c0292da4f2a0af7393967a806f89db8129967da15c3e14feb142dd74d1bc426f

Analysis

max time kernel
349s
max time network
431s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0292da4f2a0af7393967a806f89db8129967da15c3e14feb142dd74d1bc426f.exe
Size

2.5MB
MD5

981540e5aadb8c7b3fc16383dee08218
SHA1

712465521c32774beb5a6a83b16fdb52498859a5
SHA256

c0292da4f2a0af7393967a806f89db8129967da15c3e14feb142dd74d1bc426f
SHA512

2c4f0064c56e956312a7f99d9e34f0c664b4fbc4865eab8ce54cc2c2e58514a322ce35db404d576daa8ea3c5b8e2269cfb47f781601289d03c4ca9cb025ca99b
SSDEEP

49152:h1OslSQeb71DLvFzAqRmyyVchO4apKHcHhXa3FXWlPC1IS5z0:h1OcSQY1DCqkck4apyLqb

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Ocp4MdudQc2NriL.exe

pid process

3248 Ocp4MdudQc2NriL.exe
Loads dropped DLL 3 IoCs

Processes:

Ocp4MdudQc2NriL.exeregsvr32.exeregsvr32.exe

pid process

3248 Ocp4MdudQc2NriL.exe
4752 regsvr32.exe
4940 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3248	Ocp4MdudQc2NriL.exe

pid	process
3248	Ocp4MdudQc2NriL.exe
4752	regsvr32.exe
4940	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

Ocp4MdudQc2NriL.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oegddmfdpmgebfcoondhnpjhhdnjeden\1.0\manifest.json	Ocp4MdudQc2NriL.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\oegddmfdpmgebfcoondhnpjhhdnjeden\1.0\manifest.json	Ocp4MdudQc2NriL.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\oegddmfdpmgebfcoondhnpjhhdnjeden\1.0\manifest.json	Ocp4MdudQc2NriL.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\oegddmfdpmgebfcoondhnpjhhdnjeden\1.0\manifest.json	Ocp4MdudQc2NriL.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\oegddmfdpmgebfcoondhnpjhhdnjeden\1.0\manifest.json	Ocp4MdudQc2NriL.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

Ocp4MdudQc2NriL.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	Ocp4MdudQc2NriL.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	Ocp4MdudQc2NriL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	Ocp4MdudQc2NriL.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	Ocp4MdudQc2NriL.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

Ocp4MdudQc2NriL.exe

description	ioc	process
File created	C:\Program Files (x86)\YoutubeAdBlocke\gak4QLoQd2WH1N.tlb	Ocp4MdudQc2NriL.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\gak4QLoQd2WH1N.tlb	Ocp4MdudQc2NriL.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\gak4QLoQd2WH1N.dat	Ocp4MdudQc2NriL.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\gak4QLoQd2WH1N.dat	Ocp4MdudQc2NriL.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\gak4QLoQd2WH1N.x64.dll	Ocp4MdudQc2NriL.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\gak4QLoQd2WH1N.x64.dll	Ocp4MdudQc2NriL.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\gak4QLoQd2WH1N.dll	Ocp4MdudQc2NriL.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\gak4QLoQd2WH1N.dll	Ocp4MdudQc2NriL.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Ocp4MdudQc2NriL.exe

pid process

3248 Ocp4MdudQc2NriL.exe
3248 Ocp4MdudQc2NriL.exe

pid	process
3248	Ocp4MdudQc2NriL.exe
3248	Ocp4MdudQc2NriL.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c0292da4f2a0af7393967a806f89db8129967da15c3e14feb142dd74d1bc426f.exeOcp4MdudQc2NriL.exeregsvr32.exe

