3184716a2fece1fc6f6379b74c0038e221db3beee6262f64b8ebcb07592037ac

Analysis

max time kernel
38s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3184716a2fece1fc6f6379b74c0038e221db3beee6262f64b8ebcb07592037ac.exe
Size

2.0MB
MD5

f77dbad3a63a65649408c1dfe959b10a
SHA1

688f2302efd35b5e6c3067398640d55225c0717a
SHA256

3184716a2fece1fc6f6379b74c0038e221db3beee6262f64b8ebcb07592037ac
SHA512

82ccfbd93346ed4aa55b7b536c1720b7147820646057295c36027eb7db735437e60f2a823a2d2028cfa143a749f4be9a69e17cdd16bffd2737bacf8cc2a06f5d
SSDEEP

24576:h1OYdaOT8MtJWa++eHCk6GTOnJOZTtahifhUHz2RcZ01tj/W100azDRVBY8IGcyh:h1Os/JaTxZTtCChUT2vgorvcyXx

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1172	d1JeAnMjkheXZAe.exe

Loads dropped DLL 4 IoCs

pid	Process
1184	3184716a2fece1fc6f6379b74c0038e221db3beee6262f64b8ebcb07592037ac.exe
1172	d1JeAnMjkheXZAe.exe
944	regsvr32.exe
2044	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjjpnjehmhhfpdjlcfgbjaplhjgbbjeb\1.0\manifest.json	d1JeAnMjkheXZAe.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjjpnjehmhhfpdjlcfgbjaplhjgbbjeb\1.0\manifest.json	d1JeAnMjkheXZAe.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjjpnjehmhhfpdjlcfgbjaplhjgbbjeb\1.0\manifest.json	d1JeAnMjkheXZAe.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	d1JeAnMjkheXZAe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	d1JeAnMjkheXZAe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	d1JeAnMjkheXZAe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	d1JeAnMjkheXZAe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	d1JeAnMjkheXZAe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\YoutUbeAdBllocke\tnjTLhclA6I6eK.dat	d1JeAnMjkheXZAe.exe
File created	C:\Program Files (x86)\YoutUbeAdBllocke\tnjTLhclA6I6eK.x64.dll	d1JeAnMjkheXZAe.exe
File opened for modification	C:\Program Files (x86)\YoutUbeAdBllocke\tnjTLhclA6I6eK.x64.dll	d1JeAnMjkheXZAe.exe
File created	C:\Program Files (x86)\YoutUbeAdBllocke\tnjTLhclA6I6eK.dll	d1JeAnMjkheXZAe.exe
File opened for modification	C:\Program Files (x86)\YoutUbeAdBllocke\tnjTLhclA6I6eK.dll	d1JeAnMjkheXZAe.exe
File created	C:\Program Files (x86)\YoutUbeAdBllocke\tnjTLhclA6I6eK.tlb	d1JeAnMjkheXZAe.exe
File opened for modification	C:\Program Files (x86)\YoutUbeAdBllocke\tnjTLhclA6I6eK.tlb	d1JeAnMjkheXZAe.exe
File created	C:\Program Files (x86)\YoutUbeAdBllocke\tnjTLhclA6I6eK.dat	d1JeAnMjkheXZAe.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1172	1184	3184716a2fece1fc6f6379b74c0038e221db3beee6262f64b8ebcb07592037ac.exe	26
PID 1184 wrote to memory of 1172	1184	3184716a2fece1fc6f6379b74c0038e221db3beee6262f64b8ebcb07592037ac.exe	26
PID 1184 wrote to memory of 1172	1184	3184716a2fece1fc6f6379b74c0038e221db3beee6262f64b8ebcb07592037ac.exe	26
PID 1184 wrote to memory of 1172	1184	3184716a2fece1fc6f6379b74c0038e221db3beee6262f64b8ebcb07592037ac.exe	26
PID 1172 wrote to memory of 944	1172	d1JeAnMjkheXZAe.exe	27
PID 1172 wrote to memory of 944	1172	d1JeAnMjkheXZAe.exe	27
PID 1172 wrote to memory of 944	1172	d1JeAnMjkheXZAe.exe	27
PID 1172 wrote to memory of 944	1172	d1JeAnMjkheXZAe.exe	27
PID 1172 wrote to memory of 944	1172	d1JeAnMjkheXZAe.exe	27
PID 1172 wrote to memory of 944	1172	d1JeAnMjkheXZAe.exe	27
PID 1172 wrote to memory of 944	1172	d1JeAnMjkheXZAe.exe	27
PID 944 wrote to memory of 2044	944	regsvr32.exe	28
PID 944 wrote to memory of 2044	944	regsvr32.exe	28
PID 944 wrote to memory of 2044	944	regsvr32.exe	28
PID 944 wrote to memory of 2044	944	regsvr32.exe	28
PID 944 wrote to memory of 2044	944	regsvr32.exe	28
PID 944 wrote to memory of 2044	944	regsvr32.exe	28
PID 944 wrote to memory of 2044	944	regsvr32.exe	28

