9ab6b319af824f26fe2dd28bc89e8af995b45fb1b0a9a0f9e9adae819ad93d31

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ab6b319af824f26fe2dd28bc89e8af995b45fb1b0a9a0f9e9adae819ad93d31.exe
Size

2.1MB
MD5

d12497b31fa3257454d0089c133eaa6c
SHA1

252e5d30db50abfdc51b7605a8bd00fda2fb8050
SHA256

9ab6b319af824f26fe2dd28bc89e8af995b45fb1b0a9a0f9e9adae819ad93d31
SHA512

f672c3396342cf4c76ccb8e0b3f649ba52fb302ccc9e10ad0b70dc60e357f4032f84f94d8eb4824922b2a22b75dacddcd0bcad6daab222e71f091517d944d7f3
SSDEEP

49152:h1OsgYSwNMswVQjXY5MrbjcG1qV8OXaDoblqv6:h1OPswVWzbjA

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2060	iNVObgTSf8XEp1b.exe

Loads dropped DLL 3 IoCs

pid	Process
2060	iNVObgTSf8XEp1b.exe
3636	regsvr32.exe
480	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbapandeipiecghbdnngeelnfpbccidk\3.18\manifest.json	iNVObgTSf8XEp1b.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbapandeipiecghbdnngeelnfpbccidk\3.18\manifest.json	iNVObgTSf8XEp1b.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbapandeipiecghbdnngeelnfpbccidk\3.18\manifest.json	iNVObgTSf8XEp1b.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbapandeipiecghbdnngeelnfpbccidk\3.18\manifest.json	iNVObgTSf8XEp1b.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbapandeipiecghbdnngeelnfpbccidk\3.18\manifest.json	iNVObgTSf8XEp1b.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	iNVObgTSf8XEp1b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	iNVObgTSf8XEp1b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	iNVObgTSf8XEp1b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	iNVObgTSf8XEp1b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\OOptaOn\GDzdQmHstVb4cb.dat	iNVObgTSf8XEp1b.exe
File opened for modification	C:\Program Files (x86)\OOptaOn\GDzdQmHstVb4cb.dat	iNVObgTSf8XEp1b.exe
File created	C:\Program Files (x86)\OOptaOn\GDzdQmHstVb4cb.x64.dll	iNVObgTSf8XEp1b.exe
File opened for modification	C:\Program Files (x86)\OOptaOn\GDzdQmHstVb4cb.x64.dll	iNVObgTSf8XEp1b.exe
File created	C:\Program Files (x86)\OOptaOn\GDzdQmHstVb4cb.dll	iNVObgTSf8XEp1b.exe
File opened for modification	C:\Program Files (x86)\OOptaOn\GDzdQmHstVb4cb.dll	iNVObgTSf8XEp1b.exe
File created	C:\Program Files (x86)\OOptaOn\GDzdQmHstVb4cb.tlb	iNVObgTSf8XEp1b.exe
File opened for modification	C:\Program Files (x86)\OOptaOn\GDzdQmHstVb4cb.tlb	iNVObgTSf8XEp1b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 2060	4640	9ab6b319af824f26fe2dd28bc89e8af995b45fb1b0a9a0f9e9adae819ad93d31.exe	80
PID 4640 wrote to memory of 2060	4640	9ab6b319af824f26fe2dd28bc89e8af995b45fb1b0a9a0f9e9adae819ad93d31.exe	80
PID 4640 wrote to memory of 2060	4640	9ab6b319af824f26fe2dd28bc89e8af995b45fb1b0a9a0f9e9adae819ad93d31.exe	80
PID 2060 wrote to memory of 3636	2060	iNVObgTSf8XEp1b.exe	81
PID 2060 wrote to memory of 3636	2060	iNVObgTSf8XEp1b.exe	81
PID 2060 wrote to memory of 3636	2060	iNVObgTSf8XEp1b.exe	81
PID 3636 wrote to memory of 480	3636	regsvr32.exe	82
PID 3636 wrote to memory of 480	3636	regsvr32.exe	82

C:\Users\Admin\AppData\Local\Temp\9ab6b319af824f26fe2dd28bc89e8af995b45fb1b0a9a0f9e9adae819ad93d31.exe
"C:\Users\Admin\AppData\Local\Temp\9ab6b319af824f26fe2dd28bc89e8af995b45fb1b0a9a0f9e9adae819ad93d31.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\AppData\Local\Temp\7zSC24B.tmp\iNVObgTSf8XEp1b.exe
  .\iNVObgTSf8XEp1b.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\OOptaOn\GDzdQmHstVb4cb.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\OOptaOn\GDzdQmHstVb4cb.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\OOptaOn\GDzdQmHstVb4cb.dat

Filesize
6KB

MD5
ea24bfa268e74eacf097ef41a90b18f0

SHA1
ad73fad6033d755f577deeb69b423a0c0f945936

SHA256
720c28059caadd39ff3b1c4a41be1c86796b6bc99d388e60081b1dd3d1afbbd9

SHA512
b103b90dc074f1b1cc57b61207393ed81a31f0ad6b9f9cc2da10de82253a2e6aa733401c6648a47877cd752f73243ee669ab5bad2f6bc90100182732ca5e6627

