c9e7ea8e59b6493279b9749b1dd2c9c850ad41f4f364d51a2c31ae7127f5944e

Analysis

max time kernel
162s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9e7ea8e59b6493279b9749b1dd2c9c850ad41f4f364d51a2c31ae7127f5944e.exe
Size

2.5MB
MD5

5b2575b8762141ae1a16f7b1247b1c84
SHA1

122d9d06ab90305157a5673c9d785d62ad28987b
SHA256

c9e7ea8e59b6493279b9749b1dd2c9c850ad41f4f364d51a2c31ae7127f5944e
SHA512

fa052b99568c49ee22725379424f0dfb282d6580ef3aceac6b489db302e073f9eabca64262508053bf455e4bf60d058778c94ce7cff885820073f9c3cb51ffb3
SSDEEP

49152:h1OsIsNQH0eNGTTOxTnkSM1XN+QMz3p6bOkAk+YetEW6FOCMwEFhjzdUwk:h1OHH0eNGunkt3+1z3p6iVCj

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ORn9H3ntEwMIUdn.exe

pid process

4828 ORn9H3ntEwMIUdn.exe
Loads dropped DLL 3 IoCs

Processes:

ORn9H3ntEwMIUdn.exeregsvr32.exeregsvr32.exe

pid process

4828 ORn9H3ntEwMIUdn.exe
3844 regsvr32.exe
4964 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4828	ORn9H3ntEwMIUdn.exe

pid	process
4828	ORn9H3ntEwMIUdn.exe
3844	regsvr32.exe
4964	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

ORn9H3ntEwMIUdn.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjgblaippfpkenaadbdhgpkkdffmmaem\200\manifest.json	ORn9H3ntEwMIUdn.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjgblaippfpkenaadbdhgpkkdffmmaem\200\manifest.json	ORn9H3ntEwMIUdn.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjgblaippfpkenaadbdhgpkkdffmmaem\200\manifest.json	ORn9H3ntEwMIUdn.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjgblaippfpkenaadbdhgpkkdffmmaem\200\manifest.json	ORn9H3ntEwMIUdn.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjgblaippfpkenaadbdhgpkkdffmmaem\200\manifest.json	ORn9H3ntEwMIUdn.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exeORn9H3ntEwMIUdn.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	ORn9H3ntEwMIUdn.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	ORn9H3ntEwMIUdn.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	ORn9H3ntEwMIUdn.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	ORn9H3ntEwMIUdn.exe

Drops file in Program Files directory 8 IoCs

Processes:

ORn9H3ntEwMIUdn.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Browser Shop\qcAKCS8bPY7Vnm.dat	ORn9H3ntEwMIUdn.exe
File created	C:\Program Files (x86)\Browser Shop\qcAKCS8bPY7Vnm.x64.dll	ORn9H3ntEwMIUdn.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\qcAKCS8bPY7Vnm.x64.dll	ORn9H3ntEwMIUdn.exe
File created	C:\Program Files (x86)\Browser Shop\qcAKCS8bPY7Vnm.dll	ORn9H3ntEwMIUdn.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\qcAKCS8bPY7Vnm.dll	ORn9H3ntEwMIUdn.exe
File created	C:\Program Files (x86)\Browser Shop\qcAKCS8bPY7Vnm.tlb	ORn9H3ntEwMIUdn.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\qcAKCS8bPY7Vnm.tlb	ORn9H3ntEwMIUdn.exe
File created	C:\Program Files (x86)\Browser Shop\qcAKCS8bPY7Vnm.dat	ORn9H3ntEwMIUdn.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ORn9H3ntEwMIUdn.exe

pid process

4828 ORn9H3ntEwMIUdn.exe
4828 ORn9H3ntEwMIUdn.exe

pid	process
4828	ORn9H3ntEwMIUdn.exe
4828	ORn9H3ntEwMIUdn.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c9e7ea8e59b6493279b9749b1dd2c9c850ad41f4f364d51a2c31ae7127f5944e.exeORn9H3ntEwMIUdn.exeregsvr32.exe