description	pid	process	target process
PID 3352 wrote to memory of 3248	3352	c0292da4f2a0af7393967a806f89db8129967da15c3e14feb142dd74d1bc426f.exe	Ocp4MdudQc2NriL.exe
PID 3352 wrote to memory of 3248	3352	c0292da4f2a0af7393967a806f89db8129967da15c3e14feb142dd74d1bc426f.exe	Ocp4MdudQc2NriL.exe
PID 3352 wrote to memory of 3248	3352	c0292da4f2a0af7393967a806f89db8129967da15c3e14feb142dd74d1bc426f.exe	Ocp4MdudQc2NriL.exe
PID 3248 wrote to memory of 4752	3248	Ocp4MdudQc2NriL.exe	regsvr32.exe
PID 3248 wrote to memory of 4752	3248	Ocp4MdudQc2NriL.exe	regsvr32.exe
PID 3248 wrote to memory of 4752	3248	Ocp4MdudQc2NriL.exe	regsvr32.exe
PID 4752 wrote to memory of 4940	4752	regsvr32.exe	regsvr32.exe
PID 4752 wrote to memory of 4940	4752	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\c0292da4f2a0af7393967a806f89db8129967da15c3e14feb142dd74d1bc426f.exe
"C:\Users\Admin\AppData\Local\Temp\c0292da4f2a0af7393967a806f89db8129967da15c3e14feb142dd74d1bc426f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Users\Admin\AppData\Local\Temp\7zS7A2E.tmp\Ocp4MdudQc2NriL.exe
  .\Ocp4MdudQc2NriL.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdBlocke\gak4QLoQd2WH1N.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YoutubeAdBlocke\gak4QLoQd2WH1N.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:4940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutubeAdBlocke\gak4QLoQd2WH1N.dat

Filesize
6KB

MD5
18f9e1219f73f9ad4c8c6914535ec657

SHA1
7a96659e52d9ac9dbebc788254806e47880a3dc6

SHA256
ccfe325be97c4e20456b72e6902cedd7b06c2fb89fdf11fe4f1d0eca390a2e2a

SHA512
465baa4b64c8b738d5b0319c190e902ea4c4758b79b275156f9f802a8a44e9eac6d7aa78ced71c55ac74c1dccf482b819e4dc1b37948c8066d98c465c8de83cf

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\gak4QLoQd2WH1N.dll

Filesize
745KB

MD5
ce27e078a917088b7459c44570637b9d

SHA1
4d9e95fc9b97a1f21221f96ea8fbee55132e82b7

SHA256
8804ae047c9ba998964a359f278f54fa1d671ed245b7dfe117625f1ce0d5e84f

SHA512
492fdacef00a45dfe6d9db9c80b908bd0d9ebb4bf75c1f4053a8e281cfad5279646754a711484709de6f571487276ec19f71552522dc218fba8331bf6358f9ce

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\gak4QLoQd2WH1N.x64.dll

Filesize
886KB

MD5
1433d7e71196529644716ffc72c261b2

SHA1
f35147e7dc56f4e92856061b48c9f7a872e10385

SHA256
2ae79c724f8c2a134c125315fc6ee929b7ce09260e80b61c9a9e915571103e3f

SHA512
c363a35bd82214350439dcf6aaf9048b29f10aaeb3b1c3a69222792a94fab1009a5f6b6528df102ae082c129cce50ae7d646abc1dbd8ff9e788a9d05828c272c

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\gak4QLoQd2WH1N.x64.dll

Filesize
886KB

MD5
1433d7e71196529644716ffc72c261b2

SHA1
f35147e7dc56f4e92856061b48c9f7a872e10385

SHA256
2ae79c724f8c2a134c125315fc6ee929b7ce09260e80b61c9a9e915571103e3f

SHA512
c363a35bd82214350439dcf6aaf9048b29f10aaeb3b1c3a69222792a94fab1009a5f6b6528df102ae082c129cce50ae7d646abc1dbd8ff9e788a9d05828c272c

