14ae40577ad9960becb821aa04c53de3c31c72745ad3506a841f3388c5f73c13

Analysis

max time kernel
176s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14ae40577ad9960becb821aa04c53de3c31c72745ad3506a841f3388c5f73c13.exe
Size

2.5MB
MD5

87748633a0e3be63028a34c4ec287b9b
SHA1

d2cd99922dafb8df456d40811e6394958b21f4cc
SHA256

14ae40577ad9960becb821aa04c53de3c31c72745ad3506a841f3388c5f73c13
SHA512

d6e939cad5b07b47a1f9e9e391c7b65d34dd458252523bb2c337e9423991a877c034381f0518c322c22fc53dade4dcb6f26834da17b0e96f4bd85fed9717a35b
SSDEEP

49152:h1OsUxNHPhw+gUPu1hTyleJDaSZulHdZAYokFKJr3CJRO6:h1OLD5EPhelwlCJ06

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2952	1Zry1VgsRvFDWkq.exe

Loads dropped DLL 3 IoCs

pid	Process
2952	1Zry1VgsRvFDWkq.exe
1204	regsvr32.exe
3380	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\geekcpngncajnlnalhjganjgdgegefph\200\manifest.json	1Zry1VgsRvFDWkq.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\geekcpngncajnlnalhjganjgdgegefph\200\manifest.json	1Zry1VgsRvFDWkq.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\geekcpngncajnlnalhjganjgdgegefph\200\manifest.json	1Zry1VgsRvFDWkq.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\geekcpngncajnlnalhjganjgdgegefph\200\manifest.json	1Zry1VgsRvFDWkq.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\geekcpngncajnlnalhjganjgdgegefph\200\manifest.json	1Zry1VgsRvFDWkq.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	1Zry1VgsRvFDWkq.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	1Zry1VgsRvFDWkq.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	1Zry1VgsRvFDWkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	1Zry1VgsRvFDWkq.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Browser Shop\y9L3UikD4AZXCl.x64.dll	1Zry1VgsRvFDWkq.exe
File created	C:\Program Files (x86)\Browser Shop\y9L3UikD4AZXCl.dll	1Zry1VgsRvFDWkq.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\y9L3UikD4AZXCl.dll	1Zry1VgsRvFDWkq.exe
File created	C:\Program Files (x86)\Browser Shop\y9L3UikD4AZXCl.tlb	1Zry1VgsRvFDWkq.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\y9L3UikD4AZXCl.tlb	1Zry1VgsRvFDWkq.exe
File created	C:\Program Files (x86)\Browser Shop\y9L3UikD4AZXCl.dat	1Zry1VgsRvFDWkq.exe
File opened for modification	C:\Program Files (x86)\Browser Shop\y9L3UikD4AZXCl.dat	1Zry1VgsRvFDWkq.exe
File created	C:\Program Files (x86)\Browser Shop\y9L3UikD4AZXCl.x64.dll	1Zry1VgsRvFDWkq.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2952	1Zry1VgsRvFDWkq.exe
2952	1Zry1VgsRvFDWkq.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 2952	220	14ae40577ad9960becb821aa04c53de3c31c72745ad3506a841f3388c5f73c13.exe	82
PID 220 wrote to memory of 2952	220	14ae40577ad9960becb821aa04c53de3c31c72745ad3506a841f3388c5f73c13.exe	82
PID 220 wrote to memory of 2952	220	14ae40577ad9960becb821aa04c53de3c31c72745ad3506a841f3388c5f73c13.exe	82
PID 2952 wrote to memory of 1204	2952	1Zry1VgsRvFDWkq.exe	86
PID 2952 wrote to memory of 1204	2952	1Zry1VgsRvFDWkq.exe	86
PID 2952 wrote to memory of 1204	2952	1Zry1VgsRvFDWkq.exe	86
PID 1204 wrote to memory of 3380	1204	regsvr32.exe	87
PID 1204 wrote to memory of 3380	1204	regsvr32.exe	87

C:\Users\Admin\AppData\Local\Temp\14ae40577ad9960becb821aa04c53de3c31c72745ad3506a841f3388c5f73c13.exe
"C:\Users\Admin\AppData\Local\Temp\14ae40577ad9960becb821aa04c53de3c31c72745ad3506a841f3388c5f73c13.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\7zS3577.tmp\1Zry1VgsRvFDWkq.exe
  .\1Zry1VgsRvFDWkq.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Browser Shop\y9L3UikD4AZXCl.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Browser Shop\y9L3UikD4AZXCl.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:3380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Browser Shop\y9L3UikD4AZXCl.dat

Filesize
6KB

MD5
f7e974854ff02ebe00f7b0b23a2b5683

SHA1
abeb41d8b49a4b88ac8772ab55cf54af8a2df0ec

SHA256
1e4d9255c353c7caeecf609a260e4fed630ec3afafcd9b9d141a6271fc77c541

SHA512
f7f8f5587145bdbec7d6ab687c8e378076bc9508b0f1196858bd7148cdeef8d888a14179cfaacbe4beeec8c5f3a7d1691f0b895dba3ac6ea697c31d5d2ed8ecd

