3727b5fe2b98920cd3e9553b680c81ec600c5dcc70dc935654cb46958da6a413

Analysis

max time kernel
39s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3727b5fe2b98920cd3e9553b680c81ec600c5dcc70dc935654cb46958da6a413.exe
Size

2.0MB
MD5

44768f8b682905ef6b52bb763de2f13a
SHA1

d94701105da9ff6473b463639f8ef7eba4207525
SHA256

3727b5fe2b98920cd3e9553b680c81ec600c5dcc70dc935654cb46958da6a413
SHA512

4b3991e9952540a38709ab77b78b2183b27f212e6c4ac9cd40acb89b00760bde13f6a6e6ddfe7d7d66e7a566940717427f555fd46a7161b25aab95b8b1c0434d
SSDEEP

24576:h1OYdaOlSuVW1jLH2NuSk/EWygQAlHE/HsvleTzEmupJcjoCQ40MMvppEWJbjSSq:h1OssyjkEWygQuk/HsNyz2pJxCeg3jp

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1104	lmZEFxVy6yMv6r6.exe

Loads dropped DLL 4 IoCs

pid	Process
1112	3727b5fe2b98920cd3e9553b680c81ec600c5dcc70dc935654cb46958da6a413.exe
1104	lmZEFxVy6yMv6r6.exe
2024	regsvr32.exe
960	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhghppmcjpchahhbihnmeoiimjoabmhk\1.0\manifest.json	lmZEFxVy6yMv6r6.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhghppmcjpchahhbihnmeoiimjoabmhk\1.0\manifest.json	lmZEFxVy6yMv6r6.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhghppmcjpchahhbihnmeoiimjoabmhk\1.0\manifest.json	lmZEFxVy6yMv6r6.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	lmZEFxVy6yMv6r6.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	lmZEFxVy6yMv6r6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	lmZEFxVy6yMv6r6.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	lmZEFxVy6yMv6r6.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	lmZEFxVy6yMv6r6.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\YooutUbeoAddBloCke\Dmh7IYsq9cqW3S.dat	lmZEFxVy6yMv6r6.exe
File opened for modification	C:\Program Files (x86)\YooutUbeoAddBloCke\Dmh7IYsq9cqW3S.dat	lmZEFxVy6yMv6r6.exe
File created	C:\Program Files (x86)\YooutUbeoAddBloCke\Dmh7IYsq9cqW3S.x64.dll	lmZEFxVy6yMv6r6.exe
File opened for modification	C:\Program Files (x86)\YooutUbeoAddBloCke\Dmh7IYsq9cqW3S.x64.dll	lmZEFxVy6yMv6r6.exe
File created	C:\Program Files (x86)\YooutUbeoAddBloCke\Dmh7IYsq9cqW3S.dll	lmZEFxVy6yMv6r6.exe
File opened for modification	C:\Program Files (x86)\YooutUbeoAddBloCke\Dmh7IYsq9cqW3S.dll	lmZEFxVy6yMv6r6.exe
File created	C:\Program Files (x86)\YooutUbeoAddBloCke\Dmh7IYsq9cqW3S.tlb	lmZEFxVy6yMv6r6.exe
File opened for modification	C:\Program Files (x86)\YooutUbeoAddBloCke\Dmh7IYsq9cqW3S.tlb	lmZEFxVy6yMv6r6.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1104	1112	3727b5fe2b98920cd3e9553b680c81ec600c5dcc70dc935654cb46958da6a413.exe	27
PID 1112 wrote to memory of 1104	1112	3727b5fe2b98920cd3e9553b680c81ec600c5dcc70dc935654cb46958da6a413.exe	27
PID 1112 wrote to memory of 1104	1112	3727b5fe2b98920cd3e9553b680c81ec600c5dcc70dc935654cb46958da6a413.exe	27
PID 1112 wrote to memory of 1104	1112	3727b5fe2b98920cd3e9553b680c81ec600c5dcc70dc935654cb46958da6a413.exe	27
PID 1104 wrote to memory of 2024	1104	lmZEFxVy6yMv6r6.exe	28
PID 1104 wrote to memory of 2024	1104	lmZEFxVy6yMv6r6.exe	28
PID 1104 wrote to memory of 2024	1104	lmZEFxVy6yMv6r6.exe	28
PID 1104 wrote to memory of 2024	1104	lmZEFxVy6yMv6r6.exe	28
PID 1104 wrote to memory of 2024	1104	lmZEFxVy6yMv6r6.exe	28
PID 1104 wrote to memory of 2024	1104	lmZEFxVy6yMv6r6.exe	28
PID 1104 wrote to memory of 2024	1104	lmZEFxVy6yMv6r6.exe	28
PID 2024 wrote to memory of 960	2024	regsvr32.exe	29
PID 2024 wrote to memory of 960	2024	regsvr32.exe	29
PID 2024 wrote to memory of 960	2024	regsvr32.exe	29
PID 2024 wrote to memory of 960	2024	regsvr32.exe	29
PID 2024 wrote to memory of 960	2024	regsvr32.exe	29
PID 2024 wrote to memory of 960	2024	regsvr32.exe	29
PID 2024 wrote to memory of 960	2024	regsvr32.exe	29

