Analysis
- max time kernel: 191s
- max time network: 210s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 19:41
Static task: static1
Behavioral task: behavioral1
Sample: c2d0a5578a6843311ef1c0ee9bc68e84a4774961a14f93672c0370d5ce1a9ae7.exe
Resource: win7-20221111-en
General
- Target: c2d0a5578a6843311ef1c0ee9bc68e84a4774961a14f93672c0370d5ce1a9ae7.exe
- Size: 2.5MB
- MD5: 8d750388fd5ff0a25c67ab5c4081ef36
- SHA1: 64a36985b0903720d49ab55bc37feaae5fd06d98
- SHA256: c2d0a5578a6843311ef1c0ee9bc68e84a4774961a14f93672c0370d5ce1a9ae7
- SHA512: 0f7462eb7026954a4f81fa43744242cab8b41f3fd4213f877df85ddcee65d6e95ff83e68475bded6a32e06b69f35e964f81f823879f2bc44e5eb9aca02965ddb
- SSDEEP: 49152:h1OsgUc3R1YQeb1bR9qMS3te/+E+kzkeRutdQ3L3V/A9VeG:h1OHbRsTWe/Z0
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes: 9XgYqrbCBZUv1Ag.exe
  pid  | process
  496  | 9XgYqrbCBZUv1Ag.exe
-
Loads dropped DLL 3 IoCs
Processes: 9XgYqrbCBZUv1Ag.exe, regsvr32.exe, regsvr32.exe
  pid  | process
  496  | 9XgYqrbCBZUv1Ag.exe
  2232 | regsvr32.exe
  1704 | regsvr32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 5 IoCs
Processes: 9XgYqrbCBZUv1Ag.exe
  description  | ioc | process
  File created | C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\egodmnejmckekffagcmoblochbkpmbng\200\manifest.json | 9XgYqrbCBZUv1Ag.exe
  File created | C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\egodmnejmckekffagcmoblochbkpmbng\200\manifest.json | 9XgYqrbCBZUv1Ag.exe
  File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\egodmnejmckekffagcmoblochbkpmbng\200\manifest.json | 9XgYqrbCBZUv1Ag.exe
  File created | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\egodmnejmckekffagcmoblochbkpmbng\200\manifest.json | 9XgYqrbCBZUv1Ag.exe
  File created | C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\egodmnejmckekffagcmoblochbkpmbng\200\manifest.json | 9XgYqrbCBZUv1Ag.exe
-
Installs/modifies Browser Helper Object 2 TTPs 9 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: 9XgYqrbCBZUv1Ag.exe, regsvr32.exe
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | 9XgYqrbCBZUv1Ag.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | 9XgYqrbCBZUv1Ag.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | regsvr32.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | regsvr32.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9} | regsvr32.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | 9XgYqrbCBZUv1Ag.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | 9XgYqrbCBZUv1Ag.exe
-
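The BHO rows above record CLSID subkeys being deleted, and the Browser Helper Objects container key being deleted and then recreated, in both the native and the WOW6432Node views; no row in this excerpt creates a CLSID subkey, so the CLSID the dropped DLL registers under is not visible on this page. The Python below is an added example, not part of the report or of the sample: it parses the rows exactly as the sandbox prints them (the same key appears upper-cased in some rows and mixed-case in others, so matching is case-insensitive), summarises what was touched per registry view, and emits the registry paths to check on a host for each CLSID. A BHO is an in-process COM server, so the DLL behind a CLSID is resolved through HKCR\CLSID\{CLSID}\InprocServer32, with 32-bit servers under the WOW6432Node views. Function and variable names are the example's own.

```python
import ntpath
import re
from collections import defaultdict

# Registry rows of the "Installs/modifies Browser Helper Object" signature, copied as
# the report prints them (constructed input for the example, values are the report's).
BHO_ROWS = [
    r"Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} 9XgYqrbCBZUv1Ag.exe",
    r"Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects 9XgYqrbCBZUv1Ag.exe",
    r"Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} regsvr32.exe",
    r"Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} regsvr32.exe",
    r"Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9} regsvr32.exe",
    r"Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} 9XgYqrbCBZUv1Ag.exe",
    r"Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects regsvr32.exe",
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ regsvr32.exe",
    r"Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ 9XgYqrbCBZUv1Ag.exe",
]

# The sandbox prints the same key in different letter cases, hence IGNORECASE.
# The CLSID group is optional: rows without it refer to the container key itself.
BHO_ROW = re.compile(
    r"^(?P<action>Key (?:created|deleted))\s+"
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\(?P<wow>WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects"
    r"\\?(?P<clsid>\{[0-9A-F-]{36}\})?\s+(?P<process>\S+)$",
    re.IGNORECASE,
)


def parse_bho_rows(rows):
    """One dict per row: action, registry view, upper-cased CLSID (or None), process."""
    events = []
    for row in rows:
        m = BHO_ROW.match(row)
        if not m:
            raise ValueError(f"not a BHO registry row: {row!r}")
        clsid = m.group("clsid")
        events.append({
            "action": m.group("action").lower(),
            "view": "wow6432node" if m.group("wow") else "native",
            "clsid": clsid.upper() if clsid else None,
            "process": m.group("process"),
        })
    return events


def summarize(events):
    """Deleted CLSIDs per view, created CLSIDs, and what happened to the container key."""
    deleted, created, container = defaultdict(set), set(), []
    for e in events:
        if e["clsid"] is None:
            container.append((e["action"], e["view"], e["process"]))
        elif e["action"] == "key deleted":
            deleted[e["clsid"]].add(e["view"])
        else:
            created.add(e["clsid"])
    return {"deleted_clsids": dict(deleted), "created_clsids": created, "container": container}


def hunt_paths(clsid):
    """Registry locations to check on a host for one BHO CLSID: the BHO list entry in
    both views, and the COM registration that names the DLL (HKCR\\CLSID\\...\\InprocServer32)."""
    c = clsid.upper()
    bho = r"Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    return [
        ntpath.join(r"HKLM\SOFTWARE", bho, c),
        ntpath.join(r"HKLM\SOFTWARE\WOW6432Node", bho, c),
        ntpath.join(r"HKCR\CLSID", c, "InprocServer32"),
        ntpath.join(r"HKCR\WOW6432Node\CLSID", c, "InprocServer32"),
    ]


if __name__ == "__main__":
    s = summarize(parse_bho_rows(BHO_ROWS))
    for clsid, views in sorted(s["deleted_clsids"].items()):
        print(f"deleted {clsid} in {sorted(views)}")
        for p in hunt_paths(clsid):
            print("   check", p)
    print("container key events:", s["container"])
    print("CLSID subkeys created in this excerpt:", s["created_clsids"] or "none")
```

The deleted CLSIDs are worth checking on hosts as much as any created one: a BHO list entry that is missing on a machine where the product that owns it is still installed is the trace this installer leaves.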
Drops file in Program Files directory 8 IoCs
Processes: 9XgYqrbCBZUv1Ag.exe
  description                  | ioc | process
  File opened for modification | C:\Program Files (x86)\Browser Shop\vOE1PtZ3ZdYMx8.dll | 9XgYqrbCBZUv1Ag.exe
  File created                 | C:\Program Files (x86)\Browser Shop\vOE1PtZ3ZdYMx8.tlb | 9XgYqrbCBZUv1Ag.exe
  File opened for modification | C:\Program Files (x86)\Browser Shop\vOE1PtZ3ZdYMx8.tlb | 9XgYqrbCBZUv1Ag.exe
  File created                 | C:\Program Files (x86)\Browser Shop\vOE1PtZ3ZdYMx8.dat | 9XgYqrbCBZUv1Ag.exe
  File opened for modification | C:\Program Files (x86)\Browser Shop\vOE1PtZ3ZdYMx8.dat | 9XgYqrbCBZUv1Ag.exe
  File created                 | C:\Program Files (x86)\Browser Shop\vOE1PtZ3ZdYMx8.x64.dll | 9XgYqrbCBZUv1Ag.exe
  File opened for modification | C:\Program Files (x86)\Browser Shop\vOE1PtZ3ZdYMx8.x64.dll | 9XgYqrbCBZUv1Ag.exe
  File created                 | C:\Program Files (x86)\Browser Shop\vOE1PtZ3ZdYMx8.dll | 9XgYqrbCBZUv1Ag.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: 9XgYqrbCBZUv1Ag.exe
  pid  | process
  496  | 9XgYqrbCBZUv1Ag.exe
  496  | 9XgYqrbCBZUv1Ag.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: c2d0a5578a6843311ef1c0ee9bc68e84a4774961a14f93672c0370d5ce1a9ae7.exe, 9XgYqrbCBZUv1Ag.exe, regsvr32.exe
  description                      | pid  | process | target process
  PID 4308 wrote to memory of 496  | 4308 | c2d0a5578a6843311ef1c0ee9bc68e84a4774961a14f93672c0370d5ce1a9ae7.exe | 9XgYqrbCBZUv1Ag.exe
  PID 4308 wrote to memory of 496  | 4308 | c2d0a5578a6843311ef1c0ee9bc68e84a4774961a14f93672c0370d5ce1a9ae7.exe | 9XgYqrbCBZUv1Ag.exe
  PID 4308 wrote to memory of 496  | 4308 | c2d0a5578a6843311ef1c0ee9bc68e84a4774961a14f93672c0370d5ce1a9ae7.exe | 9XgYqrbCBZUv1Ag.exe
  PID 496 wrote to memory of 2232  | 496  | 9XgYqrbCBZUv1Ag.exe | regsvr32.exe
  PID 496 wrote to memory of 2232  | 496  | 9XgYqrbCBZUv1Ag.exe | regsvr32.exe
  PID 496 wrote to memory of 2232  | 496  | 9XgYqrbCBZUv1Ag.exe | regsvr32.exe
  PID 2232 wrote to memory of 1704 | 2232 | regsvr32.exe | regsvr32.exe
  PID 2232 wrote to memory of 1704 | 2232 | regsvr32.exe | regsvr32.exe
Processes
-
Process tree (each numbered entry was spawned by the entry one level above it):
1. C:\Users\Admin\AppData\Local\Temp\c2d0a5578a6843311ef1c0ee9bc68e84a4774961a14f93672c0370d5ce1a9ae7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c2d0a5578a6843311ef1c0ee9bc68e84a4774961a14f93672c0370d5ce1a9ae7.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7zS6B1E.tmp\9XgYqrbCBZUv1Ag.exe
      Command line: .\9XgYqrbCBZUv1Ag.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops Chrome extension
      - Installs/modifies Browser Helper Object
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\regsvr32.exe
         Command line: regsvr32.exe /s "C:\Program Files (x86)\Browser Shop\vOE1PtZ3ZdYMx8.x64.dll"
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\regsvr32.exe
            Command line: /s "C:\Program Files (x86)\Browser Shop\vOE1PtZ3ZdYMx8.x64.dll"
            - Loads dropped DLL
            - Installs/modifies Browser Helper Object
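The tree above is a compact installer pattern: the submitted executable unpacks into a 7zS*.tmp directory under %TEMP% (the extraction directory a 7-Zip self-extracting installer creates), runs the unpacked 9XgYqrbCBZUv1Ag.exe from there, and that process silently registers a DLL it dropped under Program Files via regsvr32 /s. The 32-bit regsvr32 (SysWOW64) then spawns the 64-bit one (system32) for the same DLL, which is what the 32-bit tool does when handed a 64-bit DLL. The Python below is an added example, not part of the report, that turns those two observations into detection logic over process-creation events. The events are constructed from this tree (pids, images and command lines are the report's); the pid/ppid/image/cmdline field names are a Sysmon-like schema chosen for the example, and only the "/s <dll>" form of the regsvr32 command line is matched, as that is the form on this page.

```python
import ntpath
import re

SAMPLE = "c2d0a5578a6843311ef1c0ee9bc68e84a4774961a14f93672c0370d5ce1a9ae7.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Process-creation events reconstructed from the report's process tree (constructed
# sample input; field names are the example's own).
EVENTS = [
    {"pid": 4308, "ppid": 0, "image": TEMP + "\\" + SAMPLE,
     "cmdline": '"' + TEMP + "\\" + SAMPLE + '"'},
    {"pid": 496, "ppid": 4308, "image": TEMP + r"\7zS6B1E.tmp\9XgYqrbCBZUv1Ag.exe",
     "cmdline": r".\9XgYqrbCBZUv1Ag.exe"},
    {"pid": 2232, "ppid": 496, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files (x86)\Browser Shop\vOE1PtZ3ZdYMx8.x64.dll"'},
    {"pid": 1704, "ppid": 2232, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r'/s "C:\Program Files (x86)\Browser Shop\vOE1PtZ3ZdYMx8.x64.dll"'},
]

# 7-Zip SFX installers unpack into %TEMP%\7zS<hex>.tmp\ and run the payload from there.
SFX_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\7zS[0-9A-F]+\.tmp\\", re.IGNORECASE)
# "regsvr32 /s <dll>": silent registration; the quotes around the path are optional.
REGSVR_DLL_RE = re.compile(r'/s\s+"?(?P<dll>[^"]+?\.dll)"?', re.IGNORECASE)
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


def ancestors(events, pid):
    """The event for pid, then its parent, grandparent, ... (oldest last)."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def regsvr32_target(cmdline):
    m = REGSVR_DLL_RE.search(cmdline)
    return m.group("dll") if m else None


def sfx_spawned_regsvr32(events):
    """regsvr32 /s registrations whose parent chain runs through a 7zS*.tmp directory."""
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "regsvr32.exe":
            continue
        dll = regsvr32_target(e["cmdline"])
        if dll is None:
            continue
        sfx = next((a for a in ancestors(events, e["ppid"]) if SFX_DIR_RE.search(a["image"])), None)
        if sfx is None:
            continue
        hits.append({"pid": e["pid"], "image": e["image"], "dll": dll, "sfx_pid": sfx["pid"],
                     "dll_in_program_files": dll.lower().startswith(PROGRAM_FILES)})
    return hits


def wow64_handoffs(events):
    """SysWOW64 regsvr32 spawning system32 regsvr32 for the same DLL: the 32-bit tool
    re-launching its 64-bit counterpart because the DLL is 64-bit."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    for child in events:
        parent = by_pid.get(child["ppid"])
        if parent is None:
            continue
        if (child["image"].lower() == r"c:\windows\system32\regsvr32.exe"
                and parent["image"].lower() == r"c:\windows\syswow64\regsvr32.exe"):
            c_dll, p_dll = regsvr32_target(child["cmdline"]), regsvr32_target(parent["cmdline"])
            if c_dll and p_dll and c_dll.lower() == p_dll.lower():
                out.append((parent["pid"], child["pid"], c_dll))
    return out


if __name__ == "__main__":
    for h in sfx_spawned_regsvr32(EVENTS):
        print(f"regsvr32 pid {h['pid']} registered {h['dll']} for SFX payload pid {h['sfx_pid']}")
    for p, c, dll in wow64_handoffs(EVENTS):
        print(f"32-bit regsvr32 {p} handed {dll} to 64-bit regsvr32 {c}")
```

Both regsvr32 processes match the first rule because the grandparent chain is walked rather than only the direct parent; the handoff rule is what lets a triage script fold the two into a single registration of one DLL instead of reporting two separate events.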
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Browser Shop\vOE1PtZ3ZdYMx8.dat
  Filesize: 6KB
  MD5: 0596e4467be4ecb60bd88a99f64cd026
  SHA1: 0d3c0f47466b34f675e3c29ace66b8959c65fa87
  SHA256: 96e05709d8e98d19a03c231898c809b1bd7a78b7bc010fd85b0dbca1271f6f3b
  SHA512: 91bb70407af60de663bf0c0477502a2a8c40bdd95d39741070a9a7f9c9c62473a4b481012320ae415cacd1ec2784673b31eaa2f62e13050c8a8dfbe01d78748f
- C:\Program Files (x86)\Browser Shop\vOE1PtZ3ZdYMx8.dll
  Filesize: 744KB
  MD5: fc8b2dfce95210e4fe59b69a454ce14a
  SHA1: 46acd69f9bc55784091a572c8aa4d4d153a874f8
  SHA256: 3b408b96d81cfe3167926bcb62020da4d95001d8d2c3fc4d67708ec21488f189
  SHA512: 5ba3bb3437bb523721eac4e5c510b3fcb7b15090efeccd43075c8a42a776acad0c785431d7e2287e1b812556a30cd17bdde3d0d99f505a739c2042843d2cc1bf
- C:\Program Files (x86)\Browser Shop\vOE1PtZ3ZdYMx8.x64.dll
  Filesize: 874KB
  MD5: c204b63eda2256280c0d74669210c890
  SHA1: 0a66d21505519e92683ac9845c3ff9ee6e196332
  SHA256: 505902d13946b15000ecb6aadb6946a298193dbef795f1d085a233ca5d7ab4f0
  SHA512: 1bec19d922bbf35807826f156663338b9d0cfa221d41b531555577579646e5cbb5854a510da918c92755f10782e4f5fc8e49c4e4b24c32b7e800ca51691c7425
- C:\Users\Admin\AppData\Local\Temp\7zS6B1E.tmp\9XgYqrbCBZUv1Ag.dat
  Filesize: 6KB
  MD5: 0596e4467be4ecb60bd88a99f64cd026
  SHA1: 0d3c0f47466b34f675e3c29ace66b8959c65fa87
  SHA256: 96e05709d8e98d19a03c231898c809b1bd7a78b7bc010fd85b0dbca1271f6f3b
  SHA512: 91bb70407af60de663bf0c0477502a2a8c40bdd95d39741070a9a7f9c9c62473a4b481012320ae415cacd1ec2784673b31eaa2f62e13050c8a8dfbe01d78748f
- C:\Users\Admin\AppData\Local\Temp\7zS6B1E.tmp\9XgYqrbCBZUv1Ag.exe
  Filesize: 762KB
  MD5: 468f56fce4a9413059464fa7c9c3cc5f
  SHA1: 99dde68e6dca34b5787c1e2faeab1716f443e462
  SHA256: 1b0cefe330725f38dd592a9900eeca832124643d3a170805ad7cd988dc312841
  SHA512: 11bf2744d92faaa1e13bb316d3d56555fd5bb8a8248fde6bbca1f692cc55928ec901cc1cc79c09f236273e25712526dd629fd97aec4f062d469c9714d1a6a7d0
- C:\Users\Admin\AppData\Local\Temp\7zS6B1E.tmp\egodmnejmckekffagcmoblochbkpmbng\UXZ.js
  Filesize: 5KB
  MD5: 4b8114694bb4d01975883e65164fc9ce
  SHA1: 706c361d1f7c3f9a294ce41c9b0a959531ee6487
  SHA256: fbc14afa5e561ac6b47f61cc6a1df745ae7bea4394ec5a87eb5eb7b2477e6433
  SHA512: 5b151d3184ecf5a530f5bc6292edcb9805d950ba3068b9db7bcd44ea6d26b2826c3cc03a6405f1bf8e7752f58a0f9814afef1d2696b76c51dd9b6e35a835f9ee
- C:\Users\Admin\AppData\Local\Temp\7zS6B1E.tmp\egodmnejmckekffagcmoblochbkpmbng\background.html
  Filesize: 140B
  MD5: a04d1d8f55508deb908f9b4e546cd979
  SHA1: 93f6b379a80f8b9cb5693fbaf2d3e827bab15f85
  SHA256: 185e4065072036dbecdd6feff2fd6a79b74a02c51abc2db3c3acaa66ee0211d1
  SHA512: 7e6380ba232d1d1c9e3abfd2c6797808380a26c20d2f6cf42d58382dab50ca7e324bb1db47338ca80a98e5ff7da7ff3d9c59e7b201e8af7d1ae4c7cc0f01e600
- C:\Users\Admin\AppData\Local\Temp\7zS6B1E.tmp\egodmnejmckekffagcmoblochbkpmbng\content.js
  Filesize: 144B
  MD5: fca19198fd8af21016a8b1dec7980002
  SHA1: fd01a47d14004e17a625efe66cc46a06c786cf40
  SHA256: 332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
  SHA512: 60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47
- C:\Users\Admin\AppData\Local\Temp\7zS6B1E.tmp\egodmnejmckekffagcmoblochbkpmbng\lsdb.js
  Filesize: 531B
  MD5: 36d98318ab2b3b2585a30984db328afb
  SHA1: f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
  SHA256: ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
  SHA512: 6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a
- C:\Users\Admin\AppData\Local\Temp\7zS6B1E.tmp\egodmnejmckekffagcmoblochbkpmbng\manifest.json
  Filesize: 504B
  MD5: d532994175ac6e4e8fea2ae07edef6ff
  SHA1: 5646eab3cebc8b0a804103b63f08a63db784a77d
  SHA256: f9a190f8cfafdeddfe9627366bcd108e42b7fa07c8d074f1570bd77489f39c4d
  SHA512: ba6ddc11423c0b0d93de3e3ecb9eeebe29470723282165aa67de4329a5f9af7e390869a7cbd0834c1ff115a1ed0a274bed686b4b6630e98b268ec1f2a9a8dadb
- C:\Users\Admin\AppData\Local\Temp\7zS6B1E.tmp\jYIPmQ8QNH@M.com\bootstrap.js
  Filesize: 2KB
  MD5: df13f711e20e9c80171846d4f2f7ae06
  SHA1: 56d29cda58427efe0e21d3880d39eb1b0ef60bee
  SHA256: 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
  SHA512: 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e
- C:\Users\Admin\AppData\Local\Temp\7zS6B1E.tmp\jYIPmQ8QNH@M.com\chrome.manifest
  Filesize: 35B
  MD5: 4c1ab88616c7a9b6324e61102c786cbd
  SHA1: 21a994dbb9607e0842de1043854072dcca96771d
  SHA256: 165eb59c2e45c1255973fa43f82b49712ff287f00708886daa4eac4efe28b1e3
  SHA512: 4830e4c3a046e3a8289b05d5b4da612a8943a5472d50bb43ad24a1ef9366fa42f6a587c5d1c0e8366b1d93e5659deaf02af1e2d315d5b905353521fcede6f32d
- C:\Users\Admin\AppData\Local\Temp\7zS6B1E.tmp\jYIPmQ8QNH@M.com\content\bg.js
  Filesize: 7KB
  MD5: bfbf0f6e0dac620fc3fc64429290d864
  SHA1: e221c58d6abb214ee92c44f83147e3b0bd8c51df
  SHA256: 2812d0a9eb507e3529a9f113661b7cd65feda2481cb22a6b3dcf09e8fc381ca9
  SHA512: 16de72dd24dbc725d5ce6fffb81dddb0497b7a1125a252bad28c53c59721a37995bff25c1e261a0d48bcca6de6c391e78118640847e9332c40e84ce268783abb
- C:\Users\Admin\AppData\Local\Temp\7zS6B1E.tmp\jYIPmQ8QNH@M.com\install.rdf
  Filesize: 604B
  MD5: 032506c8030780e3a78793ff6b073780
  SHA1: a293c0d963d5783383b8a3a4a66b6e399b284629
  SHA256: bff66d269612fe6e9fe280a97d98111bf6c644c84650100821859d052aff71f6
  SHA512: f594a669b4c22508f96d5ab61ed97f2d90ee5073d2001fb7f76ec962f25a3cd899928d85261e3220b375909fb63e5fe0f65aae549c550343c5fb3b5f4eae523d
- C:\Users\Admin\AppData\Local\Temp\7zS6B1E.tmp\vOE1PtZ3ZdYMx8.dll
  Filesize: 744KB
  MD5: fc8b2dfce95210e4fe59b69a454ce14a
  SHA1: 46acd69f9bc55784091a572c8aa4d4d153a874f8
  SHA256: 3b408b96d81cfe3167926bcb62020da4d95001d8d2c3fc4d67708ec21488f189
  SHA512: 5ba3bb3437bb523721eac4e5c510b3fcb7b15090efeccd43075c8a42a776acad0c785431d7e2287e1b812556a30cd17bdde3d0d99f505a739c2042843d2cc1bf
- C:\Users\Admin\AppData\Local\Temp\7zS6B1E.tmp\vOE1PtZ3ZdYMx8.tlb
  Filesize: 3KB
  MD5: 662093ad59715d81e0a2b7cfbd4ac684
  SHA1: 83419c0803aa1c25a27b1fb8ad4a663d2d4878b0
  SHA256: 68fc930e26f7f38e30df8f8f40d1232b81af62d4cf27a281a8f645788ad1f6c4
  SHA512: 0eaffb7f011f548e1c6f8490c3d353fa05976140383df85663b5ef13be110d4847f08afe236a796a7f10a28895d29a7344e6d346389aa0780cc24af50fd66bf6
- C:\Users\Admin\AppData\Local\Temp\7zS6B1E.tmp\vOE1PtZ3ZdYMx8.x64.dll
  Filesize: 874KB
  MD5: c204b63eda2256280c0d74669210c890
  SHA1: 0a66d21505519e92683ac9845c3ff9ee6e196332
  SHA256: 505902d13946b15000ecb6aadb6946a298193dbef795f1d085a233ca5d7ab4f0
  SHA512: 1bec19d922bbf35807826f156663338b9d0cfa221d41b531555577579646e5cbb5854a510da918c92755f10782e4f5fc8e49c4e4b24c32b7e800ca51691c7425
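Several digests in the list above occur twice: once under the 7zS6B1E.tmp extraction directory, where the installer unpacked the file, and once under C:\Program Files (x86)\Browser Shop, where it was installed. The copies outside the extraction directory are the ones worth hunting for on other hosts. The Python below is an added example and not the report's code: it parses a subset of these entries in the fused form the page prints them (label glued to digest, e.g. "MD5<hex>"), uses the fixed digest lengths as the check that each line was split correctly, groups records by SHA-256 to pair each staged copy with its installed copy, and checks a host for the installed copies. The `exists` and `digest` callables are injectable so the logic can be exercised offline; paths and digests are the report's, function names are the example's.

```python
import hashlib
import os
import re
from collections import defaultdict

# Three of this report's "Downloads" entries, copied in the page's fused form
# (constructed input for the example; the values are the report's own).
DOWNLOADS_TEXT = r"""
C:\Program Files (x86)\Browser Shop\vOE1PtZ3ZdYMx8.datFilesize
6KB
MD50596e4467be4ecb60bd88a99f64cd026
SHA10d3c0f47466b34f675e3c29ace66b8959c65fa87
SHA25696e05709d8e98d19a03c231898c809b1bd7a78b7bc010fd85b0dbca1271f6f3b
SHA51291bb70407af60de663bf0c0477502a2a8c40bdd95d39741070a9a7f9c9c62473a4b481012320ae415cacd1ec2784673b31eaa2f62e13050c8a8dfbe01d78748f
-
C:\Program Files (x86)\Browser Shop\vOE1PtZ3ZdYMx8.x64.dllFilesize
874KB
MD5c204b63eda2256280c0d74669210c890
SHA10a66d21505519e92683ac9845c3ff9ee6e196332
SHA256505902d13946b15000ecb6aadb6946a298193dbef795f1d085a233ca5d7ab4f0
SHA5121bec19d922bbf35807826f156663338b9d0cfa221d41b531555577579646e5cbb5854a510da918c92755f10782e4f5fc8e49c4e4b24c32b7e800ca51691c7425
-
C:\Users\Admin\AppData\Local\Temp\7zS6B1E.tmp\9XgYqrbCBZUv1Ag.datFilesize
6KB
MD50596e4467be4ecb60bd88a99f64cd026
SHA10d3c0f47466b34f675e3c29ace66b8959c65fa87
SHA25696e05709d8e98d19a03c231898c809b1bd7a78b7bc010fd85b0dbca1271f6f3b
SHA51291bb70407af60de663bf0c0477502a2a8c40bdd95d39741070a9a7f9c9c62473a4b481012320ae415cacd1ec2784673b31eaa2f62e13050c8a8dfbe01d78748f
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# The 7-Zip SFX extraction directory the installer stages files in before copying them.
STAGING_RE = re.compile(r"\\AppData\\Local\\Temp\\7zS[0-9A-F]+\.tmp\\", re.IGNORECASE)


def parse_downloads(text):
    """Split the fused report lines into one record per dropped file."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if line.endswith("Filesize"):
            cur = {"path": line[: -len("Filesize")], "size": None}
            records.append(cur)
            continue
        if cur is None:
            raise ValueError(f"line before first entry: {line!r}")
        m = HASH_LINE.match(line)
        if m:
            label, digest = m.groups()
            # The label is glued to the digest: the fixed digest length is the only
            # check that the line split at the right place and nothing was truncated.
            if len(digest) != HASH_LEN[label]:
                raise ValueError(f"{label} digest of wrong length for {cur['path']!r}")
            cur[label.lower()] = digest
        elif cur["size"] is None:
            cur["size"] = line
        else:
            raise ValueError(f"unparsed line: {line!r}")
    return records


def by_sha256(records):
    groups = defaultdict(list)
    for r in records:
        groups[r["sha256"]].append(r["path"])
    return dict(groups)


def staged_and_installed(records):
    """Digests present both inside the 7zS*.tmp staging directory and outside it."""
    out = []
    for sha, paths in by_sha256(records).items():
        staged = [p for p in paths if STAGING_RE.search(p)]
        installed = [p for p in paths if not STAGING_RE.search(p)]
        if staged and installed:
            out.append({"sha256": sha, "staged": staged, "installed": installed})
    return out


def persistent_iocs(records):
    """(sha256, path) for every copy written outside the staging directory."""
    return sorted((r["sha256"], r["path"]) for r in records if not STAGING_RE.search(r["path"]))


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def check_host(records, exists=os.path.exists, digest=sha256_of):
    """Report each installed copy as absent, match or mismatch on the local machine."""
    results = []
    for sha, path in persistent_iocs(records):
        if not exists(path):
            results.append((path, "absent"))
        else:
            results.append((path, "match" if digest(path).lower() == sha else "mismatch"))
    return results


if __name__ == "__main__":
    recs = parse_downloads(DOWNLOADS_TEXT)
    for pair in staged_and_installed(recs):
        print(pair["sha256"], "staged at", pair["staged"], "installed at", pair["installed"])
    for path, status in check_host(recs):
        print(status, path)
```

A "mismatch" result matters as much as a "match": the same file name at the same install path with a different digest is how a repacked build of the same installer shows up.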
-
memory/496-135-0x0000000000000000-mapping.dmp
-
memory/1704-155-0x0000000000000000-mapping.dmp
-
memory/2232-152-0x0000000000000000-mapping.dmp