f49bd8372dfaaa003cf00b71ce8545a4b7e365b208fe1bf3c445ae8c117ba944

Analysis

max time kernel
246s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f49bd8372dfaaa003cf00b71ce8545a4b7e365b208fe1bf3c445ae8c117ba944.exe
Size

2.1MB
MD5

717e2baa66a5c4c78377f26cd324c13b
SHA1

f964823296fc2ef23bd9cca1109ef47f489e8fac
SHA256

f49bd8372dfaaa003cf00b71ce8545a4b7e365b208fe1bf3c445ae8c117ba944
SHA512

140de606a5039eed53329edaabeecce7368023ff859d2eebc3275a45b8b96a98b8c4a93ccd48f33ee726ce7a918b60a9590435ebe47a8b3cd1c13d7b4121170f
SSDEEP

49152:h1Os2a+y5xECQXXb/tUkOHelsTTCjqYxqw:h1OdtBOHSbR

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
468	QJkl97NA97MTphK.exe

Loads dropped DLL 4 IoCs

pid	Process
772	f49bd8372dfaaa003cf00b71ce8545a4b7e365b208fe1bf3c445ae8c117ba944.exe
468	QJkl97NA97MTphK.exe
540	regsvr32.exe
1672	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mpncefkgpiiibkfmgdlocgpkdabdldld\200\manifest.json	QJkl97NA97MTphK.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mpncefkgpiiibkfmgdlocgpkdabdldld\200\manifest.json	QJkl97NA97MTphK.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\mpncefkgpiiibkfmgdlocgpkdabdldld\200\manifest.json	QJkl97NA97MTphK.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	QJkl97NA97MTphK.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	QJkl97NA97MTphK.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	QJkl97NA97MTphK.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	QJkl97NA97MTphK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	QJkl97NA97MTphK.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Browser Shop\ol0k8IEwcEw7B7.tlb	QJkl97NA97MTphK.exe
File created	C:\Program Files (x86)\Browser Shop\ol0k8IEwcEw7B7.dat	QJkl97NA97MTphK.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\ol0k8IEwcEw7B7.dat	QJkl97NA97MTphK.exe
File created	C:\Program Files (x86)\Browser Shop\ol0k8IEwcEw7B7.x64.dll	QJkl97NA97MTphK.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\ol0k8IEwcEw7B7.x64.dll	QJkl97NA97MTphK.exe
File created	C:\Program Files (x86)\Browser Shop\ol0k8IEwcEw7B7.dll	QJkl97NA97MTphK.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\ol0k8IEwcEw7B7.dll	QJkl97NA97MTphK.exe
File created	C:\Program Files (x86)\Browser Shop\ol0k8IEwcEw7B7.tlb	QJkl97NA97MTphK.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 468	772	f49bd8372dfaaa003cf00b71ce8545a4b7e365b208fe1bf3c445ae8c117ba944.exe	27
PID 772 wrote to memory of 468	772	f49bd8372dfaaa003cf00b71ce8545a4b7e365b208fe1bf3c445ae8c117ba944.exe	27
PID 772 wrote to memory of 468	772	f49bd8372dfaaa003cf00b71ce8545a4b7e365b208fe1bf3c445ae8c117ba944.exe	27
PID 772 wrote to memory of 468	772	f49bd8372dfaaa003cf00b71ce8545a4b7e365b208fe1bf3c445ae8c117ba944.exe	27
PID 468 wrote to memory of 540	468	QJkl97NA97MTphK.exe	28
PID 468 wrote to memory of 540	468	QJkl97NA97MTphK.exe	28
PID 468 wrote to memory of 540	468	QJkl97NA97MTphK.exe	28
PID 468 wrote to memory of 540	468	QJkl97NA97MTphK.exe	28
PID 468 wrote to memory of 540	468	QJkl97NA97MTphK.exe	28
PID 468 wrote to memory of 540	468	QJkl97NA97MTphK.exe	28
PID 468 wrote to memory of 540	468	QJkl97NA97MTphK.exe	28
PID 540 wrote to memory of 1672	540	regsvr32.exe	29
PID 540 wrote to memory of 1672	540	regsvr32.exe	29
PID 540 wrote to memory of 1672	540	regsvr32.exe	29
PID 540 wrote to memory of 1672	540	regsvr32.exe	29
PID 540 wrote to memory of 1672	540	regsvr32.exe	29
PID 540 wrote to memory of 1672	540	regsvr32.exe	29
PID 540 wrote to memory of 1672	540	regsvr32.exe	29

