843d878b0a3f55a6d5698f134a86bf04ac692732fd9594cdc95c3404df7c273b

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 20:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

843d878b0a3f55a6d5698f134a86bf04ac692732fd9594cdc95c3404df7c273b.exe
Size

2.1MB
MD5

b17a408384edeb55cb6d15c915b11f6e
SHA1

44719e99b66fc670bc8e0ecb3f044954434f615a
SHA256

843d878b0a3f55a6d5698f134a86bf04ac692732fd9594cdc95c3404df7c273b
SHA512

94616966a39355c1e2c645ca01cf916ec3102ae4f4899d0eff0302058e2f45bf7a06aade4406ee35bf781f2674d0088d5a8792d0442dc86d7e289d1472f63237
SSDEEP

49152:h1OspNB2tcyUoc3slSeZrg1JclQ35sFDR+:h1Os36Eoc3UK0bY

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1528	up7gNs124FlJAWC.exe

Loads dropped DLL 4 IoCs

pid	Process
1464	843d878b0a3f55a6d5698f134a86bf04ac692732fd9594cdc95c3404df7c273b.exe
1528	up7gNs124FlJAWC.exe
1372	regsvr32.exe
808	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpeohilbdadffoljknfdgplhneiikbek\1.0\manifest.json	up7gNs124FlJAWC.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpeohilbdadffoljknfdgplhneiikbek\1.0\manifest.json	up7gNs124FlJAWC.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpeohilbdadffoljknfdgplhneiikbek\1.0\manifest.json	up7gNs124FlJAWC.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	up7gNs124FlJAWC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	up7gNs124FlJAWC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	up7gNs124FlJAWC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	up7gNs124FlJAWC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	up7gNs124FlJAWC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\YoutubeAdBlocke\CDmIQrVDGZNoSp.dat	up7gNs124FlJAWC.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\CDmIQrVDGZNoSp.dat	up7gNs124FlJAWC.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\CDmIQrVDGZNoSp.x64.dll	up7gNs124FlJAWC.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\CDmIQrVDGZNoSp.x64.dll	up7gNs124FlJAWC.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\CDmIQrVDGZNoSp.dll	up7gNs124FlJAWC.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\CDmIQrVDGZNoSp.dll	up7gNs124FlJAWC.exe
File created	C:\Program Files (x86)\YoutubeAdBlocke\CDmIQrVDGZNoSp.tlb	up7gNs124FlJAWC.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlocke\CDmIQrVDGZNoSp.tlb	up7gNs124FlJAWC.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1528	up7gNs124FlJAWC.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1528	1464	843d878b0a3f55a6d5698f134a86bf04ac692732fd9594cdc95c3404df7c273b.exe	26
PID 1464 wrote to memory of 1528	1464	843d878b0a3f55a6d5698f134a86bf04ac692732fd9594cdc95c3404df7c273b.exe	26
PID 1464 wrote to memory of 1528	1464	843d878b0a3f55a6d5698f134a86bf04ac692732fd9594cdc95c3404df7c273b.exe	26
PID 1464 wrote to memory of 1528	1464	843d878b0a3f55a6d5698f134a86bf04ac692732fd9594cdc95c3404df7c273b.exe	26
PID 1528 wrote to memory of 1372	1528	up7gNs124FlJAWC.exe	27
PID 1528 wrote to memory of 1372	1528	up7gNs124FlJAWC.exe	27
PID 1528 wrote to memory of 1372	1528	up7gNs124FlJAWC.exe	27
PID 1528 wrote to memory of 1372	1528	up7gNs124FlJAWC.exe	27
PID 1528 wrote to memory of 1372	1528	up7gNs124FlJAWC.exe	27
PID 1528 wrote to memory of 1372	1528	up7gNs124FlJAWC.exe	27
PID 1528 wrote to memory of 1372	1528	up7gNs124FlJAWC.exe	27
PID 1372 wrote to memory of 808	1372	regsvr32.exe	28
PID 1372 wrote to memory of 808	1372	regsvr32.exe	28
PID 1372 wrote to memory of 808	1372	regsvr32.exe	28
PID 1372 wrote to memory of 808	1372	regsvr32.exe	28
PID 1372 wrote to memory of 808	1372	regsvr32.exe	28
PID 1372 wrote to memory of 808	1372	regsvr32.exe	28
PID 1372 wrote to memory of 808	1372	regsvr32.exe	28

