fd25ba25c32afbe03b5f9901161c1a2037faada5899ed874bb08245a886dff56

Analysis

max time kernel
187s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd25ba25c32afbe03b5f9901161c1a2037faada5899ed874bb08245a886dff56.exe
Size

2.5MB
MD5

3b4d30e86474a305130102b4a5236d08
SHA1

70bd102f60e489958ac10ffeac8a27c963e77d67
SHA256

fd25ba25c32afbe03b5f9901161c1a2037faada5899ed874bb08245a886dff56
SHA512

b49844cd478ffb92d38a697bc1b0cdb55f2f05ef4f99ac43eff4fdfa6a0b75399643d60b8fa2d643144f0aed7c23b80a68d96d9575316b5ce748167084adb75b
SSDEEP

49152:h1OscxNHPhw+gUPu1hTyleJDaSZulHdZAYokFKJr3CJROg:h1O7D5EPhelwlCJ0g

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4652	AiOaEyloKHtynpl.exe

Loads dropped DLL 3 IoCs

pid	Process
4652	AiOaEyloKHtynpl.exe
204	regsvr32.exe
1920	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgmcfillcobaecfngdgpaclpkoabmifn\1.3\manifest.json	AiOaEyloKHtynpl.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgmcfillcobaecfngdgpaclpkoabmifn\1.3\manifest.json	AiOaEyloKHtynpl.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgmcfillcobaecfngdgpaclpkoabmifn\1.3\manifest.json	AiOaEyloKHtynpl.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgmcfillcobaecfngdgpaclpkoabmifn\1.3\manifest.json	AiOaEyloKHtynpl.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgmcfillcobaecfngdgpaclpkoabmifn\1.3\manifest.json	AiOaEyloKHtynpl.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	AiOaEyloKHtynpl.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	AiOaEyloKHtynpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	AiOaEyloKHtynpl.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	AiOaEyloKHtynpl.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Vaudix\iu4KRDceVFZQKa.dll	AiOaEyloKHtynpl.exe
File opened for modification	C:\Program Files (x86)\Vaudix\iu4KRDceVFZQKa.dll	AiOaEyloKHtynpl.exe
File created	C:\Program Files (x86)\Vaudix\iu4KRDceVFZQKa.tlb	AiOaEyloKHtynpl.exe
File opened for modification	C:\Program Files (x86)\Vaudix\iu4KRDceVFZQKa.tlb	AiOaEyloKHtynpl.exe
File created	C:\Program Files (x86)\Vaudix\iu4KRDceVFZQKa.dat	AiOaEyloKHtynpl.exe
File opened for modification	C:\Program Files (x86)\Vaudix\iu4KRDceVFZQKa.dat	AiOaEyloKHtynpl.exe
File created	C:\Program Files (x86)\Vaudix\iu4KRDceVFZQKa.x64.dll	AiOaEyloKHtynpl.exe
File opened for modification	C:\Program Files (x86)\Vaudix\iu4KRDceVFZQKa.x64.dll	AiOaEyloKHtynpl.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4652	AiOaEyloKHtynpl.exe
4652	AiOaEyloKHtynpl.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 4652	2756	fd25ba25c32afbe03b5f9901161c1a2037faada5899ed874bb08245a886dff56.exe	84
PID 2756 wrote to memory of 4652	2756	fd25ba25c32afbe03b5f9901161c1a2037faada5899ed874bb08245a886dff56.exe	84
PID 2756 wrote to memory of 4652	2756	fd25ba25c32afbe03b5f9901161c1a2037faada5899ed874bb08245a886dff56.exe	84
PID 4652 wrote to memory of 204	4652	AiOaEyloKHtynpl.exe	85
PID 4652 wrote to memory of 204	4652	AiOaEyloKHtynpl.exe	85
PID 4652 wrote to memory of 204	4652	AiOaEyloKHtynpl.exe	85
PID 204 wrote to memory of 1920	204	regsvr32.exe	86
PID 204 wrote to memory of 1920	204	regsvr32.exe	86

C:\Users\Admin\AppData\Local\Temp\fd25ba25c32afbe03b5f9901161c1a2037faada5899ed874bb08245a886dff56.exe
"C:\Users\Admin\AppData\Local\Temp\fd25ba25c32afbe03b5f9901161c1a2037faada5899ed874bb08245a886dff56.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\7zS119.tmp\AiOaEyloKHtynpl.exe
  .\AiOaEyloKHtynpl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Vaudix\iu4KRDceVFZQKa.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:204
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Vaudix\iu4KRDceVFZQKa.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Vaudix\iu4KRDceVFZQKa.dat

Filesize
6KB

MD5
89e8fa407c1f798a27070836b3156c03

SHA1
57b429ccedb3adb08b0f0e4548150f2dd3eda869

SHA256
e30f331c831e46c16d29c2192a9292937a6dc01a18a6d0e1b5f5d53cb5d78f78

SHA512
fb9c710294c6a33107765591fe5bf7d736bdd8cfb9bd751d2bafa83682054f5e696ad5c29ec2c61aed967c138d580865c5d415f4a48aba7396b3f5eac4b7ee3d

