b4fcdad6f34b0e27e3ad3e821efe45ab4d14b9e4d8e2e9260aa9178960fc804f

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4fcdad6f34b0e27e3ad3e821efe45ab4d14b9e4d8e2e9260aa9178960fc804f.exe
Size

2.1MB
MD5

61cf6857ed90b30d1b823f929ea98dfc
SHA1

1da2a8f45ae725e1d2095fc742cf00b6bbb3ada5
SHA256

b4fcdad6f34b0e27e3ad3e821efe45ab4d14b9e4d8e2e9260aa9178960fc804f
SHA512

456ffa38f310032c088e6ba2714ecdd8d58adf09ced5ebca842e99001297082ed62c91f3700cf785d430378641aea79deee53685e01626004ef251700ec18937
SSDEEP

49152:h1OsaaFBQd+eIvim2CQHSM3OYVv8JGUpqqG:h1O/aFBw+LNRR2FQtG

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2612	p2iPESD7dJdj83H.exe

Loads dropped DLL 3 IoCs

pid	Process
2612	p2iPESD7dJdj83H.exe
5100	regsvr32.exe
888	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhfikjnljcjmlinobfgecedcldlanmc\200\manifest.json	p2iPESD7dJdj83H.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhfikjnljcjmlinobfgecedcldlanmc\200\manifest.json	p2iPESD7dJdj83H.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhfikjnljcjmlinobfgecedcldlanmc\200\manifest.json	p2iPESD7dJdj83H.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhfikjnljcjmlinobfgecedcldlanmc\200\manifest.json	p2iPESD7dJdj83H.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhfikjnljcjmlinobfgecedcldlanmc\200\manifest.json	p2iPESD7dJdj83H.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	p2iPESD7dJdj83H.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	p2iPESD7dJdj83H.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	p2iPESD7dJdj83H.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	p2iPESD7dJdj83H.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BrOwseraShoepi\Nwqke46jNNVlCU.tlb	p2iPESD7dJdj83H.exe
File opened for modification	C:\Program Files (x86)\BrOwseraShoepi\Nwqke46jNNVlCU.tlb	p2iPESD7dJdj83H.exe
File created	C:\Program Files (x86)\BrOwseraShoepi\Nwqke46jNNVlCU.dat	p2iPESD7dJdj83H.exe
File opened for modification	C:\Program Files (x86)\BrOwseraShoepi\Nwqke46jNNVlCU.dat	p2iPESD7dJdj83H.exe
File created	C:\Program Files (x86)\BrOwseraShoepi\Nwqke46jNNVlCU.x64.dll	p2iPESD7dJdj83H.exe
File opened for modification	C:\Program Files (x86)\BrOwseraShoepi\Nwqke46jNNVlCU.x64.dll	p2iPESD7dJdj83H.exe
File created	C:\Program Files (x86)\BrOwseraShoepi\Nwqke46jNNVlCU.dll	p2iPESD7dJdj83H.exe
File opened for modification	C:\Program Files (x86)\BrOwseraShoepi\Nwqke46jNNVlCU.dll	p2iPESD7dJdj83H.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 2612	4812	b4fcdad6f34b0e27e3ad3e821efe45ab4d14b9e4d8e2e9260aa9178960fc804f.exe	81
PID 4812 wrote to memory of 2612	4812	b4fcdad6f34b0e27e3ad3e821efe45ab4d14b9e4d8e2e9260aa9178960fc804f.exe	81
PID 4812 wrote to memory of 2612	4812	b4fcdad6f34b0e27e3ad3e821efe45ab4d14b9e4d8e2e9260aa9178960fc804f.exe	81
PID 2612 wrote to memory of 5100	2612	p2iPESD7dJdj83H.exe	82
PID 2612 wrote to memory of 5100	2612	p2iPESD7dJdj83H.exe	82
PID 2612 wrote to memory of 5100	2612	p2iPESD7dJdj83H.exe	82
PID 5100 wrote to memory of 888	5100	regsvr32.exe	83
PID 5100 wrote to memory of 888	5100	regsvr32.exe	83

C:\Users\Admin\AppData\Local\Temp\b4fcdad6f34b0e27e3ad3e821efe45ab4d14b9e4d8e2e9260aa9178960fc804f.exe
"C:\Users\Admin\AppData\Local\Temp\b4fcdad6f34b0e27e3ad3e821efe45ab4d14b9e4d8e2e9260aa9178960fc804f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Local\Temp\7zS8B3D.tmp\p2iPESD7dJdj83H.exe
  .\p2iPESD7dJdj83H.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\BrOwseraShoepi\Nwqke46jNNVlCU.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BrOwseraShoepi\Nwqke46jNNVlCU.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BrOwseraShoepi\Nwqke46jNNVlCU.dat

