3f289595f959aa4e6777d396e92fa54d96ec6798ce08e1109f341af6fdf2c5ef

Analysis

max time kernel
243s
max time network
335s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 10:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f289595f959aa4e6777d396e92fa54d96ec6798ce08e1109f341af6fdf2c5ef.exe
Size

2.1MB
MD5

671fa92d62a3fdf49a5cf60b4a0962f7
SHA1

a833930d68e98dde2c97ffd5185eb6f2dfc92311
SHA256

3f289595f959aa4e6777d396e92fa54d96ec6798ce08e1109f341af6fdf2c5ef
SHA512

c06f790163dbc6aa6f92d00c871a37d952b533ae9930675a1b592133954153d6d2eb27c64b5e8576801b266781c29ee19d886f42fbf74757cd39dfdfc616364c
SSDEEP

24576:h1OYdaOPTwLleYkTVug2PiL0jHM8WK5z6Sh19BUfOD4XRt1otyBNvJvMXzGK5Ihv:h1Os6LARTQ9PimJWtShQnvQsrum

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1940	I4IxSCSsGfgZdlz.exe

Loads dropped DLL 4 IoCs

pid	Process
564	3f289595f959aa4e6777d396e92fa54d96ec6798ce08e1109f341af6fdf2c5ef.exe
1940	I4IxSCSsGfgZdlz.exe
1224	regsvr32.exe
1904	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\gplmajpnigedgiphbinhfbchedfmkgcn\200\manifest.json	I4IxSCSsGfgZdlz.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\gplmajpnigedgiphbinhfbchedfmkgcn\200\manifest.json	I4IxSCSsGfgZdlz.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gplmajpnigedgiphbinhfbchedfmkgcn\200\manifest.json	I4IxSCSsGfgZdlz.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	I4IxSCSsGfgZdlz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	I4IxSCSsGfgZdlz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	I4IxSCSsGfgZdlz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	I4IxSCSsGfgZdlz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	I4IxSCSsGfgZdlz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Browser Shop\gqAZX42Trqi5ER.x64.dll	I4IxSCSsGfgZdlz.exe
File created	C:\Program Files (x86)\Browser Shop\gqAZX42Trqi5ER.dll	I4IxSCSsGfgZdlz.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\gqAZX42Trqi5ER.dll	I4IxSCSsGfgZdlz.exe
File created	C:\Program Files (x86)\Browser Shop\gqAZX42Trqi5ER.tlb	I4IxSCSsGfgZdlz.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\gqAZX42Trqi5ER.tlb	I4IxSCSsGfgZdlz.exe
File created	C:\Program Files (x86)\Browser Shop\gqAZX42Trqi5ER.dat	I4IxSCSsGfgZdlz.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\gqAZX42Trqi5ER.dat	I4IxSCSsGfgZdlz.exe
File created	C:\Program Files (x86)\Browser Shop\gqAZX42Trqi5ER.x64.dll	I4IxSCSsGfgZdlz.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1940	I4IxSCSsGfgZdlz.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 1940	564	3f289595f959aa4e6777d396e92fa54d96ec6798ce08e1109f341af6fdf2c5ef.exe	28
PID 564 wrote to memory of 1940	564	3f289595f959aa4e6777d396e92fa54d96ec6798ce08e1109f341af6fdf2c5ef.exe	28
PID 564 wrote to memory of 1940	564	3f289595f959aa4e6777d396e92fa54d96ec6798ce08e1109f341af6fdf2c5ef.exe	28
PID 564 wrote to memory of 1940	564	3f289595f959aa4e6777d396e92fa54d96ec6798ce08e1109f341af6fdf2c5ef.exe	28
PID 1940 wrote to memory of 1224	1940	I4IxSCSsGfgZdlz.exe	29
PID 1940 wrote to memory of 1224	1940	I4IxSCSsGfgZdlz.exe	29
PID 1940 wrote to memory of 1224	1940	I4IxSCSsGfgZdlz.exe	29
PID 1940 wrote to memory of 1224	1940	I4IxSCSsGfgZdlz.exe	29
PID 1940 wrote to memory of 1224	1940	I4IxSCSsGfgZdlz.exe	29
PID 1940 wrote to memory of 1224	1940	I4IxSCSsGfgZdlz.exe	29
PID 1940 wrote to memory of 1224	1940	I4IxSCSsGfgZdlz.exe	29
PID 1224 wrote to memory of 1904	1224	regsvr32.exe	30
PID 1224 wrote to memory of 1904	1224	regsvr32.exe	30
PID 1224 wrote to memory of 1904	1224	regsvr32.exe	30
PID 1224 wrote to memory of 1904	1224	regsvr32.exe	30
PID 1224 wrote to memory of 1904	1224	regsvr32.exe	30
PID 1224 wrote to memory of 1904	1224	regsvr32.exe	30
PID 1224 wrote to memory of 1904	1224	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\3f289595f959aa4e6777d396e92fa54d96ec6798ce08e1109f341af6fdf2c5ef.exe
"C:\Users\Admin\AppData\Local\Temp\3f289595f959aa4e6777d396e92fa54d96ec6798ce08e1109f341af6fdf2c5ef.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564
- C:\Users\Admin\AppData\Local\Temp\7zS27AD.tmp\I4IxSCSsGfgZdlz.exe
  .\I4IxSCSsGfgZdlz.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Browser Shop\gqAZX42Trqi5ER.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Browser Shop\gqAZX42Trqi5ER.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Browser Shop\gqAZX42Trqi5ER.dat

