e13cabb3e382b1c2e3969474f5ba7b3babac5e27d4405b92b30e2b97e78ab99b

Analysis

max time kernel
39s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e13cabb3e382b1c2e3969474f5ba7b3babac5e27d4405b92b30e2b97e78ab99b.exe
Size

2.1MB
MD5

57399de2c1edef507788b2b83a787470
SHA1

4fd6a150cc64f9f41821bb21f186051836f7aa02
SHA256

e13cabb3e382b1c2e3969474f5ba7b3babac5e27d4405b92b30e2b97e78ab99b
SHA512

915dd979fe74615adce08ec5950d299e6b7d4401c1475a43d60b46f8e6da39f0f288d8668417c72e82a3c44013302c1eb989a5559b55c1f91f4cf1c6381fe959
SSDEEP

49152:h1OseNQToNVxbNrInKtDSwSm7CXH9e7RSlSAn5RjFdzgD20XrXTn:h1O3NQUNVxNpSmGX9FdsD20XP

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1380	LP5gTMS8HdBzne1.exe

Loads dropped DLL 4 IoCs

pid	Process
1348	e13cabb3e382b1c2e3969474f5ba7b3babac5e27d4405b92b30e2b97e78ab99b.exe
1380	LP5gTMS8HdBzne1.exe
1780	regsvr32.exe
788	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\amndmpbppcgnfgpjficpjodfaahiclpm\3.7\manifest.json	LP5gTMS8HdBzne1.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\amndmpbppcgnfgpjficpjodfaahiclpm\3.7\manifest.json	LP5gTMS8HdBzne1.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\amndmpbppcgnfgpjficpjodfaahiclpm\3.7\manifest.json	LP5gTMS8HdBzne1.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	LP5gTMS8HdBzne1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	LP5gTMS8HdBzne1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	LP5gTMS8HdBzne1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	LP5gTMS8HdBzne1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	LP5gTMS8HdBzne1.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\webasave\ULM6R8Mtsuj1pL.dat	LP5gTMS8HdBzne1.exe
File opened for modification	C:\Program Files (x86)\webasave\ULM6R8Mtsuj1pL.dat	LP5gTMS8HdBzne1.exe
File created	C:\Program Files (x86)\webasave\ULM6R8Mtsuj1pL.x64.dll	LP5gTMS8HdBzne1.exe
File opened for modification	C:\Program Files (x86)\webasave\ULM6R8Mtsuj1pL.x64.dll	LP5gTMS8HdBzne1.exe
File created	C:\Program Files (x86)\webasave\ULM6R8Mtsuj1pL.dll	LP5gTMS8HdBzne1.exe
File opened for modification	C:\Program Files (x86)\webasave\ULM6R8Mtsuj1pL.dll	LP5gTMS8HdBzne1.exe
File created	C:\Program Files (x86)\webasave\ULM6R8Mtsuj1pL.tlb	LP5gTMS8HdBzne1.exe
File opened for modification	C:\Program Files (x86)\webasave\ULM6R8Mtsuj1pL.tlb	LP5gTMS8HdBzne1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1380	LP5gTMS8HdBzne1.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1380	1348	e13cabb3e382b1c2e3969474f5ba7b3babac5e27d4405b92b30e2b97e78ab99b.exe	26
PID 1348 wrote to memory of 1380	1348	e13cabb3e382b1c2e3969474f5ba7b3babac5e27d4405b92b30e2b97e78ab99b.exe	26
PID 1348 wrote to memory of 1380	1348	e13cabb3e382b1c2e3969474f5ba7b3babac5e27d4405b92b30e2b97e78ab99b.exe	26
PID 1348 wrote to memory of 1380	1348	e13cabb3e382b1c2e3969474f5ba7b3babac5e27d4405b92b30e2b97e78ab99b.exe	26
PID 1380 wrote to memory of 1780	1380	LP5gTMS8HdBzne1.exe	27
PID 1380 wrote to memory of 1780	1380	LP5gTMS8HdBzne1.exe	27
PID 1380 wrote to memory of 1780	1380	LP5gTMS8HdBzne1.exe	27
PID 1380 wrote to memory of 1780	1380	LP5gTMS8HdBzne1.exe	27
PID 1380 wrote to memory of 1780	1380	LP5gTMS8HdBzne1.exe	27
PID 1380 wrote to memory of 1780	1380	LP5gTMS8HdBzne1.exe	27
PID 1380 wrote to memory of 1780	1380	LP5gTMS8HdBzne1.exe	27
PID 1780 wrote to memory of 788	1780	regsvr32.exe	28
PID 1780 wrote to memory of 788	1780	regsvr32.exe	28
PID 1780 wrote to memory of 788	1780	regsvr32.exe	28
PID 1780 wrote to memory of 788	1780	regsvr32.exe	28
PID 1780 wrote to memory of 788	1780	regsvr32.exe	28
PID 1780 wrote to memory of 788	1780	regsvr32.exe	28
PID 1780 wrote to memory of 788	1780	regsvr32.exe	28