Download Submit
C:\Program Files (x86)\OOptaOn\GDzdQmHstVb4cb.dll

Filesize
625KB

MD5
ab367f215107cbb61b8f1648b5b6f7ed

SHA1
86f770a443f7a271f31b3c630e4eb0f738f666e7

SHA256
54788dc2fd9d66bfe8f875b357871087f7e771fd53653b451a4ca26294ead451

SHA512
1f17e942fd7be2e143a6c2247af1c73dd555203d5fe4adbd3cd17216313476ecf498ff55c345c9d09ae551d321b3f52b1f802bafe71e1b76d3aff539a38f7a31

Download Submit
C:\Program Files (x86)\OOptaOn\GDzdQmHstVb4cb.x64.dll

Filesize
703KB

MD5
0d6061b4f5aa8ee53f87ca691107c0fd

SHA1
e587fe688c093ce19232fc778cfb1bd52a648025

SHA256
cc427f459e87d67fcc8a57a30e98864567bf000118e88a4365731d3b529df083

SHA512
4730cc581ef45b0f551483b7b78b4f08b45001acad275c4e7bb847a4e0e7b670e812c99f19a451daf52c76a84d693a2beedffcfccd0896e76d36f7ed6ea250aa

Download Submit
C:\Program Files (x86)\OOptaOn\GDzdQmHstVb4cb.x64.dll

Filesize
703KB

MD5
0d6061b4f5aa8ee53f87ca691107c0fd

SHA1
e587fe688c093ce19232fc778cfb1bd52a648025

SHA256
cc427f459e87d67fcc8a57a30e98864567bf000118e88a4365731d3b529df083

SHA512
4730cc581ef45b0f551483b7b78b4f08b45001acad275c4e7bb847a4e0e7b670e812c99f19a451daf52c76a84d693a2beedffcfccd0896e76d36f7ed6ea250aa

Download Submit
C:\Program Files (x86)\OOptaOn\GDzdQmHstVb4cb.x64.dll

Filesize
703KB

MD5
0d6061b4f5aa8ee53f87ca691107c0fd

SHA1
e587fe688c093ce19232fc778cfb1bd52a648025

SHA256
cc427f459e87d67fcc8a57a30e98864567bf000118e88a4365731d3b529df083

SHA512
4730cc581ef45b0f551483b7b78b4f08b45001acad275c4e7bb847a4e0e7b670e812c99f19a451daf52c76a84d693a2beedffcfccd0896e76d36f7ed6ea250aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC24B.tmp\GDzdQmHstVb4cb.dll

Filesize
625KB

MD5
ab367f215107cbb61b8f1648b5b6f7ed

SHA1
86f770a443f7a271f31b3c630e4eb0f738f666e7

SHA256
54788dc2fd9d66bfe8f875b357871087f7e771fd53653b451a4ca26294ead451

SHA512
1f17e942fd7be2e143a6c2247af1c73dd555203d5fe4adbd3cd17216313476ecf498ff55c345c9d09ae551d321b3f52b1f802bafe71e1b76d3aff539a38f7a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC24B.tmp\GDzdQmHstVb4cb.tlb

Filesize
3KB

MD5
a536a00d723aaa8ac36e128c0d280fbc

SHA1
c1613d21e2c3618db804bf768893d518136611f0

SHA256
21112e01fc5d21b7b4de5a0fa8ed5a1132c82461ec13cc716930ad9cd444c792

SHA512
5a68401bcaaf5b6c668ad567621f6373cc1261b93733fc6943ee7a85c86cd9ea4d1abef79816e7afd77701a76c3958ef21910409a8fdc1693c772983d4f4f9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC24B.tmp\GDzdQmHstVb4cb.x64.dll

Filesize
703KB

MD5
0d6061b4f5aa8ee53f87ca691107c0fd

SHA1
e587fe688c093ce19232fc778cfb1bd52a648025

SHA256
cc427f459e87d67fcc8a57a30e98864567bf000118e88a4365731d3b529df083

SHA512
4730cc581ef45b0f551483b7b78b4f08b45001acad275c4e7bb847a4e0e7b670e812c99f19a451daf52c76a84d693a2beedffcfccd0896e76d36f7ed6ea250aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC24B.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC24B.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
1438581d223b50e5d6f271e9c9b6c631

SHA1
a150ce5722c0f3b163de23b9a721227e842e4fc3

SHA256
90510e3c2ef455650ebe8e716343f99c8e67498a2d03c10d39a1c65a56be2945

SHA512
d107291d29e45c240ba6c1479738afa88062efa4a36c8b68520dc4e6dbbbf9ccf8e195c8507f9077a0b60388a1ae0c001e7b5ecf43e143a1d1253348ae827adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC24B.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
21d70e40dfa5440a375b8764a134da69

