6525152f4292d3c56a01458df6dfae11aa0b3d05b149c7b34178268fb4ea14ce

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6525152f4292d3c56a01458df6dfae11aa0b3d05b149c7b34178268fb4ea14ce.exe
Size

2.1MB
MD5

158151966700afada21df4a4bb9b4ab8
SHA1

c6637a445377b2bcda8c4d81f8ac42efae205233
SHA256

6525152f4292d3c56a01458df6dfae11aa0b3d05b149c7b34178268fb4ea14ce
SHA512

39f23b42c1e1368c6f2e709f672ec976243331a5081fbfeed5f108e202706e980da569abcecf9e49fc1b4de353ce9b011053c3a1e78341c70c1fdfb4b9fbbede
SSDEEP

24576:h1OYdaOnTwLleYkTVug2PiL0jHM8WK5z6Sh19BUfOD4XRt1otyBNvJvMXzGK5IhN:h1OsOLARTQ9PimJWtShQnvQsruW

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1160	ggEo6e9UFIldeU6.exe

Loads dropped DLL 4 IoCs

pid	Process
1112	6525152f4292d3c56a01458df6dfae11aa0b3d05b149c7b34178268fb4ea14ce.exe
1160	ggEo6e9UFIldeU6.exe
1432	regsvr32.exe
1228	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\decnbpnoeogohjiclfpckcelfnegaone\1.0\manifest.json	ggEo6e9UFIldeU6.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\decnbpnoeogohjiclfpckcelfnegaone\1.0\manifest.json	ggEo6e9UFIldeU6.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\decnbpnoeogohjiclfpckcelfnegaone\1.0\manifest.json	ggEo6e9UFIldeU6.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	ggEo6e9UFIldeU6.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	ggEo6e9UFIldeU6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	ggEo6e9UFIldeU6.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	ggEo6e9UFIldeU6.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	ggEo6e9UFIldeU6.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\YoutubeAdBlocke\xhh3pQsuqko4FE.dll	ggEo6e9UFIldeU6.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\xhh3pQsuqko4FE.dll	ggEo6e9UFIldeU6.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\xhh3pQsuqko4FE.tlb	ggEo6e9UFIldeU6.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\xhh3pQsuqko4FE.tlb	ggEo6e9UFIldeU6.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\xhh3pQsuqko4FE.dat	ggEo6e9UFIldeU6.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\xhh3pQsuqko4FE.dat	ggEo6e9UFIldeU6.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\xhh3pQsuqko4FE.x64.dll	ggEo6e9UFIldeU6.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\xhh3pQsuqko4FE.x64.dll	ggEo6e9UFIldeU6.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1160	ggEo6e9UFIldeU6.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1160	1112	6525152f4292d3c56a01458df6dfae11aa0b3d05b149c7b34178268fb4ea14ce.exe	28
PID 1112 wrote to memory of 1160	1112	6525152f4292d3c56a01458df6dfae11aa0b3d05b149c7b34178268fb4ea14ce.exe	28
PID 1112 wrote to memory of 1160	1112	6525152f4292d3c56a01458df6dfae11aa0b3d05b149c7b34178268fb4ea14ce.exe	28
PID 1112 wrote to memory of 1160	1112	6525152f4292d3c56a01458df6dfae11aa0b3d05b149c7b34178268fb4ea14ce.exe	28
PID 1160 wrote to memory of 1432	1160	ggEo6e9UFIldeU6.exe	29
PID 1160 wrote to memory of 1432	1160	ggEo6e9UFIldeU6.exe	29
PID 1160 wrote to memory of 1432	1160	ggEo6e9UFIldeU6.exe	29
PID 1160 wrote to memory of 1432	1160	ggEo6e9UFIldeU6.exe	29
PID 1160 wrote to memory of 1432	1160	ggEo6e9UFIldeU6.exe	29
PID 1160 wrote to memory of 1432	1160	ggEo6e9UFIldeU6.exe	29
PID 1160 wrote to memory of 1432	1160	ggEo6e9UFIldeU6.exe	29
PID 1432 wrote to memory of 1228	1432	regsvr32.exe	30
PID 1432 wrote to memory of 1228	1432	regsvr32.exe	30
PID 1432 wrote to memory of 1228	1432	regsvr32.exe	30
PID 1432 wrote to memory of 1228	1432	regsvr32.exe	30
PID 1432 wrote to memory of 1228	1432	regsvr32.exe	30
PID 1432 wrote to memory of 1228	1432	regsvr32.exe	30
PID 1432 wrote to memory of 1228	1432	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\6525152f4292d3c56a01458df6dfae11aa0b3d05b149c7b34178268fb4ea14ce.exe
"C:\Users\Admin\AppData\Local\Temp\6525152f4292d3c56a01458df6dfae11aa0b3d05b149c7b34178268fb4ea14ce.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\7zSEB4A.tmp\ggEo6e9UFIldeU6.exe
  .\ggEo6e9UFIldeU6.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdBlocke\xhh3pQsuqko4FE.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YoutubeAdBlocke\xhh3pQsuqko4FE.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutubeAdBlocke\xhh3pQsuqko4FE.dat