C:\Users\Admin\AppData\Local\Temp\843d878b0a3f55a6d5698f134a86bf04ac692732fd9594cdc95c3404df7c273b.exe
"C:\Users\Admin\AppData\Local\Temp\843d878b0a3f55a6d5698f134a86bf04ac692732fd9594cdc95c3404df7c273b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\7zS365D.tmp\up7gNs124FlJAWC.exe
  .\up7gNs124FlJAWC.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdBlocke\CDmIQrVDGZNoSp.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YoutubeAdBlocke\CDmIQrVDGZNoSp.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutubeAdBlocke\CDmIQrVDGZNoSp.dat

Filesize
6KB

MD5
e57e0563ab3860c78cb39200ff8feb5a

SHA1
435dc92b2aa5f7001bd86018b6f3aff3dc3a5c52

SHA256
9f3653fb4161cb70be22ffc45a433d13b2e067ee996c4c69ddd1a350d4203b5b

SHA512
324b945523bc8e24bc5faf5d4abf015cf582692a151a64c8b2de9e2e9fde4d6c46fb48d46cfd31da9041e9ad13fceb36f332456294f2df889337b8a708e5d152

Download Submit
C:\Program Files (x86)\YoutubeAdBlocke\CDmIQrVDGZNoSp.x64.dll

Filesize
713KB

MD5
b13f442c83c893871f125e07497085d4

SHA1
4059c7e28477c9ca064fc9919f4a3c05814f1da2

SHA256
bade23037722ee9c1f4b40f249c2fddbc54499acc73353e267e350d0214689bf

SHA512
b067fcbdc174bc9c9d5d7b6b18abe74b25eebe026c83ab0927a906d822ad3486dfb5224bbfb3df1fe7736c7b4e4ab47d127d6a4786d7a6ea3c6f5728c006cc7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS365D.tmp\CDmIQrVDGZNoSp.dll

Filesize
631KB

MD5
e632e9bdbcd9337b0b85d5a437d2e2c3

SHA1
46d02d5bad7cc1819737d16d4ad0cb931f57347b

SHA256
87aa09c3eabbc691b1e422972057dccb71aae9c5dd0608a53e1e43c73818560a

SHA512
72c7a72789730d366dd808c78fb8e807cdad5d5689733cbed21220f9e232b056e342e7c0af9af0694d1c25aa681c0e75f75d4f18def24c546ebe00096a3d81a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS365D.tmp\CDmIQrVDGZNoSp.tlb

Filesize
3KB

MD5
dd94094aed6b15f84320162edb0abb97

SHA1
b5b8f14698e1690a1dc384d55a927671619335da

SHA256
ddce9e35654a30c85f2f89a2a20d38290b5c87fb99d17a544b61f46f65441c19

SHA512
9d029b36434411b3f3f0e70abd024fda21acaa62ba0507b54f67d75cede382ea294bc0f0c82b28a0a8ab45bd7550065824869aa514b25987770c6e0339df1358

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS365D.tmp\CDmIQrVDGZNoSp.x64.dll

Filesize
713KB

MD5
b13f442c83c893871f125e07497085d4

SHA1
4059c7e28477c9ca064fc9919f4a3c05814f1da2

SHA256
bade23037722ee9c1f4b40f249c2fddbc54499acc73353e267e350d0214689bf

SHA512
b067fcbdc174bc9c9d5d7b6b18abe74b25eebe026c83ab0927a906d822ad3486dfb5224bbfb3df1fe7736c7b4e4ab47d127d6a4786d7a6ea3c6f5728c006cc7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS365D.tmp\jpeohilbdadffoljknfdgplhneiikbek\background.html

