Analysis
- max time kernel: 91s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
- submitted: 25-11-2022 19:42
Static task: static1
Behavioral task: behavioral1
Sample: 8187ada28359a94f736ffc7e062210b7555ef328d6c65ee1b2e241226c51eea1.exe
Resource: win7-20220812-en
General
- Target: 8187ada28359a94f736ffc7e062210b7555ef328d6c65ee1b2e241226c51eea1.exe
- Size: 2.1MB
- MD5: b4b29dd71ae8d4b486eefe6406f9decc
- SHA1: 393db232b749c6ae49c08e0f7201e1fff77b92d1
- SHA256: 8187ada28359a94f736ffc7e062210b7555ef328d6c65ee1b2e241226c51eea1
- SHA512: 9312bcd699be6502721cdded91de05f8110c13c5fa63f190644bb5dfef1c33e38bd7b33782a61b055fa9b8b8d9924a07e6e91208b8958e0fa18088dbc53c4abe
- SSDEEP: 24576:h1OYdaOh7QJkxGYNiu6+HRxMBMBtqCnd2Hoi1FLVHHD6gwDxvbZmPw5wea5nYGJ:h1OssGGYj/MOpd2H1BVgmPJ1nJJ
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  pid 4376  U0OY21C3v0Nr1EK.exe
-
Loads dropped DLL (3 IoCs)
Processes:
  pid 4376  U0OY21C3v0Nr1EK.exe
  pid 4908  regsvr32.exe
  pid 4968  regsvr32.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension (5 IoCs)
Processes (description, ioc, process):
  File created  C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\homjianiidndgndhihikjaeomlgkjomk\4\manifest.json  U0OY21C3v0Nr1EK.exe
  File created  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\homjianiidndgndhihikjaeomlgkjomk\4\manifest.json  U0OY21C3v0Nr1EK.exe
  File created  C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\homjianiidndgndhihikjaeomlgkjomk\4\manifest.json  U0OY21C3v0Nr1EK.exe
  File created  C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\homjianiidndgndhihikjaeomlgkjomk\4\manifest.json  U0OY21C3v0Nr1EK.exe
  File created  C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\homjianiidndgndhihikjaeomlgkjomk\4\manifest.json  U0OY21C3v0Nr1EK.exe
-
Installs/modifies Browser Helper Object (2 TTPs, 9 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes (description, ioc, process):
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects  U0OY21C3v0Nr1EK.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}  regsvr32.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}  regsvr32.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\  regsvr32.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects  regsvr32.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}  U0OY21C3v0Nr1EK.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}  U0OY21C3v0Nr1EK.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\  U0OY21C3v0Nr1EK.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}  regsvr32.exe
-
Drops file in Program Files directory (8 IoCs)
Processes (description, ioc, process):
  File opened for modification  C:\Program Files (x86)\wxDDownload\n2aDGUzgWCI3VK.tlb  U0OY21C3v0Nr1EK.exe
  File created  C:\Program Files (x86)\wxDDownload\n2aDGUzgWCI3VK.dat  U0OY21C3v0Nr1EK.exe
  File opened for modification  C:\Program Files (x86)\wxDDownload\n2aDGUzgWCI3VK.dat  U0OY21C3v0Nr1EK.exe