Filesize
6KB

MD5
49c73a6bc00c214d827d18eca86cc605

SHA1
c171f19880ac2c32857b1561f5215fdd9dab621b

SHA256
a20904eb1c9073308a37fcfe59bf92953365210a3ecad5d204a5b405aa87b1f7

SHA512
15af57befc8f89dd821596d8306d753ce40f1f5357214f8fb0c8c5ba46da49493f456d19081716030f45715b2a137bfb6ce175a30ae56169b97bc55c1c2e0020

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\xhh3pQsuqko4FE.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB4A.tmp\decnbpnoeogohjiclfpckcelfnegaone\background.html

Filesize
147B

MD5
6796730090f7421dccec84e989c53bd3

SHA1
1486dadeb458d096c15414bb2504f456e927fb03

SHA256
103302546161873d6085b80ccf331f1fbd3545aa29b837f68c19d06672d0beff

SHA512
e14497f88ba130dbf61f50dab655a5cf1f5938d663a84b59bc8fbee2179be2d696733695f4110977ffb5fafc853fa8da6194c10c91b7139fae3b5a11ba3957b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB4A.tmp\decnbpnoeogohjiclfpckcelfnegaone\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB4A.tmp\decnbpnoeogohjiclfpckcelfnegaone\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB4A.tmp\decnbpnoeogohjiclfpckcelfnegaone\manifest.json

Filesize
507B

MD5
d429395a45a9aa09e4ee9054e9196b30

SHA1
c5dbab4e27650b07d4d159c305d08a9d578c3a3e

SHA256
674fc32cde82ed69cb8595bbea9f70f69097062c39bd6a3a505227a4f4a45344

SHA512
4a5bc7c005e573bf0cdb89489d676fb26c5fe116d397a6cd7a1ebb2cae9605b3d1657378e17d354cb102e93c39b32fa8d2963f375af37c871452f3170356101e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB4A.tmp\decnbpnoeogohjiclfpckcelfnegaone\wl9tCfJYpT.js

Filesize
5KB

MD5
2f456b556ffef275babba63026fed997

SHA1
e099e216f748263e6ef5b9ec34b5fdd41f5d9559

SHA256
ce815ab84d79e2e75f3b158e532514093a71094d577b1bedbc3a2c263986c926

SHA512
7c7c656a85add3d96defbaa0dc7ba5e614eb64fffe6544c6e332c11cee94a76a11ca4cb2b949513447c99c49da902f17db34624a265c712a25911e2c2abe9b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB4A.tmp\ggEo6e9UFIldeU6.dat

Filesize
6KB

MD5
49c73a6bc00c214d827d18eca86cc605

SHA1
c171f19880ac2c32857b1561f5215fdd9dab621b

SHA256
a20904eb1c9073308a37fcfe59bf92953365210a3ecad5d204a5b405aa87b1f7

SHA512
15af57befc8f89dd821596d8306d753ce40f1f5357214f8fb0c8c5ba46da49493f456d19081716030f45715b2a137bfb6ce175a30ae56169b97bc55c1c2e0020

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB4A.tmp\ggEo6e9UFIldeU6.exe

Filesize
634KB

MD5
8b3b2e0c8e5f6fdefb32e82daf230175

SHA1
4ddeb5ed636661376b8e1ef41e5162387724ed44

SHA256
e7be2ab45ff78525377a8da7205bbc29f871c907ddf30879d29aa0c219f65e99

SHA512
8aeb49852cb6a1335df799e8e30b34d83303a225c1a7b2e029368246d81463d653109a4454a3f9196fa050c2a5e9ba4dc8372900c55ce989c821c954cb850038