C:\Users\Admin\AppData\Local\Temp\f49bd8372dfaaa003cf00b71ce8545a4b7e365b208fe1bf3c445ae8c117ba944.exe
"C:\Users\Admin\AppData\Local\Temp\f49bd8372dfaaa003cf00b71ce8545a4b7e365b208fe1bf3c445ae8c117ba944.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:772
- C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\QJkl97NA97MTphK.exe
  .\QJkl97NA97MTphK.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Browser Shop\ol0k8IEwcEw7B7.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Browser Shop\ol0k8IEwcEw7B7.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Browser Shop\ol0k8IEwcEw7B7.dat

Filesize
6KB

MD5
2b82b0bd3a4372eeaaef94084ba62237

SHA1
bc98f4a20285da89194d45f4a9e0f54b666b1ecd

SHA256
cd0cef7c5b9c44e9012aa61fce4c227cb570690b62fd42f8dfc328982afbe13b

SHA512
7cf82f4989573fbf457cc9d08dc0e66f17d95e913b6fd6061d00e1e5fa311e353b8b583c2a6e5899ce76c2d7022c9256e5a94328f111727aec21af8b0d0ab2c0

Download Submit
C:\Program Files (x86)\Browser Shop\ol0k8IEwcEw7B7.x64.dll

Filesize
700KB

MD5
0fba9bd6e998f56bfab3ec37cbe6a631

SHA1
6d6e2713ffea8a6a02b97adce0cbcf4c642f1235

SHA256
357015113e010a4bb715d6b6b8c6b08286bdb34adb87656bc249c762a0d239d1

SHA512
88da22df4bf81b3008e143a696ab636748fea4605d77594d3521533416513b9c6ca13433e613bf26fa9678c14e9968b552ff5845c2df205852743032e56bb358

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\QJkl97NA97MTphK.dat

Filesize
6KB

MD5
2b82b0bd3a4372eeaaef94084ba62237

SHA1
bc98f4a20285da89194d45f4a9e0f54b666b1ecd

SHA256
cd0cef7c5b9c44e9012aa61fce4c227cb570690b62fd42f8dfc328982afbe13b

SHA512
7cf82f4989573fbf457cc9d08dc0e66f17d95e913b6fd6061d00e1e5fa311e353b8b583c2a6e5899ce76c2d7022c9256e5a94328f111727aec21af8b0d0ab2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\QJkl97NA97MTphK.exe

Filesize
624KB

MD5
8440fce178bb6c85832b0fbcc81c160c

SHA1
4d9672221d8e16ad24a706d2ba02552d59e9172d

SHA256
f5778940bb1f43bdf05ed87ca14fe95026455aa35c4a71f2b6912f6ed858baaa

SHA512
8160eaff06cf00ea502e570616a4d89778163c2cf7f175801519ed38fb528a753cc32aa17cf627cd738689e213acf747836ecf42571422f2adede6026904e3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\QJkl97NA97MTphK.exe

Filesize
624KB

MD5
8440fce178bb6c85832b0fbcc81c160c

SHA1
4d9672221d8e16ad24a706d2ba02552d59e9172d

SHA256
f5778940bb1f43bdf05ed87ca14fe95026455aa35c4a71f2b6912f6ed858baaa

SHA512
8160eaff06cf00ea502e570616a4d89778163c2cf7f175801519ed38fb528a753cc32aa17cf627cd738689e213acf747836ecf42571422f2adede6026904e3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
b4ad4751f3c4529d90192d32a8d1b627

