fbe38f0e1eebf9c2b571a9b195a07fe7013e9391bff722dbfb3b6568e22fd515

Analysis

max time kernel
208s
max time network
243s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbe38f0e1eebf9c2b571a9b195a07fe7013e9391bff722dbfb3b6568e22fd515.exe
Size

2.5MB
MD5

b9107a0a5cecd401db7e0a07ff8beb70
SHA1

faefd57b99aa7f518be5600e158c0d887004f148
SHA256

fbe38f0e1eebf9c2b571a9b195a07fe7013e9391bff722dbfb3b6568e22fd515
SHA512

844edce4c0ae9713a6f4d858e9483b373076f90114cfbc7feadc00acf4d15175bfdf018ccb3affa6aee52a3c796ea3b84c315048eb4655953f1f9e6fd4cc88f7
SSDEEP

49152:h1Os0PHVmVhYwiLtKkKyW4nFU0I+NP/f7I3lMOaYjdxvL0Hu:h1OLHVl71RnFXINxvJ

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

zqOCWXbdsMLcfNc.exe

pid process

3396 zqOCWXbdsMLcfNc.exe
Loads dropped DLL 3 IoCs

Processes:

zqOCWXbdsMLcfNc.exeregsvr32.exeregsvr32.exe

pid process

3396 zqOCWXbdsMLcfNc.exe
4804 regsvr32.exe
836 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3396	zqOCWXbdsMLcfNc.exe

pid	process
3396	zqOCWXbdsMLcfNc.exe
4804	regsvr32.exe
836	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

zqOCWXbdsMLcfNc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckbealaeofijljcpgpebbjbfgmcdjjgp\200\manifest.json	zqOCWXbdsMLcfNc.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckbealaeofijljcpgpebbjbfgmcdjjgp\200\manifest.json	zqOCWXbdsMLcfNc.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckbealaeofijljcpgpebbjbfgmcdjjgp\200\manifest.json	zqOCWXbdsMLcfNc.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckbealaeofijljcpgpebbjbfgmcdjjgp\200\manifest.json	zqOCWXbdsMLcfNc.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckbealaeofijljcpgpebbjbfgmcdjjgp\200\manifest.json	zqOCWXbdsMLcfNc.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exezqOCWXbdsMLcfNc.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	zqOCWXbdsMLcfNc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	zqOCWXbdsMLcfNc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	zqOCWXbdsMLcfNc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	zqOCWXbdsMLcfNc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

zqOCWXbdsMLcfNc.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Browser Shop\hES3Sg7qyta66I.dat	zqOCWXbdsMLcfNc.exe
File created	C:\Program Files (x86)\Browser Shop\hES3Sg7qyta66I.x64.dll	zqOCWXbdsMLcfNc.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\hES3Sg7qyta66I.x64.dll	zqOCWXbdsMLcfNc.exe
File created	C:\Program Files (x86)\Browser Shop\hES3Sg7qyta66I.dll	zqOCWXbdsMLcfNc.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\hES3Sg7qyta66I.dll	zqOCWXbdsMLcfNc.exe
File created	C:\Program Files (x86)\Browser Shop\hES3Sg7qyta66I.tlb	zqOCWXbdsMLcfNc.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\hES3Sg7qyta66I.tlb	zqOCWXbdsMLcfNc.exe
File created	C:\Program Files (x86)\Browser Shop\hES3Sg7qyta66I.dat	zqOCWXbdsMLcfNc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

zqOCWXbdsMLcfNc.exe

pid process

3396 zqOCWXbdsMLcfNc.exe
3396 zqOCWXbdsMLcfNc.exe

pid	process
3396	zqOCWXbdsMLcfNc.exe
3396	zqOCWXbdsMLcfNc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fbe38f0e1eebf9c2b571a9b195a07fe7013e9391bff722dbfb3b6568e22fd515.exezqOCWXbdsMLcfNc.exeregsvr32.exe

description	pid	process	target process
PID 5076 wrote to memory of 3396	5076	fbe38f0e1eebf9c2b571a9b195a07fe7013e9391bff722dbfb3b6568e22fd515.exe	zqOCWXbdsMLcfNc.exe
PID 5076 wrote to memory of 3396	5076	fbe38f0e1eebf9c2b571a9b195a07fe7013e9391bff722dbfb3b6568e22fd515.exe	zqOCWXbdsMLcfNc.exe
PID 5076 wrote to memory of 3396	5076	fbe38f0e1eebf9c2b571a9b195a07fe7013e9391bff722dbfb3b6568e22fd515.exe	zqOCWXbdsMLcfNc.exe
PID 3396 wrote to memory of 4804	3396	zqOCWXbdsMLcfNc.exe	regsvr32.exe
PID 3396 wrote to memory of 4804	3396	zqOCWXbdsMLcfNc.exe	regsvr32.exe
PID 3396 wrote to memory of 4804	3396	zqOCWXbdsMLcfNc.exe	regsvr32.exe
PID 4804 wrote to memory of 836	4804	regsvr32.exe	regsvr32.exe
PID 4804 wrote to memory of 836	4804	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\fbe38f0e1eebf9c2b571a9b195a07fe7013e9391bff722dbfb3b6568e22fd515.exe
"C:\Users\Admin\AppData\Local\Temp\fbe38f0e1eebf9c2b571a9b195a07fe7013e9391bff722dbfb3b6568e22fd515.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5076

