321ee46cff06088d7ea63461294d77ecff475b75fef5792d09fac0213013bb1e

Analysis

max time kernel
33s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

321ee46cff06088d7ea63461294d77ecff475b75fef5792d09fac0213013bb1e.exe
Size

2.1MB
MD5

08caa5e3ca6b81b4648bf6310fcb67d8
SHA1

dc4aa9246081c73dc27330c202e020be08d18955
SHA256

321ee46cff06088d7ea63461294d77ecff475b75fef5792d09fac0213013bb1e
SHA512

443e790933f7acd1939f5cbefb64e01f77bc1a0e116b998a56af5450b3cda6a821b5345b7f697921e1b904600137b36ec11ca3be99e9875b2f80b2424a6e1c11
SSDEEP

49152:h1OsxPY2QfeuG1nqR/d9zWFUZsqI6uPUgnWGaU:h1OIlQfeuGIR1RfuPUg

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1996	cOcSjWDkMaj3btk.exe

Loads dropped DLL 4 IoCs

pid	Process
1856	321ee46cff06088d7ea63461294d77ecff475b75fef5792d09fac0213013bb1e.exe
1996	cOcSjWDkMaj3btk.exe
1452	regsvr32.exe
948	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eidaldbkioifoaejmaamedlfcpeebkhc\200\manifest.json	cOcSjWDkMaj3btk.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\eidaldbkioifoaejmaamedlfcpeebkhc\200\manifest.json	cOcSjWDkMaj3btk.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\eidaldbkioifoaejmaamedlfcpeebkhc\200\manifest.json	cOcSjWDkMaj3btk.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	cOcSjWDkMaj3btk.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	cOcSjWDkMaj3btk.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	cOcSjWDkMaj3btk.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	cOcSjWDkMaj3btk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	cOcSjWDkMaj3btk.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Browser Shop\IZdaC0ePWftnQW.tlb	cOcSjWDkMaj3btk.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\IZdaC0ePWftnQW.tlb	cOcSjWDkMaj3btk.exe
File created	C:\Program Files (x86)\Browser Shop\IZdaC0ePWftnQW.dat	cOcSjWDkMaj3btk.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\IZdaC0ePWftnQW.dat	cOcSjWDkMaj3btk.exe
File created	C:\Program Files (x86)\Browser Shop\IZdaC0ePWftnQW.x64.dll	cOcSjWDkMaj3btk.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\IZdaC0ePWftnQW.x64.dll	cOcSjWDkMaj3btk.exe
File created	C:\Program Files (x86)\Browser Shop\IZdaC0ePWftnQW.dll	cOcSjWDkMaj3btk.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\IZdaC0ePWftnQW.dll	cOcSjWDkMaj3btk.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 1996	1856	321ee46cff06088d7ea63461294d77ecff475b75fef5792d09fac0213013bb1e.exe	27
PID 1856 wrote to memory of 1996	1856	321ee46cff06088d7ea63461294d77ecff475b75fef5792d09fac0213013bb1e.exe	27
PID 1856 wrote to memory of 1996	1856	321ee46cff06088d7ea63461294d77ecff475b75fef5792d09fac0213013bb1e.exe	27
PID 1856 wrote to memory of 1996	1856	321ee46cff06088d7ea63461294d77ecff475b75fef5792d09fac0213013bb1e.exe	27
PID 1996 wrote to memory of 1452	1996	cOcSjWDkMaj3btk.exe	28
PID 1996 wrote to memory of 1452	1996	cOcSjWDkMaj3btk.exe	28
PID 1996 wrote to memory of 1452	1996	cOcSjWDkMaj3btk.exe	28
PID 1996 wrote to memory of 1452	1996	cOcSjWDkMaj3btk.exe	28
PID 1996 wrote to memory of 1452	1996	cOcSjWDkMaj3btk.exe	28
PID 1996 wrote to memory of 1452	1996	cOcSjWDkMaj3btk.exe	28
PID 1996 wrote to memory of 1452	1996	cOcSjWDkMaj3btk.exe	28
PID 1452 wrote to memory of 948	1452	regsvr32.exe	29
PID 1452 wrote to memory of 948	1452	regsvr32.exe	29
PID 1452 wrote to memory of 948	1452	regsvr32.exe	29
PID 1452 wrote to memory of 948	1452	regsvr32.exe	29
PID 1452 wrote to memory of 948	1452	regsvr32.exe	29
PID 1452 wrote to memory of 948	1452	regsvr32.exe	29
PID 1452 wrote to memory of 948	1452	regsvr32.exe	29

