89439f118ea41d91ff6a3703871adeb7f15b7c4c853ba22f93b6a53fd89c2661

Analysis

max time kernel
119s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89439f118ea41d91ff6a3703871adeb7f15b7c4c853ba22f93b6a53fd89c2661.exe
Size

2.1MB
MD5

0ee42b69cdb6eb699a7685744aad68bb
SHA1

954b99171693eb7718424812c6dc4868ad67e2ef
SHA256

89439f118ea41d91ff6a3703871adeb7f15b7c4c853ba22f93b6a53fd89c2661
SHA512

4e4001dc3b313d0b2a5f1cea3f8d3fc4d92bd5ab7fb13097d4146cb53d98394bdb4334f479512b00dcd59e74d2b46fa1f39446da6a4cdedd0828718c1dafa4f4
SSDEEP

49152:h1OsfPtqGqK2M8f3h4UO2sEYYQvLZwQE5m4or:h1OgHoxLYYav

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4960	mbMuywoIJX0Az7h.exe

Loads dropped DLL 3 IoCs

pid	Process
4960	mbMuywoIJX0Az7h.exe
4620	regsvr32.exe
508	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\pibknlenjocopdpaelanlofmnjkebpnd\200\manifest.json	mbMuywoIJX0Az7h.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\pibknlenjocopdpaelanlofmnjkebpnd\200\manifest.json	mbMuywoIJX0Az7h.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\pibknlenjocopdpaelanlofmnjkebpnd\200\manifest.json	mbMuywoIJX0Az7h.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pibknlenjocopdpaelanlofmnjkebpnd\200\manifest.json	mbMuywoIJX0Az7h.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pibknlenjocopdpaelanlofmnjkebpnd\200\manifest.json	mbMuywoIJX0Az7h.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	mbMuywoIJX0Az7h.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	mbMuywoIJX0Az7h.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	mbMuywoIJX0Az7h.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	mbMuywoIJX0Az7h.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Browser aShoop\FKFs2PqhnKDxnd.dat	mbMuywoIJX0Az7h.exe
File opened for modification	C:\Program Files (x86)\Browser aShoop\FKFs2PqhnKDxnd.dat	mbMuywoIJX0Az7h.exe
File created	C:\Program Files (x86)\Browser aShoop\FKFs2PqhnKDxnd.x64.dll	mbMuywoIJX0Az7h.exe
File opened for modification	C:\Program Files (x86)\Browser aShoop\FKFs2PqhnKDxnd.x64.dll	mbMuywoIJX0Az7h.exe
File created	C:\Program Files (x86)\Browser aShoop\FKFs2PqhnKDxnd.dll	mbMuywoIJX0Az7h.exe
File opened for modification	C:\Program Files (x86)\Browser aShoop\FKFs2PqhnKDxnd.dll	mbMuywoIJX0Az7h.exe
File created	C:\Program Files (x86)\Browser aShoop\FKFs2PqhnKDxnd.tlb	mbMuywoIJX0Az7h.exe
File opened for modification	C:\Program Files (x86)\Browser aShoop\FKFs2PqhnKDxnd.tlb	mbMuywoIJX0Az7h.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4960	4888	89439f118ea41d91ff6a3703871adeb7f15b7c4c853ba22f93b6a53fd89c2661.exe	80
PID 4888 wrote to memory of 4960	4888	89439f118ea41d91ff6a3703871adeb7f15b7c4c853ba22f93b6a53fd89c2661.exe	80
PID 4888 wrote to memory of 4960	4888	89439f118ea41d91ff6a3703871adeb7f15b7c4c853ba22f93b6a53fd89c2661.exe	80
PID 4960 wrote to memory of 4620	4960	mbMuywoIJX0Az7h.exe	81
PID 4960 wrote to memory of 4620	4960	mbMuywoIJX0Az7h.exe	81
PID 4960 wrote to memory of 4620	4960	mbMuywoIJX0Az7h.exe	81
PID 4620 wrote to memory of 508	4620	regsvr32.exe	82
PID 4620 wrote to memory of 508	4620	regsvr32.exe	82