description	pid	process	target process
PID 3596 wrote to memory of 4828	3596	c9e7ea8e59b6493279b9749b1dd2c9c850ad41f4f364d51a2c31ae7127f5944e.exe	ORn9H3ntEwMIUdn.exe
PID 3596 wrote to memory of 4828	3596	c9e7ea8e59b6493279b9749b1dd2c9c850ad41f4f364d51a2c31ae7127f5944e.exe	ORn9H3ntEwMIUdn.exe
PID 3596 wrote to memory of 4828	3596	c9e7ea8e59b6493279b9749b1dd2c9c850ad41f4f364d51a2c31ae7127f5944e.exe	ORn9H3ntEwMIUdn.exe
PID 4828 wrote to memory of 3844	4828	ORn9H3ntEwMIUdn.exe	regsvr32.exe
PID 4828 wrote to memory of 3844	4828	ORn9H3ntEwMIUdn.exe	regsvr32.exe
PID 4828 wrote to memory of 3844	4828	ORn9H3ntEwMIUdn.exe	regsvr32.exe
PID 3844 wrote to memory of 4964	3844	regsvr32.exe	regsvr32.exe
PID 3844 wrote to memory of 4964	3844	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\c9e7ea8e59b6493279b9749b1dd2c9c850ad41f4f364d51a2c31ae7127f5944e.exe
"C:\Users\Admin\AppData\Local\Temp\c9e7ea8e59b6493279b9749b1dd2c9c850ad41f4f364d51a2c31ae7127f5944e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3596

C:\Users\Admin\AppData\Local\Temp\7zS4C2C.tmp\ORn9H3ntEwMIUdn.exe
.\ORn9H3ntEwMIUdn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Browser Shop\qcAKCS8bPY7Vnm.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Browser Shop\qcAKCS8bPY7Vnm.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:4964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Browser Shop\qcAKCS8bPY7Vnm.dat
Filesize
6KB

MD5
8ab7db7a50c9caf704921d1a185d8c76

SHA1
ce3e360c7943951f4c0311a717fa1b866a75cb59

SHA256
02f32fe22047884064a3fcd578dc924ce887452a67cb5402c222928117d76205

SHA512
bbdd3b34458cedde56a7d2b3eb5cfe0a14b373a1874a69d43b7398956743a19fba2163c2e167a4495d3b22aa527902f966a4928d64c6a336642834665e1b168f

Download Submit
C:\Program Files (x86)\Browser Shop\qcAKCS8bPY7Vnm.dll
Filesize
754KB

MD5
0ea14ffbf9bc129f87d5a633ca028a12

SHA1
c91e00a9d6590556a4c13a46cb6c934f84cf2b2b

SHA256
9206058e3e04af4fb8d5c05ae8f088cf0a289ea0e4cd692c4f2d76439adb0d47

SHA512
0cfd075335346690ead8c5aef2340b56ce07c59d6243ad102fee0053d64f1a7847e56ba27f5bbcac4048f2c1cf70038e7cdffafe1cc28994603fdd65d2bf7bb2

Download Submit
C:\Program Files (x86)\Browser Shop\qcAKCS8bPY7Vnm.x64.dll
Filesize
891KB

MD5
bef492ffc032769cde00802f48a17fab

SHA1
a91e733c1269eb785f8e23dc475acac7432f0563

SHA256
473507950695ec743b98e5ef4b8970b2c7e6936556903c94f7fa88917265255d

SHA512
4f61d5f3a45d20cd00ed7ee6b874bf2dcbf248b8f65dfd8580c7148d6c71c316cace409be675a2ea919e8a12caf8690fafaf14c0f5479df55689401d2432afa0

Download Submit
C:\Program Files (x86)\Browser Shop\qcAKCS8bPY7Vnm.x64.dll
Filesize
891KB

MD5
bef492ffc032769cde00802f48a17fab

SHA1
a91e733c1269eb785f8e23dc475acac7432f0563

SHA256
473507950695ec743b98e5ef4b8970b2c7e6936556903c94f7fa88917265255d

SHA512
4f61d5f3a45d20cd00ed7ee6b874bf2dcbf248b8f65dfd8580c7148d6c71c316cace409be675a2ea919e8a12caf8690fafaf14c0f5479df55689401d2432afa0