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\gak4QLoQd2WH1N.x64.dll

Filesize
886KB

MD5
1433d7e71196529644716ffc72c261b2

SHA1
f35147e7dc56f4e92856061b48c9f7a872e10385

SHA256
2ae79c724f8c2a134c125315fc6ee929b7ce09260e80b61c9a9e915571103e3f

SHA512
c363a35bd82214350439dcf6aaf9048b29f10aaeb3b1c3a69222792a94fab1009a5f6b6528df102ae082c129cce50ae7d646abc1dbd8ff9e788a9d05828c272c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A2E.tmp\Ocp4MdudQc2NriL.dat

Filesize
6KB

MD5
18f9e1219f73f9ad4c8c6914535ec657

SHA1
7a96659e52d9ac9dbebc788254806e47880a3dc6

SHA256
ccfe325be97c4e20456b72e6902cedd7b06c2fb89fdf11fe4f1d0eca390a2e2a

SHA512
465baa4b64c8b738d5b0319c190e902ea4c4758b79b275156f9f802a8a44e9eac6d7aa78ced71c55ac74c1dccf482b819e4dc1b37948c8066d98c465c8de83cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A2E.tmp\Ocp4MdudQc2NriL.exe

Filesize
770KB

MD5
b4c30381dd37fea1c1c69bcb3ad48b32

SHA1
869eca61396754586f7e85ebf65a334e01856740

SHA256
66481ba6d9cbf3c7662fc7cfd867739077256f60f4165f76dfdcd9461500ae50

SHA512
1e7bbdd7a75b748ff9a5f70b46766b0108effc84e0cc7c5d8a1f32e56136181060a4363ed2cbd6ed14d195a2379cf8148680380256f31b809bb77d1fe0bf064f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A2E.tmp\Ocp4MdudQc2NriL.exe

Filesize
770KB

MD5
b4c30381dd37fea1c1c69bcb3ad48b32

SHA1
869eca61396754586f7e85ebf65a334e01856740

SHA256
66481ba6d9cbf3c7662fc7cfd867739077256f60f4165f76dfdcd9461500ae50

SHA512
1e7bbdd7a75b748ff9a5f70b46766b0108effc84e0cc7c5d8a1f32e56136181060a4363ed2cbd6ed14d195a2379cf8148680380256f31b809bb77d1fe0bf064f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A2E.tmp\gak4QLoQd2WH1N.dll

Filesize
745KB

MD5
ce27e078a917088b7459c44570637b9d

SHA1
4d9e95fc9b97a1f21221f96ea8fbee55132e82b7

SHA256
8804ae047c9ba998964a359f278f54fa1d671ed245b7dfe117625f1ce0d5e84f

SHA512
492fdacef00a45dfe6d9db9c80b908bd0d9ebb4bf75c1f4053a8e281cfad5279646754a711484709de6f571487276ec19f71552522dc218fba8331bf6358f9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A2E.tmp\gak4QLoQd2WH1N.tlb

Filesize
3KB

MD5
f636475c74627ddf7b3b6b6dfaa8d491

SHA1
fb3a63977f8b0e07f18d313ace3e1f1223dc423b

SHA256
e6e330d72d59551c9ba78464c4081280510901a82f66d94c84cc94ca4594e4b2

SHA512
ba788afd76700c60fa8d899ea6ebc1c69594b09d9099c7cb4d408e290575c9ed89b0288df1a1ca9f1562564eb65f51f8add17f4c57eea7fe890b38592560fb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A2E.tmp\gak4QLoQd2WH1N.x64.dll

Filesize
886KB

MD5
1433d7e71196529644716ffc72c261b2

SHA1
f35147e7dc56f4e92856061b48c9f7a872e10385

SHA256
2ae79c724f8c2a134c125315fc6ee929b7ce09260e80b61c9a9e915571103e3f

SHA512
c363a35bd82214350439dcf6aaf9048b29f10aaeb3b1c3a69222792a94fab1009a5f6b6528df102ae082c129cce50ae7d646abc1dbd8ff9e788a9d05828c272c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A2E.tmp\oegddmfdpmgebfcoondhnpjhhdnjeden\PXiI.js

