f6ed38b9a0203b8ebdbadef1a96a81a31a7cb9ed91b45c93c111df06898aa742

Analysis

max time kernel
35s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6ed38b9a0203b8ebdbadef1a96a81a31a7cb9ed91b45c93c111df06898aa742.exe
Size

2.1MB
MD5

d5c4309d3bca2e9294e20ad6eaee8aa3
SHA1

f278c732b80ddd630eb608e41e63a74f785cea86
SHA256

f6ed38b9a0203b8ebdbadef1a96a81a31a7cb9ed91b45c93c111df06898aa742
SHA512

5dd7c1400f15bffcdd99ea4d3db0b5452b0968128837c9f3235c794b6225674f0e02078c54eb8f5421f19fdc28110b77024ec4e3b3b5e8f77eb7bfee5b6a44ee
SSDEEP

24576:h1OYdaOmZ4/yZSbsUcMInv5HPeIvYgKLdQ4z7NW6IY12Ck5GfPra5TDVRd:h1OsM+yZS/cMIndPeIvzKL/7NW6L+pRd

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1556	9wiC0wfwQWlcw0a.exe

Loads dropped DLL 4 IoCs

pid	Process
1344	f6ed38b9a0203b8ebdbadef1a96a81a31a7cb9ed91b45c93c111df06898aa742.exe
1556	9wiC0wfwQWlcw0a.exe
952	regsvr32.exe
1936	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\imnmecnhpldiabjnmfehafpbafcjkefp\1.0\manifest.json	9wiC0wfwQWlcw0a.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\imnmecnhpldiabjnmfehafpbafcjkefp\1.0\manifest.json	9wiC0wfwQWlcw0a.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\imnmecnhpldiabjnmfehafpbafcjkefp\1.0\manifest.json	9wiC0wfwQWlcw0a.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	9wiC0wfwQWlcw0a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	9wiC0wfwQWlcw0a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	9wiC0wfwQWlcw0a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	9wiC0wfwQWlcw0a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	9wiC0wfwQWlcw0a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\YouotubeAdBloCkee\149g9humjW1nsV.x64.dll	9wiC0wfwQWlcw0a.exe
File opened for modification	C:\Program Files (x86)\YouotubeAdBloCkee\149g9humjW1nsV.x64.dll	9wiC0wfwQWlcw0a.exe
File created	C:\Program Files (x86)\YouotubeAdBloCkee\149g9humjW1nsV.dll	9wiC0wfwQWlcw0a.exe
File opened for modification	C:\Program Files (x86)\YouotubeAdBloCkee\149g9humjW1nsV.dll	9wiC0wfwQWlcw0a.exe
File created	C:\Program Files (x86)\YouotubeAdBloCkee\149g9humjW1nsV.tlb	9wiC0wfwQWlcw0a.exe
File opened for modification	C:\Program Files (x86)\YouotubeAdBloCkee\149g9humjW1nsV.tlb	9wiC0wfwQWlcw0a.exe
File created	C:\Program Files (x86)\YouotubeAdBloCkee\149g9humjW1nsV.dat	9wiC0wfwQWlcw0a.exe
File opened for modification	C:\Program Files (x86)\YouotubeAdBloCkee\149g9humjW1nsV.dat	9wiC0wfwQWlcw0a.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 1556	1344	f6ed38b9a0203b8ebdbadef1a96a81a31a7cb9ed91b45c93c111df06898aa742.exe	26
PID 1344 wrote to memory of 1556	1344	f6ed38b9a0203b8ebdbadef1a96a81a31a7cb9ed91b45c93c111df06898aa742.exe	26
PID 1344 wrote to memory of 1556	1344	f6ed38b9a0203b8ebdbadef1a96a81a31a7cb9ed91b45c93c111df06898aa742.exe	26
PID 1344 wrote to memory of 1556	1344	f6ed38b9a0203b8ebdbadef1a96a81a31a7cb9ed91b45c93c111df06898aa742.exe	26
PID 1556 wrote to memory of 952	1556	9wiC0wfwQWlcw0a.exe	27
PID 1556 wrote to memory of 952	1556	9wiC0wfwQWlcw0a.exe	27
PID 1556 wrote to memory of 952	1556	9wiC0wfwQWlcw0a.exe	27
PID 1556 wrote to memory of 952	1556	9wiC0wfwQWlcw0a.exe	27
PID 1556 wrote to memory of 952	1556	9wiC0wfwQWlcw0a.exe	27
PID 1556 wrote to memory of 952	1556	9wiC0wfwQWlcw0a.exe	27
PID 1556 wrote to memory of 952	1556	9wiC0wfwQWlcw0a.exe	27
PID 952 wrote to memory of 1936	952	regsvr32.exe	28
PID 952 wrote to memory of 1936	952	regsvr32.exe	28
PID 952 wrote to memory of 1936	952	regsvr32.exe	28
PID 952 wrote to memory of 1936	952	regsvr32.exe	28
PID 952 wrote to memory of 1936	952	regsvr32.exe	28
PID 952 wrote to memory of 1936	952	regsvr32.exe	28
PID 952 wrote to memory of 1936	952	regsvr32.exe	28