Filesize
6KB

MD5
2774142341e76a1428ef8c232857a470

SHA1
3994ce34d8f424acbf5061e4133953f29613b6c6

SHA256
494cfa58fbd66ee6debb3e56a3d4a18bda53bad20aed10f621380b4979013549

SHA512
2210d64ce9b29eb940d92c64959b3c424999659a21a8a14190655594074b6c63ca2698581ed9be2facc0e54032838e094cfc421b92db091d4fee5f48053e074b

Download Submit
C:\Program Files (x86)\Browser Shop\gqAZX42Trqi5ER.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27AD.tmp\I4IxSCSsGfgZdlz.dat

Filesize
6KB

MD5
2774142341e76a1428ef8c232857a470

SHA1
3994ce34d8f424acbf5061e4133953f29613b6c6

SHA256
494cfa58fbd66ee6debb3e56a3d4a18bda53bad20aed10f621380b4979013549

SHA512
2210d64ce9b29eb940d92c64959b3c424999659a21a8a14190655594074b6c63ca2698581ed9be2facc0e54032838e094cfc421b92db091d4fee5f48053e074b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27AD.tmp\I4IxSCSsGfgZdlz.exe

Filesize
634KB

MD5
8b3b2e0c8e5f6fdefb32e82daf230175

SHA1
4ddeb5ed636661376b8e1ef41e5162387724ed44

SHA256
e7be2ab45ff78525377a8da7205bbc29f871c907ddf30879d29aa0c219f65e99

SHA512
8aeb49852cb6a1335df799e8e30b34d83303a225c1a7b2e029368246d81463d653109a4454a3f9196fa050c2a5e9ba4dc8372900c55ce989c821c954cb850038

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27AD.tmp\I4IxSCSsGfgZdlz.exe

Filesize
634KB

MD5
8b3b2e0c8e5f6fdefb32e82daf230175

SHA1
4ddeb5ed636661376b8e1ef41e5162387724ed44

SHA256
e7be2ab45ff78525377a8da7205bbc29f871c907ddf30879d29aa0c219f65e99

SHA512
8aeb49852cb6a1335df799e8e30b34d83303a225c1a7b2e029368246d81463d653109a4454a3f9196fa050c2a5e9ba4dc8372900c55ce989c821c954cb850038

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27AD.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27AD.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
c354ef2e3fda83f1d6d52aaea37d356d

SHA1
d9b1b308bc668eac9ff06ba3fe3b42742e95417c

SHA256
9a01ba2fe46f7c776ef12760d173152663d809404a7aa43995a23350a76f1ef1

SHA512
a74baa841b555673e3527186be40f3c04083ed3bd27aa194f137be1a955e537f9229efba9b855e4b679cb65b1954a72d3d3d0275cf013316fa488d093870d6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27AD.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
5bd7f31b5011d64eef5c04af6396b57f

SHA1
9b258f7565ee95c1db077afa37f6507a27d9ed07

SHA256
fa6efc1b6c839fdad7e659ba3b529815be60a7f4778197e62d08fb12c7b4622d

SHA512
f27dcff55fb9d19315811d2e65b5459374d827b205eae866be0a27486c2061401d7e987befff94677d0440327aacaa34500690ff7f89f9fdc1f1dd7986671b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27AD.tmp\[email protected]\install.rdf

Filesize
601B

MD5
8fcb0b7f6bec5b5a527aa29b00b5c600

SHA1
51838f64a5f88cbddc854acc226c8fbe0b77ac0e

SHA256
8a5d407b0f6cf865fc64ebd0274c26ffa31a92d143eff8958caaaa01c1835198

SHA512
347b2b15917fdb0416e32e537d8d9eaeac8393000670c88cfbfa520689d8a7255672081af54256bb912588d6fd0481b9d7684c7fa8c8b74ae07a7d07fe6e9167

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27AD.tmp\gplmajpnigedgiphbinhfbchedfmkgcn\background.html