Download Submit
C:\Program Files (x86)\Vaudix\iu4KRDceVFZQKa.dll

Filesize
747KB

MD5
fbd6155016ae7229bbbad131bbcb18cf

SHA1
a9319b2aa5886a9455005bc3ffe4e3b21d308bcf

SHA256
ef1b2743bd6f3f3a08c5ca9ff29f11e55e041275598b745eef574c2c304876d7

SHA512
8e3fda3af63116d5113beb8dbbea7dd49dee9eb768d52cc6bbf1634b3dc3c4b927fca5f5549ce60090fcf59ced27f650d7db9c4621a2fb30fa9eba1f46a792a3

Download Submit
C:\Program Files (x86)\Vaudix\iu4KRDceVFZQKa.x64.dll

Filesize
882KB

MD5
ae74fb5f756eb2f4fbf03e5b92c15850

SHA1
4f5ecec030636b00cf82dfc18486791b6a4f9ca7

SHA256
8c8e7a12d5c581fa8731e9fb952594913b6a904aca853d43fb6a229d82a48443

SHA512
3e925f37547519bbfcc562133e12ebd726922b2341bd025403528973d17a7e0a72a1cea552d0f76fe0c3c094ef4e47bd78fe5a292093d0c31c3a631f212aba59

Download Submit
C:\Program Files (x86)\Vaudix\iu4KRDceVFZQKa.x64.dll

Filesize
882KB

MD5
ae74fb5f756eb2f4fbf03e5b92c15850

SHA1
4f5ecec030636b00cf82dfc18486791b6a4f9ca7

SHA256
8c8e7a12d5c581fa8731e9fb952594913b6a904aca853d43fb6a229d82a48443

SHA512
3e925f37547519bbfcc562133e12ebd726922b2341bd025403528973d17a7e0a72a1cea552d0f76fe0c3c094ef4e47bd78fe5a292093d0c31c3a631f212aba59

Download Submit
C:\Program Files (x86)\Vaudix\iu4KRDceVFZQKa.x64.dll

Filesize
882KB

MD5
ae74fb5f756eb2f4fbf03e5b92c15850

SHA1
4f5ecec030636b00cf82dfc18486791b6a4f9ca7

SHA256
8c8e7a12d5c581fa8731e9fb952594913b6a904aca853d43fb6a229d82a48443

SHA512
3e925f37547519bbfcc562133e12ebd726922b2341bd025403528973d17a7e0a72a1cea552d0f76fe0c3c094ef4e47bd78fe5a292093d0c31c3a631f212aba59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS119.tmp\AiOaEyloKHtynpl.dat

Filesize
6KB

MD5
89e8fa407c1f798a27070836b3156c03

SHA1
57b429ccedb3adb08b0f0e4548150f2dd3eda869

SHA256
e30f331c831e46c16d29c2192a9292937a6dc01a18a6d0e1b5f5d53cb5d78f78

SHA512
fb9c710294c6a33107765591fe5bf7d736bdd8cfb9bd751d2bafa83682054f5e696ad5c29ec2c61aed967c138d580865c5d415f4a48aba7396b3f5eac4b7ee3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS119.tmp\AiOaEyloKHtynpl.exe

Filesize
775KB

MD5
80279b30cde0b5c95cdb4931c503a589

SHA1
55b4d7b89a833b3a0b6d822abca26f3d9786d955

SHA256
7240b37f191708f08afc82648d481d3212d0fab13b04935fafc269aaafaed086

SHA512
edcdfe116af71a79ea38df49ed41d8f5c421b9ff7b002c3d470f08cc261a4895a69371f4acc75e8b108d112a614d70706190b97d6b173a9ab6cc6f304e3a23af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS119.tmp\AiOaEyloKHtynpl.exe

Filesize
775KB

MD5
80279b30cde0b5c95cdb4931c503a589

SHA1
55b4d7b89a833b3a0b6d822abca26f3d9786d955

SHA256
7240b37f191708f08afc82648d481d3212d0fab13b04935fafc269aaafaed086

SHA512
edcdfe116af71a79ea38df49ed41d8f5c421b9ff7b002c3d470f08cc261a4895a69371f4acc75e8b108d112a614d70706190b97d6b173a9ab6cc6f304e3a23af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS119.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS119.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
f1a760c345f2af03fe33168c0ec6bd3a

SHA1
2b5a0dc167aa1535e5b93fc256519a48f008bbd9

SHA256
00e0d19d93653895a754ba79fba37c83e9bf4bed184ae11493af84939cbf44e0

SHA512
c6a5421202bca89a75f6fb2326026fbacb2b5588efdf5eb6dd420867722b75b5500501e2ef890f53e326d09ac8c931da8b9bb1f0b11344d5c3f59aae83f446d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS119.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
4f8148e4c4efb37f4c9104b4edf3fd48

