fbf78d672b6704d203472362c234fa02d61dd11537ef70c5c67bf31b146fa301

Analysis

max time kernel
337s
max time network
414s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbf78d672b6704d203472362c234fa02d61dd11537ef70c5c67bf31b146fa301.exe
Size

2.5MB
MD5

ec1435fc98c7af8eaf8924a1ff0439ea
SHA1

0cb4bf5da694d4eaddebcacfbd65ead79db5fa9b
SHA256

fbf78d672b6704d203472362c234fa02d61dd11537ef70c5c67bf31b146fa301
SHA512

a62c87db27eba06c2a539c60ad3f945105f91e2a00c71a2fe704e8893aa0a0bae50be8b35ce0a55c482fb1b9b768c111d12a4503f74fd9a0e0054968439339bb
SSDEEP

49152:h1Oss5COLX7G7GRWdmohosycWMhHnOaAxNqZ0qhgU9V:h1OTJyGRBoyLC

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

F2g5J6DWb7kCWPA.exe

pid process

2468 F2g5J6DWb7kCWPA.exe
Loads dropped DLL 3 IoCs

Processes:

F2g5J6DWb7kCWPA.exeregsvr32.exeregsvr32.exe

pid process

2468 F2g5J6DWb7kCWPA.exe
1644 regsvr32.exe
1200 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2468	F2g5J6DWb7kCWPA.exe

pid	process
2468	F2g5J6DWb7kCWPA.exe
1644	regsvr32.exe
1200	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

F2g5J6DWb7kCWPA.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pndhjhlihaenpihlhjlpgeifgchaipbe\200\manifest.json	F2g5J6DWb7kCWPA.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pndhjhlihaenpihlhjlpgeifgchaipbe\200\manifest.json	F2g5J6DWb7kCWPA.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\pndhjhlihaenpihlhjlpgeifgchaipbe\200\manifest.json	F2g5J6DWb7kCWPA.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\pndhjhlihaenpihlhjlpgeifgchaipbe\200\manifest.json	F2g5J6DWb7kCWPA.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\pndhjhlihaenpihlhjlpgeifgchaipbe\200\manifest.json	F2g5J6DWb7kCWPA.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

F2g5J6DWb7kCWPA.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	F2g5J6DWb7kCWPA.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	F2g5J6DWb7kCWPA.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	F2g5J6DWb7kCWPA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	F2g5J6DWb7kCWPA.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

F2g5J6DWb7kCWPA.exe

description	ioc	process
File created	C:\Program Files (x86)\Browser Shop\4hOYKHZKPTULEG.dll	F2g5J6DWb7kCWPA.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\4hOYKHZKPTULEG.dll	F2g5J6DWb7kCWPA.exe
File created	C:\Program Files (x86)\Browser Shop\4hOYKHZKPTULEG.tlb	F2g5J6DWb7kCWPA.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\4hOYKHZKPTULEG.tlb	F2g5J6DWb7kCWPA.exe
File created	C:\Program Files (x86)\Browser Shop\4hOYKHZKPTULEG.dat	F2g5J6DWb7kCWPA.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\4hOYKHZKPTULEG.dat	F2g5J6DWb7kCWPA.exe
File created	C:\Program Files (x86)\Browser Shop\4hOYKHZKPTULEG.x64.dll	F2g5J6DWb7kCWPA.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\4hOYKHZKPTULEG.x64.dll	F2g5J6DWb7kCWPA.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

F2g5J6DWb7kCWPA.exe

pid process

2468 F2g5J6DWb7kCWPA.exe
2468 F2g5J6DWb7kCWPA.exe

pid	process
2468	F2g5J6DWb7kCWPA.exe
2468	F2g5J6DWb7kCWPA.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fbf78d672b6704d203472362c234fa02d61dd11537ef70c5c67bf31b146fa301.exeF2g5J6DWb7kCWPA.exeregsvr32.exe