SHA1
63d146f74e1a4e9a4d5845740fd2be6f5cd7e67e

SHA256
e220e807e54680aa08335bfbb49b7fb12928cccf27f5f288d92dc8b8c86748ab

SHA512
fcb57f28f5e79b65c84ae339e88ef42b4c2979852a371c88ca281c5901974b22a6996b1fdbf252c0f1a63384da0c0fe39a31fcb0c313830ee3aef6c7873c20a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC24B.tmp\[email protected]\install.rdf

Filesize
595B

MD5
886f0f7b83353b35ebedeb015f5f743a

SHA1
7d875c665b989ec9e43aca5705307168f863258d

SHA256
50e652400f4cb939d1533e8b9e1eed3dac4f5908529ee2a5e0e511fc7b26a078

SHA512
75a0dc25adafebe5aff277f499bf573dccbe1408bcef1da0a044f796edad87b5f48736509ae76a633ae3dd94a8bee8dfb4605c68d0ca1fd00a2f05a71c0e9733

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC24B.tmp\iNVObgTSf8XEp1b.dat

Filesize
6KB

MD5
ea24bfa268e74eacf097ef41a90b18f0

SHA1
ad73fad6033d755f577deeb69b423a0c0f945936

SHA256
720c28059caadd39ff3b1c4a41be1c86796b6bc99d388e60081b1dd3d1afbbd9

SHA512
b103b90dc074f1b1cc57b61207393ed81a31f0ad6b9f9cc2da10de82253a2e6aa733401c6648a47877cd752f73243ee669ab5bad2f6bc90100182732ca5e6627

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC24B.tmp\iNVObgTSf8XEp1b.exe

Filesize
629KB

MD5
bf0455cd4372f05ee076b8c19c6ec36a

SHA1
30e4c2b995667b5818d52fe956b8bd4d604ae03d

SHA256
18421382c4e7f7277915731880a9006e447b75f1559c046eb1d4deb6eb8e1bdd

SHA512
552c915571fda32a00389fd1e77812b7c7e0418d81bfe97c422784320dd250875f31c5c9d5332382773c2528136ab6b4fccceb1af952098cd32aed66dbae034b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC24B.tmp\iNVObgTSf8XEp1b.exe

Filesize
629KB

MD5
bf0455cd4372f05ee076b8c19c6ec36a

SHA1
30e4c2b995667b5818d52fe956b8bd4d604ae03d

SHA256
18421382c4e7f7277915731880a9006e447b75f1559c046eb1d4deb6eb8e1bdd

SHA512
552c915571fda32a00389fd1e77812b7c7e0418d81bfe97c422784320dd250875f31c5c9d5332382773c2528136ab6b4fccceb1af952098cd32aed66dbae034b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC24B.tmp\nbapandeipiecghbdnngeelnfpbccidk\background.html

Filesize
142B

MD5
620f42576b853c9a859818cc6ff0b9df

SHA1
aa8e3566071f59318ad1c26eb2ed3ca58790f6ff

SHA256
1558484bf86d48181d11ab536776c6ed80801224ca6171d31506b096fee2f83a

SHA512
0c9bf06998110735d6fe7a2e88fe12812e7de983395281dbc57f2c7100c9c683e83e35c42c58798efbd7b4356e144b7ba81b9d6bd11acede10a7c81964db6215

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC24B.tmp\nbapandeipiecghbdnngeelnfpbccidk\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC24B.tmp\nbapandeipiecghbdnngeelnfpbccidk\dhino.js

Filesize
5KB

MD5
35d83b888ccfe6bc50ff0eda2670d88d

SHA1
242c58b1502cd50039cb887c99a2b2fa33666165

SHA256
851e0b4abcc0ce96089348ce9d2205878f62fab08910c01178674ebc730fd4d2

SHA512
b087f5d5d35b8eeecf7c63a3429efdf1f1b959bc699f1021d0a426306e210366ff90c2be9afba94ffefc8006a1f0f566f7a80f2681a58e3f598d182eb4a70bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC24B.tmp\nbapandeipiecghbdnngeelnfpbccidk\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC24B.tmp\nbapandeipiecghbdnngeelnfpbccidk\manifest.json

Filesize
500B

MD5
14172feff4791b630fba94f0d8822d5d

SHA1
81f74a56df7e1d0dff7d29f9aa9b914c05b0449a

SHA256
ace7c4e05b8440d0e3a29ac514853b875e2dc68a78bfafe7801260950c2bfd23

SHA512
4db33c43fa695a6f3712a4b7285917924115f0a9cc579876e80ed08b0ee75be42cf060cde2814db704aa229331f8e63fe48c33a6e96cfc1828dfa16a20fe4f69

Download Submit
memory/480-152-0x0000000000000000-mapping.dmp

Download
memory/2060-132-0x0000000000000000-mapping.dmp

Download
memory/3636-149-0x0000000000000000-mapping.dmp

Download