C:\Users\Admin\AppData\Local\Temp\89439f118ea41d91ff6a3703871adeb7f15b7c4c853ba22f93b6a53fd89c2661.exe
"C:\Users\Admin\AppData\Local\Temp\89439f118ea41d91ff6a3703871adeb7f15b7c4c853ba22f93b6a53fd89c2661.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\Temp\7zSF3EA.tmp\mbMuywoIJX0Az7h.exe
  .\mbMuywoIJX0Az7h.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Browser aShoop\FKFs2PqhnKDxnd.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Browser aShoop\FKFs2PqhnKDxnd.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Browser aShoop\FKFs2PqhnKDxnd.dat

Filesize
6KB

MD5
040aa71cfd88d735976d9ae53d474c3e

SHA1
e82fcbf026525b1effb9954b7d1b3f6192cba0cf

SHA256
94c34422141336c99c0825673092569c73f7715a1e74b3f1617293eb081fc45c

SHA512
14ca1f2bf1753849110a0d489b9af65ba658f028312fe2d530e7ce7ec78810b1ff239a1dd0a1dfe92f094390066eaf2e82aa06e203a7890452ae6c4a8f1a443c

Download Submit
C:\Program Files (x86)\Browser aShoop\FKFs2PqhnKDxnd.dll

Filesize
618KB

MD5
9e56f8bd63dc95894be8b9e660696f1c

SHA1
2efcb8fc0ce33f2ada28fb2a6a17ec43813f80cb

SHA256
93186596d2312706d0623df3c9b9dfdea35546d5506b20216d2a7efeb1d8d79a

SHA512
e52fa89e7cf8ed7419a5f410f6bf46a19695727f19f8eebd714dee9d6f8a9036acc528cd6b0033f70f11a04e18746b814ee2dc494f2fc82db104a876b479d827

Download Submit
C:\Program Files (x86)\Browser aShoop\FKFs2PqhnKDxnd.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Program Files (x86)\Browser aShoop\FKFs2PqhnKDxnd.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Program Files (x86)\Browser aShoop\FKFs2PqhnKDxnd.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF3EA.tmp\FKFs2PqhnKDxnd.dll

Filesize
618KB

MD5
9e56f8bd63dc95894be8b9e660696f1c

SHA1
2efcb8fc0ce33f2ada28fb2a6a17ec43813f80cb

SHA256
93186596d2312706d0623df3c9b9dfdea35546d5506b20216d2a7efeb1d8d79a

SHA512
e52fa89e7cf8ed7419a5f410f6bf46a19695727f19f8eebd714dee9d6f8a9036acc528cd6b0033f70f11a04e18746b814ee2dc494f2fc82db104a876b479d827

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF3EA.tmp\FKFs2PqhnKDxnd.tlb

Filesize
3KB

MD5
713ab144897857b45ce9515c2a1e2d52

SHA1
607a46adbfe1892276898fb6b00e7c62dbf82772

SHA256
3ec756ec9b8c4b03cc723127bc372b67c406a4915fa0a82597b0fb29685096e6

SHA512
b54c6eaf989d9e51ba66278a0991daa14bde0f56e86c8c2fce67f2118e9557307b409fbc9ae48921c37c1869634b2801028d728f4cf3b871ad8971965e3004b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF3EA.tmp\FKFs2PqhnKDxnd.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF3EA.tmp\mbMuywoIJX0Az7h.dat

Filesize
6KB

MD5
040aa71cfd88d735976d9ae53d474c3e

SHA1
e82fcbf026525b1effb9954b7d1b3f6192cba0cf

SHA256
94c34422141336c99c0825673092569c73f7715a1e74b3f1617293eb081fc45c

SHA512
14ca1f2bf1753849110a0d489b9af65ba658f028312fe2d530e7ce7ec78810b1ff239a1dd0a1dfe92f094390066eaf2e82aa06e203a7890452ae6c4a8f1a443c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF3EA.tmp\mbMuywoIJX0Az7h.exe

Filesize
629KB

MD5
15dada567404c2049507d7098389e997

SHA1
508d8cc90c247e26ce5041c718825734079d841c

SHA256
888d66bccd07a163c4fcf59dca8fb4577fe6ecb7b11c427108b1e0aa45fccc58

SHA512
6fd82c0d06c43b309ce45c048c072c9696dfd6e9a81ec5149df64784f6428c6abe91b9be215b8a47dafc8859319be94bb13fbd2e4bc1795da61b970202a15261

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF3EA.tmp\mbMuywoIJX0Az7h.exe