Filesize
145B

MD5
c62cc5ed4515f4b92f7c4029b8604340

SHA1
31c8ef2bb1425835d3409fb4f2f7d2e9a7c881c1

SHA256
c9ae56d30044b940990015d8a7a637b4155e48e8f6d6aa045c9e0dcabe163fcb

SHA512
bea91193678c38ec48e15ad45fdca548268ec1b1a096305eece47dc5fc0c0d593e2a4ce392014a4d0db59da52e166d61877303bcac07737de30077c31af0c809

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS365D.tmp\jpeohilbdadffoljknfdgplhneiikbek\cBOQJaRr.js

Filesize
5KB

MD5
2c7037b1539d25c20ff7992ad95b0787

SHA1
7af280166e4593ad78c1ac5f4ce84ff733015491

SHA256
4f97d54b2b894b739d34bb5de085b7ec925ea592e8ab0e7af6868abc43c22edc

SHA512
d2d925ca54d8d5aa317b6e7f2f2a84fe713470e8984c63de40cafc9208f2ef7c101884b4847f3f75a0bec7de50cc8d0d2046851557cc89c66ff551ea949adc31

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS365D.tmp\jpeohilbdadffoljknfdgplhneiikbek\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS365D.tmp\jpeohilbdadffoljknfdgplhneiikbek\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS365D.tmp\jpeohilbdadffoljknfdgplhneiikbek\manifest.json

Filesize
507B

MD5
d429395a45a9aa09e4ee9054e9196b30

SHA1
c5dbab4e27650b07d4d159c305d08a9d578c3a3e

SHA256
674fc32cde82ed69cb8595bbea9f70f69097062c39bd6a3a505227a4f4a45344

SHA512
4a5bc7c005e573bf0cdb89489d676fb26c5fe116d397a6cd7a1ebb2cae9605b3d1657378e17d354cb102e93c39b32fa8d2963f375af37c871452f3170356101e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS365D.tmp\up7gNs124FlJAWC.dat

Filesize
6KB

MD5
e57e0563ab3860c78cb39200ff8feb5a

SHA1
435dc92b2aa5f7001bd86018b6f3aff3dc3a5c52

SHA256
9f3653fb4161cb70be22ffc45a433d13b2e067ee996c4c69ddd1a350d4203b5b

SHA512
324b945523bc8e24bc5faf5d4abf015cf582692a151a64c8b2de9e2e9fde4d6c46fb48d46cfd31da9041e9ad13fceb36f332456294f2df889337b8a708e5d152

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS365D.tmp\up7gNs124FlJAWC.exe

Filesize
646KB

MD5
4d6bbefbd7b1947021e130c31064477e

SHA1
0eb9e06add3f44c25498d513ea1207a85e7645ca

SHA256
136568d89154d72d7968982e13aa96276e4102a98efd322c77ab2ffd149c9970

SHA512
d9d50d8509555c4816bdb32297a22ea877f0d6e9fe90624c5f74c0e9f02adae03164b1d20920047558c54fa4d1fba5d9d893cb73eca8bf2861ac49617b3ef4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS365D.tmp\up7gNs124FlJAWC.exe

Filesize
646KB

MD5
4d6bbefbd7b1947021e130c31064477e

SHA1
0eb9e06add3f44c25498d513ea1207a85e7645ca

SHA256
136568d89154d72d7968982e13aa96276e4102a98efd322c77ab2ffd149c9970

SHA512
d9d50d8509555c4816bdb32297a22ea877f0d6e9fe90624c5f74c0e9f02adae03164b1d20920047558c54fa4d1fba5d9d893cb73eca8bf2861ac49617b3ef4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS365D.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS365D.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
c2348643f087220d4331f8d44f7c4ff4