C:\Users\Admin\AppData\Local\Temp\3727b5fe2b98920cd3e9553b680c81ec600c5dcc70dc935654cb46958da6a413.exe
"C:\Users\Admin\AppData\Local\Temp\3727b5fe2b98920cd3e9553b680c81ec600c5dcc70dc935654cb46958da6a413.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\7zS7225.tmp\lmZEFxVy6yMv6r6.exe
  .\lmZEFxVy6yMv6r6.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YooutUbeoAddBloCke\Dmh7IYsq9cqW3S.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YooutUbeoAddBloCke\Dmh7IYsq9cqW3S.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YooutUbeoAddBloCke\Dmh7IYsq9cqW3S.dat

Filesize
6KB

MD5
ea9fa9946d6660249d1481d9daaa4533

SHA1
470932155cab819d80ce15c3b8430775f6c79943

SHA256
4924e1f356d32651460840b962522bb930a8babb7a01ced979334d391e3e3b08

SHA512
485240c1c1b6f6edb3ef14ec75361a79a5618f331a0a602db45a65e0767f86c7dec3bf19c4b0707d1bf994f20fa9b2379a8620229cc3abff7d6ba4b8f36486b7

Download Submit
C:\Program Files (x86)\YooutUbeoAddBloCke\Dmh7IYsq9cqW3S.x64.dll

Filesize
679KB

MD5
2248a27000a39605618b39ed313bb860

SHA1
dc83459cd843029e7e1ae82dee04c7a930a16bf8

SHA256
39f7f2287a8604c54e11b83e4ec834b8f2c9a528c231bf98c2b8b38949ab4d18

SHA512
b4207d8b954bbeb466c59c883d09de11a3c3e1169f531cfbc853fa9c6f34a1b786999b334f73637a243ba08f0a532a7f672772acb7f27d31820fcf49ca74d801

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7225.tmp\Dmh7IYsq9cqW3S.dll

Filesize
601KB

MD5
b2d96a149b60854cc5b1507669d2a304

SHA1
bdc467f91f97157135a105655a64cdbe0329726e

SHA256
0cf7b5e1246bb9e2ffd69eac2374f058415680a2b8c83e973c56704686f7732c

SHA512
169123d99ac34c6905abbe3f5bcb8b0f56e7c5ac5f4b51c9fd66d71c629aa71fab5f968d8b864c477fe63c47cede0fb2e59ce531f923d0e6b4729c462cead138

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7225.tmp\Dmh7IYsq9cqW3S.tlb

Filesize
3KB

MD5
ed92e596a3dd1aeb2a2a6f9507d95bd6

SHA1
f9e9123daf4781d41717e4a6be6e8f53d021a649

SHA256
434a86d8dcdfc895780d8346f36c99e5cde98bc919590af06d07f1e73745ee58

SHA512
ed3c52387f6e7d173c7058f13238be3a6604dd98b86cc03831ec737d43b2d2060182e2d9865b3c13d5dc39fcc7286cb589c041ba75999ca075d1e9237fab3473

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7225.tmp\Dmh7IYsq9cqW3S.x64.dll

