fd4f7865ab8818bd8a1674ead9fc0b0c1d1cd9da7e475eb494bcdb19087f4c2a

Analysis

max time kernel
194s
max time network
230s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 20:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fd4f7865ab8818bd8a1674ead9fc0b0c1d1cd9da7e475eb494bcdb19087f4c2a.exe
Size

2.1MB
MD5

1a417bb502f1bfd88c4600cdbb2b2851
SHA1

6f75bd89de721d4764dfed6a786c1d749b33b682
SHA256

fd4f7865ab8818bd8a1674ead9fc0b0c1d1cd9da7e475eb494bcdb19087f4c2a
SHA512

d0a3dc8d8265c41468e9b5d59b8f8946b29b9e5dc4abadea925c6441e43b3207f1e9a426ad6d9efaf3171c717b109cbce841a0914ab9b3ff9c82e5d206937c3d
SSDEEP

49152:h1OsghvaZG1MVEtzijkTvu2x/uw4B8FHFF6Q:h1ONvaxMziy3D

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4900	kyhrv264ANtRfj4.exe

Loads dropped DLL 3 IoCs

pid	Process
4900	kyhrv264ANtRfj4.exe
1292	regsvr32.exe
2860	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\iiannmipailehfoebjoichinimgifjda\200\manifest.json	kyhrv264ANtRfj4.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\iiannmipailehfoebjoichinimgifjda\200\manifest.json	kyhrv264ANtRfj4.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\iiannmipailehfoebjoichinimgifjda\200\manifest.json	kyhrv264ANtRfj4.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\iiannmipailehfoebjoichinimgifjda\200\manifest.json	kyhrv264ANtRfj4.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\iiannmipailehfoebjoichinimgifjda\200\manifest.json	kyhrv264ANtRfj4.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	kyhrv264ANtRfj4.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	kyhrv264ANtRfj4.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	kyhrv264ANtRfj4.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	kyhrv264ANtRfj4.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\BrrowsseraShoip\Ywob0h7KhNig6c.x64.dll	kyhrv264ANtRfj4.exe
File created	C:\Program Files (x86)\BrrowsseraShoip\Ywob0h7KhNig6c.dll	kyhrv264ANtRfj4.exe
File opened for modification	C:\Program Files (x86)\BrrowsseraShoip\Ywob0h7KhNig6c.dll	kyhrv264ANtRfj4.exe
File created	C:\Program Files (x86)\BrrowsseraShoip\Ywob0h7KhNig6c.tlb	kyhrv264ANtRfj4.exe
File opened for modification	C:\Program Files (x86)\BrrowsseraShoip\Ywob0h7KhNig6c.tlb	kyhrv264ANtRfj4.exe
File created	C:\Program Files (x86)\BrrowsseraShoip\Ywob0h7KhNig6c.dat	kyhrv264ANtRfj4.exe
File opened for modification	C:\Program Files (x86)\BrrowsseraShoip\Ywob0h7KhNig6c.dat	kyhrv264ANtRfj4.exe
File created	C:\Program Files (x86)\BrrowsseraShoip\Ywob0h7KhNig6c.x64.dll	kyhrv264ANtRfj4.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 4900	4960	fd4f7865ab8818bd8a1674ead9fc0b0c1d1cd9da7e475eb494bcdb19087f4c2a.exe	81
PID 4960 wrote to memory of 4900	4960	fd4f7865ab8818bd8a1674ead9fc0b0c1d1cd9da7e475eb494bcdb19087f4c2a.exe	81
PID 4960 wrote to memory of 4900	4960	fd4f7865ab8818bd8a1674ead9fc0b0c1d1cd9da7e475eb494bcdb19087f4c2a.exe	81
PID 4900 wrote to memory of 1292	4900	kyhrv264ANtRfj4.exe	82
PID 4900 wrote to memory of 1292	4900	kyhrv264ANtRfj4.exe	82
PID 4900 wrote to memory of 1292	4900	kyhrv264ANtRfj4.exe	82
PID 1292 wrote to memory of 2860	1292	regsvr32.exe	83
PID 1292 wrote to memory of 2860	1292	regsvr32.exe	83

C:\Users\Admin\AppData\Local\Temp\fd4f7865ab8818bd8a1674ead9fc0b0c1d1cd9da7e475eb494bcdb19087f4c2a.exe
"C:\Users\Admin\AppData\Local\Temp\fd4f7865ab8818bd8a1674ead9fc0b0c1d1cd9da7e475eb494bcdb19087f4c2a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\7zSA9BD.tmp\kyhrv264ANtRfj4.exe
  .\kyhrv264ANtRfj4.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\BrrowsseraShoip\Ywob0h7KhNig6c.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BrrowsseraShoip\Ywob0h7KhNig6c.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:2860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BrrowsseraShoip\Ywob0h7KhNig6c.dat