C:\Users\Admin\AppData\Local\Temp\3184716a2fece1fc6f6379b74c0038e221db3beee6262f64b8ebcb07592037ac.exe
"C:\Users\Admin\AppData\Local\Temp\3184716a2fece1fc6f6379b74c0038e221db3beee6262f64b8ebcb07592037ac.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\7zS6604.tmp\d1JeAnMjkheXZAe.exe
  .\d1JeAnMjkheXZAe.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YoutUbeAdBllocke\tnjTLhclA6I6eK.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YoutUbeAdBllocke\tnjTLhclA6I6eK.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutUbeAdBllocke\tnjTLhclA6I6eK.dat

Filesize
6KB

MD5
ac1af2bb907e79fdba20fb7c7cb3931e

SHA1
7f5a6e7e605b31850eb57d8e514440fa3b790577

SHA256
cdf2c7ec2b8efd3b0864174d86666de20c46e06650366dc1f934a63d4cde38e4

SHA512
704f02f334c091f1da9bcdfb0a6a4aff5071aab9b0f7c04c17c451e52fdd14c77ece9e1acd614c9b505f4f766a4368eb2613e71beb21faf41e30a363bba6bca7

Download Submit
C:\Program Files (x86)\YoutUbeAdBllocke\tnjTLhclA6I6eK.x64.dll

Filesize
690KB

MD5
3abba853e3f56ca70c68e2b5df4dd7d2

SHA1
c930ed364d473be5ea573dddee48d956e36e2c3a

SHA256
3d6dd31f0c3decfbc21205b543a72b2bc4a9406323bdbb7c995a2db31709249d

SHA512
615c75f083827a8a1117eae47debe00b411565550a9e35d58a35c83e739e822dafdc3c217a33429334547d0ced6e950c0336ac8224ffcf345fa56df10971c3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6604.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6604.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
bed35c1429c7475e037e770eec980231

SHA1
2d6c6e35f8141f9b1bf3d1a2e37e676cff4c9525

SHA256
eb2fe59b056600f9885b4667f9f743b1f84cfe4b3f669c1818c5ca03ef1f250f

SHA512
22f6dff2246090164780fbb0d7ea412cbfcf80734c4f933f3dd3a19e54969e1f5d2c422739b691d4594b5953e06cbcd27c52634f80836b38fc070cbeff538b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6604.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
52e76751c9d768fc8f37b26205bcddcb

SHA1
92b187f96b7aaadb9f63d047671fe8c7cd98a9a5

SHA256
a03479f9daec7a6bb3cb38d3ae1e1447702657118f6d6c530d26e3ab98f104ea

SHA512
8a0f854a850cf8e6da8ac7119938585f2ac5fa99061780dd8656184b8a06b7c677602e2920dda1851476acf2a48c603737d0e5566d4f57fcb2a83954cb32d772

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6604.tmp\[email protected]\install.rdf

Filesize
607B

MD5
cdd9ea50e22868b21102d7300a21d902

SHA1
324dd21ee32f10adfda3edbab5840d001b8d66b4

SHA256
bb0aba8c46432c53d462c7533433e46206509b1e8fc7bccce5a26d36478ef2bc

SHA512
9a23a328805899949382a4e05c3a68cd80b532f55d1be4b1b070c0d4be201503b32ba06a9bd1c049fce702e723786c6078fc2f884c0585a1e9f8e4e15ff74862