Filesize
679KB

MD5
2248a27000a39605618b39ed313bb860

SHA1
dc83459cd843029e7e1ae82dee04c7a930a16bf8

SHA256
39f7f2287a8604c54e11b83e4ec834b8f2c9a528c231bf98c2b8b38949ab4d18

SHA512
b4207d8b954bbeb466c59c883d09de11a3c3e1169f531cfbc853fa9c6f34a1b786999b334f73637a243ba08f0a532a7f672772acb7f27d31820fcf49ca74d801

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7225.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7225.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
9532b45ed03a45bde235b9aabb6ee497

SHA1
633ae9cd80bcabddf8b4db86ed060ab113d150a2

SHA256
429fd1dcb6d4f11d93566e362207135ee231bd7d56ed06eb0bfc8a70dc1bcfeb

SHA512
7f7ec2bb3b6175bc1499bcc1a6ada9009f1c2999678cc3da3cecd58ebf63beb66bfced0dd5f2a15d741f92dcabd7d21a3f28258f5abf4b9550b9795ee190b32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7225.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
77c407592822ba0c0085306ebab69425

SHA1
a808b07d8d3a87bd7170d5e2487ec93e9e9e44f0

SHA256
125d1bdf3f23497dcc19bc911b4848ac0b49bb05a0871f77b9ce6a10c8bc0d09

SHA512
b3d4737c8360c4d815fb2add08daf6556943cdf92eb808d707394eb6365754b176b3f78fcc6ad30929ae88f0e3c2739dc289a1abdd45e48c91fbec7850479e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7225.tmp\[email protected]\install.rdf

Filesize
603B

MD5
e1752f07825c5756e74824f1cfc62c6a

SHA1
6ad6fff9b50ca8a53e407401bec738bccd2f24b9

SHA256
847e24593bf19322aa5183025e5375d501a9fa56ed31a4630b10b7119f25bed1

SHA512
bb7809fa693ae8c456c2db6493df82c838796208b2ae7c3867921dfbf5a66356e094d6289f69b6a0924ca02f13048ca5522e9fbd3b746c269077f0ce3322a1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7225.tmp\lhghppmcjpchahhbihnmeoiimjoabmhk\ag.js

Filesize
5KB

MD5
ca07ed1b597bdba46debb3be2f58e790

SHA1
c155cc5848e6621d0e09fb057ec38333d28016b1

SHA256
80ba9561759d211d709ba3e1a3ff3883edfce014172c6a806a9e34be3c4547dc

SHA512
45f1638711c3a4aa449057df16ad4614f98aad1c62184bede7f2e6c6ac034ed9a27869cdfcb4cc96fab373229233349e57e9424df8ae256196a8324e2af6b80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7225.tmp\lhghppmcjpchahhbihnmeoiimjoabmhk\background.html

Filesize
139B

MD5
97f590cb4355f8e3476e2ebc0a238bbe

SHA1
0903981ebfa72d58fff1902964d4fdf7c0942adc

SHA256
87dac3aae309e32e385de0009c0f3242a3a047b2ff3996f3c587d1d189874e4b

SHA512
6765a887b6b299a9356240508f96d8ce012d6aa52d17c1a6f64825755fff6be9f3cac35601c046591d3c38434fa889d8a56201a15b16fc34294d5426279bdf66

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7225.tmp\lhghppmcjpchahhbihnmeoiimjoabmhk\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7225.tmp\lhghppmcjpchahhbihnmeoiimjoabmhk\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7225.tmp\lhghppmcjpchahhbihnmeoiimjoabmhk\manifest.json

Filesize
510B

MD5
ae8addc823a71901aacde5dea5b39af3

SHA1
fefe184f58fb11160ae8405b642d040f8671c5fb

SHA256
124963edfbc637e0e5ab136515246634dd4db2278634c9fd7c606b973aee2b71

SHA512
c18996ae0329140db8b88b04217d72e1de4cb08a25f6e4e1c2f33375946e558c185bffff0ff4c1886424bc1d8bccae9fef677e6137e9eed68d13edf32dfe848c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7225.tmp\lmZEFxVy6yMv6r6.dat