  File created  C:\Program Files (x86)\wxDDownload\n2aDGUzgWCI3VK.x64.dll  U0OY21C3v0Nr1EK.exe
  File opened for modification  C:\Program Files (x86)\wxDDownload\n2aDGUzgWCI3VK.x64.dll  U0OY21C3v0Nr1EK.exe
  File created  C:\Program Files (x86)\wxDDownload\n2aDGUzgWCI3VK.dll  U0OY21C3v0Nr1EK.exe
  File opened for modification  C:\Program Files (x86)\wxDDownload\n2aDGUzgWCI3VK.dll  U0OY21C3v0Nr1EK.exe
  File created  C:\Program Files (x86)\wxDDownload\n2aDGUzgWCI3VK.tlb  U0OY21C3v0Nr1EK.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description, pid, process, target process):
  PID 3392 wrote to memory of 4376  3392  8187ada28359a94f736ffc7e062210b7555ef328d6c65ee1b2e241226c51eea1.exe  U0OY21C3v0Nr1EK.exe
  PID 3392 wrote to memory of 4376  3392  8187ada28359a94f736ffc7e062210b7555ef328d6c65ee1b2e241226c51eea1.exe  U0OY21C3v0Nr1EK.exe
  PID 3392 wrote to memory of 4376  3392  8187ada28359a94f736ffc7e062210b7555ef328d6c65ee1b2e241226c51eea1.exe  U0OY21C3v0Nr1EK.exe
  PID 4376 wrote to memory of 4908  4376  U0OY21C3v0Nr1EK.exe  regsvr32.exe
  PID 4376 wrote to memory of 4908  4376  U0OY21C3v0Nr1EK.exe  regsvr32.exe
  PID 4376 wrote to memory of 4908  4376  U0OY21C3v0Nr1EK.exe  regsvr32.exe
  PID 4908 wrote to memory of 4968  4908  regsvr32.exe  regsvr32.exe
  PID 4908 wrote to memory of 4968  4908  regsvr32.exe  regsvr32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8187ada28359a94f736ffc7e062210b7555ef328d6c65ee1b2e241226c51eea1.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\8187ada28359a94f736ffc7e062210b7555ef328d6c65ee1b2e241226c51eea1.exe"
- Suspicious use of WriteProcessMemory
PID: 3392
  -
  C:\Users\Admin\AppData\Local\Temp\7zSBC21.tmp\U0OY21C3v0Nr1EK.exe (depth 2)
  Command line: .\U0OY21C3v0Nr1EK.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 4376
    -
    C:\Windows\SysWOW64\regsvr32.exe (depth 3)
    Command line: regsvr32.exe /s "C:\Program Files (x86)\wxDDownload\n2aDGUzgWCI3VK.x64.dll"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 4908
      -
      C:\Windows\system32\regsvr32.exe (depth 4)
      Command line: /s "C:\Program Files (x86)\wxDDownload\n2aDGUzgWCI3VK.x64.dll"
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      PID: 4968
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Program Files (x86)\wxDDownload\n2aDGUzgWCI3VK.dat
Filesize: 6KB
MD5: 8fef7508e9b4cf4b91e91cdfb717b635
SHA1: dbf66c8c7fd3c05ae8a2355b689d741de5412db8
SHA256: 81e363d8b1bbbd19bb7b024692f883b6829c63d589109a412942299b5fec0fad
SHA512: d5a5d094f7d7d3b6209b17fcefac76dd485f8c4403f5e78f13c14676b0023e1f71b29ce08d830f39b854f0d0e5999e53545ef21a5b07a68c1a7491ec7d5101bd
-
C:\Program Files (x86)\wxDDownload\n2aDGUzgWCI3VK.dll
Filesize: 619KB
MD5: d87bbe9d29b88e94ba03b16567033ddf
SHA1: 19102742808244a23ca403d983dfd9f7088fffe3
SHA256: fdbce4dd2b45ac64620fc875bd12d8706a197bc3def75cdc33b9984f039da5b5