Download Submit
C:\Program Files (x86)\Browser Shop\qcAKCS8bPY7Vnm.x64.dll
Filesize
891KB

MD5
bef492ffc032769cde00802f48a17fab

SHA1
a91e733c1269eb785f8e23dc475acac7432f0563

SHA256
473507950695ec743b98e5ef4b8970b2c7e6936556903c94f7fa88917265255d

SHA512
4f61d5f3a45d20cd00ed7ee6b874bf2dcbf248b8f65dfd8580c7148d6c71c316cace409be675a2ea919e8a12caf8690fafaf14c0f5479df55689401d2432afa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C2C.tmp\ORn9H3ntEwMIUdn.dat
Filesize
6KB

MD5
8ab7db7a50c9caf704921d1a185d8c76

SHA1
ce3e360c7943951f4c0311a717fa1b866a75cb59

SHA256
02f32fe22047884064a3fcd578dc924ce887452a67cb5402c222928117d76205

SHA512
bbdd3b34458cedde56a7d2b3eb5cfe0a14b373a1874a69d43b7398956743a19fba2163c2e167a4495d3b22aa527902f966a4928d64c6a336642834665e1b168f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C2C.tmp\ORn9H3ntEwMIUdn.exe
Filesize
774KB

MD5
fac681323e2e0ea322ef16fa551cf1e8

SHA1
744f89e591a6ced737cfe9214ce09c263de50211

SHA256
537f2df71a2f21f943a39d1c6d093a442e7ee975ed3e29b733b8bc5bf646793c

SHA512
22626bd0e79edac062b61d64234f563e3a8218703276a19a0b01749e2cad8387c8bd39bfe13810b787fb9e4c7f1669ea542e36bbf63c7c243fc68bb6fdf5c7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C2C.tmp\ORn9H3ntEwMIUdn.exe
Filesize
774KB

MD5
fac681323e2e0ea322ef16fa551cf1e8

SHA1
744f89e591a6ced737cfe9214ce09c263de50211

SHA256
537f2df71a2f21f943a39d1c6d093a442e7ee975ed3e29b733b8bc5bf646793c

SHA512
22626bd0e79edac062b61d64234f563e3a8218703276a19a0b01749e2cad8387c8bd39bfe13810b787fb9e4c7f1669ea542e36bbf63c7c243fc68bb6fdf5c7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C2C.tmp\T3@J.org\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C2C.tmp\T3@J.org\chrome.manifest
Filesize
35B

MD5
7e6df0fa7e4f3f8335c87394748ecfb6

SHA1
6393ce288d5fe3a3dcaf839729952c66b6d1d307

SHA256
b1d97dac1f080c1bc645b871b4760038203235b8b4c1cd4aab3879776388fb09

SHA512
87346a86a1b7070868ba3d95ca32afeec888a7ed3af6278b910824b28882054a65d61de61932f3a67340e75dfa72eb3c1b9aadbc9944265709e8791eb84063bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C2C.tmp\T3@J.org\content\bg.js
Filesize
7KB

MD5
41a4240c90aa74686f8d39d122781431

SHA1
10e11f69784db48a7e5b3a8a302919db4879abfb

SHA256
62e9efc1d3e80ee5b174ef3b45757a19129a4d9a5632f430178df710885722c4

SHA512
c83b4ddeb517879f06f1acfb600acad843893c3b1b32d2b78db35bb1f193497c061be50664b20ac3a7a0f3d6eb067acbc617d79b505877d7a9878e401c9e3a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C2C.tmp\T3@J.org\install.rdf
Filesize
596B

MD5
bf1357302bcdf6a478df0feb845c77c8

SHA1
164164f2a05c881ce1d06986a811b2aee9aa9d92

SHA256
474585ee148897fb58ee6a3e5a9dd25fe48919547a41da2965db09c16be7b0cb

SHA512
3f3af69fa3021b7049012b7981906f152b800489672784bdd6a7b84e56cf38dd790151823207bfe61d36ca41936c7f3196a19f62c37da54745e9ef2666ed01a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C2C.tmp\hjgblaippfpkenaadbdhgpkkdffmmaem\background.html
Filesize
142B

