e6bd97f6d5ce039901f00ae862e61348c8c2798d099dec5eb4f1ebfa3b5ccfd6

Analysis

max time kernel
46s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6bd97f6d5ce039901f00ae862e61348c8c2798d099dec5eb4f1ebfa3b5ccfd6.exe
Size

2.0MB
MD5

36760c20fab79991bc9bca1a291d6106
SHA1

16e2dfaab63579285773934620a3aa9dcf8c930c
SHA256

e6bd97f6d5ce039901f00ae862e61348c8c2798d099dec5eb4f1ebfa3b5ccfd6
SHA512

4961edb1786818dfd4f6825c60f6d7280b58c677dd2981a6d3fd9321f56b0e8e71b9915f3b19c9b74a7bdfae81954598d744fa35e246fcb9f81319f1990c1168
SSDEEP

49152:h1OswUpag+Qk/+ouXBVm/KLp0f5fR6Tu3PHYwxzILQJsa7/:h1O7UpAWouXBVm/KLp0+Tu3j/

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1900	msxRIDySBzkEgMR.exe

Loads dropped DLL 4 IoCs

pid	Process
908	e6bd97f6d5ce039901f00ae862e61348c8c2798d099dec5eb4f1ebfa3b5ccfd6.exe
1900	msxRIDySBzkEgMR.exe
1988	regsvr32.exe
2000	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cefbhdfneplhkklabmmafmmmkinpmgii\200\manifest.json	msxRIDySBzkEgMR.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cefbhdfneplhkklabmmafmmmkinpmgii\200\manifest.json	msxRIDySBzkEgMR.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\cefbhdfneplhkklabmmafmmmkinpmgii\200\manifest.json	msxRIDySBzkEgMR.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	msxRIDySBzkEgMR.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	msxRIDySBzkEgMR.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	msxRIDySBzkEgMR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	msxRIDySBzkEgMR.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	msxRIDySBzkEgMR.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\BrioawseraiShopo\djKAQxxXFlNJxt.tlb	msxRIDySBzkEgMR.exe
File created	C:\Program Files (x86)\BrioawseraiShopo\djKAQxxXFlNJxt.dat	msxRIDySBzkEgMR.exe
File opened for modification	C:\Program Files (x86)\BrioawseraiShopo\djKAQxxXFlNJxt.dat	msxRIDySBzkEgMR.exe
File created	C:\Program Files (x86)\BrioawseraiShopo\djKAQxxXFlNJxt.x64.dll	msxRIDySBzkEgMR.exe
File opened for modification	C:\Program Files (x86)\BrioawseraiShopo\djKAQxxXFlNJxt.x64.dll	msxRIDySBzkEgMR.exe
File created	C:\Program Files (x86)\BrioawseraiShopo\djKAQxxXFlNJxt.dll	msxRIDySBzkEgMR.exe
File opened for modification	C:\Program Files (x86)\BrioawseraiShopo\djKAQxxXFlNJxt.dll	msxRIDySBzkEgMR.exe
File created	C:\Program Files (x86)\BrioawseraiShopo\djKAQxxXFlNJxt.tlb	msxRIDySBzkEgMR.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 1900	908	e6bd97f6d5ce039901f00ae862e61348c8c2798d099dec5eb4f1ebfa3b5ccfd6.exe	27
PID 908 wrote to memory of 1900	908	e6bd97f6d5ce039901f00ae862e61348c8c2798d099dec5eb4f1ebfa3b5ccfd6.exe	27
PID 908 wrote to memory of 1900	908	e6bd97f6d5ce039901f00ae862e61348c8c2798d099dec5eb4f1ebfa3b5ccfd6.exe	27
PID 908 wrote to memory of 1900	908	e6bd97f6d5ce039901f00ae862e61348c8c2798d099dec5eb4f1ebfa3b5ccfd6.exe	27
PID 1900 wrote to memory of 1988	1900	msxRIDySBzkEgMR.exe	28
PID 1900 wrote to memory of 1988	1900	msxRIDySBzkEgMR.exe	28
PID 1900 wrote to memory of 1988	1900	msxRIDySBzkEgMR.exe	28
PID 1900 wrote to memory of 1988	1900	msxRIDySBzkEgMR.exe	28
PID 1900 wrote to memory of 1988	1900	msxRIDySBzkEgMR.exe	28
PID 1900 wrote to memory of 1988	1900	msxRIDySBzkEgMR.exe	28
PID 1900 wrote to memory of 1988	1900	msxRIDySBzkEgMR.exe	28
PID 1988 wrote to memory of 2000	1988	regsvr32.exe	29
PID 1988 wrote to memory of 2000	1988	regsvr32.exe	29
PID 1988 wrote to memory of 2000	1988	regsvr32.exe	29
PID 1988 wrote to memory of 2000	1988	regsvr32.exe	29
PID 1988 wrote to memory of 2000	1988	regsvr32.exe	29
PID 1988 wrote to memory of 2000	1988	regsvr32.exe	29
PID 1988 wrote to memory of 2000	1988	regsvr32.exe	29