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6604.tmp\cjjpnjehmhhfpdjlcfgbjaplhjgbbjeb\background.html

Filesize
145B

MD5
d768ded60afda9afa960a2218855c5ca

SHA1
cbb873c368b46bf340eeb9c7c4702ca693a66d24

SHA256
08a1fea1d96cb1eab946d597d26cc76bfa2be507b17c7a2e0beee5a703279972

SHA512
5b8076cd19cfb1c4d0507aff0e69f8a527c70070944924c9a57071b5b9cc506962d03075dd0821b70bef24162f48b8d573710c4ddccc326194a37b1b009896d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6604.tmp\cjjpnjehmhhfpdjlcfgbjaplhjgbbjeb\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6604.tmp\cjjpnjehmhhfpdjlcfgbjaplhjgbbjeb\jVFvdx31.js

Filesize
5KB

MD5
aee5e2185b0cc479d2c290351e125935

SHA1
971b222422e58f98b7f9884b075a6c225f9ae675

SHA256
67a90d7058d3d66075e8734beeb644ee44a2b2091b4d08f60c59f6108af4e0c0

SHA512
045d0fd861004a22361bb8049fa2fd0ec2c9b5d658dcf4fa816bec91f44ab29ef1514791df09b43aff92921b808cd34fa2a4ccc405c3c4251286ef20516fb476

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6604.tmp\cjjpnjehmhhfpdjlcfgbjaplhjgbbjeb\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6604.tmp\cjjpnjehmhhfpdjlcfgbjaplhjgbbjeb\manifest.json

Filesize
508B

MD5
33c675108f86d80e1d7b36d7cee118c1

SHA1
49cc5d7c3576200c98021e75b5e44b1891a40faf

SHA256
351c77f83bd2750c05c9085b8ac8c1d7b5b842bb477172a391a346e71bef99cd

SHA512
2d96052d78744fb8bf13faef5c556058b9e8d41ca998385f421605c9525490be61fc15eca6d1f1ce59c2274b7f3a511f448a11543cee290aed4808e7f08e55c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6604.tmp\d1JeAnMjkheXZAe.dat

Filesize
6KB

MD5
ac1af2bb907e79fdba20fb7c7cb3931e

SHA1
7f5a6e7e605b31850eb57d8e514440fa3b790577

SHA256
cdf2c7ec2b8efd3b0864174d86666de20c46e06650366dc1f934a63d4cde38e4

SHA512
704f02f334c091f1da9bcdfb0a6a4aff5071aab9b0f7c04c17c451e52fdd14c77ece9e1acd614c9b505f4f766a4368eb2613e71beb21faf41e30a363bba6bca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6604.tmp\d1JeAnMjkheXZAe.exe

Filesize
629KB

MD5
05b7b07469fca4597eb03a03eedb19cd

SHA1
a0510838e7a5e9977d513c495ba969494c26ffbf

SHA256
9254129be296968c1a9705ea7c5d39aa6537245a162543bcc79da756c9cf1ead

SHA512
2531eb759bed4dc95cfdc4f4b7b09ecd069f8376ceb6b843ffbce6dd01c6676a9ba130b0153b014678a8c3f74d347bc8313d1cd618e53a0703882d7497648569

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6604.tmp\d1JeAnMjkheXZAe.exe

Filesize
629KB

MD5
05b7b07469fca4597eb03a03eedb19cd

SHA1
a0510838e7a5e9977d513c495ba969494c26ffbf

SHA256
9254129be296968c1a9705ea7c5d39aa6537245a162543bcc79da756c9cf1ead

SHA512
2531eb759bed4dc95cfdc4f4b7b09ecd069f8376ceb6b843ffbce6dd01c6676a9ba130b0153b014678a8c3f74d347bc8313d1cd618e53a0703882d7497648569