C:\Users\Admin\AppData\Local\Temp\f6ed38b9a0203b8ebdbadef1a96a81a31a7cb9ed91b45c93c111df06898aa742.exe
"C:\Users\Admin\AppData\Local\Temp\f6ed38b9a0203b8ebdbadef1a96a81a31a7cb9ed91b45c93c111df06898aa742.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\7zS7C52.tmp\9wiC0wfwQWlcw0a.exe
  .\9wiC0wfwQWlcw0a.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YouotubeAdBloCkee\149g9humjW1nsV.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YouotubeAdBloCkee\149g9humjW1nsV.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YouotubeAdBloCkee\149g9humjW1nsV.dat

Filesize
6KB

MD5
e1fb791f874e6daead9715bdbd99ded5

SHA1
e820cb4810f8d39ba706e8996d0c0527b6f6f3ae

SHA256
5a4864578ae61b8339c1e3c3f16db5ce28525788687749a7db59e2e130bc4520

SHA512
e1850afbb9d456a5bf9b1fb2369ee9f6f6f005f0d3e64f2a27d1554ad84af32ece1eeb0d6e94b3bf3a5057be8c6883c5407beeeb0974bf462a6a83c646a7140e

Download Submit
C:\Program Files (x86)\YouotubeAdBloCkee\149g9humjW1nsV.x64.dll

Filesize
686KB

MD5
793a36af8b6c6f5a86d5c8781f13b166

SHA1
5ea93c1b58bc0c2df3e7258ff4ef31fe77d61fd7

SHA256
885104c4082c1b441ae70ff3c673db3618e62295c2729720c88f553af6c0a585

SHA512
a737c2f5e6f93bf4a8973cc439fb7419ed2764bb7bfb4a01c4bdcc7983b24cd22132867b70a39446c613221934ff29c2bab7c382acd01eb2a2e9719a9e0cf255

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C52.tmp\149g9humjW1nsV.dll

Filesize
605KB

MD5
af43f08751e421342670294664fa448a

SHA1
072972dce4232cbd9640ffc07e42ae63b8077fde

SHA256
2f5cc3fdf547907d7a3b5ac5b52adea636d59d1344038c137275d9f1b109bb1d

SHA512
ab4b22d360590cbd2900b27aa67dd7471b7f01df94b14a8ee8e1edefb67e32eaaa1a4efe03deab8f8ff1e4954c264bfc739ad45fd7a46a7a50e34e0d596235f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C52.tmp\149g9humjW1nsV.tlb

Filesize
3KB

MD5
45dab8a859ca3e9f625d893a6f7d273e

SHA1
b6cc5caeb2ad0a60509304d0bb1b5450ee702971

SHA256
8aba29d675b958b133eaf33ba476c9751a40f539ccc3208cc1b489b6df816b40

SHA512
0cc3b41567890e4e14c6153fbf612043a724e5617140ab15a18b3e68eeb478c134971c8e971e61cd5ffd8eeeec560f2fbd4e210237cd783d501428bc12ec81b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C52.tmp\149g9humjW1nsV.x64.dll

