9a7b33f1da5049a590d8891b4f4288111ead544fbf69f3dc1b801a65a6494fc8

Analysis

max time kernel
63s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a7b33f1da5049a590d8891b4f4288111ead544fbf69f3dc1b801a65a6494fc8.exe
Size

2.0MB
MD5

a922717f6ca530e8a005f812532b6191
SHA1

c11b172a1463f297d7bb2ef8a673d7930aad24c5
SHA256

9a7b33f1da5049a590d8891b4f4288111ead544fbf69f3dc1b801a65a6494fc8
SHA512

3f100a8d5702934dfec753bd5b548816509ef11d35c06946a9762b176b98452b7e7c79e4182130d750bac5500d4f71cd61b367081ebd27aca897a34fe1dc445f
SSDEEP

49152:h1OsYUpag+Qk/+ouXBVm/KLp0f5fR6Tu3PHYwxzILQJsa7o:h1O5UpAWouXBVm/KLp0+Tu3jo

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1264	z6ZwhegKWsiyT79.exe

Loads dropped DLL 4 IoCs

pid	Process
1444	9a7b33f1da5049a590d8891b4f4288111ead544fbf69f3dc1b801a65a6494fc8.exe
1264	z6ZwhegKWsiyT79.exe
1712	regsvr32.exe
964	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkppcafmbhbcgihleokaepopcfnmdhoc\1.0\manifest.json	z6ZwhegKWsiyT79.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkppcafmbhbcgihleokaepopcfnmdhoc\1.0\manifest.json	z6ZwhegKWsiyT79.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkppcafmbhbcgihleokaepopcfnmdhoc\1.0\manifest.json	z6ZwhegKWsiyT79.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	z6ZwhegKWsiyT79.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	z6ZwhegKWsiyT79.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	z6ZwhegKWsiyT79.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	z6ZwhegKWsiyT79.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	z6ZwhegKWsiyT79.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\YoutuboeAdBleocke\xdp8NsOgI5PHDg.x64.dll	z6ZwhegKWsiyT79.exe
File opened for modification	C:\Program Files (x86)\YoutuboeAdBleocke\xdp8NsOgI5PHDg.x64.dll	z6ZwhegKWsiyT79.exe
File created	C:\Program Files (x86)\YoutuboeAdBleocke\xdp8NsOgI5PHDg.dll	z6ZwhegKWsiyT79.exe
File opened for modification	C:\Program Files (x86)\YoutuboeAdBleocke\xdp8NsOgI5PHDg.dll	z6ZwhegKWsiyT79.exe
File created	C:\Program Files (x86)\YoutuboeAdBleocke\xdp8NsOgI5PHDg.tlb	z6ZwhegKWsiyT79.exe
File opened for modification	C:\Program Files (x86)\YoutuboeAdBleocke\xdp8NsOgI5PHDg.tlb	z6ZwhegKWsiyT79.exe
File created	C:\Program Files (x86)\YoutuboeAdBleocke\xdp8NsOgI5PHDg.dat	z6ZwhegKWsiyT79.exe
File opened for modification	C:\Program Files (x86)\YoutuboeAdBleocke\xdp8NsOgI5PHDg.dat	z6ZwhegKWsiyT79.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1264	1444	9a7b33f1da5049a590d8891b4f4288111ead544fbf69f3dc1b801a65a6494fc8.exe	28
PID 1444 wrote to memory of 1264	1444	9a7b33f1da5049a590d8891b4f4288111ead544fbf69f3dc1b801a65a6494fc8.exe	28
PID 1444 wrote to memory of 1264	1444	9a7b33f1da5049a590d8891b4f4288111ead544fbf69f3dc1b801a65a6494fc8.exe	28
PID 1444 wrote to memory of 1264	1444	9a7b33f1da5049a590d8891b4f4288111ead544fbf69f3dc1b801a65a6494fc8.exe	28
PID 1264 wrote to memory of 1712	1264	z6ZwhegKWsiyT79.exe	29
PID 1264 wrote to memory of 1712	1264	z6ZwhegKWsiyT79.exe	29
PID 1264 wrote to memory of 1712	1264	z6ZwhegKWsiyT79.exe	29
PID 1264 wrote to memory of 1712	1264	z6ZwhegKWsiyT79.exe	29
PID 1264 wrote to memory of 1712	1264	z6ZwhegKWsiyT79.exe	29
PID 1264 wrote to memory of 1712	1264	z6ZwhegKWsiyT79.exe	29
PID 1264 wrote to memory of 1712	1264	z6ZwhegKWsiyT79.exe	29
PID 1712 wrote to memory of 964	1712	regsvr32.exe	30
PID 1712 wrote to memory of 964	1712	regsvr32.exe	30
PID 1712 wrote to memory of 964	1712	regsvr32.exe	30
PID 1712 wrote to memory of 964	1712	regsvr32.exe	30
PID 1712 wrote to memory of 964	1712	regsvr32.exe	30
PID 1712 wrote to memory of 964	1712	regsvr32.exe	30
PID 1712 wrote to memory of 964	1712	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\9a7b33f1da5049a590d8891b4f4288111ead544fbf69f3dc1b801a65a6494fc8.exe
"C:\Users\Admin\AppData\Local\Temp\9a7b33f1da5049a590d8891b4f4288111ead544fbf69f3dc1b801a65a6494fc8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\7zS7BA6.tmp\z6ZwhegKWsiyT79.exe
  .\z6ZwhegKWsiyT79.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YoutuboeAdBleocke\xdp8NsOgI5PHDg.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YoutuboeAdBleocke\xdp8NsOgI5PHDg.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutuboeAdBleocke\xdp8NsOgI5PHDg.dat