description	pid	process	target process
PID 2804 wrote to memory of 2468	2804	fbf78d672b6704d203472362c234fa02d61dd11537ef70c5c67bf31b146fa301.exe	F2g5J6DWb7kCWPA.exe
PID 2804 wrote to memory of 2468	2804	fbf78d672b6704d203472362c234fa02d61dd11537ef70c5c67bf31b146fa301.exe	F2g5J6DWb7kCWPA.exe
PID 2804 wrote to memory of 2468	2804	fbf78d672b6704d203472362c234fa02d61dd11537ef70c5c67bf31b146fa301.exe	F2g5J6DWb7kCWPA.exe
PID 2468 wrote to memory of 1644	2468	F2g5J6DWb7kCWPA.exe	regsvr32.exe
PID 2468 wrote to memory of 1644	2468	F2g5J6DWb7kCWPA.exe	regsvr32.exe
PID 2468 wrote to memory of 1644	2468	F2g5J6DWb7kCWPA.exe	regsvr32.exe
PID 1644 wrote to memory of 1200	1644	regsvr32.exe	regsvr32.exe
PID 1644 wrote to memory of 1200	1644	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\fbf78d672b6704d203472362c234fa02d61dd11537ef70c5c67bf31b146fa301.exe
"C:\Users\Admin\AppData\Local\Temp\fbf78d672b6704d203472362c234fa02d61dd11537ef70c5c67bf31b146fa301.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2804

C:\Users\Admin\AppData\Local\Temp\7zS687F.tmp\F2g5J6DWb7kCWPA.exe
.\F2g5J6DWb7kCWPA.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Browser Shop\4hOYKHZKPTULEG.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Browser Shop\4hOYKHZKPTULEG.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Browser Shop\4hOYKHZKPTULEG.dat

Filesize
6KB

MD5
a841eb6de68b4884ac3adf9b0d450529

SHA1
e6316dda47a0bc715641fd6b956818a573c08d39

SHA256
ab7c6c426cce94ca25ba5cf75ea673260255db3dc2c12e4189ed2fded4aedbac

SHA512
60d646beb87159a57bb7ee7e636d078d0c54568fe5e45a8152b578f74843033cc31cf5c6451f85d28d0473ac8ba2bde81a086fa395713c4dfcd6df4d05ec7fc1

Download Submit
C:\Program Files (x86)\Browser Shop\4hOYKHZKPTULEG.dll

Filesize
745KB

MD5
175f98785c3d6faa5b5b3e014ca0c6c4

SHA1
827e7ca85de729435c27b4dc5281ab74a8c74716

SHA256
d11cc3cd7c46548d4b5cb75e03ebc38055d625005fb76da2636d310d9c25ffb5

SHA512
8effb2b62cd5ecafcea5f25c45d9abdfaafb769b4e25a5cf8f745e0ff6c745d6334926b6ddfe37fa94623d4ec6c281bee54caffca9699521f5191baa2515aa56

Download Submit
C:\Program Files (x86)\Browser Shop\4hOYKHZKPTULEG.x64.dll

Filesize
883KB

MD5
8af28aca297e5e06910c74a9528518c3

SHA1
fd5ca0d435d8e468c83c5c5e7cdf2d157c8a9ea9

SHA256
f1e461c5d1922dac609f585c918135c3b69075953ae4cfc78ae6a8d88ba38ce2

SHA512
4cfb013f4f3cdb7d1d1f4f604446c88606a7326a532a6297a15969ecacc40eaf434fa96f183e91a670021658f52519b2a64b227a0163a220b4c561a872d666b6

Download Submit
C:\Program Files (x86)\Browser Shop\4hOYKHZKPTULEG.x64.dll

Filesize
883KB

MD5
8af28aca297e5e06910c74a9528518c3

SHA1
fd5ca0d435d8e468c83c5c5e7cdf2d157c8a9ea9

SHA256
f1e461c5d1922dac609f585c918135c3b69075953ae4cfc78ae6a8d88ba38ce2

SHA512
4cfb013f4f3cdb7d1d1f4f604446c88606a7326a532a6297a15969ecacc40eaf434fa96f183e91a670021658f52519b2a64b227a0163a220b4c561a872d666b6