Download Submit
C:\Program Files (x86)\Browser Shop\y9L3UikD4AZXCl.dll

Filesize
747KB

MD5
fbd6155016ae7229bbbad131bbcb18cf

SHA1
a9319b2aa5886a9455005bc3ffe4e3b21d308bcf

SHA256
ef1b2743bd6f3f3a08c5ca9ff29f11e55e041275598b745eef574c2c304876d7

SHA512
8e3fda3af63116d5113beb8dbbea7dd49dee9eb768d52cc6bbf1634b3dc3c4b927fca5f5549ce60090fcf59ced27f650d7db9c4621a2fb30fa9eba1f46a792a3

Download Submit
C:\Program Files (x86)\Browser Shop\y9L3UikD4AZXCl.x64.dll

Filesize
882KB

MD5
ae74fb5f756eb2f4fbf03e5b92c15850

SHA1
4f5ecec030636b00cf82dfc18486791b6a4f9ca7

SHA256
8c8e7a12d5c581fa8731e9fb952594913b6a904aca853d43fb6a229d82a48443

SHA512
3e925f37547519bbfcc562133e12ebd726922b2341bd025403528973d17a7e0a72a1cea552d0f76fe0c3c094ef4e47bd78fe5a292093d0c31c3a631f212aba59

Download Submit
C:\Program Files (x86)\Browser Shop\y9L3UikD4AZXCl.x64.dll

Filesize
882KB

MD5
ae74fb5f756eb2f4fbf03e5b92c15850

SHA1
4f5ecec030636b00cf82dfc18486791b6a4f9ca7

SHA256
8c8e7a12d5c581fa8731e9fb952594913b6a904aca853d43fb6a229d82a48443

SHA512
3e925f37547519bbfcc562133e12ebd726922b2341bd025403528973d17a7e0a72a1cea552d0f76fe0c3c094ef4e47bd78fe5a292093d0c31c3a631f212aba59

Download Submit
C:\Program Files (x86)\Browser Shop\y9L3UikD4AZXCl.x64.dll

Filesize
882KB

MD5
ae74fb5f756eb2f4fbf03e5b92c15850

SHA1
4f5ecec030636b00cf82dfc18486791b6a4f9ca7

SHA256
8c8e7a12d5c581fa8731e9fb952594913b6a904aca853d43fb6a229d82a48443

SHA512
3e925f37547519bbfcc562133e12ebd726922b2341bd025403528973d17a7e0a72a1cea552d0f76fe0c3c094ef4e47bd78fe5a292093d0c31c3a631f212aba59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3577.tmp\1Zry1VgsRvFDWkq.dat

Filesize
6KB

MD5
f7e974854ff02ebe00f7b0b23a2b5683

SHA1
abeb41d8b49a4b88ac8772ab55cf54af8a2df0ec

SHA256
1e4d9255c353c7caeecf609a260e4fed630ec3afafcd9b9d141a6271fc77c541

SHA512
f7f8f5587145bdbec7d6ab687c8e378076bc9508b0f1196858bd7148cdeef8d888a14179cfaacbe4beeec8c5f3a7d1691f0b895dba3ac6ea697c31d5d2ed8ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3577.tmp\1Zry1VgsRvFDWkq.exe

Filesize
775KB

MD5
80279b30cde0b5c95cdb4931c503a589

SHA1
55b4d7b89a833b3a0b6d822abca26f3d9786d955

SHA256
7240b37f191708f08afc82648d481d3212d0fab13b04935fafc269aaafaed086

SHA512
edcdfe116af71a79ea38df49ed41d8f5c421b9ff7b002c3d470f08cc261a4895a69371f4acc75e8b108d112a614d70706190b97d6b173a9ab6cc6f304e3a23af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3577.tmp\1Zry1VgsRvFDWkq.exe

Filesize
775KB

MD5
80279b30cde0b5c95cdb4931c503a589

SHA1
55b4d7b89a833b3a0b6d822abca26f3d9786d955

SHA256
7240b37f191708f08afc82648d481d3212d0fab13b04935fafc269aaafaed086

SHA512
edcdfe116af71a79ea38df49ed41d8f5c421b9ff7b002c3d470f08cc261a4895a69371f4acc75e8b108d112a614d70706190b97d6b173a9ab6cc6f304e3a23af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3577.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3577.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
071ef0c462fd6cbd7b8b3dabc55c1917

SHA1
1485fad26e8d7d627229df58ae13b9a44a88fbaa

SHA256
bb412888caeb1d8e50ce9dc6b211bcaf2b09afd9ddf3991154ff989e30760675

SHA512
fcc8987737d4f440de8d48eaa47980c697a5fd7982ca1002e80b3e5769c0d6bfad65be4e9c48410b0acb8c528811336359cc9d7efb938a6bbede47e099a9a47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3577.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
1bf13b06b9780d6195619bfbdbdcee33