Filesize
6KB

MD5
3e652687c57b14fdd95bf896bb980bb6

SHA1
4e260235caaeb0003ceddde8eb15053798816658

SHA256
15d36c9207694486beb99825ade9df3b603fc565084a57f51403829db9a1e455

SHA512
ff3b42fd2fd3bdc537e0e968a9cf5e90517045642c30753345d18c35b542b10dbe0a1eaf18bb6f1b4610ff44f66fbf1e36ed752603a7e2c2b8520b3b1bea66bd

Download Submit
C:\Program Files (x86)\BrOwseraShoepi\Nwqke46jNNVlCU.dll

Filesize
616KB

MD5
1120f8874c79b25d1298a34781f5f753

SHA1
f7818c6893c2b5edcc4321b011ce30f5494a5cf1

SHA256
c6bbf05c75c90b71c4365aec702ccf85a42522925ae58fe3d99c91f5b8d4e4da

SHA512
5a97c876b83b063069be7748f1e9667d7684c4f3ae6f6345cc1af3bd609805eb9616ba51467ca4493894f1a79e4e23c1a6d1828c771fcbcaff0ab02defa7759b

Download Submit
C:\Program Files (x86)\BrOwseraShoepi\Nwqke46jNNVlCU.x64.dll

Filesize
696KB

MD5
8f30c38a6da083d86b39a511dcef943a

SHA1
0a6e8dd59ede58b74d2e3ea0176260f2c51a4b23

SHA256
09428431f07c3a45a7e38933bf2e4a271ad501f35a43305962259dfa84161166

SHA512
e0326b5e58ced39a6c6b75534aa6db531fdbae68882224ebb4cfbb306a4578847481fe1902bb1c0c1d84e6db997f250d801303b9cc5f51dddeff80dadd9f6ef3

Download Submit
C:\Program Files (x86)\BrOwseraShoepi\Nwqke46jNNVlCU.x64.dll

Filesize
696KB

MD5
8f30c38a6da083d86b39a511dcef943a

SHA1
0a6e8dd59ede58b74d2e3ea0176260f2c51a4b23

SHA256
09428431f07c3a45a7e38933bf2e4a271ad501f35a43305962259dfa84161166

SHA512
e0326b5e58ced39a6c6b75534aa6db531fdbae68882224ebb4cfbb306a4578847481fe1902bb1c0c1d84e6db997f250d801303b9cc5f51dddeff80dadd9f6ef3

Download Submit
C:\Program Files (x86)\BrOwseraShoepi\Nwqke46jNNVlCU.x64.dll

Filesize
696KB

MD5
8f30c38a6da083d86b39a511dcef943a

SHA1
0a6e8dd59ede58b74d2e3ea0176260f2c51a4b23

SHA256
09428431f07c3a45a7e38933bf2e4a271ad501f35a43305962259dfa84161166

SHA512
e0326b5e58ced39a6c6b75534aa6db531fdbae68882224ebb4cfbb306a4578847481fe1902bb1c0c1d84e6db997f250d801303b9cc5f51dddeff80dadd9f6ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B3D.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B3D.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
46c78933d38ec24b57a83f2ae1cbb12c

SHA1
76eb65d9dab4fb0504a3c98913a02eb48c04ddac

SHA256
235c65097bdd6d3f2456d791b74cd684fcff83b6190b77c97555f93d6b122839

SHA512
11017c2fa4c391b88a07e88197b0a064099a3ff5792a9c707b99c1500ad2cdf220c83be7564cab7d0d8a3ecdfa663ff8a01facea028c36975f4ace60babde0b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B3D.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
6e33af88d326af0b3361e272fc5eaba4

SHA1
604152893aa4d7425e03bc77425263eee972eba9

SHA256
ce2b03c6c341f9cdff0bdeb5859a597e8a29ecfb3d51938e32cbaab361b84cfa

SHA512
9c8b0b9f8f41e9d6832b121d161eab2bdbeeb7e2981c4586d53b1355cd990595774fcc975c62f98fbaf51dfd60f2984ca7827b51502180df42986b71b7647ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B3D.tmp\[email protected]\install.rdf

Filesize
601B

MD5
5f19b3c3d136dee408464a3ea1b75394

SHA1
42cba8a86021b2b8ad662f36e880b33c1294de19

SHA256
8adfe5fa8019dfb26306808c1712427cd44c104256d2858b30414a5ab62b1a1f

SHA512
c1571939d6d620320c7c6e136c0094a6a90a45722f0b67924b4b610c674669de4d1e62fcf60f6d4bb781157d7bbbd5b574ab932f9468cceed5531725edff4adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B3D.tmp\Nwqke46jNNVlCU.dll

Filesize
616KB

MD5
1120f8874c79b25d1298a34781f5f753

SHA1
f7818c6893c2b5edcc4321b011ce30f5494a5cf1

SHA256
c6bbf05c75c90b71c4365aec702ccf85a42522925ae58fe3d99c91f5b8d4e4da

SHA512
5a97c876b83b063069be7748f1e9667d7684c4f3ae6f6345cc1af3bd609805eb9616ba51467ca4493894f1a79e4e23c1a6d1828c771fcbcaff0ab02defa7759b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B3D.tmp\Nwqke46jNNVlCU.tlb