SHA512: 24ea28c1104ee07604124842a99e359a53644e7693515dcf1b9a4dc7c8258c9d1bdc8b78b7018582521b6d41aebb96a1a38b6994fe83a12e29418bb011c69d03
-
C:\Program Files (x86)\wxDDownload\n2aDGUzgWCI3VK.x64.dll
Filesize: 699KB
MD5: 1fe3d25ff48d168cb86094de5401cab0
SHA1: c6e746f4c629185d8ef71d275845e1d072483923
SHA256: 5cecdf46cd265705f19edaabc14272048a1da3563ed099303f8ed47ba3056a04
SHA512: ba3df2cf1031830fc9847c3213ec9fcd1c36c646071b2e5ae12b4bbf502a199e704131b6c53954a6ff969ba611e13743e89f0b26614b831d8b39c61a484c9be4
-
C:\Users\Admin\AppData\Local\Temp\7zSBC21.tmp\[email protected]\bootstrap.js
Filesize: 2KB
MD5: df13f711e20e9c80171846d4f2f7ae06
SHA1: 56d29cda58427efe0e21d3880d39eb1b0ef60bee
SHA256: 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
SHA512: 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e
-
C:\Users\Admin\AppData\Local\Temp\7zSBC21.tmp\[email protected]\chrome.manifest
Filesize: 35B
MD5: 0d85cdd17777fa182724262badfd2420
SHA1: 89cc67cdadaf93506c798fc73be3673f7de0a35b
SHA256: a9497036cc93d3cf2adf987c484737a53392e4231a163bcc0ac97920ab635250
SHA512: b17f3f7911e60bffc00a061fe3a383d5706fc0ab52bcbec909e40ec29128d0a2da2b33fe31ad495f1c17f9ba0c8c0cdca37febc3cd165f42dbe1cdc7664e1e7f
-
C:\Users\Admin\AppData\Local\Temp\7zSBC21.tmp\[email protected]\content\bg.js
Filesize: 7KB
MD5: e23b0055e9d1d87d454fe166e8c0d8fd
SHA1: 3e88b3d38bda80c0ca814a2e3f9655a9ad3b28c6
SHA256: 2932320a28cc866f3245a72e83bb66d335a937b8ea8741e9a5256ee5360f4f52
SHA512: 667cbe461b211bad77c3bd4f8adbc1ecab00c62ae84dba47209b70d5c69bbb19a67b22bd0675f2ba9a0cbae6b2d1ed3304a839aab7a2ab877051a4fd49b1fb77
-
C:\Users\Admin\AppData\Local\Temp\7zSBC21.tmp\[email protected]\install.rdf
Filesize: 594B
MD5: 4b202060ad9c9da9544d731f0297261b
SHA1: 1294d109728b745a4a54cc900590cc916ec7fa30
SHA256: a55993bb53edd89b78d189ca032dc77c91507b6bc14e210f21493d39ee363a80
SHA512: 4fe6e27704161bfac6997aa5b3c9750cb1eb915aa96fa34401530cc1896c098f502c81de496c97d988fe6aad1b65aed4b749018b88cae772ab24736a681cfa01
-
C:\Users\Admin\AppData\Local\Temp\7zSBC21.tmp\U0OY21C3v0Nr1EK.dat
Filesize: 6KB
MD5: 8fef7508e9b4cf4b91e91cdfb717b635
SHA1: dbf66c8c7fd3c05ae8a2355b689d741de5412db8
SHA256: 81e363d8b1bbbd19bb7b024692f883b6829c63d589109a412942299b5fec0fad
SHA512: d5a5d094f7d7d3b6209b17fcefac76dd485f8c4403f5e78f13c14676b0023e1f71b29ce08d830f39b854f0d0e5999e53545ef21a5b07a68c1a7491ec7d5101bd
-
C:\Users\Admin\AppData\Local\Temp\7zSBC21.tmp\U0OY21C3v0Nr1EK.exe
Filesize: 632KB
MD5: c40cbd955bd3bbbf7de8218b95004eeb
SHA1: fe5fccf0a2166f1fc11812de679d77475e9deb36
SHA256: 76dbb3388f2339883bb20fdf6330e77b12f4493976ec5b2649d7427429c92398
SHA512: 6fee70cceeee8ba54d3fcda5e94ef3a98f1c51c79673b46081fd00793ad0f99fe0111bdcb7fee2e13aa10a1d51d94a5b41a1426389bc0c6ce0297b93ba3f13ba
-
C:\Users\Admin\AppData\Local\Temp\7zSBC21.tmp\homjianiidndgndhihikjaeomlgkjomk\BOCL3uOy.js
Filesize: 5KB
MD5: c99705da17a7790f7e8d6fe851cf03dd
SHA1: 06adb68c6839fb58868d603f0499848ad51e01b1