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB4A.tmp\ggEo6e9UFIldeU6.exe

Filesize
634KB

MD5
8b3b2e0c8e5f6fdefb32e82daf230175

SHA1
4ddeb5ed636661376b8e1ef41e5162387724ed44

SHA256
e7be2ab45ff78525377a8da7205bbc29f871c907ddf30879d29aa0c219f65e99

SHA512
8aeb49852cb6a1335df799e8e30b34d83303a225c1a7b2e029368246d81463d653109a4454a3f9196fa050c2a5e9ba4dc8372900c55ce989c821c954cb850038

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB4A.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB4A.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
7b7da73be60a662968bd5e20cac4412c

SHA1
0a1c878b99cec8da367bc6153ecb0f94faad4738

SHA256
bce287f5e5af37130c8fa12240501a3d82f1d7dfa6bdb4730d28c99af8df5e94

SHA512
ce0ffb7fae07ee21dad590ccac008821187faba00ba1483b2a47f5dc332159c3064b4ce6cb24919313034cb72389c113678353a270fa9da006802da77a86e681

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB4A.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
a2de113e9995068b06497be2b64bc028

SHA1
ac75aa278c0e4ff6a814e81bda3b83d34d3e1dbc

SHA256
be3e018aa58bd9e02c29d8053e553d20614bd3d801e8de1ae9b3becd5d4ed196

SHA512
a95b2f8fef437e8502e901664c16e682e2973d7f4a0cf0dedd0abaad6cf8eb660f5e728a45a0a097f1705c2cbf24d952a3e7a9670c9c72ca09d0f50afa2eab46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB4A.tmp\[email protected]\install.rdf

Filesize
605B

MD5
358e0bc26eada4d09d3367b60d08b965

SHA1
ed992f7672e657fddd937c537a49696c28145c0f

SHA256
ddce3b165cf61bce5b50d3e25f3653f795c3d78e366324ae4fbc41c020cf6ae3

SHA512
e79e44f9180f697447906a84a8e79087d6590e4746142efa963ed19ad038b6836a22f6d080a2ba055fca33d8014d419ad2014242bd500747aa5261f9da238e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB4A.tmp\xhh3pQsuqko4FE.dll

Filesize
611KB

MD5
123fde8f1a45be2f971b36a8ae5457ef

SHA1
78f77c976bec0b388407f986e7866818512eec97

SHA256
12869f73fb78fcbb8876e10772d081890b19fd1e228dd83ca012416cf26e931e

SHA512
4ae3708e45e15a49e7ba1d338a9186ed47f41abe57727d57833a33be887043dcb950d02bc52f79ee414df0df56c3e87f213995fa222a6f0e1c659393860231d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB4A.tmp\xhh3pQsuqko4FE.tlb

Filesize
3KB

MD5
d5c4233a6c3de331b459f5f6a35ae3dd

SHA1
b5f1bf145f4e0896d7ae500abecbfaca715c18ab

SHA256
f3fca93b2a2848af13dcd30cad6305d20319d0a96f622f96753c1aebb91c885c

SHA512
4af48daa80dcd76cf45018d7edef74f35c5917457dd598f5a2071bba8875d75280326e41f3f5885d5301a596c22a3833cb062e2f4c97e0d83a01ad2644056e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB4A.tmp\xhh3pQsuqko4FE.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
\Program Files (x86)\YoutubeAdBlocke\xhh3pQsuqko4FE.dll

Filesize
611KB

MD5
123fde8f1a45be2f971b36a8ae5457ef

SHA1
78f77c976bec0b388407f986e7866818512eec97

SHA256
12869f73fb78fcbb8876e10772d081890b19fd1e228dd83ca012416cf26e931e

SHA512
4ae3708e45e15a49e7ba1d338a9186ed47f41abe57727d57833a33be887043dcb950d02bc52f79ee414df0df56c3e87f213995fa222a6f0e1c659393860231d9

Download Submit
\Program Files (x86)\YoutubeAdBlocke\xhh3pQsuqko4FE.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
\Program Files (x86)\YoutubeAdBlocke\xhh3pQsuqko4FE.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
\Users\Admin\AppData\Local\Temp\7zSEB4A.tmp\ggEo6e9UFIldeU6.exe

Filesize
634KB

MD5
8b3b2e0c8e5f6fdefb32e82daf230175

SHA1
4ddeb5ed636661376b8e1ef41e5162387724ed44

SHA256
e7be2ab45ff78525377a8da7205bbc29f871c907ddf30879d29aa0c219f65e99

SHA512
8aeb49852cb6a1335df799e8e30b34d83303a225c1a7b2e029368246d81463d653109a4454a3f9196fa050c2a5e9ba4dc8372900c55ce989c821c954cb850038

Download Submit
memory/1112-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1228-78-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

Filesize
8KB

Download