SHA1
cf123234ef45c9653a9e334e7113d10e4fdd3c1f

SHA256
4560ee761150bca4fe56d7c4e0b51a74b48f35088309b841fc9c28866980ee4a

SHA512
b7490315ff29c53d700d2fb674404f0eaf8ddfa2f105d0d037d53d6eaa569790d6cfdd7648bff29add7dc34276ea2487a26de0eaa16019c2023ab034dd396038

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS365D.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
adb720d83bbab8c291ce10b3d5cb499d

SHA1
0aafb40cb489c771d4ffc47133e343ad2ef776fb

SHA256
609dcb762f23cae30889be7f57c303fc967ff0f793bbcffd171fc3aab81c8fb6

SHA512
cb24cf8989dee2750e9c376632eb4ddc496d50cd5fc52a85f95cd791504cde16720dadb97d75f0bb6ec5368b5df1adea04cc11257c082a97221b440a42987092

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS365D.tmp\[email protected]\install.rdf

Filesize
599B

MD5
afa7cadaf05a1d8d6636fb62cd197758

SHA1
042b2e6fd8f7b6223c0ef0ddf1df3f31d1cc6ac7

SHA256
47ff7b2706d687e3a2ce80b2a46720e05b1f0c2f431d83e67d77c57fddd55862

SHA512
9b7f61aac453050a0e2c4a6a39bcceeed3d858e62c951579457efc50c0b169a391a5199229f2903aa20f4db680188e3370afd4b364381ff742f82e173a199a9e

Download Submit
\Program Files (x86)\YoutubeAdBlocke\CDmIQrVDGZNoSp.dll

Filesize
631KB

MD5
e632e9bdbcd9337b0b85d5a437d2e2c3

SHA1
46d02d5bad7cc1819737d16d4ad0cb931f57347b

SHA256
87aa09c3eabbc691b1e422972057dccb71aae9c5dd0608a53e1e43c73818560a

SHA512
72c7a72789730d366dd808c78fb8e807cdad5d5689733cbed21220f9e232b056e342e7c0af9af0694d1c25aa681c0e75f75d4f18def24c546ebe00096a3d81a0

Download Submit
\Program Files (x86)\YoutubeAdBlocke\CDmIQrVDGZNoSp.x64.dll

Filesize
713KB

MD5
b13f442c83c893871f125e07497085d4

SHA1
4059c7e28477c9ca064fc9919f4a3c05814f1da2

SHA256
bade23037722ee9c1f4b40f249c2fddbc54499acc73353e267e350d0214689bf

SHA512
b067fcbdc174bc9c9d5d7b6b18abe74b25eebe026c83ab0927a906d822ad3486dfb5224bbfb3df1fe7736c7b4e4ab47d127d6a4786d7a6ea3c6f5728c006cc7b

Download Submit
\Program Files (x86)\YoutubeAdBlocke\CDmIQrVDGZNoSp.x64.dll

Filesize
713KB

MD5
b13f442c83c893871f125e07497085d4

SHA1
4059c7e28477c9ca064fc9919f4a3c05814f1da2

SHA256
bade23037722ee9c1f4b40f249c2fddbc54499acc73353e267e350d0214689bf

SHA512
b067fcbdc174bc9c9d5d7b6b18abe74b25eebe026c83ab0927a906d822ad3486dfb5224bbfb3df1fe7736c7b4e4ab47d127d6a4786d7a6ea3c6f5728c006cc7b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS365D.tmp\up7gNs124FlJAWC.exe

Filesize
646KB

MD5
4d6bbefbd7b1947021e130c31064477e

SHA1
0eb9e06add3f44c25498d513ea1207a85e7645ca

SHA256
136568d89154d72d7968982e13aa96276e4102a98efd322c77ab2ffd149c9970

SHA512
d9d50d8509555c4816bdb32297a22ea877f0d6e9fe90624c5f74c0e9f02adae03164b1d20920047558c54fa4d1fba5d9d893cb73eca8bf2861ac49617b3ef4a2

Download Submit
memory/808-78-0x000007FEFB5E1000-0x000007FEFB5E3000-memory.dmp

Filesize
8KB

Download
memory/1464-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download