SHA256: c4eb6bbc7bf91645216e1330ede0345bcd40993d981160a2ba540b0cbd4dbd9a
SHA512: 487b6c8cae8fc474d88485897dc50d8d505f0598744a206808a3cd7c619c3b5b18b6030039c020b4be3612faeb04be33dbf2e90922419c4814b97f0b4a30b5d1
-
C:\Users\Admin\AppData\Local\Temp\7zSBC21.tmp\homjianiidndgndhihikjaeomlgkjomk\background.html
Filesize: 145B
MD5: 156169eb72ccfee845f7a5129a2b9d60
SHA1: a69891e6ed553688a28c0ea4da3d7ded2a724de4
SHA256: e8ea3ed6d223fda97823368cb26e554ea2dc6926060648952676262322a0cfad
SHA512: 864a87f6f7c6f460cdcece42d49658b7ae7bf5ea7dcc97292d780ff187c587d09ac0c693ba31fb4862e185f2c760b96574ae5500fd4dfebf8273deeb75c9859b
-
C:\Users\Admin\AppData\Local\Temp\7zSBC21.tmp\homjianiidndgndhihikjaeomlgkjomk\content.js
Filesize: 144B
MD5: fca19198fd8af21016a8b1dec7980002
SHA1: fd01a47d14004e17a625efe66cc46a06c786cf40
SHA256: 332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
SHA512: 60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47
-
C:\Users\Admin\AppData\Local\Temp\7zSBC21.tmp\homjianiidndgndhihikjaeomlgkjomk\lsdb.js
Filesize: 531B
MD5: 36d98318ab2b3b2585a30984db328afb
SHA1: f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
SHA256: ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
SHA512: 6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a
-
C:\Users\Admin\AppData\Local\Temp\7zSBC21.tmp\homjianiidndgndhihikjaeomlgkjomk\manifest.json
Filesize: 501B
MD5: 25eb65d7c7d3e392b27628780b5da5b2
SHA1: 150aa2c9a3cf0f692e8033dbbebd354b066d64d8
SHA256: 7ec0f553fead18c254211c396bd7152d0efa67f5935f08e319c208d52a4ee5b8
SHA512: 01e03abc5ab8773f8b084a546d6606ed1152a54a16f70d09e6121e3842e9ed6587a90534c59ae0b05928298f0bb9ff40be0f30d020d46230197c56bdd5603d49
-
C:\Users\Admin\AppData\Local\Temp\7zSBC21.tmp\n2aDGUzgWCI3VK.dll
Filesize: 619KB
MD5: d87bbe9d29b88e94ba03b16567033ddf
SHA1: 19102742808244a23ca403d983dfd9f7088fffe3
SHA256: fdbce4dd2b45ac64620fc875bd12d8706a197bc3def75cdc33b9984f039da5b5
SHA512: 24ea28c1104ee07604124842a99e359a53644e7693515dcf1b9a4dc7c8258c9d1bdc8b78b7018582521b6d41aebb96a1a38b6994fe83a12e29418bb011c69d03
-
C:\Users\Admin\AppData\Local\Temp\7zSBC21.tmp\n2aDGUzgWCI3VK.tlb
Filesize: 3KB
MD5: fb73184b9c1bfaa44e6cbdb593fd2909
SHA1: 4585af18986a5e24c544fcecd9e02e3006f440d1
SHA256: c89fa0e13aa5c8930b6f28648653b815d4a93cd13e8d7d0f1bf8bf1a49920edb
SHA512: 2e130f61d2211b7d2799905937b78d5119c3b22580c467dcfe757d8ac5b1e86c33fb69e3c67a6267f4db0a2730dc7cc399b8020d077b30d77428f54ec03523ed
-
C:\Users\Admin\AppData\Local\Temp\7zSBC21.tmp\n2aDGUzgWCI3VK.x64.dll
Filesize: 699KB
MD5: 1fe3d25ff48d168cb86094de5401cab0
SHA1: c6e746f4c629185d8ef71d275845e1d072483923
SHA256: 5cecdf46cd265705f19edaabc14272048a1da3563ed099303f8ed47ba3056a04
SHA512: ba3df2cf1031830fc9847c3213ec9fcd1c36c646071b2e5ae12b4bbf502a199e704131b6c53954a6ff969ba611e13743e89f0b26614b831d8b39c61a484c9be4
-
memory/4376-132-0x0000000000000000-mapping.dmp
-
memory/4908-149-0x0000000000000000-mapping.dmp
-
memory/4968-152-0x0000000000000000-mapping.dmp