C:\Users\Admin\AppData\Local\Temp\e6bd97f6d5ce039901f00ae862e61348c8c2798d099dec5eb4f1ebfa3b5ccfd6.exe
"C:\Users\Admin\AppData\Local\Temp\e6bd97f6d5ce039901f00ae862e61348c8c2798d099dec5eb4f1ebfa3b5ccfd6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908
- C:\Users\Admin\AppData\Local\Temp\7zS76A7.tmp\msxRIDySBzkEgMR.exe
  .\msxRIDySBzkEgMR.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\BrioawseraiShopo\djKAQxxXFlNJxt.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BrioawseraiShopo\djKAQxxXFlNJxt.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BrioawseraiShopo\djKAQxxXFlNJxt.dat

Filesize
6KB

MD5
3f38f106b6913261a1b877c499e70c67

SHA1
6a11a5b105abc20fcad18f660988f2201f192f0e

SHA256
59a5b76b93e7739edc09ec4481ead0a66be6d0a2227985e8d6c0d5dbb5386b4b

SHA512
4d528eb5a63e3d918ae85de2255270a4df8462bae0cba464804d61cd43e3ac280a5aeaf26bcb129da8e5d641202ba19a459e123b1e74052e11960a9e6be28e2e

Download Submit
C:\Program Files (x86)\BrioawseraiShopo\djKAQxxXFlNJxt.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS76A7.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS76A7.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
3fb11131e269895e1ffe98c4174c40ec

SHA1
2da8aeeab79b97d9d2cbc688421a307223bcefce

SHA256
6808cc69c05ef8c73c88f36d70c3fb72a5fe39d66f2b54abe07d85abc5b4f13d

SHA512
0a14ade593c8df84fb882ee0702d26bb0b85e2e5f3e3aefdaf2abbb6f6275578f4057a065d0e9102583a2fd3dcf7d7374cc06fcbe5ee1c7cdbe1f7f5252eefd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS76A7.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
bc3eb39f615bfb89889a44e2f079b5e8

SHA1
50dec11b4a4534823249aa3af03466a14cb6ce52

SHA256
a7fb8898ad42aa5aed8215fdd3cc9d563994096acfbc61a0145f04d5e6692e00

SHA512
771dc1f31b8431f58b637068d3a1e92951441600b9d15f8e2aaf70520a787ca302e5d251a3c720ec4a9b53b4dad83630cc915fa0ec2e66a1856b6d59ac8e8209

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS76A7.tmp\[email protected]\install.rdf

Filesize
605B

MD5
e37e5cd831bce20615f5c43144573ed0

SHA1
7772636243c72c7e6551df4ae9e8440eeb223c0a

SHA256
746c2a98fa10d56e3d7524a907ee4cd5328dee0ec057b6da6ad53ec4473d66eb

SHA512
98ba586c90b29816cf1585bc50fdb511bed7dadcb478e3ba7492619d916755f645f88b59ade77d1fa5c90fd29db4fe2376a05ebddac34f12de5620f536bf59f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS76A7.tmp\cefbhdfneplhkklabmmafmmmkinpmgii\background.html

Filesize
141B

MD5
52f75194daf2872e804fef89de62cac1

SHA1
b39581096990c1a8e12bfc9260d7fb59b24124c8

SHA256
07e096cb3f6754bae18b76f66a02b6d8504bd13c246e6736f706d83ef2347b92

SHA512
ba1ebdcdacadcf2c63ef9c0410829f349a4e451feeae4d8e3378a6073f990819967601b31e5b4d355b8529f21601ff61e6f26d0b519851fe1ecdf73b6a959256

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS76A7.tmp\cefbhdfneplhkklabmmafmmmkinpmgii\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS76A7.tmp\cefbhdfneplhkklabmmafmmmkinpmgii\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS76A7.tmp\cefbhdfneplhkklabmmafmmmkinpmgii\manifest.json

Filesize
508B

MD5
4af5eedbadffc60dfaa8de68990ee4ec

SHA1
1ae3019089429e234db43071ceebbe84b7a789f0

SHA256
6851487fcabe90d7695af0116c81032ec7ece43757c1424c6949d00b1f12f091

SHA512
76741b06cf6c0a4ffdeb74e470ed495c2ddf6af7cdaaf7a64d7d86237d1831bbf1f60aa8ac23f801b3b770fe1392fd24399bc7761ed60776964ac84353ffe2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS76A7.tmp\cefbhdfneplhkklabmmafmmmkinpmgii\xv2m.js

Filesize
5KB

MD5
16c937dd8dfae22d7e61726def4ce869

SHA1
ddc8dc254f3991148eabedb8f6374302850357a0

SHA256
50871fa8e3da7c0748022f2493c4d58f56c9f871b1cffc9d2227a5ae735e64a9

SHA512
688256129d9607a68934a2c99a288bafa1e0f0b9ed49625a85c7ba14eb30dc7b18de539fa3aa0b106a7ae43f30eee7aecb30b68317743143b100cc4fb9ef86dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS76A7.tmp\djKAQxxXFlNJxt.dll