Filesize
3KB

MD5
633d469f7307d711a7f6b08d024cbe2d

SHA1
a8c01e9c7a081c175a393345a7a60fb3be0f8cde

SHA256
b3c5da764bfb906053b84e92b31e3d9b04a46b65b4e35d34c0c645496a80d054

SHA512
8b66733187095168668526f37d0348d0e78889d44edc4c0da4be486bc10fe443862228af3b112f968d08d2afe5e86a21ab26ef72d4365a15785bef400652d485

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B3D.tmp\Nwqke46jNNVlCU.x64.dll

Filesize
696KB

MD5
8f30c38a6da083d86b39a511dcef943a

SHA1
0a6e8dd59ede58b74d2e3ea0176260f2c51a4b23

SHA256
09428431f07c3a45a7e38933bf2e4a271ad501f35a43305962259dfa84161166

SHA512
e0326b5e58ced39a6c6b75534aa6db531fdbae68882224ebb4cfbb306a4578847481fe1902bb1c0c1d84e6db997f250d801303b9cc5f51dddeff80dadd9f6ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B3D.tmp\jfhfikjnljcjmlinobfgecedcldlanmc\bIb.js

Filesize
5KB

MD5
2167a72d6172c2c717091fe89aeabef2

SHA1
b3d86ab061207b13dd5319f7389c3fe66fa2279e

SHA256
7c7cc24f7aa795283efffa09334dd26406691b41139cdcb64f5ce545a2aa45af

SHA512
51aa9f09eba5a6948aaf6c4acb4f31e5a7bc06a956972b40410e067a5b86da5e2667fac6c84fa244ebecd3551879243284ec01fee00a496ac2dc2fd8a200e4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B3D.tmp\jfhfikjnljcjmlinobfgecedcldlanmc\background.html

Filesize
140B

MD5
9ccd21ab4660ba04ef43f18aaebcb0e3

SHA1
20fddb0146e6e369b060005637ade4f17a503f2b

SHA256
7f82e9565ce610a5b23d712181e51a9d39864e393172017b74d90f909eb08bb8

SHA512
3b5e7e7a35f61beb6a14a434207f5b346281e90731b83275d287a7f2288f0e775c9452ecd2d407d24149c7e29b2f0f947d824e4d8e74c162eefe799cf3adb6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B3D.tmp\jfhfikjnljcjmlinobfgecedcldlanmc\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B3D.tmp\jfhfikjnljcjmlinobfgecedcldlanmc\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B3D.tmp\jfhfikjnljcjmlinobfgecedcldlanmc\manifest.json

Filesize
506B

MD5
62efce97a53f0f0074dc2f454823008e

SHA1
b11b0fffd8854a8c7e4d151d41c0bb9677114f24

SHA256
b7e3dce729162e6e6f106f63549118b9d7a3deace388486d561a551e78422f30

SHA512
28adb6992e644907f9a038419d39874c5706ac84e31b4fbc82342bfb6b9376c4e24bb82fdf0854480aa2978f062103c3520eb042be180ba55f0f9d8a34684d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B3D.tmp\p2iPESD7dJdj83H.dat

Filesize
6KB

MD5
3e652687c57b14fdd95bf896bb980bb6

SHA1
4e260235caaeb0003ceddde8eb15053798816658

SHA256
15d36c9207694486beb99825ade9df3b603fc565084a57f51403829db9a1e455

SHA512
ff3b42fd2fd3bdc537e0e968a9cf5e90517045642c30753345d18c35b542b10dbe0a1eaf18bb6f1b4610ff44f66fbf1e36ed752603a7e2c2b8520b3b1bea66bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B3D.tmp\p2iPESD7dJdj83H.exe

Filesize
624KB

MD5
bfdd027de2e75467ce1d542d4e925e19

SHA1
1c076814ad25983cbdf0cd061978090014ebfcd1

SHA256
ebb6c1511f94ddb23847bbfe73a41bc99496c97287bfce1942af48c52e0db84a

SHA512
63c6f40107d20f4e186dbfece46c8889d17af15e641ca71db39d3dde4689c08248be12318925a3d3eeb6b6bf29b8276994feb5548a92cdcd1149118e7d857fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B3D.tmp\p2iPESD7dJdj83H.exe

Filesize
624KB

MD5
bfdd027de2e75467ce1d542d4e925e19

SHA1
1c076814ad25983cbdf0cd061978090014ebfcd1

SHA256
ebb6c1511f94ddb23847bbfe73a41bc99496c97287bfce1942af48c52e0db84a

SHA512
63c6f40107d20f4e186dbfece46c8889d17af15e641ca71db39d3dde4689c08248be12318925a3d3eeb6b6bf29b8276994feb5548a92cdcd1149118e7d857fc7

Download Submit