Filesize
6KB

MD5
bab7c5b2bacc5df70d8288375a92f49a

SHA1
b79c4d82fc4d337583520fcb29eda8618c8cc7d6

SHA256
affdf14435007d0a6d37e0f3b918cc99af656d48deb0e17ba1dd4aedd30abddd

SHA512
45086198b23a79fb3ff53912c7e331f1cda66faa6c7f555ced17bc41a420566b0ce1649536181993df5d5aa033bf94d7af53dfff812b7d746fdb5a5d38f1cfd8

Download Submit
C:\Program Files (x86)\YoutuboeAdBleocke\xdp8NsOgI5PHDg.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7BA6.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7BA6.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
a442b318f01f81af1fc27cff203fd960

SHA1
fc0d47a103fdef32317c296f13c4a11dfa703282

SHA256
a0fc7b5f44bbe9a70a2cd9a43f6e8591abc3bad4fb297d78ca29e761ae509dd7

SHA512
42aa215e00434219c5fe50abb8f4d3e8a6262d421f3d53bd774b54c41eada1d3b6fe72a06e259cec9e4cdc4f34f00906f1567ab328357ea21971230517e29296

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7BA6.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
42fef462685c62215271845cb51a0bcb

SHA1
e34f1dd3f9d4214473b9f6029a59cc682c6ae926

SHA256
f89ca723bd71bd3af3eba0bd98a9ac97fce94a6f3cac4f467975db13283a6711

SHA512
1f223920b86199f72883fb882926561f52aeeffe0f09053fd774fa0a76b251c8d46d0d7bdd90b5f2ec544e5936b69487069d32362bc8f56b0ce76319b2684b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7BA6.tmp\[email protected]\install.rdf

Filesize
602B

MD5
4a7de40d296d1a47f5562ed352e2cda3

SHA1
248a0c60c2a2b016117b26606bbdb60c78ea8ce7

SHA256
fc27420b2654536836e969c2c447211a2adf3d25902567124e3d63b708e2b01f

SHA512
e398c8bfe3c3fa3c3a1b90478b685c3d1bf2742b661781138662ad324b7613b32e7765aea3efee99311aa1df081e24e488cbed895508dd14ccbabf7bd3d1854b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7BA6.tmp\pkppcafmbhbcgihleokaepopcfnmdhoc\T8jsZQcpt.js

Filesize
5KB

MD5
6f207fd3d22d282fca1086e75d5dd3e7

SHA1
b6083e499cc1044faaf9660ca1d72038f8f6fe5f

SHA256
7f887b5c6109f454794ea4048406bb57d0e5babc18e00a5a39ae6176a7113f7b

SHA512
47d43e3ffc7f5e605c9cfb273b064d2e151598462e0a502219d0d1083562e6db659e1c7edaf31518a53405ef30a1f086973f4c0784ae52570d7fccc9b7e6641e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7BA6.tmp\pkppcafmbhbcgihleokaepopcfnmdhoc\background.html

Filesize
146B

MD5
d4363fb752398202d045162395ae5be9

SHA1
24a09c5fd25749257f5e3805c655146269dcbc8a

SHA256
65bf554af004d99d29074cc35029d94d258ca823f0cc8757364b1214eafd5c0b

SHA512
3d7285eb01923cd0708aa458432d821b0305cb99a9fdf9616644722c656e0b07b2eb6669e983a94b1b2ec6c386553ecf291e2e47430d53c0d2604b25d7a6bcb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7BA6.tmp\pkppcafmbhbcgihleokaepopcfnmdhoc\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7BA6.tmp\pkppcafmbhbcgihleokaepopcfnmdhoc\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7BA6.tmp\pkppcafmbhbcgihleokaepopcfnmdhoc\manifest.json

