8a7bcc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\7zS4A28.tmp\oy7aBd2VsmpAe4o.exe
  .\oy7aBd2VsmpAe4o.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdBlocke\Pc9Lh2OElaDCwJ.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YoutubeAdBlocke\Pc9Lh2OElaDCwJ.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:3864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutubeAdBlocke\Pc9Lh2OElaDCwJ.dat

Filesize
6KB

MD5
b57888afab38173db65be78251d2197c

SHA1
444c0dd0b3455527ab594205d26d61e4295db284

SHA256
6fdf5120249a207c8a109b42bf27405e17010d8e92c31fea2743cb6f6494aa6d

SHA512
0e753b25a28b2b3a0352cb2a71a6fd4023c5fa41d854f2e957020b6e72148d4182884ab8d1297e402eeaff80cf5ef613e7104049908991d443bc272cc01ac4f1

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\Pc9Lh2OElaDCwJ.dll

Filesize
621KB

MD5
021d6ecac6ffca37cd098212eb99c22e

SHA1
e662d4f6bcee66df291ee638349bd75d5468e834

SHA256
f9f805536f4f45348b36aa4d60ed1b9869c5fe36acea58c25064dbcdb1a0ee50

SHA512
8fd459ead2ab976a17588f1e5e6c39ffab032d98a1903c1f70ae89dc273eca0a49662f582b6da9e394298ed4f11b7abad50bb51229f77ff2c95502672359572f

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\Pc9Lh2OElaDCwJ.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\Pc9Lh2OElaDCwJ.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\Pc9Lh2OElaDCwJ.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A28.tmp\Pc9Lh2OElaDCwJ.dll

Filesize
621KB

MD5
021d6ecac6ffca37cd098212eb99c22e

SHA1
e662d4f6bcee66df291ee638349bd75d5468e834

SHA256
f9f805536f4f45348b36aa4d60ed1b9869c5fe36acea58c25064dbcdb1a0ee50

SHA512
8fd459ead2ab976a17588f1e5e6c39ffab032d98a1903c1f70ae89dc273eca0a49662f582b6da9e394298ed4f11b7abad50bb51229f77ff2c95502672359572f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A28.tmp\Pc9Lh2OElaDCwJ.tlb

Filesize
3KB

MD5
38dcedc06ce882652b73038799f369c1

SHA1
09985c74e62920963791808be0765222d2a517d3

SHA256
37996a9f383f824002a73026332578b823bacad0a736f2f4c25401f6e2da307c

SHA512
78b7ab8fc102a0f874d24bb40e7b399befe3eb8788c08b059487770dd83a390daf0011c34d6cd29dd78e3436bfd6587fff2f50bde0c3bed49e6ffe27ef0b4c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A28.tmp\Pc9Lh2OElaDCwJ.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A28.tmp\lgmjaiegeojebhdoknjpiclhbbdmpnmg\DaicIn.js

Filesize
5KB

MD5
87c68f290bf739f05bfc6bdeecf2a391

SHA1
70c23050b41dcce9691c06d8ffdbc21fd2a29652

SHA256
ba03f88a59f0a3835842eb06028db015cd86dd203f275f427cec854a03c7687f

SHA512
b15bac8a7f11ac46f4b10683790b79265ec7c760528e31ff97f9c74e7186e1b380b5e2f7ce03e6ec376c2e6ff3146ebdec0847f395bf7d7c1f4cb87e01d06da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A28.tmp\lgmjaiegeojebhdoknjpiclhbbdmpnmg\background.html

Filesize
143B

MD5
dc901991b3f5dc4bd84b7025588b10d4

SHA1
5a4d8ef8446df43d2bbb21ad509c2f5aa2fd3a2b

SHA256
10a625caeb757c21f670766a75c7eeb67c9b16386d89bfaa47c88b84d82910a0

SHA512
ef4b8ceea0225f40c4fcf2d2218d7adf3e1baebb303351f0e1bc5859f82f005ffa081b307d8144401197ecca13608a0bffbf9be6ed035b4bb5326d698b00f9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A28.tmp\lgmjaiegeojebhdoknjpiclhbbdmpnmg\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A28.tmp\lgmjaiegeojebhdoknjpiclhbbdmpnmg\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A28.tmp\lgmjaiegeojebhdoknjpiclhbbdmpnmg\manifest.json

