639702b29593716b30ce5447cbead59fe26ed90ab7692d1c6cc77b6112677e1b

Analysis

max time kernel
39s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

639702b29593716b30ce5447cbead59fe26ed90ab7692d1c6cc77b6112677e1b.exe
Size

2.0MB
MD5

f8c53b6cd797e10875663fe1c8cef6b5
SHA1

909672c0f22d4cf5139e1cde4b0d0b77a82907e9
SHA256

639702b29593716b30ce5447cbead59fe26ed90ab7692d1c6cc77b6112677e1b
SHA512

ac3142c60f8cf10de1a678b77dae81e6154b19cd1b8edb959837755f40095b20c24ab0f1bb717c5d299a4b5edbe69c1e3b29d18d64eaf3ff89b26d9f16a4fb88
SSDEEP

49152:h1Os3arVSg041fkjuYbgXToVxA4fxDKzUoNJ:h1OwaUtRjuxToszD

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2008	t1V93sMXVqcBTNR.exe

Loads dropped DLL 4 IoCs

pid	Process
856	639702b29593716b30ce5447cbead59fe26ed90ab7692d1c6cc77b6112677e1b.exe
2008	t1V93sMXVqcBTNR.exe
784	regsvr32.exe
1484	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hapogkmaggjbbbefidaghconelcfkbhj\200\manifest.json	t1V93sMXVqcBTNR.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hapogkmaggjbbbefidaghconelcfkbhj\200\manifest.json	t1V93sMXVqcBTNR.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hapogkmaggjbbbefidaghconelcfkbhj\200\manifest.json	t1V93sMXVqcBTNR.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	t1V93sMXVqcBTNR.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	t1V93sMXVqcBTNR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	t1V93sMXVqcBTNR.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	t1V93sMXVqcBTNR.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	t1V93sMXVqcBTNR.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Browser Shop\4YUH95zUouMWBk.x64.dll	t1V93sMXVqcBTNR.exe
File created	C:\Program Files (x86)\Browser Shop\4YUH95zUouMWBk.dll	t1V93sMXVqcBTNR.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\4YUH95zUouMWBk.dll	t1V93sMXVqcBTNR.exe
File created	C:\Program Files (x86)\Browser Shop\4YUH95zUouMWBk.tlb	t1V93sMXVqcBTNR.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\4YUH95zUouMWBk.tlb	t1V93sMXVqcBTNR.exe
File created	C:\Program Files (x86)\Browser Shop\4YUH95zUouMWBk.dat	t1V93sMXVqcBTNR.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\4YUH95zUouMWBk.dat	t1V93sMXVqcBTNR.exe
File created	C:\Program Files (x86)\Browser Shop\4YUH95zUouMWBk.x64.dll	t1V93sMXVqcBTNR.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 2008	856	639702b29593716b30ce5447cbead59fe26ed90ab7692d1c6cc77b6112677e1b.exe	26
PID 856 wrote to memory of 2008	856	639702b29593716b30ce5447cbead59fe26ed90ab7692d1c6cc77b6112677e1b.exe	26
PID 856 wrote to memory of 2008	856	639702b29593716b30ce5447cbead59fe26ed90ab7692d1c6cc77b6112677e1b.exe	26
PID 856 wrote to memory of 2008	856	639702b29593716b30ce5447cbead59fe26ed90ab7692d1c6cc77b6112677e1b.exe	26
PID 2008 wrote to memory of 784	2008	t1V93sMXVqcBTNR.exe	27
PID 2008 wrote to memory of 784	2008	t1V93sMXVqcBTNR.exe	27
PID 2008 wrote to memory of 784	2008	t1V93sMXVqcBTNR.exe	27
PID 2008 wrote to memory of 784	2008	t1V93sMXVqcBTNR.exe	27
PID 2008 wrote to memory of 784	2008	t1V93sMXVqcBTNR.exe	27
PID 2008 wrote to memory of 784	2008	t1V93sMXVqcBTNR.exe	27
PID 2008 wrote to memory of 784	2008	t1V93sMXVqcBTNR.exe	27
PID 784 wrote to memory of 1484	784	regsvr32.exe	28
PID 784 wrote to memory of 1484	784	regsvr32.exe	28
PID 784 wrote to memory of 1484	784	regsvr32.exe	28
PID 784 wrote to memory of 1484	784	regsvr32.exe	28
PID 784 wrote to memory of 1484	784	regsvr32.exe	28
PID 784 wrote to memory of 1484	784	regsvr32.exe	28
PID 784 wrote to memory of 1484	784	regsvr32.exe	28