Filesize
6KB

MD5
ea9fa9946d6660249d1481d9daaa4533

SHA1
470932155cab819d80ce15c3b8430775f6c79943

SHA256
4924e1f356d32651460840b962522bb930a8babb7a01ced979334d391e3e3b08

SHA512
485240c1c1b6f6edb3ef14ec75361a79a5618f331a0a602db45a65e0767f86c7dec3bf19c4b0707d1bf994f20fa9b2379a8620229cc3abff7d6ba4b8f36486b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7225.tmp\lmZEFxVy6yMv6r6.exe

Filesize
649KB

MD5
524bc23df65cfdcc39056b69feba32e5

SHA1
2a88ec175c164ff14b69d1d5b21384e60400a191

SHA256
0d0d750316b3e35d6c625c8b883fcffa80ffff52c24921f324baf0197b89dcea

SHA512
483f1c25253ec362be18b1640bf24cca9439d843f12011c56a9c67f2a7622c3d26b6f1bb4e16e4435edf371a4dcb637d625ef1bceda7d1e0d76cb8accbdb67bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7225.tmp\lmZEFxVy6yMv6r6.exe

Filesize
649KB

MD5
524bc23df65cfdcc39056b69feba32e5

SHA1
2a88ec175c164ff14b69d1d5b21384e60400a191

SHA256
0d0d750316b3e35d6c625c8b883fcffa80ffff52c24921f324baf0197b89dcea

SHA512
483f1c25253ec362be18b1640bf24cca9439d843f12011c56a9c67f2a7622c3d26b6f1bb4e16e4435edf371a4dcb637d625ef1bceda7d1e0d76cb8accbdb67bd

Download Submit
\Program Files (x86)\YooutUbeoAddBloCke\Dmh7IYsq9cqW3S.dll

Filesize
601KB

MD5
b2d96a149b60854cc5b1507669d2a304

SHA1
bdc467f91f97157135a105655a64cdbe0329726e

SHA256
0cf7b5e1246bb9e2ffd69eac2374f058415680a2b8c83e973c56704686f7732c

SHA512
169123d99ac34c6905abbe3f5bcb8b0f56e7c5ac5f4b51c9fd66d71c629aa71fab5f968d8b864c477fe63c47cede0fb2e59ce531f923d0e6b4729c462cead138

Download Submit
\Program Files (x86)\YooutUbeoAddBloCke\Dmh7IYsq9cqW3S.x64.dll

Filesize
679KB

MD5
2248a27000a39605618b39ed313bb860

SHA1
dc83459cd843029e7e1ae82dee04c7a930a16bf8

SHA256
39f7f2287a8604c54e11b83e4ec834b8f2c9a528c231bf98c2b8b38949ab4d18

SHA512
b4207d8b954bbeb466c59c883d09de11a3c3e1169f531cfbc853fa9c6f34a1b786999b334f73637a243ba08f0a532a7f672772acb7f27d31820fcf49ca74d801

Download Submit
\Program Files (x86)\YooutUbeoAddBloCke\Dmh7IYsq9cqW3S.x64.dll

Filesize
679KB

MD5
2248a27000a39605618b39ed313bb860

SHA1
dc83459cd843029e7e1ae82dee04c7a930a16bf8

SHA256
39f7f2287a8604c54e11b83e4ec834b8f2c9a528c231bf98c2b8b38949ab4d18

SHA512
b4207d8b954bbeb466c59c883d09de11a3c3e1169f531cfbc853fa9c6f34a1b786999b334f73637a243ba08f0a532a7f672772acb7f27d31820fcf49ca74d801

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7225.tmp\lmZEFxVy6yMv6r6.exe

Filesize
649KB

MD5
524bc23df65cfdcc39056b69feba32e5

SHA1
2a88ec175c164ff14b69d1d5b21384e60400a191

SHA256
0d0d750316b3e35d6c625c8b883fcffa80ffff52c24921f324baf0197b89dcea

SHA512
483f1c25253ec362be18b1640bf24cca9439d843f12011c56a9c67f2a7622c3d26b6f1bb4e16e4435edf371a4dcb637d625ef1bceda7d1e0d76cb8accbdb67bd

Download Submit
memory/960-77-0x0000000000000000-mapping.dmp

Download
memory/960-78-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download
memory/1104-56-0x0000000000000000-mapping.dmp

Download
memory/1112-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/2024-73-0x0000000000000000-mapping.dmp

Download