SHA1
9378f83346de914e30d016efb149eeb1ae6f5c59

SHA256
f04d88e600cc438a7c23efeccafba2d6cc7154226e039502d98b6589c258485f

SHA512
a2ac31f986517109a80f29c56b8957f5892b55bc689fc5935186012d0b964bb57cfa534a0266e3c6bdbd911a36321b462de5bcbc4328b83c48540eb7f9b00897

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS119.tmp\[email protected]\install.rdf

Filesize
597B

MD5
cbb45dfb54140509c79409db1fc2827a

SHA1
f1a33d74259125b52c3fe0f97893f7439d56201f

SHA256
2f47bb48a409ed1bb2f2f0db3abbd40a05fefebd46268050a97c20d7e6599e34

SHA512
39635c8f52f1263c7c7e3510a0210813c974b34725d65d48ebfac33353b5ab82f2a3805a8382af3663380b9ceaad7bbfabab828d0c878d26e1ecce9e4b24c0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS119.tmp\cgmcfillcobaecfngdgpaclpkoabmifn\M2KdzZL.js

Filesize
5KB

MD5
376549d9d48be34051d94339aa3d14ae

SHA1
da6f58c34094d0624d5a383bcf5697f054d4ac3d

SHA256
7042244950326fed4b515c3fb21118c9683a927e6262282e6041a90c3ad9b4f8

SHA512
5642d998672dcd9d432f6fbb722660072cbc2627dbfecd55736b32ce0db5f6ee8547d7c41b7884362cb06116ad5878b3849b97f2f4c28c9a239f79435dcca80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS119.tmp\cgmcfillcobaecfngdgpaclpkoabmifn\background.html

Filesize
144B

MD5
8656e135ebac158e626af2ae54704768

SHA1
629c97bfb2f4e863f9c7667b7cafa4af18f07195

SHA256
a2147e223050a073683cb31849dfbd93a5a4cd0d0da2875afd8ee15c7411cecc

SHA512
f5d491ad3417c1d778c00b51cd90f754ccd864593dc123d6eb878d03593d2e789667ba225000a0bedf3e496991b681dd98b9a6d8b476bfb210ed7fabcbae9e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS119.tmp\cgmcfillcobaecfngdgpaclpkoabmifn\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS119.tmp\cgmcfillcobaecfngdgpaclpkoabmifn\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS119.tmp\cgmcfillcobaecfngdgpaclpkoabmifn\manifest.json

Filesize
498B

MD5
664e2884e17f23553a19eee317642194

SHA1
a28ccc088d6b6692646150f3e8f111e568723fb4

SHA256
ee4ef853224cde2aa7e54351c02bc811af939202b82e19cbd1cc011fc3565191

SHA512
b2cef8c4dfb6a0648f21c53393b982c9171d8a0344a94970c13866ebd2870de2cd99dab5984000b10802c54a748230104c7997c3d2cd3ac5e97c9355a4cb7ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS119.tmp\iu4KRDceVFZQKa.dll

Filesize
747KB

MD5
fbd6155016ae7229bbbad131bbcb18cf

SHA1
a9319b2aa5886a9455005bc3ffe4e3b21d308bcf

SHA256
ef1b2743bd6f3f3a08c5ca9ff29f11e55e041275598b745eef574c2c304876d7

SHA512
8e3fda3af63116d5113beb8dbbea7dd49dee9eb768d52cc6bbf1634b3dc3c4b927fca5f5549ce60090fcf59ced27f650d7db9c4621a2fb30fa9eba1f46a792a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS119.tmp\iu4KRDceVFZQKa.tlb

Filesize
3KB

MD5
f7d250789cb98f934c5af3f887881802

SHA1
23057d35d87c3381449342b68d2224691cc9a62b

SHA256
bd9d6d040d89576ede9657e27dc52522518e43aafc869396d1a80f59251ed1fa

SHA512
b0f24ff20654fc6b168f899f45b3d866ca45125651076b0ef65ac25264f4cfe02c6be4df258ef31d419cfd32f4319c3ad41e52e3088ed50cc8e11d5fbfc29401

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS119.tmp\iu4KRDceVFZQKa.x64.dll

Filesize
882KB

MD5
ae74fb5f756eb2f4fbf03e5b92c15850

SHA1
4f5ecec030636b00cf82dfc18486791b6a4f9ca7

SHA256
8c8e7a12d5c581fa8731e9fb952594913b6a904aca853d43fb6a229d82a48443

SHA512
3e925f37547519bbfcc562133e12ebd726922b2341bd025403528973d17a7e0a72a1cea552d0f76fe0c3c094ef4e47bd78fe5a292093d0c31c3a631f212aba59

Download Submit