Filesize
6KB

MD5
392c3d8328e761372f855d686c1adb54

SHA1
3dca89cedc9c4a8147f6dbcd058cb1faff91ed7d

SHA256
dcc4b3fc81871fe9a837ba891034dcb8eb6f27ce118a70911707421e88d32b42

SHA512
a8d38f983714a4183843d928e03d7a4fed3017b962fcae928d9ab52dec2eb5d6729117b1a05c22106f2ca6f3effac28e6aa730e1cac593f4aa622ceb44e67c47

Download Submit
C:\Program Files (x86)\BrrowsseraShoip\Ywob0h7KhNig6c.dll

Filesize
618KB

MD5
f180a95d8673cd01ce4af0ff678fa099

SHA1
8592fe958436e14ef9ace437ac4445ecca22e35e

SHA256
d40aa49822621713e0f79f6c9a187468251fc22559cb1bbd6b5f71a94819eeb7

SHA512
3dda5f3133df4c00c03d8b3fb539b37e2e6b26d0384d3674cefa9595136f9eaa4b9d21c0e806a9ec3cfadfb782a30e344145abbf87bca813de056f84c6fb13c9

Download Submit
C:\Program Files (x86)\BrrowsseraShoip\Ywob0h7KhNig6c.x64.dll

Filesize
695KB

MD5
2af06e7424e4f53fa8ee2b8daf4cdaa3

SHA1
0a09aa095e38211b8fc512d2e9f8f7cf12159a19

SHA256
81f98c4034227951bd4ad5e6d6a823bd112602f3550fd7066a01f16b8c8aca69

SHA512
6bcaa8998bd7971f41bebc8433be949cf48d98c0eb70c643b7b7a1b50d2b4cf66412efb170684f36f1987c1992ba88350f815ea18a3cf50caf8ce97bbb961b16

Download Submit
C:\Program Files (x86)\BrrowsseraShoip\Ywob0h7KhNig6c.x64.dll

Filesize
695KB

MD5
2af06e7424e4f53fa8ee2b8daf4cdaa3

SHA1
0a09aa095e38211b8fc512d2e9f8f7cf12159a19

SHA256
81f98c4034227951bd4ad5e6d6a823bd112602f3550fd7066a01f16b8c8aca69

SHA512
6bcaa8998bd7971f41bebc8433be949cf48d98c0eb70c643b7b7a1b50d2b4cf66412efb170684f36f1987c1992ba88350f815ea18a3cf50caf8ce97bbb961b16

Download Submit
C:\Program Files (x86)\BrrowsseraShoip\Ywob0h7KhNig6c.x64.dll

Filesize
695KB

MD5
2af06e7424e4f53fa8ee2b8daf4cdaa3

SHA1
0a09aa095e38211b8fc512d2e9f8f7cf12159a19

SHA256
81f98c4034227951bd4ad5e6d6a823bd112602f3550fd7066a01f16b8c8aca69

SHA512
6bcaa8998bd7971f41bebc8433be949cf48d98c0eb70c643b7b7a1b50d2b4cf66412efb170684f36f1987c1992ba88350f815ea18a3cf50caf8ce97bbb961b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9BD.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9BD.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
623eb76c154706425d4d3db4848917f6

SHA1
c666d621903777aeca3d380d02d4d6bf71fafe07

SHA256
b07e867d6adac630fefd8fa6a686ecb49aeb2daee977b868a88b6c174e8a4a27

SHA512
bf10a1a1c61e91dd8c5f71e464082795263f26f562815cc53c466fe3991d9ce196a49245da2ade575e712124831839e72029da813172c9a5cc167904c43597a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9BD.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
68692b9ed3c9d1dbceddc425104f731c

SHA1
9f42d0c3c382addfd89f1e545930eb4c6b913957

SHA256
382c88a4b3cfbbc7b9572b5c3bd6dd3d222c650f850b6e87c1b861e1c12daffe

SHA512
ef538719dbc5f1cf161938ef6d6f82825590a867585611f27d63ae4cc6ca156413cdbe086cdc5946d7409c99b3cf8c51f22b14480019ba74fb0197efa93363e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9BD.tmp\[email protected]\install.rdf

Filesize
605B

MD5
7da610f828457d3eb8ec581814231096

SHA1
7514474d8e6a444b56eb4b86c2ea4fa6213dee40

SHA256
292686b41a0f2141cbf472dde1680721c0588f1e4c73369bfbd9ce77e98fcea9

SHA512
0019c3a1e46b70c1e97824604d8389a3d21bc1800857d54caf1b34e7c6188c9612d41b17b483239af07eb8c7d92896d3bc09f6e2ed4157af1b0fa2656f785cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9BD.tmp\Ywob0h7KhNig6c.dll

Filesize
618KB

MD5
f180a95d8673cd01ce4af0ff678fa099

SHA1
8592fe958436e14ef9ace437ac4445ecca22e35e

SHA256
d40aa49822621713e0f79f6c9a187468251fc22559cb1bbd6b5f71a94819eeb7

SHA512
3dda5f3133df4c00c03d8b3fb539b37e2e6b26d0384d3674cefa9595136f9eaa4b9d21c0e806a9ec3cfadfb782a30e344145abbf87bca813de056f84c6fb13c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9BD.tmp\Ywob0h7KhNig6c.tlb