C:\Users\Admin\AppData\Local\Temp\639702b29593716b30ce5447cbead59fe26ed90ab7692d1c6cc77b6112677e1b.exe
"C:\Users\Admin\AppData\Local\Temp\639702b29593716b30ce5447cbead59fe26ed90ab7692d1c6cc77b6112677e1b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\7zS5255.tmp\t1V93sMXVqcBTNR.exe
  .\t1V93sMXVqcBTNR.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Browser Shop\4YUH95zUouMWBk.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:784
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Browser Shop\4YUH95zUouMWBk.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Browser Shop\4YUH95zUouMWBk.dat

Filesize
6KB

MD5
cece8666ef0cefbc83d50c3cc523c281

SHA1
402404843f3b3f22ca0a828c5bd761b02c61e46f

SHA256
e0c61b0e9bd3eb13272272cd3b76e497b856dcdce7b819164f147982fbc257e3

SHA512
fa38308b036f4b5ce0cb35e5167d9e3794880785ab4136073460caeb55d12bb164c848eba8ba74be11059d5414325cb51827784dd667d73fb0173075c4cbee82

Download Submit
C:\Program Files (x86)\Browser Shop\4YUH95zUouMWBk.x64.dll

Filesize
690KB

MD5
ab91ec5e21166a3ddae814ef1e3ceb3d

SHA1
16fd5cbd57915622a00d2097cde5892cf9a9aafc

SHA256
572e6027916f88025379a27c58d1148c06a2afd132ce8d859a3a9fc6bf980e5d

SHA512
3e457b795f9fab1b756f0552b4f5a57d9a1075ff332cecd0f268e9e35eda8575bb8d03910e3182896d29e26c35181b2ab41867193e216ce80440e032307fbc52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5255.tmp\4YUH95zUouMWBk.dll

Filesize
612KB

MD5
1a08953d578fde31c69aad70ffc8843b

SHA1
def14be28cdfdbc14e860a19a69b3bb304357a17

SHA256
8d93c8f0bd4e85cd960321d03b52c1832f3131424c13df0c42a033d55d5abeb9

SHA512
34275ca2feee29e7b3447a47e1edbb2fe18d921d10322efe94f84986f041701e76f6fbb85c9f7582bfbeadbc92993d4dcdcfc3c35c421f340fcce835b8ad720e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5255.tmp\4YUH95zUouMWBk.tlb

Filesize
3KB

MD5
e54f4f2fa4156050e1b34115a3fad7b1

SHA1
fcea121f093562e611f3b2632610a709817f293f

SHA256
05c718a1e3a7360311b6bcd2fcc1ec5ec3afd43063d3d937e18e8d318f609898

SHA512
0efa8a7f85ca4111456b26a8a9bfeda0cef15dc9b84535db65195a760a9f8afc7908e2a1beb37af038a708b6f6c5360398879082fd34d4a1abccfe6e7fe65ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5255.tmp\4YUH95zUouMWBk.x64.dll

Filesize
690KB

MD5
ab91ec5e21166a3ddae814ef1e3ceb3d

SHA1
16fd5cbd57915622a00d2097cde5892cf9a9aafc

SHA256
572e6027916f88025379a27c58d1148c06a2afd132ce8d859a3a9fc6bf980e5d

SHA512
3e457b795f9fab1b756f0552b4f5a57d9a1075ff332cecd0f268e9e35eda8575bb8d03910e3182896d29e26c35181b2ab41867193e216ce80440e032307fbc52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5255.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5255.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
aa02deaf1af47c6398e93296419b9407