C:\Users\Admin\AppData\Local\Temp\e13cabb3e382b1c2e3969474f5ba7b3babac5e27d4405b92b30e2b97e78ab99b.exe
"C:\Users\Admin\AppData\Local\Temp\e13cabb3e382b1c2e3969474f5ba7b3babac5e27d4405b92b30e2b97e78ab99b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\7zS696E.tmp\LP5gTMS8HdBzne1.exe
  .\LP5gTMS8HdBzne1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\webasave\ULM6R8Mtsuj1pL.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\webasave\ULM6R8Mtsuj1pL.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\webasave\ULM6R8Mtsuj1pL.dat

Filesize
6KB

MD5
381142d06909571acaf1861140eef3a9

SHA1
1235533e8f2b9df0dc64901b6a60cce92b868857

SHA256
a91dcbc46924ef3828890c90dfc4056ef948c8a00500796c77c4168685fd148f

SHA512
e14258f7cc8483ef0c67221ed08e8b7c2ea552e0a6633e165520ae060121315138b482179f67f412fb445a687afffe1449682e297875c3fc42f1a3c61f5ca1cb

Download Submit
C:\Program Files (x86)\webasave\ULM6R8Mtsuj1pL.x64.dll

Filesize
681KB

MD5
e9475db8431e218fb9e93001a029d450

SHA1
65c9d72f51edaedad5ad5b644578f8f25da68bd0

SHA256
33a7d43f85d41bea61dd46a31d911f1762c945ca031e62d57195f50caa7eb8ea

SHA512
7d19e936ae4227c786dacda35a1bd4bd94a3147403ec04cc4d12ca4af2386e9cb17c6c3000e0360ea5d258ddd0a842d2044e80ddcce4d7117c2b94b0c43bdb11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS696E.tmp\LP5gTMS8HdBzne1.dat

Filesize
6KB

MD5
381142d06909571acaf1861140eef3a9

SHA1
1235533e8f2b9df0dc64901b6a60cce92b868857

SHA256
a91dcbc46924ef3828890c90dfc4056ef948c8a00500796c77c4168685fd148f

SHA512
e14258f7cc8483ef0c67221ed08e8b7c2ea552e0a6633e165520ae060121315138b482179f67f412fb445a687afffe1449682e297875c3fc42f1a3c61f5ca1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS696E.tmp\LP5gTMS8HdBzne1.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS696E.tmp\LP5gTMS8HdBzne1.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS696E.tmp\ULM6R8Mtsuj1pL.dll

Filesize
549KB

MD5
aa482eddd64245769b9350f18fb48387

SHA1
0a78b93b628153ba6c133d3de6c2c28570822b20

SHA256
fb4f5650fed042fc66d19ff0e6126fca8e078542820c24d21fdefb561a55bee8

SHA512
849c02dae5ffd6bb2cec1f6927988ecbb536bb879063efdebaf687ee655e9af21d16d3eb12308f470d50d50edc86c7e93901ad77a05ac19d9f1219098b711120

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS696E.tmp\ULM6R8Mtsuj1pL.tlb

Filesize
3KB

MD5
cf57859d4870e1907e52503d4ffcbb7c

SHA1
fb0b87195347f8274e3fa046e0a34c3e57ff1e35

SHA256
273641220fdd65602a2c7034d5365af6fae6fdf5dd78a3f9a0d7c773f4ee7e40

SHA512
955523e6e85438857bddcb7be29f675643855f28ef3600e8b93e6dbb94c5ae961c0dd0f68cb2ae351df52843ccdf919aeb2b62be711180379617fa9b9463f394

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS696E.tmp\ULM6R8Mtsuj1pL.x64.dll

Filesize
681KB

MD5
e9475db8431e218fb9e93001a029d450

SHA1
65c9d72f51edaedad5ad5b644578f8f25da68bd0

SHA256
33a7d43f85d41bea61dd46a31d911f1762c945ca031e62d57195f50caa7eb8ea

SHA512
7d19e936ae4227c786dacda35a1bd4bd94a3147403ec04cc4d12ca4af2386e9cb17c6c3000e0360ea5d258ddd0a842d2044e80ddcce4d7117c2b94b0c43bdb11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS696E.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS696E.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
26c09528aba59438f15813236e39ee3c

SHA1
af20def94bf9582e80f28c385ba9c8d2e0d97ee1

SHA256
ee9926b75793dcc4a67692942d76aca62ca48dba67fe13a93e971982cc92f3bf

SHA512
e131caad4c816f6012824c098649e7d00c344ca11c8860db94caf597a7bb8552d561e8059b344ec219d6f1ab14c55a30022b0f6a9d102750ec70166ddd1738be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS696E.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
6d76e612ec846aa9a76852420e475e87

