c31fe6f0396a1636b076e7378c86ff5a4e2980b6ccfd5b22b8f28d8d2dd7cae7

Analysis

max time kernel
176s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c31fe6f0396a1636b076e7378c86ff5a4e2980b6ccfd5b22b8f28d8d2dd7cae7.exe
Size

2.5MB
MD5

cbfc1a6881dfff36984851a68a74b949
SHA1

bfe6c876c82ab3ddbe6ba5b0d5d04b982d396d30
SHA256

c31fe6f0396a1636b076e7378c86ff5a4e2980b6ccfd5b22b8f28d8d2dd7cae7
SHA512

e3b56b00e5f8ee22b23b8863f5e136d76b96ab385b21aa7268ae6a0b235ad9550ce1b47977f41b0cfb1334e86bd3b69bb6292d9de46d8db6732c56692be4d720
SSDEEP

49152:h1Os1AQ+1ho2H8swSCCwwFB9nfFVDRBTY/3X5wRLCr56JK8xm:h1OtQzVCwJ/3CRLCrY8R

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

bewL2v3hB3x63yF.exe

pid process

2884 bewL2v3hB3x63yF.exe
Loads dropped DLL 3 IoCs

Processes:

bewL2v3hB3x63yF.exeregsvr32.exeregsvr32.exe

pid process

2884 bewL2v3hB3x63yF.exe
1004 regsvr32.exe
1256 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2884	bewL2v3hB3x63yF.exe

pid	process
2884	bewL2v3hB3x63yF.exe
1004	regsvr32.exe
1256	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

bewL2v3hB3x63yF.exe

description	ioc	process
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\piladbligagbmapmfngineldcffnnobf\1.0\manifest.json	bewL2v3hB3x63yF.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\piladbligagbmapmfngineldcffnnobf\1.0\manifest.json	bewL2v3hB3x63yF.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\piladbligagbmapmfngineldcffnnobf\1.0\manifest.json	bewL2v3hB3x63yF.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\piladbligagbmapmfngineldcffnnobf\1.0\manifest.json	bewL2v3hB3x63yF.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\piladbligagbmapmfngineldcffnnobf\1.0\manifest.json	bewL2v3hB3x63yF.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

bewL2v3hB3x63yF.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	bewL2v3hB3x63yF.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	bewL2v3hB3x63yF.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	bewL2v3hB3x63yF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	bewL2v3hB3x63yF.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

bewL2v3hB3x63yF.exe

description	ioc	process
File created	C:\Program Files (x86)\YoutubeAdBlocke\K7SygHi9QhtWCc.dat	bewL2v3hB3x63yF.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\K7SygHi9QhtWCc.dat	bewL2v3hB3x63yF.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\K7SygHi9QhtWCc.x64.dll	bewL2v3hB3x63yF.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\K7SygHi9QhtWCc.x64.dll	bewL2v3hB3x63yF.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\K7SygHi9QhtWCc.dll	bewL2v3hB3x63yF.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\K7SygHi9QhtWCc.dll	bewL2v3hB3x63yF.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\K7SygHi9QhtWCc.tlb	bewL2v3hB3x63yF.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\K7SygHi9QhtWCc.tlb	bewL2v3hB3x63yF.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bewL2v3hB3x63yF.exe

pid process

2884 bewL2v3hB3x63yF.exe
2884 bewL2v3hB3x63yF.exe

pid	process
2884	bewL2v3hB3x63yF.exe
2884	bewL2v3hB3x63yF.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c31fe6f0396a1636b076e7378c86ff5a4e2980b6ccfd5b22b8f28d8d2dd7cae7.exebewL2v3hB3x63yF.exeregsvr32.exe