Download Submit
C:\Program Files (x86)\Browser Shop\4hOYKHZKPTULEG.x64.dll

Filesize
883KB

MD5
8af28aca297e5e06910c74a9528518c3

SHA1
fd5ca0d435d8e468c83c5c5e7cdf2d157c8a9ea9

SHA256
f1e461c5d1922dac609f585c918135c3b69075953ae4cfc78ae6a8d88ba38ce2

SHA512
4cfb013f4f3cdb7d1d1f4f604446c88606a7326a532a6297a15969ecacc40eaf434fa96f183e91a670021658f52519b2a64b227a0163a220b4c561a872d666b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS687F.tmp\4hOYKHZKPTULEG.dll

Filesize
745KB

MD5
175f98785c3d6faa5b5b3e014ca0c6c4

SHA1
827e7ca85de729435c27b4dc5281ab74a8c74716

SHA256
d11cc3cd7c46548d4b5cb75e03ebc38055d625005fb76da2636d310d9c25ffb5

SHA512
8effb2b62cd5ecafcea5f25c45d9abdfaafb769b4e25a5cf8f745e0ff6c745d6334926b6ddfe37fa94623d4ec6c281bee54caffca9699521f5191baa2515aa56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS687F.tmp\4hOYKHZKPTULEG.tlb

Filesize
3KB

MD5
aa1b86f094611e50009eac733d790223

SHA1
c80cfc36e2cf4cc4f916b2e5b51c2e393e036ec3

SHA256
1d549089596b20ee3aafa5b5b5b560577da81ded6e96d1cbb115fecb2006b95a

SHA512
eaaeca4c9e1d245e1c4ee6b1541f8663cc09896ae44a2167bb3c7389bce246ea2905af0a80ba4cb25d9cafaeb4b1edabb048e9075d1603367b2bc0e9475faa8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS687F.tmp\4hOYKHZKPTULEG.x64.dll

Filesize
883KB

MD5
8af28aca297e5e06910c74a9528518c3

SHA1
fd5ca0d435d8e468c83c5c5e7cdf2d157c8a9ea9

SHA256
f1e461c5d1922dac609f585c918135c3b69075953ae4cfc78ae6a8d88ba38ce2

SHA512
4cfb013f4f3cdb7d1d1f4f604446c88606a7326a532a6297a15969ecacc40eaf434fa96f183e91a670021658f52519b2a64b227a0163a220b4c561a872d666b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS687F.tmp\F2g5J6DWb7kCWPA.dat

Filesize
6KB

MD5
a841eb6de68b4884ac3adf9b0d450529

SHA1
e6316dda47a0bc715641fd6b956818a573c08d39

SHA256
ab7c6c426cce94ca25ba5cf75ea673260255db3dc2c12e4189ed2fded4aedbac

SHA512
60d646beb87159a57bb7ee7e636d078d0c54568fe5e45a8152b578f74843033cc31cf5c6451f85d28d0473ac8ba2bde81a086fa395713c4dfcd6df4d05ec7fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS687F.tmp\F2g5J6DWb7kCWPA.exe

Filesize
770KB

MD5
acfc58daed4c2caa7fa430c1b7e427a0

SHA1
e4ddeeaa697b3ca2df9d8a02636a69d3dd8faac3

SHA256
aaf57b2088806da2c5aa507a6673aa1a4f445e25ee10ed8621dcf3821c935906

SHA512
e10efb743a4a7b3270a23ac0ec13c6b34c65d359f7998ffcbfa6c03186c49fc6f57b83e0f8fc31f9953b8fd3a924680a212833b75c2dd3b63a4f6be26a2a69e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS687F.tmp\F2g5J6DWb7kCWPA.exe

Filesize
770KB

MD5
acfc58daed4c2caa7fa430c1b7e427a0

SHA1
e4ddeeaa697b3ca2df9d8a02636a69d3dd8faac3

SHA256
aaf57b2088806da2c5aa507a6673aa1a4f445e25ee10ed8621dcf3821c935906

SHA512
e10efb743a4a7b3270a23ac0ec13c6b34c65d359f7998ffcbfa6c03186c49fc6f57b83e0f8fc31f9953b8fd3a924680a212833b75c2dd3b63a4f6be26a2a69e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS687F.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS687F.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
5c729f8b9690b0bb3d2bc80c0f81bc7b