Filesize
611KB

MD5
63adb99739052e3d6c04c799f7d43edc

SHA1
f58f054cd6598ed22b70e4623312c2e8f1eba1d3

SHA256
8cda707d508ffb1c1ce6e6066e2b7b782702f8935c7a6a4219f97d2b340efd53

SHA512
232a9cd07a12918901fbea1b7e237cb6105b7c53dd00f0e7418cbc3dfbc462210b6f034db4e68eefbe671de62c43303c37ad67b802c8ad7a5ac2195ce527e673

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS76A7.tmp\djKAQxxXFlNJxt.tlb

Filesize
3KB

MD5
08b4ac9069400749555355a5f1e6b8ad

SHA1
ec078fae45087bb2ab63497cd2b4b844c178ec3c

SHA256
f996571eef02335d08b6c073024cef3ea616bb39f9d9742ffa6783f4e22c3997

SHA512
5001f7ca20cca5e85f9c6c1d90ffc2f9a25606d877ee4e6d33a727b6f689989b0486dbea62c66d2d1097194a353566de9d8b6b2bff33613a7ab763c98ca1e1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS76A7.tmp\djKAQxxXFlNJxt.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS76A7.tmp\msxRIDySBzkEgMR.dat

Filesize
6KB

MD5
3f38f106b6913261a1b877c499e70c67

SHA1
6a11a5b105abc20fcad18f660988f2201f192f0e

SHA256
59a5b76b93e7739edc09ec4481ead0a66be6d0a2227985e8d6c0d5dbb5386b4b

SHA512
4d528eb5a63e3d918ae85de2255270a4df8462bae0cba464804d61cd43e3ac280a5aeaf26bcb129da8e5d641202ba19a459e123b1e74052e11960a9e6be28e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS76A7.tmp\msxRIDySBzkEgMR.exe

Filesize
627KB

MD5
cd2adf3ef46ba68dacaddef767a60926

SHA1
2936664364c94dbe44343dd0aa7de243c82582b0

SHA256
7d37cc35dc3ae28943f203a0f8d62d0ffd838e9f63f667dc465fa0534fbc4cb1

SHA512
3b7785f0b8346d179bce0eb8253a54975e41c99089719d1bc95e1bcf501ab13813ef6392fc2392d4af7225245f9836ba652abfc9eeea4cd3e678e9b1850ed222

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS76A7.tmp\msxRIDySBzkEgMR.exe

Filesize
627KB

MD5
cd2adf3ef46ba68dacaddef767a60926

SHA1
2936664364c94dbe44343dd0aa7de243c82582b0

SHA256
7d37cc35dc3ae28943f203a0f8d62d0ffd838e9f63f667dc465fa0534fbc4cb1

SHA512
3b7785f0b8346d179bce0eb8253a54975e41c99089719d1bc95e1bcf501ab13813ef6392fc2392d4af7225245f9836ba652abfc9eeea4cd3e678e9b1850ed222

Download Submit
\Program Files (x86)\BrioawseraiShopo\djKAQxxXFlNJxt.dll

Filesize
611KB

MD5
63adb99739052e3d6c04c799f7d43edc

SHA1
f58f054cd6598ed22b70e4623312c2e8f1eba1d3

SHA256
8cda707d508ffb1c1ce6e6066e2b7b782702f8935c7a6a4219f97d2b340efd53

SHA512
232a9cd07a12918901fbea1b7e237cb6105b7c53dd00f0e7418cbc3dfbc462210b6f034db4e68eefbe671de62c43303c37ad67b802c8ad7a5ac2195ce527e673

Download Submit
\Program Files (x86)\BrioawseraiShopo\djKAQxxXFlNJxt.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
\Program Files (x86)\BrioawseraiShopo\djKAQxxXFlNJxt.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
\Users\Admin\AppData\Local\Temp\7zS76A7.tmp\msxRIDySBzkEgMR.exe

Filesize
627KB

MD5
cd2adf3ef46ba68dacaddef767a60926

SHA1
2936664364c94dbe44343dd0aa7de243c82582b0

SHA256
7d37cc35dc3ae28943f203a0f8d62d0ffd838e9f63f667dc465fa0534fbc4cb1

SHA512
3b7785f0b8346d179bce0eb8253a54975e41c99089719d1bc95e1bcf501ab13813ef6392fc2392d4af7225245f9836ba652abfc9eeea4cd3e678e9b1850ed222

Download Submit
memory/908-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/1900-56-0x0000000000000000-mapping.dmp

Download
memory/1988-73-0x0000000000000000-mapping.dmp

Download
memory/2000-77-0x0000000000000000-mapping.dmp

Download
memory/2000-78-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp

Filesize
8KB

Download