SHA1
c81d6fa7304f1c7e3753dc20008b1ea05f99825a

SHA256
1f33566d716c1e74c616ac3c485f1ffacfcdc751ae3a424fb418fce0911cbda7

SHA512
fb971ed638987578605e10f06fba35ae800cf59750c3c02c737969db0a4397d96f873c91bf0a39305da547608079baa0d8f5737eee6004fb6c41374119e4d6c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
4cb2db9321ef7d533f3b6352a6b13ed2

SHA1
c51c32a753a16ceaf8efc47a964556e0d30424ad

SHA256
3c2c1c44cf45fe8c5a8904f34b3aa107535edabe3cc4285fc54c7f7d3b7b5b83

SHA512
5148a434ad2164630e577163f3e20ad30d49d4aee4e5b1426c7b3b5ee4461907db4e656533198265d0e5afa9e4798df4c7dbd72aafcd531d70c51fae32414745

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\[email protected]\install.rdf

Filesize
597B

MD5
65387a2a4e60bb75ac635a95ba204ba4

SHA1
36c5fb48325978c8991e4877a01cdd4613c623f9

SHA256
4b6300f30785946fa9fad6b0c549b6c2e264b31c5665f9ec196fcda480633604

SHA512
9537e9fefb662124182da10ca6cb29ec414527d9502fed3f5d362a8e5a909defe879bd406979c55176b87cad392442cdc77e5d27fd11bc620666f1c6d27de02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\mpncefkgpiiibkfmgdlocgpkdabdldld\MPA6nrilU.js

Filesize
5KB

MD5
ca7ae46f9eb9fa40509cce1d0e4f12e9

SHA1
d558e393cddd128f52671090a87dfc81588fcc57

SHA256
d36ef75ef2e9905183375fc1507001d04adb856b716316a0d4629adef641acdb

SHA512
37c82daede66f00fc68a5088b11804e7dbce66b5784092376411b2f1d34fae4756d4de399fa8643c96383fe9f72c0c9c52555a3fd1806af2c317aacf3fdc6f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\mpncefkgpiiibkfmgdlocgpkdabdldld\background.html

Filesize
146B

MD5
222d7f22454097072199bbea51d1deb6

SHA1
cb5b8782f7993d0591a7a18b90b0340f908a1a40

SHA256
b38f39db8c2b24be425ae2126fcabfccc666bc829a4af8d33e4e2c736bf0964f

SHA512
41192b541c082b7a3b417f0a26dee09a77624cbbe5c645c7992eb6a5b65766030f33829170204b1e54bc5197ebb23675bc0b1484f38f0afc5fa07a6dd4cc74d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\mpncefkgpiiibkfmgdlocgpkdabdldld\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\mpncefkgpiiibkfmgdlocgpkdabdldld\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\mpncefkgpiiibkfmgdlocgpkdabdldld\manifest.json

Filesize
504B

MD5
d532994175ac6e4e8fea2ae07edef6ff

SHA1
5646eab3cebc8b0a804103b63f08a63db784a77d

SHA256
f9a190f8cfafdeddfe9627366bcd108e42b7fa07c8d074f1570bd77489f39c4d

SHA512
ba6ddc11423c0b0d93de3e3ecb9eeebe29470723282165aa67de4329a5f9af7e390869a7cbd0834c1ff115a1ed0a274bed686b4b6630e98b268ec1f2a9a8dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\ol0k8IEwcEw7B7.dll

Filesize
618KB

MD5
080d8ffcd7f74bb06445d791f818881b

SHA1
db62fc6730b548489a72d9c9de26f3a6045d25ab

SHA256
346d5c9733935935c828115a3eed81322dd67cea4574fe135059582719bc2c68

SHA512
b75dab95829d3d6cff47ae2b66218bd0b92798b114bbc55b6a9cf52d38e6baea31071a2bc34ec2210536a1e7e5f67a8ecbc0468bf0c139ead6cabdc657c47d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\ol0k8IEwcEw7B7.tlb