description	pid	process	target process
PID 2840 wrote to memory of 2884	2840	c31fe6f0396a1636b076e7378c86ff5a4e2980b6ccfd5b22b8f28d8d2dd7cae7.exe	bewL2v3hB3x63yF.exe
PID 2840 wrote to memory of 2884	2840	c31fe6f0396a1636b076e7378c86ff5a4e2980b6ccfd5b22b8f28d8d2dd7cae7.exe	bewL2v3hB3x63yF.exe
PID 2840 wrote to memory of 2884	2840	c31fe6f0396a1636b076e7378c86ff5a4e2980b6ccfd5b22b8f28d8d2dd7cae7.exe	bewL2v3hB3x63yF.exe
PID 2884 wrote to memory of 1004	2884	bewL2v3hB3x63yF.exe	regsvr32.exe
PID 2884 wrote to memory of 1004	2884	bewL2v3hB3x63yF.exe	regsvr32.exe
PID 2884 wrote to memory of 1004	2884	bewL2v3hB3x63yF.exe	regsvr32.exe
PID 1004 wrote to memory of 1256	1004	regsvr32.exe	regsvr32.exe
PID 1004 wrote to memory of 1256	1004	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\c31fe6f0396a1636b076e7378c86ff5a4e2980b6ccfd5b22b8f28d8d2dd7cae7.exe
"C:\Users\Admin\AppData\Local\Temp\c31fe6f0396a1636b076e7378c86ff5a4e2980b6ccfd5b22b8f28d8d2dd7cae7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2840

C:\Users\Admin\AppData\Local\Temp\7zS5B20.tmp\bewL2v3hB3x63yF.exe
.\bewL2v3hB3x63yF.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdBlocke\K7SygHi9QhtWCc.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\YoutubeAdBlocke\K7SygHi9QhtWCc.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:1256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutubeAdBlocke\K7SygHi9QhtWCc.dat
Filesize
6KB

MD5
3d4f9687ab05a08a2869808aa633bf3a

SHA1
b4ebede66567a61ac4fa7c38a179f5c270a689bc

SHA256
a45b80ffdbdcfca28dce38a01370645fca5e43fcab4696ba2dc48cd940e9ebd2

SHA512
19760622c63ce39cbc433da03bd6250a11f2b8901cc46648663db0dae9c14ee4410eb6ce3c43b2db8055aa3ad93316fc98f924853e96bd5a8cb2e0c5e7f8f085

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\K7SygHi9QhtWCc.dll
Filesize
745KB

MD5
bc75cdace94e1bcc0cd036bec46d13fe

SHA1
ff5763f3806352d6a5470bd2b16b3aaea659e343

SHA256
8b29aab90003e8bcd824cf30660f0ea018d03da0684a9e9bef0d1f11fdf85612

SHA512
6691399cd8c3c53cc43c52a9bbc5aeebd149a91e96a84e6f00824a67988a68aa666942bbcf0622c6ee5d28af7bb23d0e8275a5457594225140de1f66f14c7a3e

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\K7SygHi9QhtWCc.x64.dll
Filesize
873KB

MD5
3ff4bf612ed76f50997caf4dcb2d2c74

SHA1
1680e712d635eaf8fb66409a467b168ab15c3060

SHA256
ec9e69914920641749b78ee3b8340ed638413e9fb1368a9678f3634f322ec36d

SHA512
d3cd6fb704729ed0df63bd79ab755931529c9fdf8ab544d6e09626b477625648e0c35afec39f5ff53a8dbd8998248726e8db7c207ff163d5a04384f025016cdc

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\K7SygHi9QhtWCc.x64.dll
Filesize
873KB

MD5
3ff4bf612ed76f50997caf4dcb2d2c74

SHA1
1680e712d635eaf8fb66409a467b168ab15c3060

SHA256
ec9e69914920641749b78ee3b8340ed638413e9fb1368a9678f3634f322ec36d

SHA512
d3cd6fb704729ed0df63bd79ab755931529c9fdf8ab544d6e09626b477625648e0c35afec39f5ff53a8dbd8998248726e8db7c207ff163d5a04384f025016cdc

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\K7SygHi9QhtWCc.x64.dll
Filesize
873KB