SHA1
f20d0640dc3e5ad01bc03ad8bf22ca5e09636926

SHA256
7703cb1800510ea5c12c6ce54ec1e5294c8c069b13aa8039193cdac80cbbb38d

SHA512
f1bd8cc90921a0f35e063ce41223deb1cfb061e6ceca6dc3430fba191b90e9f924a094570ea63c4d1eb9937a4d3c4f9b1e7999a883a38018be89ab95fb050763

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3577.tmp\[email protected]\install.rdf

Filesize
599B

MD5
f177f387fee1e698abed385289eb8fd1

SHA1
8a7f2e7e818fff5771af0ce3071869016251a8bb

SHA256
5113421c82db8c07c953ad05f70097ea62ab2e7f9dbf605e85aaee945bc2f13c

SHA512
3b83acd905d882a7b6cb42075430488756382f9979ac3cfd95f35e02d6a358d514c39d2e4a515262703d0d531cef285f3f4c90d4088824b112739c3bd7c6b163

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3577.tmp\geekcpngncajnlnalhjganjgdgegefph\TWGdpL76Y.js

Filesize
5KB

MD5
deecef76a7633a89313b4d7fb806873d

SHA1
4d8e9f2e474f3b47d551af37b3634a78ce2c1112

SHA256
fb4dbae588776c0a4b4f50cc45ea80d241c7c573a04fc08390383841fdd56692

SHA512
e8411b18eb75a90b922a5b6dba8462b1480b438c931c61981babc99b4a25c5dd3c9b2bccc39286f9c6bb610df77438642c8dc2fbc27aa139524b985d24e91992

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3577.tmp\geekcpngncajnlnalhjganjgdgegefph\background.html

Filesize
146B

MD5
27f944192300c18c0db33327b5581861

SHA1
f8a8bd442ce862377097e63932ebbabeed41d42a

SHA256
e964dad0ec231159144fb56b292d4f5c3cabb907d691e3e4f749c3ee760ebd71

SHA512
358f6a38cfa03293813a09d584d0875f86a5375eeb2de8f52fd2186875269e5e76d34106f1072f3bedf3140dcca493f8935a658c37ffbfa09037278a40647011

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3577.tmp\geekcpngncajnlnalhjganjgdgegefph\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3577.tmp\geekcpngncajnlnalhjganjgdgegefph\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3577.tmp\geekcpngncajnlnalhjganjgdgegefph\manifest.json

Filesize
504B

MD5
d532994175ac6e4e8fea2ae07edef6ff

SHA1
5646eab3cebc8b0a804103b63f08a63db784a77d

SHA256
f9a190f8cfafdeddfe9627366bcd108e42b7fa07c8d074f1570bd77489f39c4d

SHA512
ba6ddc11423c0b0d93de3e3ecb9eeebe29470723282165aa67de4329a5f9af7e390869a7cbd0834c1ff115a1ed0a274bed686b4b6630e98b268ec1f2a9a8dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3577.tmp\y9L3UikD4AZXCl.dll

Filesize
747KB

MD5
fbd6155016ae7229bbbad131bbcb18cf

SHA1
a9319b2aa5886a9455005bc3ffe4e3b21d308bcf

SHA256
ef1b2743bd6f3f3a08c5ca9ff29f11e55e041275598b745eef574c2c304876d7

SHA512
8e3fda3af63116d5113beb8dbbea7dd49dee9eb768d52cc6bbf1634b3dc3c4b927fca5f5549ce60090fcf59ced27f650d7db9c4621a2fb30fa9eba1f46a792a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3577.tmp\y9L3UikD4AZXCl.tlb

Filesize
3KB

MD5
f7d250789cb98f934c5af3f887881802

SHA1
23057d35d87c3381449342b68d2224691cc9a62b

SHA256
bd9d6d040d89576ede9657e27dc52522518e43aafc869396d1a80f59251ed1fa

SHA512
b0f24ff20654fc6b168f899f45b3d866ca45125651076b0ef65ac25264f4cfe02c6be4df258ef31d419cfd32f4319c3ad41e52e3088ed50cc8e11d5fbfc29401

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3577.tmp\y9L3UikD4AZXCl.x64.dll

Filesize
882KB

MD5
ae74fb5f756eb2f4fbf03e5b92c15850

SHA1
4f5ecec030636b00cf82dfc18486791b6a4f9ca7

SHA256
8c8e7a12d5c581fa8731e9fb952594913b6a904aca853d43fb6a229d82a48443

SHA512
3e925f37547519bbfcc562133e12ebd726922b2341bd025403528973d17a7e0a72a1cea552d0f76fe0c3c094ef4e47bd78fe5a292093d0c31c3a631f212aba59

Download Submit