Filesize
507B

MD5
d429395a45a9aa09e4ee9054e9196b30

SHA1
c5dbab4e27650b07d4d159c305d08a9d578c3a3e

SHA256
674fc32cde82ed69cb8595bbea9f70f69097062c39bd6a3a505227a4f4a45344

SHA512
4a5bc7c005e573bf0cdb89489d676fb26c5fe116d397a6cd7a1ebb2cae9605b3d1657378e17d354cb102e93c39b32fa8d2963f375af37c871452f3170356101e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A28.tmp\oy7aBd2VsmpAe4o.dat

Filesize
6KB

MD5
b57888afab38173db65be78251d2197c

SHA1
444c0dd0b3455527ab594205d26d61e4295db284

SHA256
6fdf5120249a207c8a109b42bf27405e17010d8e92c31fea2743cb6f6494aa6d

SHA512
0e753b25a28b2b3a0352cb2a71a6fd4023c5fa41d854f2e957020b6e72148d4182884ab8d1297e402eeaff80cf5ef613e7104049908991d443bc272cc01ac4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A28.tmp\oy7aBd2VsmpAe4o.exe

Filesize
622KB

MD5
80fb7c6cb182b769448bd45c28fcc963

SHA1
454ad8e9ee2267c72222e7f8a902b2c19cfab01d

SHA256
9abc0a4bba0b42851bed08efb7c1643105b9f256e8ac53ae21d8d7269f9948b3

SHA512
224e8954fcb850ab2570005aa9ba82e643a65e0efaba70ac29b045ec9aba9d11414a211c7e87a8ba96eba1bd872d7541bc0d32890a87b20c814d573cfcfb0f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A28.tmp\oy7aBd2VsmpAe4o.exe

Filesize
622KB

MD5
80fb7c6cb182b769448bd45c28fcc963

SHA1
454ad8e9ee2267c72222e7f8a902b2c19cfab01d

SHA256
9abc0a4bba0b42851bed08efb7c1643105b9f256e8ac53ae21d8d7269f9948b3

SHA512
224e8954fcb850ab2570005aa9ba82e643a65e0efaba70ac29b045ec9aba9d11414a211c7e87a8ba96eba1bd872d7541bc0d32890a87b20c814d573cfcfb0f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A28.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A28.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
f893323f0df41cde0e0506304e6886bf

SHA1
98783c262a531614205383901f4a69ab881fd4fc

SHA256
eb15c9b9dc4fc4a4b503fcd1e21dc546f6d9da62ac730b97fe35df68d09de378

SHA512
be4ffb82b455f7b38bf07cfbeeeae979a882d7868ce92a478c188b4977279687c0c21da7ccd2455ef021f84345b909b41dd55119d3d2991290e88b71564364b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A28.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
ecde65aa762e5c2d362009103a060135

SHA1
bdc114bc6071c86ef04c5f1906bef419cb64e13b

SHA256
15a284b19eb95f9d65dd7463fb69f36149be6b59ef3beee5b3b9622dfa98ef15

SHA512
e6f1544590c1063c7877e2a5157b3457244786541a7671f1e08a28914af3473cf161ce1f84aa72affe46cf6216ca7d5d4039e80e871964184e85e59aa07e962e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4A28.tmp\[email protected]\install.rdf

Filesize
602B

MD5
a715fd9ab5cf7f83a3d5390103c7355a

SHA1
228acf28e7353f033a99287e585781da99aacfdd

SHA256
100408dc19ad4e1a9471cb5b2f27a97fdf79cc7c028b5bd6aeb855910d3b4dca

SHA512
9eb45302e51fd64b742d6ec8b6b6373089ef0a6b5ae2f53e99f92f4b3ba882cbb43b5ffb096323108d03fabca040f6484a43b1c9034e24e748322d6295026a76

Download Submit