Filesize
3KB

MD5
8af6f42a5b16ced04702514d47052053

SHA1
f06e43c9710e27b38063652217874f6fc8515ea0

SHA256
0fc752f18e2f21a6d0b45fb9769deefe70d4690e72225037a37d1dc0553ae8ed

SHA512
2d1fedf6693f0347d9265436fbc17515fa9a904db54170181ca7a6d5c64a4928494a20a1eb489d646602ed2769e570bfb5835bffd241a53a8fe64d5767b9234b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9BD.tmp\Ywob0h7KhNig6c.x64.dll

Filesize
695KB

MD5
2af06e7424e4f53fa8ee2b8daf4cdaa3

SHA1
0a09aa095e38211b8fc512d2e9f8f7cf12159a19

SHA256
81f98c4034227951bd4ad5e6d6a823bd112602f3550fd7066a01f16b8c8aca69

SHA512
6bcaa8998bd7971f41bebc8433be949cf48d98c0eb70c643b7b7a1b50d2b4cf66412efb170684f36f1987c1992ba88350f815ea18a3cf50caf8ce97bbb961b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9BD.tmp\iiannmipailehfoebjoichinimgifjda\PAmIgK.js

Filesize
5KB

MD5
39c09cb3015f6bc55b2f2a3f31075176

SHA1
800df5d87d4f67412f1ffa88e8228b1c29e92fcd

SHA256
9eaa1d584e8d11fe1ab15e2f6cf4e57c902753c16860842d27f8a80371081369

SHA512
b82cc6f2b18d3fd0a1c4eaa875d2b94b792401359f4bbce261720891a1b253fbe6e231ee8d9387efe4605a0f92096cf3893e49975560da3ed905ef0aadc81a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9BD.tmp\iiannmipailehfoebjoichinimgifjda\background.html

Filesize
143B

MD5
daf6654af37f2648523690aafb93f9e3

SHA1
160e188b44393d3b2eb695dd7a708963e0cc63b6

SHA256
282ba575caf5671961965860bb623403dbf03440738dbe05599df519d95caa66

SHA512
d69cfd34754c2df55656bf80ef10bbed52b7ebf8c334b4013c8898e9a2b5645bb3bbd50ae0a2feb45a17d090ceb133f779fe4fa433d305a02a7f84e273e5ca01

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9BD.tmp\iiannmipailehfoebjoichinimgifjda\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9BD.tmp\iiannmipailehfoebjoichinimgifjda\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9BD.tmp\iiannmipailehfoebjoichinimgifjda\manifest.json

Filesize
507B

MD5
0001ef38faab71e10a42028bf45580c2

SHA1
9babc9bd1936f41af31673882442affedc4c2ac5

SHA256
ccbd87e774211aae1b41999e862a85ede19464486d47d307badc3a914adc0852

SHA512
31a7758384f517a8af41d7b7ef8a6b3f6da57432c98ad72482a559a7b6793945961f3954f4c0e103663a160cea886d766145b34dfc5dcff003f2ab6e742caa27

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9BD.tmp\kyhrv264ANtRfj4.dat

Filesize
6KB

MD5
392c3d8328e761372f855d686c1adb54

SHA1
3dca89cedc9c4a8147f6dbcd058cb1faff91ed7d

SHA256
dcc4b3fc81871fe9a837ba891034dcb8eb6f27ce118a70911707421e88d32b42

SHA512
a8d38f983714a4183843d928e03d7a4fed3017b962fcae928d9ab52dec2eb5d6729117b1a05c22106f2ca6f3effac28e6aa730e1cac593f4aa622ceb44e67c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9BD.tmp\kyhrv264ANtRfj4.exe

Filesize
634KB

MD5
bd1503d4eaae5e7f2a8cdbd9a88ec02a

SHA1
730280a7839bb46bdeeaa47797d926f8d57e1da1

SHA256
724380928512fc5261d5f42e64f7705fcdeae1410f24a8ec6b0a2ba783675cb4

SHA512
0dc06ce8e78f6b0ebbe65723791ea4ffde8a9d55534dda1b02e81f1a109fce77f26e4bdfb9fd18b5ca9f4d9ff2454e6b05eca325539148512f762b5d2f225c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9BD.tmp\kyhrv264ANtRfj4.exe

Filesize
634KB

MD5
bd1503d4eaae5e7f2a8cdbd9a88ec02a

SHA1
730280a7839bb46bdeeaa47797d926f8d57e1da1

SHA256
724380928512fc5261d5f42e64f7705fcdeae1410f24a8ec6b0a2ba783675cb4

SHA512
0dc06ce8e78f6b0ebbe65723791ea4ffde8a9d55534dda1b02e81f1a109fce77f26e4bdfb9fd18b5ca9f4d9ff2454e6b05eca325539148512f762b5d2f225c7b

Download Submit