MD5
a6087b7a89427b8699fb4a3f25ac06c6

SHA1
523f58db08451069a8bb76205558c1b7a3b65789

SHA256
91144d60a544c3ac9a4e8c13a5fa00df3f186b3447522a3397424485df686a2e

SHA512
15c583fb60fb8c4714353b1f692dc295f7a26736b48b6ca325f195ad46cb07de7305990b53afd143b157a64e1d5b4b5d51ef9b355d7b3e2398bb294c153c9e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C2C.tmp\hjgblaippfpkenaadbdhgpkkdffmmaem\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C2C.tmp\hjgblaippfpkenaadbdhgpkkdffmmaem\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C2C.tmp\hjgblaippfpkenaadbdhgpkkdffmmaem\manifest.json
Filesize
504B

MD5
d532994175ac6e4e8fea2ae07edef6ff

SHA1
5646eab3cebc8b0a804103b63f08a63db784a77d

SHA256
f9a190f8cfafdeddfe9627366bcd108e42b7fa07c8d074f1570bd77489f39c4d

SHA512
ba6ddc11423c0b0d93de3e3ecb9eeebe29470723282165aa67de4329a5f9af7e390869a7cbd0834c1ff115a1ed0a274bed686b4b6630e98b268ec1f2a9a8dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C2C.tmp\hjgblaippfpkenaadbdhgpkkdffmmaem\nBJjI.js
Filesize
5KB

MD5
8a7e8f5a2280591262728248c4f5a134

SHA1
cca6aeba5b3e9ee7f97a4977ce2da216722d9951

SHA256
c9ed43d1026f7dc19cdc453b35b71109a55d03c881813bf7a893fc07b8f912ab

SHA512
10d5bc8a1eb8c03836739a3e2b6806af1eb294e3581018e1cf1b05810fb9c0409e87678245924483fa0452865e8d2a9b2f97de9a2c6296f826dabfa7a2bed913

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C2C.tmp\qcAKCS8bPY7Vnm.dll
Filesize
754KB

MD5
0ea14ffbf9bc129f87d5a633ca028a12

SHA1
c91e00a9d6590556a4c13a46cb6c934f84cf2b2b

SHA256
9206058e3e04af4fb8d5c05ae8f088cf0a289ea0e4cd692c4f2d76439adb0d47

SHA512
0cfd075335346690ead8c5aef2340b56ce07c59d6243ad102fee0053d64f1a7847e56ba27f5bbcac4048f2c1cf70038e7cdffafe1cc28994603fdd65d2bf7bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C2C.tmp\qcAKCS8bPY7Vnm.tlb
Filesize
3KB

MD5
4ab2bba691d66beca01f76ac65546fe8

SHA1
16f05ce91f3e2fe4b43452e24d56836fc65615af

SHA256
12816936003f13a1711de73328e38f311926a4cc9d1a836f46c9ccc02b6fb06f

SHA512
f034390bfd57618bbfd218c3df9e465dda8f4fa51fc0445c74e246472a4cde2bc0bfe4607cbc8cb31ac0edff62a84e954179fadddc2b644b8726cfa3e01694a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C2C.tmp\qcAKCS8bPY7Vnm.x64.dll
Filesize
891KB

MD5
bef492ffc032769cde00802f48a17fab

SHA1
a91e733c1269eb785f8e23dc475acac7432f0563

SHA256
473507950695ec743b98e5ef4b8970b2c7e6936556903c94f7fa88917265255d

SHA512
4f61d5f3a45d20cd00ed7ee6b874bf2dcbf248b8f65dfd8580c7148d6c71c316cace409be675a2ea919e8a12caf8690fafaf14c0f5479df55689401d2432afa0

Download Submit
memory/3844-149-0x0000000000000000-mapping.dmp

Download
memory/4828-132-0x0000000000000000-mapping.dmp

Download
memory/4964-152-0x0000000000000000-mapping.dmp

Download