c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603

Analysis

max time kernel
178s
max time network
218s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603.exe
Size

2.5MB
MD5

975b000252ebb8c5a8f2ec1753c85a93
SHA1

a585bf89b61c311d018837f35c6777c9350c02c2
SHA256

c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603
SHA512

02521616a1e054cc83da5acb800642114e5c5a418a991b50459dbb0f5df64cfc15c9c935f37ea208f36d0fb901578e4583bdbaf5919d16898a99cb134826cdd1
SSDEEP

49152:h1OsTAQ+1ho2H8swSCCwwFB9nfFVDRBTY/3X5wRLCr56JK8xb:h1ObQzVCwJ/3CRLCrY8i

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

X4oOA1qtRIZeXUd.exe

pid process

224 X4oOA1qtRIZeXUd.exe
Loads dropped DLL 3 IoCs

Processes:

X4oOA1qtRIZeXUd.exeregsvr32.exeregsvr32.exe

pid process

224 X4oOA1qtRIZeXUd.exe
1956 regsvr32.exe
4216 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
224	X4oOA1qtRIZeXUd.exe

pid	process
224	X4oOA1qtRIZeXUd.exe
1956	regsvr32.exe
4216	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

X4oOA1qtRIZeXUd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbgilepilfcabogjpmklmabolalpbebn\200\manifest.json	X4oOA1qtRIZeXUd.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbgilepilfcabogjpmklmabolalpbebn\200\manifest.json	X4oOA1qtRIZeXUd.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbgilepilfcabogjpmklmabolalpbebn\200\manifest.json	X4oOA1qtRIZeXUd.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbgilepilfcabogjpmklmabolalpbebn\200\manifest.json	X4oOA1qtRIZeXUd.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbgilepilfcabogjpmklmabolalpbebn\200\manifest.json	X4oOA1qtRIZeXUd.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

X4oOA1qtRIZeXUd.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	X4oOA1qtRIZeXUd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	X4oOA1qtRIZeXUd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	X4oOA1qtRIZeXUd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	X4oOA1qtRIZeXUd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

X4oOA1qtRIZeXUd.exe

description	ioc	process
File created	C:\Program Files (x86)\Browser Shop\dXue8m0v2iGJCX.tlb	X4oOA1qtRIZeXUd.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\dXue8m0v2iGJCX.tlb	X4oOA1qtRIZeXUd.exe
File created	C:\Program Files (x86)\Browser Shop\dXue8m0v2iGJCX.dat	X4oOA1qtRIZeXUd.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\dXue8m0v2iGJCX.dat	X4oOA1qtRIZeXUd.exe
File created	C:\Program Files (x86)\Browser Shop\dXue8m0v2iGJCX.x64.dll	X4oOA1qtRIZeXUd.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\dXue8m0v2iGJCX.x64.dll	X4oOA1qtRIZeXUd.exe
File created	C:\Program Files (x86)\Browser Shop\dXue8m0v2iGJCX.dll	X4oOA1qtRIZeXUd.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\dXue8m0v2iGJCX.dll	X4oOA1qtRIZeXUd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

X4oOA1qtRIZeXUd.exe

pid process

224 X4oOA1qtRIZeXUd.exe
224 X4oOA1qtRIZeXUd.exe

pid	process
224	X4oOA1qtRIZeXUd.exe
224	X4oOA1qtRIZeXUd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603.exeX4oOA1qtRIZeXUd.exeregsvr32.exe

description	pid	process	target process
PID 1536 wrote to memory of 224	1536	c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603.exe	X4oOA1qtRIZeXUd.exe
PID 1536 wrote to memory of 224	1536	c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603.exe	X4oOA1qtRIZeXUd.exe
PID 1536 wrote to memory of 224	1536	c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603.exe	X4oOA1qtRIZeXUd.exe
PID 224 wrote to memory of 1956	224	X4oOA1qtRIZeXUd.exe	regsvr32.exe
PID 224 wrote to memory of 1956	224	X4oOA1qtRIZeXUd.exe	regsvr32.exe
PID 224 wrote to memory of 1956	224	X4oOA1qtRIZeXUd.exe	regsvr32.exe
PID 1956 wrote to memory of 4216	1956	regsvr32.exe	regsvr32.exe
PID 1956 wrote to memory of 4216	1956	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603.exe
"C:\Users\Admin\AppData\Local\Temp\c1a4b5286f9eb74692f0b3d1f3938884da4449375ce100e696afb15c64723603.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\Temp\7zSA25A.tmp\X4oOA1qtRIZeXUd.exe
.\X4oOA1qtRIZeXUd.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Browser Shop\dXue8m0v2iGJCX.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Browser Shop\dXue8m0v2iGJCX.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:4216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Browser Shop\dXue8m0v2iGJCX.dat
Filesize
6KB

MD5
948da42cd4e34b92ea34aa1bc4cfe717

SHA1
6fa23029b81670dd1ca5f9632162c94cd1514be5

SHA256
ee84c1058f4138f1b8cd895e1b8d2f04533bc0eeaf682070a773c5890e8da98c

SHA512
344851f329957e367421fd62072b9717a733bb68f1ce2460da1e323c0e72d2f7de26fc2590b8b6289485b87f053b27ad892ad56f9218706c3a84e71156f36d9f