C:\Users\Admin\AppData\Local\Temp\321ee46cff06088d7ea63461294d77ecff475b75fef5792d09fac0213013bb1e.exe
"C:\Users\Admin\AppData\Local\Temp\321ee46cff06088d7ea63461294d77ecff475b75fef5792d09fac0213013bb1e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\7zS4606.tmp\cOcSjWDkMaj3btk.exe
  .\cOcSjWDkMaj3btk.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Browser Shop\IZdaC0ePWftnQW.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Browser Shop\IZdaC0ePWftnQW.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Browser Shop\IZdaC0ePWftnQW.dat

Filesize
6KB

MD5
664b57f13715070c1188d2f08241f656

SHA1
b148bb256d3749ebd3a7a268cf62945aa8444f5c

SHA256
025eff2a1cfff0075db3891c4e875bcc4811a4fb2d0cddb35318d9d051ebc2e9

SHA512
bded7ff39378ef3230e4e6dd21b2b0f9146ca5607f0a031581ed300bd7df8ad3b95668f4c6cf928f47ba77382954a8190ec33c3fa47722cc128c3a3dd64c8daf

Download Submit
C:\Program Files (x86)\Browser Shop\IZdaC0ePWftnQW.x64.dll

Filesize
693KB

MD5
036a783b0d4af93086c9bef9bf1ed7d8

SHA1
58624b183fda19f285365c464914d8c342f693e5

SHA256
1cb50065e24f17a830d511888a1d857556e804ad0ad82d67953b3cbf04a406ec

SHA512
5f25cd28cad3bdd19475d2adfe7385cf177f0177010cd30d2cb03b237f011ae14b993a61466b71fa81613b51664f6b7c4ece954e78d667a17146e9aa38752062

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4606.tmp\IZdaC0ePWftnQW.dll

Filesize
612KB

MD5
4e8d65edf539af96ec6861d8445573ae

SHA1
1b4554cd7c108aa09bb3aed009ac8440c0f8bb93

SHA256
f7931fcce1da10bbc25b3aff0b72a6744a7e454d9fc5d83f9c612e142eafee87

SHA512
a0ffd39e17e3e39d12d36bacebd21ac309f09b36e26b786d54e0218d6c41c01a3c3ecfe37aa7c4636f8be3c6821f21a21a3ba327d93fbddcb7adfca591838455

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4606.tmp\IZdaC0ePWftnQW.tlb

Filesize
3KB

MD5
123d8e428b231b034495720766d9db44

SHA1
20db932b0f9fb5045ae866259d4c4c2650e519fe

SHA256
e5a0972cb89bbe9ca59f02a11f145178b7cfee9d43cd2e6729b4d4b9c1809d1f

SHA512
79444ea1e1eecf5adaef18c229516bb095898a7ceed229133a6d6e7082ce02c9e40612ca2b3474d8934f47f41077784cf252ca5832faf0b7063d8cb3c31a1afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4606.tmp\IZdaC0ePWftnQW.x64.dll

Filesize
693KB

MD5
036a783b0d4af93086c9bef9bf1ed7d8

SHA1
58624b183fda19f285365c464914d8c342f693e5

SHA256
1cb50065e24f17a830d511888a1d857556e804ad0ad82d67953b3cbf04a406ec

SHA512
5f25cd28cad3bdd19475d2adfe7385cf177f0177010cd30d2cb03b237f011ae14b993a61466b71fa81613b51664f6b7c4ece954e78d667a17146e9aa38752062