SHA1
5e3afb19d86caa9a1d4a18268fefcbf3f3e748d7

SHA256
5ad43bf47d088850734157dfe8ea1084e7f2f9a9340df24db57de08e16518e85

SHA512
3999bdcf309c9259b2bf80de8da6b21cb398c2f0179c387e245d823d2f20670910ec0addccd70be21607873e0979b2cc2ccac729fcebdb96bf6ab7045ba9e9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5255.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
f38fd30d833509f3b5611ccbd05d703d

SHA1
4af2826478c7d2b4b946fdd0b613022c86bd0509

SHA256
48026f07a2970cda59d71c4c1e63487c5046fc8b148f469a05b568ba1bc1986b

SHA512
22fb875ee24f201753dc79cc758ba34bbc64d289dd1fb4b505124eaa7b96801176bcae8b4734de7e9ea03d9ee9fb6e78a9ccb9922141f45deb41a22041ddbd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5255.tmp\[email protected]\install.rdf

Filesize
604B

MD5
4659f47e510e7dff8f26b0da60d29b89

SHA1
d52bec4f81aec348439ef8457e90d1c4858a4c28

SHA256
ba0b5a1eeae73075de8c75d86816d19a7fd0c854e48883248dab6cda3babdef0

SHA512
c9757441968206d9ed3960bcf4fe51e87a962303c356627000ef5988db75452b6667ab417b285424b6c38fcc0d88754532cca1f896dc8f32fa9baf6079705339

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5255.tmp\hapogkmaggjbbbefidaghconelcfkbhj\background.html

Filesize
147B

MD5
6398b500e9351904bc21dd6d72cc2ca8

SHA1
604260f7151f496d1985e9bfe6d369c5708a1c1e

SHA256
7f89380bdbff501777ddf275f65ac15cfda6517a8dd5d7b993995ceb87b20171

SHA512
1995dc00666680c52a9d61e2ed806c9e83875d09400bc293879b6102b2619b0db48be2c0bf10d69023c0b98875a0c6fe3acf0f3ad1caa6a970f7c06658dace62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5255.tmp\hapogkmaggjbbbefidaghconelcfkbhj\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5255.tmp\hapogkmaggjbbbefidaghconelcfkbhj\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5255.tmp\hapogkmaggjbbbefidaghconelcfkbhj\manifest.json

Filesize
504B

MD5
d532994175ac6e4e8fea2ae07edef6ff

SHA1
5646eab3cebc8b0a804103b63f08a63db784a77d

SHA256
f9a190f8cfafdeddfe9627366bcd108e42b7fa07c8d074f1570bd77489f39c4d

SHA512
ba6ddc11423c0b0d93de3e3ecb9eeebe29470723282165aa67de4329a5f9af7e390869a7cbd0834c1ff115a1ed0a274bed686b4b6630e98b268ec1f2a9a8dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5255.tmp\hapogkmaggjbbbefidaghconelcfkbhj\xeG2TcaQ8W.js

Filesize
5KB

MD5
c801c1c7f9fbdb6dbfa4a77f3b1695d8

SHA1
c93fdb5d1303eaa6f5ca8865d09601a16b6cef1e

SHA256
cdfa80f8cbc66e0e15d5af9ebdf9dce1a7f512b61640e4c5e4d1bed014aadc1c

SHA512
1305ad9404f436113126df94207f8c000e876b1bc048d18ef3a7a887c8eb5253dcc8e21422337d93caaefe32c6223d1e627b5a930d75537cf302586b91f5eb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5255.tmp\t1V93sMXVqcBTNR.dat

Filesize
6KB

MD5
cece8666ef0cefbc83d50c3cc523c281

SHA1
402404843f3b3f22ca0a828c5bd761b02c61e46f

SHA256
e0c61b0e9bd3eb13272272cd3b76e497b856dcdce7b819164f147982fbc257e3

SHA512
fa38308b036f4b5ce0cb35e5167d9e3794880785ab4136073460caeb55d12bb164c848eba8ba74be11059d5414325cb51827784dd667d73fb0173075c4cbee82