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6604.tmp\tnjTLhclA6I6eK.dll

Filesize
610KB

MD5
8630a0477e33bf7e401c82bb6f0bf9ef

SHA1
d1933549c59d151aec77010e665d2e60eb16f24c

SHA256
29d95c7d6c79159bbe46dc7c8dded2c2fc74d7a15d36c3ece2f8bbbc06718888

SHA512
759b5148b829c44d81d8941a939b1bc17ddef7998cbc03f24e82c49378bbed57298242cf8178587636590d2965f4b45227f62fc95dae98ebffc39b5f0e503832

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6604.tmp\tnjTLhclA6I6eK.tlb

Filesize
3KB

MD5
8956d96d82e1ff91bc7500ec1408070e

SHA1
fe73dbb0de2e727dd55073149490e7548826b42d

SHA256
4e83e6b729f8dcd42d0e2d8bac469f7cd696e6fbcb6f5edca8b91c3925b9ae5a

SHA512
9e8d87d5338d77f573787916500befbc49b93516713ac44fd8e98eb1698421c5ab536bc24071882c5179b6cd75df286c20306bde9bd59b5613f70ac53048ad15

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6604.tmp\tnjTLhclA6I6eK.x64.dll

Filesize
690KB

MD5
3abba853e3f56ca70c68e2b5df4dd7d2

SHA1
c930ed364d473be5ea573dddee48d956e36e2c3a

SHA256
3d6dd31f0c3decfbc21205b543a72b2bc4a9406323bdbb7c995a2db31709249d

SHA512
615c75f083827a8a1117eae47debe00b411565550a9e35d58a35c83e739e822dafdc3c217a33429334547d0ced6e950c0336ac8224ffcf345fa56df10971c3c5

Download Submit
\Program Files (x86)\YoutUbeAdBllocke\tnjTLhclA6I6eK.dll

Filesize
610KB

MD5
8630a0477e33bf7e401c82bb6f0bf9ef

SHA1
d1933549c59d151aec77010e665d2e60eb16f24c

SHA256
29d95c7d6c79159bbe46dc7c8dded2c2fc74d7a15d36c3ece2f8bbbc06718888

SHA512
759b5148b829c44d81d8941a939b1bc17ddef7998cbc03f24e82c49378bbed57298242cf8178587636590d2965f4b45227f62fc95dae98ebffc39b5f0e503832

Download Submit
\Program Files (x86)\YoutUbeAdBllocke\tnjTLhclA6I6eK.x64.dll

Filesize
690KB

MD5
3abba853e3f56ca70c68e2b5df4dd7d2

SHA1
c930ed364d473be5ea573dddee48d956e36e2c3a

SHA256
3d6dd31f0c3decfbc21205b543a72b2bc4a9406323bdbb7c995a2db31709249d

SHA512
615c75f083827a8a1117eae47debe00b411565550a9e35d58a35c83e739e822dafdc3c217a33429334547d0ced6e950c0336ac8224ffcf345fa56df10971c3c5

Download Submit
\Program Files (x86)\YoutUbeAdBllocke\tnjTLhclA6I6eK.x64.dll

Filesize
690KB

MD5
3abba853e3f56ca70c68e2b5df4dd7d2

SHA1
c930ed364d473be5ea573dddee48d956e36e2c3a

SHA256
3d6dd31f0c3decfbc21205b543a72b2bc4a9406323bdbb7c995a2db31709249d

SHA512
615c75f083827a8a1117eae47debe00b411565550a9e35d58a35c83e739e822dafdc3c217a33429334547d0ced6e950c0336ac8224ffcf345fa56df10971c3c5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6604.tmp\d1JeAnMjkheXZAe.exe

Filesize
629KB

MD5
05b7b07469fca4597eb03a03eedb19cd

SHA1
a0510838e7a5e9977d513c495ba969494c26ffbf

SHA256
9254129be296968c1a9705ea7c5d39aa6537245a162543bcc79da756c9cf1ead

SHA512
2531eb759bed4dc95cfdc4f4b7b09ecd069f8376ceb6b843ffbce6dd01c6676a9ba130b0153b014678a8c3f74d347bc8313d1cd618e53a0703882d7497648569

Download Submit
memory/1184-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/2044-78-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp

Filesize
8KB

Download