C:\Users\Admin\AppData\Local\Temp\7zSF4D0.tmp\zqOCWXbdsMLcfNc.exe
.\zqOCWXbdsMLcfNc.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Browser Shop\hES3Sg7qyta66I.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Browser Shop\hES3Sg7qyta66I.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Browser Shop\hES3Sg7qyta66I.dat

Filesize
6KB

MD5
57abb148c9ab6194ede820677ab0510a

SHA1
1cd0d7cf661caa493772e7b9e9d29f12cc7ca2fe

SHA256
965bb96968506199f18017465671f3bea49f215a94dd6696d8b35f8246acbb06

SHA512
375c73d1a6b6b3f26ed5c77234cda2c3ca0bf3dcfd2493ba9c0f3a6f647bed6cc47a927d69dd9bd155bfb0f1a50f79d658e521d7b5b7e47685b15a473c8c7a64

Download Submit
C:\Program Files (x86)\Browser Shop\hES3Sg7qyta66I.dll

Filesize
747KB

MD5
d949da968ea04ac3a7ddf0e300bb32be

SHA1
581d7d799c538b8e9e578cf57c420fb802d5a201

SHA256
5c4756451acf8622efa75639f9131ca8215c165e2ef21cc1ab7f8fee77db462b

SHA512
fd00e332af52646425f0d4032bb1bbfc85a44ff274bcf212f1264a29be546db4c1ceab7da32c70248a6baa2c55d2dff47dcb2ac441c783a1d9d1260c4685eb7e

Download Submit
C:\Program Files (x86)\Browser Shop\hES3Sg7qyta66I.x64.dll

Filesize
885KB

MD5
1a6b1013f17c1cdc6e98f82cd2568ea8

SHA1
c96e7bdba616743a5c05b08a342d89ed102376b0

SHA256
fa9dd2bd7850053b251c9b5f27f1ac43ad04abf85de61b1928b7c2d562d3290a

SHA512
10596f46c52ca3f50d6b3c7c894fff8b41f4fe920c6e5e0138cf7e95e85bfe1db8d5f1a63939832cd48cf29f571dd36de40ebb931fb9b14a106518ae4fc17ef9

Download Submit
C:\Program Files (x86)\Browser Shop\hES3Sg7qyta66I.x64.dll

Filesize
885KB

MD5
1a6b1013f17c1cdc6e98f82cd2568ea8

SHA1
c96e7bdba616743a5c05b08a342d89ed102376b0

SHA256
fa9dd2bd7850053b251c9b5f27f1ac43ad04abf85de61b1928b7c2d562d3290a

SHA512
10596f46c52ca3f50d6b3c7c894fff8b41f4fe920c6e5e0138cf7e95e85bfe1db8d5f1a63939832cd48cf29f571dd36de40ebb931fb9b14a106518ae4fc17ef9

Download Submit
C:\Program Files (x86)\Browser Shop\hES3Sg7qyta66I.x64.dll

Filesize
885KB

MD5
1a6b1013f17c1cdc6e98f82cd2568ea8

SHA1
c96e7bdba616743a5c05b08a342d89ed102376b0

SHA256
fa9dd2bd7850053b251c9b5f27f1ac43ad04abf85de61b1928b7c2d562d3290a

SHA512
10596f46c52ca3f50d6b3c7c894fff8b41f4fe920c6e5e0138cf7e95e85bfe1db8d5f1a63939832cd48cf29f571dd36de40ebb931fb9b14a106518ae4fc17ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF4D0.tmp\ckbealaeofijljcpgpebbjbfgmcdjjgp\G.js

Filesize
5KB

MD5
d3ea4a9b37f3a741280f97aeaf0f60f3

SHA1
059fb1863135ed71132d67827bed43d36e3e59dd

SHA256
ad21329a99a18910dcfba76a1cb3f517d69b86f083c9f60adb3330424280dca1

SHA512
37c9b4ba8490d24c613a034ab4ecdb3ecacc820f23fd5faf64280c083fd32f88c7c481dd99789704cd4ee42192b4dde87d9de138750ec713c218d9fd5b6e86dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF4D0.tmp\ckbealaeofijljcpgpebbjbfgmcdjjgp\background.html

Filesize
138B

MD5
5e2b89270b88508426c98a0bef540973

SHA1
9074558ea082871ed062d8035056cade035ba80a

SHA256
e37b8a02770ac5ea399f25505f6376193e2ea9887b89104d710d077f4202c893

SHA512
5b79a0941078955b1024c8ab20e652ebb3a7e97c4a74ea5d1fe3abd0f7cc33c4b0866328810f5ef01843183f51f4fe534b9d44ab76c84d871484fdb2918ae529