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5255.tmp\t1V93sMXVqcBTNR.exe

Filesize
615KB

MD5
4b31c5b7c82ea1054f636e227d7c287f

SHA1
571275d5dc1d9014b0eaf309922c7c9b3db9aaa4

SHA256
77486b6a22124d6851c016187a7bdf7100d358c42a855065d54e9e9c1cfb2a77

SHA512
a341718979646a3c1567b463d2b33014c7f3e5f2aa13f68e449e32dc2616328c7e7c4c7703140994be4489e2873c63ac5d02d63bade3b32471ff77108485b92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5255.tmp\t1V93sMXVqcBTNR.exe

Filesize
615KB

MD5
4b31c5b7c82ea1054f636e227d7c287f

SHA1
571275d5dc1d9014b0eaf309922c7c9b3db9aaa4

SHA256
77486b6a22124d6851c016187a7bdf7100d358c42a855065d54e9e9c1cfb2a77

SHA512
a341718979646a3c1567b463d2b33014c7f3e5f2aa13f68e449e32dc2616328c7e7c4c7703140994be4489e2873c63ac5d02d63bade3b32471ff77108485b92f

Download Submit
\Program Files (x86)\Browser Shop\4YUH95zUouMWBk.dll

Filesize
612KB

MD5
1a08953d578fde31c69aad70ffc8843b

SHA1
def14be28cdfdbc14e860a19a69b3bb304357a17

SHA256
8d93c8f0bd4e85cd960321d03b52c1832f3131424c13df0c42a033d55d5abeb9

SHA512
34275ca2feee29e7b3447a47e1edbb2fe18d921d10322efe94f84986f041701e76f6fbb85c9f7582bfbeadbc92993d4dcdcfc3c35c421f340fcce835b8ad720e

Download Submit
\Program Files (x86)\Browser Shop\4YUH95zUouMWBk.x64.dll

Filesize
690KB

MD5
ab91ec5e21166a3ddae814ef1e3ceb3d

SHA1
16fd5cbd57915622a00d2097cde5892cf9a9aafc

SHA256
572e6027916f88025379a27c58d1148c06a2afd132ce8d859a3a9fc6bf980e5d

SHA512
3e457b795f9fab1b756f0552b4f5a57d9a1075ff332cecd0f268e9e35eda8575bb8d03910e3182896d29e26c35181b2ab41867193e216ce80440e032307fbc52

Download Submit
\Program Files (x86)\Browser Shop\4YUH95zUouMWBk.x64.dll

Filesize
690KB

MD5
ab91ec5e21166a3ddae814ef1e3ceb3d

SHA1
16fd5cbd57915622a00d2097cde5892cf9a9aafc

SHA256
572e6027916f88025379a27c58d1148c06a2afd132ce8d859a3a9fc6bf980e5d

SHA512
3e457b795f9fab1b756f0552b4f5a57d9a1075ff332cecd0f268e9e35eda8575bb8d03910e3182896d29e26c35181b2ab41867193e216ce80440e032307fbc52

Download Submit
\Users\Admin\AppData\Local\Temp\7zS5255.tmp\t1V93sMXVqcBTNR.exe

Filesize
615KB

MD5
4b31c5b7c82ea1054f636e227d7c287f

SHA1
571275d5dc1d9014b0eaf309922c7c9b3db9aaa4

SHA256
77486b6a22124d6851c016187a7bdf7100d358c42a855065d54e9e9c1cfb2a77

SHA512
a341718979646a3c1567b463d2b33014c7f3e5f2aa13f68e449e32dc2616328c7e7c4c7703140994be4489e2873c63ac5d02d63bade3b32471ff77108485b92f

Download Submit
memory/856-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1484-78-0x000007FEFBD11000-0x000007FEFBD13000-memory.dmp

Filesize
8KB

Download