SHA1
0737a69644ad2068a02a5c8fc244e1889a147358

SHA256
b58cd2ab7d217c2f3df12c504cc9cd2276b9b1899a012604435436e6b2735396

SHA512
6947e08cb32eb76703e8c26c82efd37037402b2a3a65e54c0c72ad2d0b0aae97b574ccf458345879bc89857aef4de165ab0cf617ac3d2afdc11af127e9d9a6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS687F.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
05cb28121ffcc9ab9dd42f533378d1b8

SHA1
1fbca5f6af86290ac8a895ed793e9ac3c17dac9b

SHA256
54d152aa3c567dba9214db2d59899e02614a6f4218144562a0804104e8e73d2f

SHA512
f22c591a9b3ad9c9a11988fde67b5d620f6d5eccd349cccdb8db2b054639a572902ba50c0dc700ff6ef6c7729578bb4269b36d5a39ca34862bf75c7a41dbf9c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS687F.tmp\[email protected]\install.rdf

Filesize
601B

MD5
78db42f5832f917cd901683af72c22ce

SHA1
1a278728607bbbb7b7417860178c37756ecce13e

SHA256
d768b411e5bf537cc08d99d8b8a147f6a109135344f73c0a25d4dbf2c2d82f86

SHA512
fd362546cc5f9c15a98178c4ed731d3dec779cca4b3c6ba56a1491dceb8455c2ea116b59554efe24c1b7947390b12bec869e61a2366b72bcd4d2d2e848e24ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS687F.tmp\pndhjhlihaenpihlhjlpgeifgchaipbe\background.html

Filesize
147B

MD5
84cf3cbf6e496e985db70c01cc44af0b

SHA1
1fe7bfc0ab9281ac779f16150ed15f3d11344140

SHA256
dda9e7d55bd6be208ec6947f087dc6036d1e6bf1cdf5a712ac34666e333bd42c

SHA512
f3d090984306bc49580598685ab7a2c8cb92ee06ff6b950751f9d4a5e2fe0a00b2d42361eda615c6672c6019478e22cf24bf59cac561ac04a119c67a57e9fc05

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS687F.tmp\pndhjhlihaenpihlhjlpgeifgchaipbe\c2DVwzjP61.js

Filesize
5KB

MD5
7bb90e0e5005eb5557386767872367e2

SHA1
11d99c919c11d0409db90fa79d56d0c8050126ce

SHA256
b4257e1307b268c7ffc8688d75735d508983a4969058b6bf48287587daa52604

SHA512
98712de2319c0e6530ac55b3f26a890b69c8ab0f972aff0de93d4ad9386709ef611c03d1d462331452bd8d7542a614316821bb4b9bc7ad09fd339d7c278b1647

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS687F.tmp\pndhjhlihaenpihlhjlpgeifgchaipbe\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS687F.tmp\pndhjhlihaenpihlhjlpgeifgchaipbe\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS687F.tmp\pndhjhlihaenpihlhjlpgeifgchaipbe\manifest.json

Filesize
504B

MD5
d532994175ac6e4e8fea2ae07edef6ff

SHA1
5646eab3cebc8b0a804103b63f08a63db784a77d

SHA256
f9a190f8cfafdeddfe9627366bcd108e42b7fa07c8d074f1570bd77489f39c4d

SHA512
ba6ddc11423c0b0d93de3e3ecb9eeebe29470723282165aa67de4329a5f9af7e390869a7cbd0834c1ff115a1ed0a274bed686b4b6630e98b268ec1f2a9a8dadb

Download Submit
memory/1200-152-0x0000000000000000-mapping.dmp

Download
memory/1644-149-0x0000000000000000-mapping.dmp

Download
memory/2468-132-0x0000000000000000-mapping.dmp

Download