SHA1
c0066432a2f105df9f2da14b5d21825579791c4e

SHA256
d6d8274884edc92f6d49ca9347840b9dee9ef57a0fb7d97cd8d5d20c282a8c80

SHA512
a01772f37f73fb4203dd038fc04954a533137f9424053b5706cd41458a0f1d94e265d3f3b355d7cbe4642ae3c29aad2d322c4edc87955553a4e6eff32e6d20d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS696E.tmp\[email protected]\install.rdf

Filesize
595B

MD5
71fc9470a0cdd9bac59806312fda38a4

SHA1
67200901bc7650018fdf2987fff7f83f025ad78b

SHA256
f1956f380a244fbdb0f21ea4ed312e30b8d1805615bbe81ef8255c3c7ca9994f

SHA512
c9818757c50bb3b2cd0c57e35a89ac044bae4bd8b11d7f507626fb678bf75837fc0af1f28e03f55139ce54e2592c39303ff148f17c17ec7dcc2f3c9bd08ad990

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS696E.tmp\amndmpbppcgnfgpjficpjodfaahiclpm\Y.js

Filesize
5KB

MD5
d316a5a02cfb72a24d658024edaee2a4

SHA1
6bf36ba943514687bc6f3e5d56c79bacef7a38cf

SHA256
e6e2f58fc929a70cebeb9c9f642f185d491d5d0064271d7c3f720ab7052f47a9

SHA512
b72b016b05aa7e3318c02ef57132b64791ba326e168ceb5f9a7de0b319395556d3b8c5b28dbba33f6aafacfcef4d75730359253a0343935ace7139ab8cd89735

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS696E.tmp\amndmpbppcgnfgpjficpjodfaahiclpm\background.html

Filesize
138B

MD5
61cb784a05fb6984e0a2292c77f6690f

SHA1
22950ee3224377d39fc216eb1b107b667203e76f

SHA256
f4316aca0d838b45dbcf61c1a552c867f6a0de2c0ff4d13b784b24ad3460c211

SHA512
63511d1b432b1a84f3a22322fe957f23bbaa417bdf571e537ac71466a785bf9ca55972ee7348af619b368273086a11175b074f3fb7a6d0a47e6234051c65d494

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS696E.tmp\amndmpbppcgnfgpjficpjodfaahiclpm\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS696E.tmp\amndmpbppcgnfgpjficpjodfaahiclpm\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS696E.tmp\amndmpbppcgnfgpjficpjodfaahiclpm\manifest.json

Filesize
500B

MD5
42ad8c2c35ba378e4c3e4d31efb6836e

SHA1
6bedbcc63df1083fb52d0ebe24efd83deb83b039

SHA256
cb7c6dbac1cf8dfa625dca99bb3ed41860be7eca8b0cc6deee525a76051b9ebf

SHA512
abd4a8892dcd335fc61849afc1524cbd0d8a00ca9537d4b8612d133c673a39738708cadbf897aea3c84839de4dafc92e8b8ccce47fa8cfbd1c590711fdd39bdd

Download Submit
\Program Files (x86)\webasave\ULM6R8Mtsuj1pL.dll

Filesize
549KB

MD5
aa482eddd64245769b9350f18fb48387

SHA1
0a78b93b628153ba6c133d3de6c2c28570822b20

SHA256
fb4f5650fed042fc66d19ff0e6126fca8e078542820c24d21fdefb561a55bee8

SHA512
849c02dae5ffd6bb2cec1f6927988ecbb536bb879063efdebaf687ee655e9af21d16d3eb12308f470d50d50edc86c7e93901ad77a05ac19d9f1219098b711120

Download Submit
\Program Files (x86)\webasave\ULM6R8Mtsuj1pL.x64.dll

Filesize
681KB

MD5
e9475db8431e218fb9e93001a029d450

SHA1
65c9d72f51edaedad5ad5b644578f8f25da68bd0

SHA256
33a7d43f85d41bea61dd46a31d911f1762c945ca031e62d57195f50caa7eb8ea

SHA512
7d19e936ae4227c786dacda35a1bd4bd94a3147403ec04cc4d12ca4af2386e9cb17c6c3000e0360ea5d258ddd0a842d2044e80ddcce4d7117c2b94b0c43bdb11

Download Submit
\Program Files (x86)\webasave\ULM6R8Mtsuj1pL.x64.dll

Filesize
681KB

MD5
e9475db8431e218fb9e93001a029d450

SHA1
65c9d72f51edaedad5ad5b644578f8f25da68bd0

SHA256
33a7d43f85d41bea61dd46a31d911f1762c945ca031e62d57195f50caa7eb8ea

SHA512
7d19e936ae4227c786dacda35a1bd4bd94a3147403ec04cc4d12ca4af2386e9cb17c6c3000e0360ea5d258ddd0a842d2044e80ddcce4d7117c2b94b0c43bdb11

Download Submit
\Users\Admin\AppData\Local\Temp\7zS696E.tmp\LP5gTMS8HdBzne1.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
memory/788-77-0x0000000000000000-mapping.dmp

Download
memory/788-78-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/1348-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1380-56-0x0000000000000000-mapping.dmp

Download
memory/1780-73-0x0000000000000000-mapping.dmp

Download