Download Submit
C:\Program Files (x86)\Browser Shop\dXue8m0v2iGJCX.dll
Filesize
745KB

MD5
bc75cdace94e1bcc0cd036bec46d13fe

SHA1
ff5763f3806352d6a5470bd2b16b3aaea659e343

SHA256
8b29aab90003e8bcd824cf30660f0ea018d03da0684a9e9bef0d1f11fdf85612

SHA512
6691399cd8c3c53cc43c52a9bbc5aeebd149a91e96a84e6f00824a67988a68aa666942bbcf0622c6ee5d28af7bb23d0e8275a5457594225140de1f66f14c7a3e

Download Submit
C:\Program Files (x86)\Browser Shop\dXue8m0v2iGJCX.x64.dll
Filesize
873KB

MD5
3ff4bf612ed76f50997caf4dcb2d2c74

SHA1
1680e712d635eaf8fb66409a467b168ab15c3060

SHA256
ec9e69914920641749b78ee3b8340ed638413e9fb1368a9678f3634f322ec36d

SHA512
d3cd6fb704729ed0df63bd79ab755931529c9fdf8ab544d6e09626b477625648e0c35afec39f5ff53a8dbd8998248726e8db7c207ff163d5a04384f025016cdc

Download Submit
C:\Program Files (x86)\Browser Shop\dXue8m0v2iGJCX.x64.dll
Filesize
873KB

MD5
3ff4bf612ed76f50997caf4dcb2d2c74

SHA1
1680e712d635eaf8fb66409a467b168ab15c3060

SHA256
ec9e69914920641749b78ee3b8340ed638413e9fb1368a9678f3634f322ec36d

SHA512
d3cd6fb704729ed0df63bd79ab755931529c9fdf8ab544d6e09626b477625648e0c35afec39f5ff53a8dbd8998248726e8db7c207ff163d5a04384f025016cdc

Download Submit
C:\Program Files (x86)\Browser Shop\dXue8m0v2iGJCX.x64.dll
Filesize
873KB

MD5
3ff4bf612ed76f50997caf4dcb2d2c74

SHA1
1680e712d635eaf8fb66409a467b168ab15c3060

SHA256
ec9e69914920641749b78ee3b8340ed638413e9fb1368a9678f3634f322ec36d

SHA512
d3cd6fb704729ed0df63bd79ab755931529c9fdf8ab544d6e09626b477625648e0c35afec39f5ff53a8dbd8998248726e8db7c207ff163d5a04384f025016cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25A.tmp\BediW5BCf0@u.com\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25A.tmp\BediW5BCf0@u.com\chrome.manifest
Filesize
35B

MD5
6349488d60fd43c7d1a88a57a8ccf608

SHA1
5bacc6350067d563f518e0128311ba24630ea79f

SHA256
21f1518fbae6880776acfd8c9697877bdb0c66b1cadf3ccfcb5446bbbeba818e

SHA512
7cd0e23ebd46cdbdd8078688f732f0343f4e2e2cd74e19e7980a8afcf2996e8d90b05cbdf3ef0ac6caa9d10e9ab31fc54dc1613c88a9aae15283c573daf20f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25A.tmp\BediW5BCf0@u.com\content\bg.js
Filesize
7KB

MD5
010a73863599fa069a18e394c0807d0b

SHA1
78b680c02b5a654369e45ddaf1a3468f989bb1b5

SHA256
4591b3bf36393861160f7bafbd6324b708ea0b410db8132500a27a9f8bc6c6b8

SHA512
c7e2d97950d7c55e0fe7963eeb5c2479b6ba7ad1bc834412355a94f3c916bd757fbc031758254237618b123c6e17289c1351224f33694b6866338f62a595338f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25A.tmp\BediW5BCf0@u.com\install.rdf
Filesize
604B

MD5
7d39f156b6f95bc88b82c48d96844af4

SHA1
b3711a8f2fc08f6d7c340d6d5f47db99056a96e8

SHA256
fef982cf04e4df09b88b4ee739bd3fa26b165d4c1e7604c7f7cb5195acd6d901

SHA512
1766a772d594f15bae7e92c87d18bf098f4f8660b77199f4e35e373943aeb958b4680928432642a70e947a67e79ec68d0f7fd78006ca84abb01611cd5cba90f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25A.tmp\X4oOA1qtRIZeXUd.dat
Filesize
6KB

MD5
948da42cd4e34b92ea34aa1bc4cfe717

SHA1
6fa23029b81670dd1ca5f9632162c94cd1514be5

SHA256
ee84c1058f4138f1b8cd895e1b8d2f04533bc0eeaf682070a773c5890e8da98c

SHA512
344851f329957e367421fd62072b9717a733bb68f1ce2460da1e323c0e72d2f7de26fc2590b8b6289485b87f053b27ad892ad56f9218706c3a84e71156f36d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25A.tmp\X4oOA1qtRIZeXUd.exe
Filesize
778KB