Filesize
142B

MD5
7a58a6aea25148cbdeba610a13b72ebb

SHA1
6ddd0b4a8bd89e29497776cdf99e26f8343f092e

SHA256
e5c859e0e154af21f051ae6a19621623e68153e3dcdcacc44e149532ea4cab4f

SHA512
e0fd7806ed85edb238544d5bb476b482984cda95dcd7157f55d7b485e911098108875dbe0a0f23a7a3fa2968cc8c585b46223b19bb28301e66fb92c7fd1d6c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27AD.tmp\gplmajpnigedgiphbinhfbchedfmkgcn\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27AD.tmp\gplmajpnigedgiphbinhfbchedfmkgcn\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27AD.tmp\gplmajpnigedgiphbinhfbchedfmkgcn\manifest.json

Filesize
504B

MD5
d532994175ac6e4e8fea2ae07edef6ff

SHA1
5646eab3cebc8b0a804103b63f08a63db784a77d

SHA256
f9a190f8cfafdeddfe9627366bcd108e42b7fa07c8d074f1570bd77489f39c4d

SHA512
ba6ddc11423c0b0d93de3e3ecb9eeebe29470723282165aa67de4329a5f9af7e390869a7cbd0834c1ff115a1ed0a274bed686b4b6630e98b268ec1f2a9a8dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27AD.tmp\gplmajpnigedgiphbinhfbchedfmkgcn\rIx04.js

Filesize
5KB

MD5
f2729fbcb71d9c4d1d677e8e4064eebd

SHA1
883293e9fc022a8e98a2006ec18ca65b730adfd7

SHA256
e576df7e731dd6846700a07f3c168f7d690a6912d7d840ed8ae4ec4736aa4756

SHA512
5d07fad6cab491c336d6ee339672561ccef12d6457a4d6405cbb25ef96e500bc3fa3e3ac0754ea365c187ad4d973d82601b0e5e811a6f9e62b7f1c77c9405c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27AD.tmp\gqAZX42Trqi5ER.dll

Filesize
611KB

MD5
123fde8f1a45be2f971b36a8ae5457ef

SHA1
78f77c976bec0b388407f986e7866818512eec97

SHA256
12869f73fb78fcbb8876e10772d081890b19fd1e228dd83ca012416cf26e931e

SHA512
4ae3708e45e15a49e7ba1d338a9186ed47f41abe57727d57833a33be887043dcb950d02bc52f79ee414df0df56c3e87f213995fa222a6f0e1c659393860231d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27AD.tmp\gqAZX42Trqi5ER.tlb

Filesize
3KB

MD5
d5c4233a6c3de331b459f5f6a35ae3dd

SHA1
b5f1bf145f4e0896d7ae500abecbfaca715c18ab

SHA256
f3fca93b2a2848af13dcd30cad6305d20319d0a96f622f96753c1aebb91c885c

SHA512
4af48daa80dcd76cf45018d7edef74f35c5917457dd598f5a2071bba8875d75280326e41f3f5885d5301a596c22a3833cb062e2f4c97e0d83a01ad2644056e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27AD.tmp\gqAZX42Trqi5ER.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
\Program Files (x86)\Browser Shop\gqAZX42Trqi5ER.dll

Filesize
611KB

MD5
123fde8f1a45be2f971b36a8ae5457ef

SHA1
78f77c976bec0b388407f986e7866818512eec97

SHA256
12869f73fb78fcbb8876e10772d081890b19fd1e228dd83ca012416cf26e931e

SHA512
4ae3708e45e15a49e7ba1d338a9186ed47f41abe57727d57833a33be887043dcb950d02bc52f79ee414df0df56c3e87f213995fa222a6f0e1c659393860231d9

Download Submit
\Program Files (x86)\Browser Shop\gqAZX42Trqi5ER.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
\Program Files (x86)\Browser Shop\gqAZX42Trqi5ER.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS27AD.tmp\I4IxSCSsGfgZdlz.exe

Filesize
634KB

MD5
8b3b2e0c8e5f6fdefb32e82daf230175

SHA1
4ddeb5ed636661376b8e1ef41e5162387724ed44

SHA256
e7be2ab45ff78525377a8da7205bbc29f871c907ddf30879d29aa0c219f65e99

SHA512
8aeb49852cb6a1335df799e8e30b34d83303a225c1a7b2e029368246d81463d653109a4454a3f9196fa050c2a5e9ba4dc8372900c55ce989c821c954cb850038

Download Submit
memory/564-54-0x0000000076D71000-0x0000000076D73000-memory.dmp

Filesize
8KB

Download
memory/1904-78-0x000007FEFC461000-0x000007FEFC463000-memory.dmp

Filesize
8KB

Download