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF4D0.tmp\ckbealaeofijljcpgpebbjbfgmcdjjgp\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF4D0.tmp\ckbealaeofijljcpgpebbjbfgmcdjjgp\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF4D0.tmp\ckbealaeofijljcpgpebbjbfgmcdjjgp\manifest.json

Filesize
504B

MD5
d532994175ac6e4e8fea2ae07edef6ff

SHA1
5646eab3cebc8b0a804103b63f08a63db784a77d

SHA256
f9a190f8cfafdeddfe9627366bcd108e42b7fa07c8d074f1570bd77489f39c4d

SHA512
ba6ddc11423c0b0d93de3e3ecb9eeebe29470723282165aa67de4329a5f9af7e390869a7cbd0834c1ff115a1ed0a274bed686b4b6630e98b268ec1f2a9a8dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF4D0.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF4D0.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
abfc1c52814f79594148c02f18b4da5c

SHA1
25ec972fc4b630f6ef91d166ead0eebb23531086

SHA256
36fe8ec9527b754da98cdf5e936e27c6829eb8945033310c1ec82adca53dc1b5

SHA512
70923d4acd330a705a2643e540568955eef7020a3e155e0ba57ef719ba704d304940ad7ceab83458691bf7bcee2e3a6889ae18defed2f46cb6e3010f456690cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF4D0.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
e165a19f9cb80292139669ae0eae4ba4

SHA1
c739538042db02e22a9797a2ac22142282383dbf

SHA256
f19188b7575bf59f60d03fc4ab21252ac60c4fc98a6bcd78be65b0ca65408c3a

SHA512
0c9338ac6dfea85a1b464d123ece5e02926c71059bc92f118db5b199356ac5a6d9409710bf0de9bf7f3d6e292727e40eb802b6b3b6680af26601360046447323

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF4D0.tmp\[email protected]\install.rdf

Filesize
597B

MD5
9c34891a071eac3c36ac26716055d108

SHA1
786a39bbc01485bb3a301b250a7a764f3b0397e1

SHA256
fe8e0621c3cc769d5891d013d16e99ff41a193dc01e42809b0215bab7b62d215

SHA512
61ddb853b9ab975edf744f6d79d7f70784b61e921dfe0dc70818c91b7c1e196fdcec0795c4ab77006d6f58b684a698eb023fc711b689649d00a48b3d943c0617

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF4D0.tmp\hES3Sg7qyta66I.dll

Filesize
747KB

MD5
d949da968ea04ac3a7ddf0e300bb32be

SHA1
581d7d799c538b8e9e578cf57c420fb802d5a201

SHA256
5c4756451acf8622efa75639f9131ca8215c165e2ef21cc1ab7f8fee77db462b

SHA512
fd00e332af52646425f0d4032bb1bbfc85a44ff274bcf212f1264a29be546db4c1ceab7da32c70248a6baa2c55d2dff47dcb2ac441c783a1d9d1260c4685eb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF4D0.tmp\hES3Sg7qyta66I.tlb

Filesize
3KB

MD5
5b503f1b4056c3d4fbf2d03f88e1adfe

SHA1
c8d659ea27bf0ca0bbfd46865d5796589bf9ef68

SHA256
231ef0fef77ab6c7fea053f64a9ce7f9e21646b868bfe391962262fc15c9bb6c

SHA512
229207201368d9674258389df19132070390f913aa5cc21b7567c515be5f5e0f07cdaa460d497ae355f27f00f7fc75538783d8890f6c9c0e861a7ecb8f520bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF4D0.tmp\hES3Sg7qyta66I.x64.dll

Filesize
885KB

MD5
1a6b1013f17c1cdc6e98f82cd2568ea8

SHA1
c96e7bdba616743a5c05b08a342d89ed102376b0

SHA256
fa9dd2bd7850053b251c9b5f27f1ac43ad04abf85de61b1928b7c2d562d3290a

SHA512
10596f46c52ca3f50d6b3c7c894fff8b41f4fe920c6e5e0138cf7e95e85bfe1db8d5f1a63939832cd48cf29f571dd36de40ebb931fb9b14a106518ae4fc17ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF4D0.tmp\zqOCWXbdsMLcfNc.dat

Filesize
6KB

MD5
57abb148c9ab6194ede820677ab0510a

SHA1
1cd0d7cf661caa493772e7b9e9d29f12cc7ca2fe

SHA256
965bb96968506199f18017465671f3bea49f215a94dd6696d8b35f8246acbb06

SHA512
375c73d1a6b6b3f26ed5c77234cda2c3ca0bf3dcfd2493ba9c0f3a6f647bed6cc47a927d69dd9bd155bfb0f1a50f79d658e521d7b5b7e47685b15a473c8c7a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF4D0.tmp\zqOCWXbdsMLcfNc.exe

Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF4D0.tmp\zqOCWXbdsMLcfNc.exe

Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
memory/836-152-0x0000000000000000-mapping.dmp

Download
memory/3396-132-0x0000000000000000-mapping.dmp

Download
memory/4804-149-0x0000000000000000-mapping.dmp

Download