MD5
2b3591a7eecb2bfda4a75c5f22f52bbb

SHA1
4b57dc7c82dfb5aee529091314787978b6f2e58d

SHA256
def761f4af36128afc624d20df658e2ac6180c3cb72d77c219c95395d57e1aff

SHA512
0bb7cdfb987b6fbeed51cd186292d119f34fb785a31c2ebe58615f7d71e350aa4b55b458cfc9433db7957b5ade46053e3fcfa7ec004b8b6e52e02857d05d6ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25A.tmp\X4oOA1qtRIZeXUd.exe
Filesize
778KB

MD5
2b3591a7eecb2bfda4a75c5f22f52bbb

SHA1
4b57dc7c82dfb5aee529091314787978b6f2e58d

SHA256
def761f4af36128afc624d20df658e2ac6180c3cb72d77c219c95395d57e1aff

SHA512
0bb7cdfb987b6fbeed51cd186292d119f34fb785a31c2ebe58615f7d71e350aa4b55b458cfc9433db7957b5ade46053e3fcfa7ec004b8b6e52e02857d05d6ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25A.tmp\dXue8m0v2iGJCX.dll
Filesize
745KB

MD5
bc75cdace94e1bcc0cd036bec46d13fe

SHA1
ff5763f3806352d6a5470bd2b16b3aaea659e343

SHA256
8b29aab90003e8bcd824cf30660f0ea018d03da0684a9e9bef0d1f11fdf85612

SHA512
6691399cd8c3c53cc43c52a9bbc5aeebd149a91e96a84e6f00824a67988a68aa666942bbcf0622c6ee5d28af7bb23d0e8275a5457594225140de1f66f14c7a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25A.tmp\dXue8m0v2iGJCX.tlb
Filesize
3KB

MD5
253f68c25c54dc1e9c4bad94c785e6b8

SHA1
9ed5097097d76e2b145a04d42b89748f0a744143

SHA256
50578e5533d286eeb10901b8499d33e0470421b2a8c5bfba7891dba84604f9c4

SHA512
a0328571f4f6c9e1c25eaca0e4b64683459b71912f02ba4d90036cd4d11465f63de5bfa99822977fe26d69d66e883dc10b3c5a7daae216132f4d3faeeeab6f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25A.tmp\dXue8m0v2iGJCX.x64.dll
Filesize
873KB

MD5
3ff4bf612ed76f50997caf4dcb2d2c74

SHA1
1680e712d635eaf8fb66409a467b168ab15c3060

SHA256
ec9e69914920641749b78ee3b8340ed638413e9fb1368a9678f3634f322ec36d

SHA512
d3cd6fb704729ed0df63bd79ab755931529c9fdf8ab544d6e09626b477625648e0c35afec39f5ff53a8dbd8998248726e8db7c207ff163d5a04384f025016cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25A.tmp\mbgilepilfcabogjpmklmabolalpbebn\Ze.js
Filesize
5KB

MD5
93380286b4a236bf52919898cd411e79

SHA1
830ea0abfc107cadd10668967d018e6cff211bbe

SHA256
561031f79c3ad3ffb0637908c7a5790a83d6ada5cdac0e1d4b628cd963a3b152

SHA512
4ba5a9c0fef52157e4d0f58bba6f24dfc64110e3c0325767b0f6f42b1a3f818a1001e22b79d52b8c130e351441e624a6fca448ead4e67caece5cdcaa4c149cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25A.tmp\mbgilepilfcabogjpmklmabolalpbebn\background.html
Filesize
139B

MD5
67178422d1053decddd2a3b72ad25b80

SHA1
b1d37bf08441d1bf1c66eb571f7959d6a149b8b3

SHA256
a6fa6766b6dc285c6d1f3154d6635802db33c79f9f6195d50e8ada7bb996234f

SHA512
00371dc0d1f5b6aab34b533039726f0de017fee08fe5475a0920814cdd8b03b65fbf2d756456de834d146b3264465222bbdcc3c77955c636726e40cf7e4e5f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25A.tmp\mbgilepilfcabogjpmklmabolalpbebn\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25A.tmp\mbgilepilfcabogjpmklmabolalpbebn\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25A.tmp\mbgilepilfcabogjpmklmabolalpbebn\manifest.json
Filesize
504B

MD5
d532994175ac6e4e8fea2ae07edef6ff

SHA1
5646eab3cebc8b0a804103b63f08a63db784a77d

SHA256
f9a190f8cfafdeddfe9627366bcd108e42b7fa07c8d074f1570bd77489f39c4d

SHA512
ba6ddc11423c0b0d93de3e3ecb9eeebe29470723282165aa67de4329a5f9af7e390869a7cbd0834c1ff115a1ed0a274bed686b4b6630e98b268ec1f2a9a8dadb

Download Submit
memory/224-133-0x0000000000000000-mapping.dmp

Download
memory/1956-150-0x0000000000000000-mapping.dmp

Download
memory/4216-153-0x0000000000000000-mapping.dmp

Download