Filesize
686KB

MD5
793a36af8b6c6f5a86d5c8781f13b166

SHA1
5ea93c1b58bc0c2df3e7258ff4ef31fe77d61fd7

SHA256
885104c4082c1b441ae70ff3c673db3618e62295c2729720c88f553af6c0a585

SHA512
a737c2f5e6f93bf4a8973cc439fb7419ed2764bb7bfb4a01c4bdcc7983b24cd22132867b70a39446c613221934ff29c2bab7c382acd01eb2a2e9719a9e0cf255

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C52.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C52.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
751175d77334551dcb05c1eb0ceab169

SHA1
c16b090d83dc60769b9c2180951a4a7e612bb57a

SHA256
8dfd712b445957ced13ba0943194b483e9f1ff7d4221a20a435864c3bf5438bf

SHA512
331311d153336cbde3de6700398b86e7c1441608721af8974642e995527f4fa8056711ff7f5bab71b8a32621b2723f28eabc49afcfe3b13d68c92535ded81f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C52.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
56d998326dfedf6277244079fc05b555

SHA1
07cc51169eca72e142894e03d65a1a587b0ffb2c

SHA256
a0400458cbdf31ae8de7e405501cb8cfe4b5d4e92692dbcd5fa0463a324fe69b

SHA512
c9aa9ce78b9ec6f44e57dafe1f439f91fa8618646071147eb79da5d593f1f62ac125fc747d8f1bdb9c0d6308f13243b42ef83637ed9ec5b6da166561f42ac7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C52.tmp\[email protected]\install.rdf

Filesize
607B

MD5
aa9be72cb019b01e604d64ebd272c04a

SHA1
1df5292b67b044af6167867f145c756a17b22627

SHA256
1c7d49639139736d1e338d15dbf0626d638121c7dd5b38b2caa1f0ab17dcea70

SHA512
3fc8b19f8a38f3880c5bf5abb819b4bda3ec998b761a3fc94d99b67aedc0d292a541bc3eb7f682f6a5a39b745762c1b758b8865ea4134d742a986b93b0bc8662

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C52.tmp\9wiC0wfwQWlcw0a.dat

Filesize
6KB

MD5
e1fb791f874e6daead9715bdbd99ded5

SHA1
e820cb4810f8d39ba706e8996d0c0527b6f6f3ae

SHA256
5a4864578ae61b8339c1e3c3f16db5ce28525788687749a7db59e2e130bc4520

SHA512
e1850afbb9d456a5bf9b1fb2369ee9f6f6f005f0d3e64f2a27d1554ad84af32ece1eeb0d6e94b3bf3a5057be8c6883c5407beeeb0974bf462a6a83c646a7140e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C52.tmp\9wiC0wfwQWlcw0a.exe

Filesize
642KB

MD5
bab80a5c1288acb341e60c3ddabb3eba

SHA1
64ec624991fa8724cd15764315ac5706c4a8beff

SHA256
2cfbe6b48a770670ba9e14b592c682f1a5b26226517fd86257866ea0b1dc66f8

SHA512
5eef891ee5005320248ea9ed9c79da47f1480a5528abf4d9dcb7150428bff20662ece5b6f09d9d4b5b3ca774fa32954f775f3b48ef913d4e9614e4623366fc82

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C52.tmp\9wiC0wfwQWlcw0a.exe

Filesize
642KB

MD5
bab80a5c1288acb341e60c3ddabb3eba

SHA1
64ec624991fa8724cd15764315ac5706c4a8beff

SHA256
2cfbe6b48a770670ba9e14b592c682f1a5b26226517fd86257866ea0b1dc66f8

SHA512
5eef891ee5005320248ea9ed9c79da47f1480a5528abf4d9dcb7150428bff20662ece5b6f09d9d4b5b3ca774fa32954f775f3b48ef913d4e9614e4623366fc82

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C52.tmp\imnmecnhpldiabjnmfehafpbafcjkefp\background.html