MD5
3ff4bf612ed76f50997caf4dcb2d2c74

SHA1
1680e712d635eaf8fb66409a467b168ab15c3060

SHA256
ec9e69914920641749b78ee3b8340ed638413e9fb1368a9678f3634f322ec36d

SHA512
d3cd6fb704729ed0df63bd79ab755931529c9fdf8ab544d6e09626b477625648e0c35afec39f5ff53a8dbd8998248726e8db7c207ff163d5a04384f025016cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B20.tmp\D4Cy@Lr.org\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B20.tmp\D4Cy@Lr.org\chrome.manifest
Filesize
35B

MD5
4aefedf599fd9b17371bed48dff1e8dc

SHA1
48b91f6b045402e7231a518e16381a98125dd4b6

SHA256
e3067f23507dcdc43300b40e7ee7508a68d72a5e79b9887114685b1b0b44047d

SHA512
83c28d4a5fe23a34ad10f6a5cf6c62e77cb212eb7365ee6a1249540693d524be7d54de2092f4a44123f65d2bf655e3b38fe7166ad48ecc1c38e5d64922d2cf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B20.tmp\D4Cy@Lr.org\content\bg.js
Filesize
7KB

MD5
99cad6f93e191cf900ad17fa5af604e4

SHA1
2aabcb543d7c97188b8db1d872c55f314d89c51d

SHA256
769bc997c5e60702c7135a9835c607118d07f12c744d2c7ecaf671bfd39490d4

SHA512
a5e2eadc3f16a4cc825c120ac65fc53aa9b9512ee4e11120d69cbc79081649849f1f84e92e31b2c7844f50c67cc642daa6afd4564c77ca420b2619b9b70883f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B20.tmp\D4Cy@Lr.org\install.rdf
Filesize
602B

MD5
de341e5fe496950d587840b527f5829e

SHA1
61776d318b80743e90e39210150745f19731b645

SHA256
2a3c8f10b54c27f5d83f92fd4d72d5e40537c51bbdaaf53568a0749d7498a79a

SHA512
3a065d04b25d54f0350719977d3d26b95c85f39effc1f13ebebf94adc5c8f061379ba08768c53a21956e629b3977d60b9a9cfc86d3f5b5f773b6d30fc00027d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B20.tmp\K7SygHi9QhtWCc.dll
Filesize
745KB

MD5
bc75cdace94e1bcc0cd036bec46d13fe

SHA1
ff5763f3806352d6a5470bd2b16b3aaea659e343

SHA256
8b29aab90003e8bcd824cf30660f0ea018d03da0684a9e9bef0d1f11fdf85612

SHA512
6691399cd8c3c53cc43c52a9bbc5aeebd149a91e96a84e6f00824a67988a68aa666942bbcf0622c6ee5d28af7bb23d0e8275a5457594225140de1f66f14c7a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B20.tmp\K7SygHi9QhtWCc.tlb
Filesize
3KB

MD5
253f68c25c54dc1e9c4bad94c785e6b8

SHA1
9ed5097097d76e2b145a04d42b89748f0a744143

SHA256
50578e5533d286eeb10901b8499d33e0470421b2a8c5bfba7891dba84604f9c4

SHA512
a0328571f4f6c9e1c25eaca0e4b64683459b71912f02ba4d90036cd4d11465f63de5bfa99822977fe26d69d66e883dc10b3c5a7daae216132f4d3faeeeab6f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B20.tmp\K7SygHi9QhtWCc.x64.dll
Filesize
873KB

MD5
3ff4bf612ed76f50997caf4dcb2d2c74

SHA1
1680e712d635eaf8fb66409a467b168ab15c3060

SHA256
ec9e69914920641749b78ee3b8340ed638413e9fb1368a9678f3634f322ec36d

SHA512
d3cd6fb704729ed0df63bd79ab755931529c9fdf8ab544d6e09626b477625648e0c35afec39f5ff53a8dbd8998248726e8db7c207ff163d5a04384f025016cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B20.tmp\bewL2v3hB3x63yF.dat
Filesize
6KB