Filesize
5KB

MD5
3698824be40ea7d1a52080a79b3ddf3d

SHA1
2f03f21893863cf4ea996b68f0f86a77f740816e

SHA256
756020afc3d10a46adfa07c6d72513f0a7e67b04d058b7cc0e826dba04a65cce

SHA512
8bb8e8119c880e7d455468594424c27517f2ae25e216cedd1fdd3374685bb80e010a57a88b62619bcd5458054873ca34bf38500ee06bb7eb3ed83b592a3f20c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A2E.tmp\oegddmfdpmgebfcoondhnpjhhdnjeden\background.html

Filesize
141B

MD5
e3acd1b9eadc0c31e28fae9544edfe7d

SHA1
0eb32916ab5db82fbb02c2ee1760e3a7cadb3f47

SHA256
581e80d5e1e8efba67961128f21392f9d92c4df527818d56aa46d141f3b62efa

SHA512
2ceeda8220f098ab453d05c87c326f78b2c78ffc50b6ab1b93c10dcc777c1ce8a76003103b68462971cc05d831d3e38c74520c2c36aedfa90a4490ecf563aa7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A2E.tmp\oegddmfdpmgebfcoondhnpjhhdnjeden\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A2E.tmp\oegddmfdpmgebfcoondhnpjhhdnjeden\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A2E.tmp\oegddmfdpmgebfcoondhnpjhhdnjeden\manifest.json

Filesize
507B

MD5
d429395a45a9aa09e4ee9054e9196b30

SHA1
c5dbab4e27650b07d4d159c305d08a9d578c3a3e

SHA256
674fc32cde82ed69cb8595bbea9f70f69097062c39bd6a3a505227a4f4a45344

SHA512
4a5bc7c005e573bf0cdb89489d676fb26c5fe116d397a6cd7a1ebb2cae9605b3d1657378e17d354cb102e93c39b32fa8d2963f375af37c871452f3170356101e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A2E.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A2E.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
b1e5e95ebff60a93c7dc9cff0b8128e0

SHA1
14b8a847690b34ec3d3522e6c91703dbe904e65f

SHA256
515df4f55731f134d8550dcc181f03579d657de1cac4449216857558a53efa62

SHA512
b686e83908566e1721d867a439b3d3e2d1ebb080737beac1d482236b51a935762037b291dbbde09cdfc2ca57c10b6005801bbd122c4988806a377e329ef4ea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A2E.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
f2fe68b9dbcea77881772b961500753f

SHA1
1f7a3f26d37af3b96722cbade628faf0bbbdd25b

SHA256
6ccb8a5debe7e9c4a1a925e6b01e0ed0c9b0d2bcdac86cd3cfd94713159e1131

SHA512
25f75a47d268b4581a27bfed24a4c67a7b63a9a0418e2c26fdebc6c124815a3ce3ef1ed8978213a0ecafdfebca7627ffe928dea9016f1b6114aa7e938a146a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A2E.tmp\[email protected]\install.rdf

Filesize
601B

MD5
2460f78c8d186dc9ba9a0f5715012e12

SHA1
ac4b39db1b7f6acbdd4f9b0e13502fc7be2116dd

SHA256
6235ce5b2fe7f790129f631d8a880bd6278b4752ba1512dc592fad3716c3e777

SHA512
ed7b0a92a553766577e0cb0b3ab47d0da8ce666966e825fea6e777e136c55ed2664f9758e53344d9ab0a33df406fd1a4720b57c2888098bfb1c551aab5e7661d

Download Submit
memory/3248-132-0x0000000000000000-mapping.dmp

Download
memory/4752-149-0x0000000000000000-mapping.dmp

Download
memory/4940-152-0x0000000000000000-mapping.dmp

Download