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4606.tmp\cOcSjWDkMaj3btk.dat

Filesize
6KB

MD5
664b57f13715070c1188d2f08241f656

SHA1
b148bb256d3749ebd3a7a268cf62945aa8444f5c

SHA256
025eff2a1cfff0075db3891c4e875bcc4811a4fb2d0cddb35318d9d051ebc2e9

SHA512
bded7ff39378ef3230e4e6dd21b2b0f9146ca5607f0a031581ed300bd7df8ad3b95668f4c6cf928f47ba77382954a8190ec33c3fa47722cc128c3a3dd64c8daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4606.tmp\cOcSjWDkMaj3btk.exe

Filesize
634KB

MD5
af19e3488de335eb28ca3eb46566b7e1

SHA1
1ec3cdea5742b5961605cc1dea8e4d347a5d9cc1

SHA256
e59002c28df258c3a628aa28295edaf96f4235811f04aabab4bb5a42d3cd46cb

SHA512
a51581e8a6becbc27eb3d51b5ec195205d58f15f0483856f7a1afa8927dd138bea301db9253d731fc7c235b4b3acc1cbbe41b3eb04d94d2773942a76e7323247

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4606.tmp\cOcSjWDkMaj3btk.exe

Filesize
634KB

MD5
af19e3488de335eb28ca3eb46566b7e1

SHA1
1ec3cdea5742b5961605cc1dea8e4d347a5d9cc1

SHA256
e59002c28df258c3a628aa28295edaf96f4235811f04aabab4bb5a42d3cd46cb

SHA512
a51581e8a6becbc27eb3d51b5ec195205d58f15f0483856f7a1afa8927dd138bea301db9253d731fc7c235b4b3acc1cbbe41b3eb04d94d2773942a76e7323247

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4606.tmp\eidaldbkioifoaejmaamedlfcpeebkhc\background.html

Filesize
144B

MD5
19878b7b8736dbe690d11066482f9b23

SHA1
af757ef40720b0f468ecee23c426acd26800a1cb

SHA256
cc17e8e6fd24bd813ffc0fc3ec9f0c23b51e1612cff2df77c3b770b4742e8325

SHA512
4d076ed5e1db76efa32e0c9dbed8105b383d5af6eb7fe65aa37a37a0b3acaaeb96ccda61758792ae307738d1e19591a775d6746c2d68c2a29775b5557eaf93c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4606.tmp\eidaldbkioifoaejmaamedlfcpeebkhc\bcFS17x.js

Filesize
5KB

MD5
43ff72a1413212b8901ec649ae0936da

SHA1
5b5ed55778976009c9b71a482b4c61237d4df67b

SHA256
ef2d409e7fa8214306f67f6109d1476ad9ac977f082146c4831d72fedf730617

SHA512
d99cb427b11848c2f83f4237e0e7895aedcb897d891ef4471be3aca500133be2e9beb12ad4ce9fd2959eaf243720216abb6ebdb1bd9c5e278f4c392c62313d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4606.tmp\eidaldbkioifoaejmaamedlfcpeebkhc\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4606.tmp\eidaldbkioifoaejmaamedlfcpeebkhc\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4606.tmp\eidaldbkioifoaejmaamedlfcpeebkhc\manifest.json

Filesize
504B

MD5
d532994175ac6e4e8fea2ae07edef6ff

SHA1
5646eab3cebc8b0a804103b63f08a63db784a77d

SHA256
f9a190f8cfafdeddfe9627366bcd108e42b7fa07c8d074f1570bd77489f39c4d

SHA512
ba6ddc11423c0b0d93de3e3ecb9eeebe29470723282165aa67de4329a5f9af7e390869a7cbd0834c1ff115a1ed0a274bed686b4b6630e98b268ec1f2a9a8dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4606.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4606.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
0c373b52ab6836bb20e703ccefcd9c4f