MD5
3d4f9687ab05a08a2869808aa633bf3a

SHA1
b4ebede66567a61ac4fa7c38a179f5c270a689bc

SHA256
a45b80ffdbdcfca28dce38a01370645fca5e43fcab4696ba2dc48cd940e9ebd2

SHA512
19760622c63ce39cbc433da03bd6250a11f2b8901cc46648663db0dae9c14ee4410eb6ce3c43b2db8055aa3ad93316fc98f924853e96bd5a8cb2e0c5e7f8f085

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B20.tmp\bewL2v3hB3x63yF.exe
Filesize
778KB

MD5
2b3591a7eecb2bfda4a75c5f22f52bbb

SHA1
4b57dc7c82dfb5aee529091314787978b6f2e58d

SHA256
def761f4af36128afc624d20df658e2ac6180c3cb72d77c219c95395d57e1aff

SHA512
0bb7cdfb987b6fbeed51cd186292d119f34fb785a31c2ebe58615f7d71e350aa4b55b458cfc9433db7957b5ade46053e3fcfa7ec004b8b6e52e02857d05d6ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B20.tmp\bewL2v3hB3x63yF.exe
Filesize
778KB

MD5
2b3591a7eecb2bfda4a75c5f22f52bbb

SHA1
4b57dc7c82dfb5aee529091314787978b6f2e58d

SHA256
def761f4af36128afc624d20df658e2ac6180c3cb72d77c219c95395d57e1aff

SHA512
0bb7cdfb987b6fbeed51cd186292d119f34fb785a31c2ebe58615f7d71e350aa4b55b458cfc9433db7957b5ade46053e3fcfa7ec004b8b6e52e02857d05d6ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B20.tmp\piladbligagbmapmfngineldcffnnobf\background.html
Filesize
145B

MD5
c981f568aa8f7945821a36954db2127b

SHA1
5232edaad43236ef8c107822d7a00a40eebd614d

SHA256
8a2ff7bd2d7d841d873dca97370e830bae440688e6b280c28441cda723dec64d

SHA512
bcf7ed843ade9c6d175edd6092106869b6d044fe1d9ec915fee517e92284367a235a4be08644378c5ca20671a625a9487bbf8fd66adec621d873102848e97ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B20.tmp\piladbligagbmapmfngineldcffnnobf\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B20.tmp\piladbligagbmapmfngineldcffnnobf\gqSd9b73.js
Filesize
5KB

MD5
9cc24ad87b934c7dfe8cc99dad90697a

SHA1
897506abc1babaadfd9b6a31436c4a42b98aa19b

SHA256
8fa5fb635f6ce01406ce4360cfcba7fa49edd1f23b33c97aa3664b59164b595f

SHA512
df102e7120d68c3775e1c26ae5a5ddefc02ffc7c0ca3fab8c67717bd987ec0e1142a6704535d3a75e22c68d66fad37f1b924192809d8e54889a7c834fc1ae6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B20.tmp\piladbligagbmapmfngineldcffnnobf\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B20.tmp\piladbligagbmapmfngineldcffnnobf\manifest.json
Filesize
507B

MD5
d429395a45a9aa09e4ee9054e9196b30

SHA1
c5dbab4e27650b07d4d159c305d08a9d578c3a3e

SHA256
674fc32cde82ed69cb8595bbea9f70f69097062c39bd6a3a505227a4f4a45344

SHA512
4a5bc7c005e573bf0cdb89489d676fb26c5fe116d397a6cd7a1ebb2cae9605b3d1657378e17d354cb102e93c39b32fa8d2963f375af37c871452f3170356101e

Download Submit
memory/1004-149-0x0000000000000000-mapping.dmp

Download
memory/1256-152-0x0000000000000000-mapping.dmp

Download
memory/2884-132-0x0000000000000000-mapping.dmp

Download