Filesize
3KB

MD5
16dfbf4806c531622bd907bbbf20fd4d

SHA1
388ca199001cda40623ce6fbe72660553062fb87

SHA256
c569ac7f3994c0fef451e56cbf9c2403fd52b90410d06ce0d4539a0b304b9d83

SHA512
d86f503c052e9cd3e46e29d838ab79e7ffa158f7661c336971e7dfa307cd8b03688a3f9d3b82fc01b699d2167fd25d9eef2a27b6b55f478c6fb775004e6507ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\ol0k8IEwcEw7B7.x64.dll

Filesize
700KB

MD5
0fba9bd6e998f56bfab3ec37cbe6a631

SHA1
6d6e2713ffea8a6a02b97adce0cbcf4c642f1235

SHA256
357015113e010a4bb715d6b6b8c6b08286bdb34adb87656bc249c762a0d239d1

SHA512
88da22df4bf81b3008e143a696ab636748fea4605d77594d3521533416513b9c6ca13433e613bf26fa9678c14e9968b552ff5845c2df205852743032e56bb358

Download Submit
\Program Files (x86)\Browser Shop\ol0k8IEwcEw7B7.dll

Filesize
618KB

MD5
080d8ffcd7f74bb06445d791f818881b

SHA1
db62fc6730b548489a72d9c9de26f3a6045d25ab

SHA256
346d5c9733935935c828115a3eed81322dd67cea4574fe135059582719bc2c68

SHA512
b75dab95829d3d6cff47ae2b66218bd0b92798b114bbc55b6a9cf52d38e6baea31071a2bc34ec2210536a1e7e5f67a8ecbc0468bf0c139ead6cabdc657c47d52

Download Submit
\Program Files (x86)\Browser Shop\ol0k8IEwcEw7B7.x64.dll

Filesize
700KB

MD5
0fba9bd6e998f56bfab3ec37cbe6a631

SHA1
6d6e2713ffea8a6a02b97adce0cbcf4c642f1235

SHA256
357015113e010a4bb715d6b6b8c6b08286bdb34adb87656bc249c762a0d239d1

SHA512
88da22df4bf81b3008e143a696ab636748fea4605d77594d3521533416513b9c6ca13433e613bf26fa9678c14e9968b552ff5845c2df205852743032e56bb358

Download Submit
\Program Files (x86)\Browser Shop\ol0k8IEwcEw7B7.x64.dll

Filesize
700KB

MD5
0fba9bd6e998f56bfab3ec37cbe6a631

SHA1
6d6e2713ffea8a6a02b97adce0cbcf4c642f1235

SHA256
357015113e010a4bb715d6b6b8c6b08286bdb34adb87656bc249c762a0d239d1

SHA512
88da22df4bf81b3008e143a696ab636748fea4605d77594d3521533416513b9c6ca13433e613bf26fa9678c14e9968b552ff5845c2df205852743032e56bb358

Download Submit
\Users\Admin\AppData\Local\Temp\7zS19B9.tmp\QJkl97NA97MTphK.exe

Filesize
624KB

MD5
8440fce178bb6c85832b0fbcc81c160c

SHA1
4d9672221d8e16ad24a706d2ba02552d59e9172d

SHA256
f5778940bb1f43bdf05ed87ca14fe95026455aa35c4a71f2b6912f6ed858baaa

SHA512
8160eaff06cf00ea502e570616a4d89778163c2cf7f175801519ed38fb528a753cc32aa17cf627cd738689e213acf747836ecf42571422f2adede6026904e3c8

Download Submit
memory/772-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1672-78-0x000007FEFBCD1000-0x000007FEFBCD3000-memory.dmp

Filesize
8KB

Download