Filesize
142B

MD5
8642680f0d672e0bff86206c1cde918a

SHA1
5f5515d756f949eda8285ec18b69d0a590775abb

SHA256
79ef307bd3e9a043d588d5657513fa29d0a4574507160196d12d72c8f3f3ef5d

SHA512
ba94d7800a1c40920cda887585823ba11a350e7cc0ae6deb7427417adf2f7bce36db708d54fc25db9b97f12a0e5bd4c5b5eb81532da2d9a415eb81de303c2be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C52.tmp\imnmecnhpldiabjnmfehafpbafcjkefp\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C52.tmp\imnmecnhpldiabjnmfehafpbafcjkefp\hpcG3.js

Filesize
5KB

MD5
0fe6b4dd3d807938bb90e594b8d0ef97

SHA1
37e82013e40c33732b3e2ae2b41c4d8955d8b78f

SHA256
1e4dd2b6e3152bad480207ddd0d1afb5e6d24074f59ffcbd1a7bd72ee2c4d897

SHA512
31ad367dad1a2fe6ac4bbca2907954ad8fa07d2bfee91cc70a93e53a1241e5f533224b045ebe8049b66d859b706ec60741e0a7ba92182aab829db476bb410a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C52.tmp\imnmecnhpldiabjnmfehafpbafcjkefp\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C52.tmp\imnmecnhpldiabjnmfehafpbafcjkefp\manifest.json

Filesize
509B

MD5
f2631f15009efe15339e59c43bdc956e

SHA1
25a45b4087ccc8a3e2d1d172c35cff721e50ccef

SHA256
23f75288d22e88e2da9b9c18c81fca448444a34265a9122c0c058567c6e1f121

SHA512
50a28dab50f36c2c206e90a93aa08cc1a0c363ba2719a8dfa9f20f544b26179bbab24527a313a4784c12b14db267a54bfe63e397b9a1ce729271bfcdff432962

Download Submit
\Program Files (x86)\YouotubeAdBloCkee\149g9humjW1nsV.dll

Filesize
605KB

MD5
af43f08751e421342670294664fa448a

SHA1
072972dce4232cbd9640ffc07e42ae63b8077fde

SHA256
2f5cc3fdf547907d7a3b5ac5b52adea636d59d1344038c137275d9f1b109bb1d

SHA512
ab4b22d360590cbd2900b27aa67dd7471b7f01df94b14a8ee8e1edefb67e32eaaa1a4efe03deab8f8ff1e4954c264bfc739ad45fd7a46a7a50e34e0d596235f4

Download Submit
\Program Files (x86)\YouotubeAdBloCkee\149g9humjW1nsV.x64.dll

Filesize
686KB

MD5
793a36af8b6c6f5a86d5c8781f13b166

SHA1
5ea93c1b58bc0c2df3e7258ff4ef31fe77d61fd7

SHA256
885104c4082c1b441ae70ff3c673db3618e62295c2729720c88f553af6c0a585

SHA512
a737c2f5e6f93bf4a8973cc439fb7419ed2764bb7bfb4a01c4bdcc7983b24cd22132867b70a39446c613221934ff29c2bab7c382acd01eb2a2e9719a9e0cf255

Download Submit
\Program Files (x86)\YouotubeAdBloCkee\149g9humjW1nsV.x64.dll

Filesize
686KB

MD5
793a36af8b6c6f5a86d5c8781f13b166

SHA1
5ea93c1b58bc0c2df3e7258ff4ef31fe77d61fd7

SHA256
885104c4082c1b441ae70ff3c673db3618e62295c2729720c88f553af6c0a585

SHA512
a737c2f5e6f93bf4a8973cc439fb7419ed2764bb7bfb4a01c4bdcc7983b24cd22132867b70a39446c613221934ff29c2bab7c382acd01eb2a2e9719a9e0cf255

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7C52.tmp\9wiC0wfwQWlcw0a.exe

Filesize
642KB

MD5
bab80a5c1288acb341e60c3ddabb3eba

SHA1
64ec624991fa8724cd15764315ac5706c4a8beff

SHA256
2cfbe6b48a770670ba9e14b592c682f1a5b26226517fd86257866ea0b1dc66f8

SHA512
5eef891ee5005320248ea9ed9c79da47f1480a5528abf4d9dcb7150428bff20662ece5b6f09d9d4b5b3ca774fa32954f775f3b48ef913d4e9614e4623366fc82

Download Submit
memory/1344-54-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1936-78-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

Filesize
8KB

Download