Filesize
509B

MD5
5a2cd02ea05df4e6569b7c146ecf3581

SHA1
5a25ea7d2a72cc81966cae73fb47f8d54dca4c46

SHA256
2e57dbe390649370c17079b267d333bd81359f3e61e16b5433d5dc022d48c9ff

SHA512
332102c0929a707408e9134fdc832644e499b40049c33f6847d3d7b47a3ab48221453df0a430bb64fda73865c9b302c56514f6628cda4455e4065c4083b1b196

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7BA6.tmp\xdp8NsOgI5PHDg.dll

Filesize
611KB

MD5
63adb99739052e3d6c04c799f7d43edc

SHA1
f58f054cd6598ed22b70e4623312c2e8f1eba1d3

SHA256
8cda707d508ffb1c1ce6e6066e2b7b782702f8935c7a6a4219f97d2b340efd53

SHA512
232a9cd07a12918901fbea1b7e237cb6105b7c53dd00f0e7418cbc3dfbc462210b6f034db4e68eefbe671de62c43303c37ad67b802c8ad7a5ac2195ce527e673

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7BA6.tmp\xdp8NsOgI5PHDg.tlb

Filesize
3KB

MD5
08b4ac9069400749555355a5f1e6b8ad

SHA1
ec078fae45087bb2ab63497cd2b4b844c178ec3c

SHA256
f996571eef02335d08b6c073024cef3ea616bb39f9d9742ffa6783f4e22c3997

SHA512
5001f7ca20cca5e85f9c6c1d90ffc2f9a25606d877ee4e6d33a727b6f689989b0486dbea62c66d2d1097194a353566de9d8b6b2bff33613a7ab763c98ca1e1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7BA6.tmp\xdp8NsOgI5PHDg.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7BA6.tmp\z6ZwhegKWsiyT79.dat

Filesize
6KB

MD5
bab7c5b2bacc5df70d8288375a92f49a

SHA1
b79c4d82fc4d337583520fcb29eda8618c8cc7d6

SHA256
affdf14435007d0a6d37e0f3b918cc99af656d48deb0e17ba1dd4aedd30abddd

SHA512
45086198b23a79fb3ff53912c7e331f1cda66faa6c7f555ced17bc41a420566b0ce1649536181993df5d5aa033bf94d7af53dfff812b7d746fdb5a5d38f1cfd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7BA6.tmp\z6ZwhegKWsiyT79.exe

Filesize
627KB

MD5
cd2adf3ef46ba68dacaddef767a60926

SHA1
2936664364c94dbe44343dd0aa7de243c82582b0

SHA256
7d37cc35dc3ae28943f203a0f8d62d0ffd838e9f63f667dc465fa0534fbc4cb1

SHA512
3b7785f0b8346d179bce0eb8253a54975e41c99089719d1bc95e1bcf501ab13813ef6392fc2392d4af7225245f9836ba652abfc9eeea4cd3e678e9b1850ed222

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7BA6.tmp\z6ZwhegKWsiyT79.exe

Filesize
627KB

MD5
cd2adf3ef46ba68dacaddef767a60926

SHA1
2936664364c94dbe44343dd0aa7de243c82582b0

SHA256
7d37cc35dc3ae28943f203a0f8d62d0ffd838e9f63f667dc465fa0534fbc4cb1

SHA512
3b7785f0b8346d179bce0eb8253a54975e41c99089719d1bc95e1bcf501ab13813ef6392fc2392d4af7225245f9836ba652abfc9eeea4cd3e678e9b1850ed222

Download Submit
\Program Files (x86)\YoutuboeAdBleocke\xdp8NsOgI5PHDg.dll

Filesize
611KB

MD5
63adb99739052e3d6c04c799f7d43edc

SHA1
f58f054cd6598ed22b70e4623312c2e8f1eba1d3

SHA256
8cda707d508ffb1c1ce6e6066e2b7b782702f8935c7a6a4219f97d2b340efd53

SHA512
232a9cd07a12918901fbea1b7e237cb6105b7c53dd00f0e7418cbc3dfbc462210b6f034db4e68eefbe671de62c43303c37ad67b802c8ad7a5ac2195ce527e673

Download Submit
\Program Files (x86)\YoutuboeAdBleocke\xdp8NsOgI5PHDg.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
\Program Files (x86)\YoutuboeAdBleocke\xdp8NsOgI5PHDg.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7BA6.tmp\z6ZwhegKWsiyT79.exe

Filesize
627KB

MD5
cd2adf3ef46ba68dacaddef767a60926

SHA1
2936664364c94dbe44343dd0aa7de243c82582b0

SHA256
7d37cc35dc3ae28943f203a0f8d62d0ffd838e9f63f667dc465fa0534fbc4cb1

SHA512
3b7785f0b8346d179bce0eb8253a54975e41c99089719d1bc95e1bcf501ab13813ef6392fc2392d4af7225245f9836ba652abfc9eeea4cd3e678e9b1850ed222

Download Submit
memory/964-78-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

Filesize
8KB

Download
memory/1444-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download