Filesize
629KB

MD5
15dada567404c2049507d7098389e997

SHA1
508d8cc90c247e26ce5041c718825734079d841c

SHA256
888d66bccd07a163c4fcf59dca8fb4577fe6ecb7b11c427108b1e0aa45fccc58

SHA512
6fd82c0d06c43b309ce45c048c072c9696dfd6e9a81ec5149df64784f6428c6abe91b9be215b8a47dafc8859319be94bb13fbd2e4bc1795da61b970202a15261

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF3EA.tmp\pibknlenjocopdpaelanlofmnjkebpnd\background.html

Filesize
144B

MD5
8cca66bbe87d524df43131852148d517

SHA1
4ed689071f952211a9d3b752234bad030a59fd10

SHA256
fbf2237d2ff35b64304aa41c90a84a2d743f4c69a32801879001d7f0575861c6

SHA512
54ba7d808a5ad96f3d40ef244b677ececb5551a1cf413c3bf48bd918e2b9b106a14ff7a6c9adb4b8af0ade88ca78a77667ac2e0dd09e0b933d26d2b7c9db9902

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF3EA.tmp\pibknlenjocopdpaelanlofmnjkebpnd\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF3EA.tmp\pibknlenjocopdpaelanlofmnjkebpnd\kpw7OQR.js

Filesize
5KB

MD5
0c01c36b14e3ddeb6f3b01d1b545b149

SHA1
0133de77f36edfab0a11495fc6946593e24b6519

SHA256
9897b69de7f9c64dbb3e50a34b5373961fa9faa28bbd23ee3520ff1cc6901b6f

SHA512
2b8d1f2ac944dda2407a520a9830179316aa33dc81a0025577f10ce84d26739d072dd844937f1b2a58cc22eb356d49b47ac3566edc47d4fb8837f2d8641e3a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF3EA.tmp\pibknlenjocopdpaelanlofmnjkebpnd\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF3EA.tmp\pibknlenjocopdpaelanlofmnjkebpnd\manifest.json

Filesize
506B

MD5
00f6272ec90dec3b894ea5131fcd8111

SHA1
7b59c55abfc55780882819ddf088c410c724f032

SHA256
6dd5f3344d65265525431b3b71ed12eaad30bcacc6901a305d7a4a3a35a0f102

SHA512
8a3367aa422700fe84912b1a07708b832e28dfa9853bbe446c556142c3017978135e5c1a0e53a73ec3cdf7a8f2ecf32b0484706e297154c6000400844fcc5017

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF3EA.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF3EA.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
ad8e272f597333d5faea6488909e4204

SHA1
e957868dad03a5f7e14ef4a478302bb14553c184

SHA256
1056373ae7d922e4b1ab700f969c3af02167b51958234f61acd3733dba4b0126

SHA512
ea5d979a41813c37c547c1a19896c13718e52761ae6a0b3c21767b60b5efda812769500fd235288115b5638e0968c83477b5d0088adc19f1ee148ff8ccc8473d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF3EA.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
85dceb9a1daa1584800ba7c28d1ff0cb

SHA1
c0b98450b54cf1d28ac3186d8b9d98510044394b

SHA256
dd2a132c9b5f99edb2a893794d79205834897f95d6866858e28be4579a89d3df

SHA512
35fd994d8d60bd3cbbbf9d2d281d29f6cdc55a502dcef1bf8518e7195eb6910c12183ef41a352fcb33e8d176eaeff6e205cbf9b425df537385d5fbb9b9de9a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF3EA.tmp\[email protected]\install.rdf

Filesize
600B

MD5
8c2b83c722e8d0ec68277dc36dfb85fd

SHA1
f1aec85f5b670704979be933fa41dba5e3f32490

SHA256
2a1ea614ce1f1e4e38f01f741976b362a7bbe135932fff080c332140b1ce895b

SHA512
1bb1dea4d606322e56c9f60191ea47fd923f03dba285a0835bc8c2713c0fdf45251f2c3382a376777a9792f48db7b48a8a79baf7c32782432bff46dee31d85f9

Download Submit
memory/508-152-0x0000000000000000-mapping.dmp

Download
memory/4620-149-0x0000000000000000-mapping.dmp

Download
memory/4960-132-0x0000000000000000-mapping.dmp

Download