SHA1
e0d4fd97b0b0c0c2d706bfd59bf2e88e01ec5b22

SHA256
c1f561a101cb1c99f144aaf0c0d7cf6c10e840e5d3f4d1dea48b932e0de7ba79

SHA512
6160914e9e96d2baac2009f1e82ae1fd0515ba37653fd012cf11dbc30c518eac488271766b84e0f4b299ae715b37dbb974f91e3e9cad71ab8bbc58a5cbc1b1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4606.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
8a099b3459d8e0ef723aeacb0e9d1f78

SHA1
2d86a1e7656641847db01af0451c07bc62c45a5c

SHA256
38d873a56e453f346efbc70e3ec6f2cf967d0a03f6cedc1ccf570d0e5c6d4484

SHA512
30763d43f2f18346e5666996b6fee904701c31445c2a64861a37c511e55535b685aa34a57775eb08418d8484dc8d860399854635feba56945be5447179bcb891

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4606.tmp\[email protected]\install.rdf

Filesize
597B

MD5
7ee8a1cd48a7182acd1c6e0b39c722ee

SHA1
a339e66b206413bd4d96dfeb83c128fdd49cb425

SHA256
89dc13e28ee4dc7735a85a8dd562767591209ead503d2c99110756aed9dd5cd8

SHA512
ed01fe53e12486a94d8226c4dfb5de992763c5c4ae7e77faf680f8bbbf2004748a3654aacfe2a49b2f6f3dc72fc124b940f451c76f2b60fef6270c4d9d685f99

Download Submit
\Program Files (x86)\Browser Shop\IZdaC0ePWftnQW.dll

Filesize
612KB

MD5
4e8d65edf539af96ec6861d8445573ae

SHA1
1b4554cd7c108aa09bb3aed009ac8440c0f8bb93

SHA256
f7931fcce1da10bbc25b3aff0b72a6744a7e454d9fc5d83f9c612e142eafee87

SHA512
a0ffd39e17e3e39d12d36bacebd21ac309f09b36e26b786d54e0218d6c41c01a3c3ecfe37aa7c4636f8be3c6821f21a21a3ba327d93fbddcb7adfca591838455

Download Submit
\Program Files (x86)\Browser Shop\IZdaC0ePWftnQW.x64.dll

Filesize
693KB

MD5
036a783b0d4af93086c9bef9bf1ed7d8

SHA1
58624b183fda19f285365c464914d8c342f693e5

SHA256
1cb50065e24f17a830d511888a1d857556e804ad0ad82d67953b3cbf04a406ec

SHA512
5f25cd28cad3bdd19475d2adfe7385cf177f0177010cd30d2cb03b237f011ae14b993a61466b71fa81613b51664f6b7c4ece954e78d667a17146e9aa38752062

Download Submit
\Program Files (x86)\Browser Shop\IZdaC0ePWftnQW.x64.dll

Filesize
693KB

MD5
036a783b0d4af93086c9bef9bf1ed7d8

SHA1
58624b183fda19f285365c464914d8c342f693e5

SHA256
1cb50065e24f17a830d511888a1d857556e804ad0ad82d67953b3cbf04a406ec

SHA512
5f25cd28cad3bdd19475d2adfe7385cf177f0177010cd30d2cb03b237f011ae14b993a61466b71fa81613b51664f6b7c4ece954e78d667a17146e9aa38752062

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4606.tmp\cOcSjWDkMaj3btk.exe

Filesize
634KB

MD5
af19e3488de335eb28ca3eb46566b7e1

SHA1
1ec3cdea5742b5961605cc1dea8e4d347a5d9cc1

SHA256
e59002c28df258c3a628aa28295edaf96f4235811f04aabab4bb5a42d3cd46cb

SHA512
a51581e8a6becbc27eb3d51b5ec195205d58f15f0483856f7a1afa8927dd138bea301db9253d731fc7c235b4b3acc1cbbe41b3eb04d94d2773942a76e7323247

Download Submit
memory/948-78-0x000007FEFC311000-0x000007FEFC313000-memory.dmp

Filesize
8KB

Download
memory/1856-54-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download