da9b15a430253c50a690163727fe1e63fb1b9b3afc9894c7ef5ebee3ff93bf40

Analysis

max time kernel
141s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 04:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

da9b15a430253c50a690163727fe1e63fb1b9b3afc9894c7ef5ebee3ff93bf40.exe
Size

2.1MB
MD5

85dcd5176743821853a3f553230878d8
SHA1

903e92319cb7bd27c2920e17f8c6ac811b4adf54
SHA256

da9b15a430253c50a690163727fe1e63fb1b9b3afc9894c7ef5ebee3ff93bf40
SHA512

2a12844404041de2286786d161c9b1aeea1956edd9e13141b9ee7427cd6f943055916ca98f517125d2f97d44d6e5a712a889dd7de6727ba1db8df0798355dd49
SSDEEP

49152:h1OsDNQToNVxbNrInKtDSwSm7CXH9e7e6JPvXikFKrhcoglfL+8:h1O8NQUNVxNpSmGXGlvtzZ

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1308	C00IjrPQkWwC3Ld.exe

Loads dropped DLL 3 IoCs

pid	Process
1308	C00IjrPQkWwC3Ld.exe
2612	regsvr32.exe
332	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\kljepbefoeognpbckbcjkilmolkgdbfa\1.3\manifest.json	C00IjrPQkWwC3Ld.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kljepbefoeognpbckbcjkilmolkgdbfa\1.3\manifest.json	C00IjrPQkWwC3Ld.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\kljepbefoeognpbckbcjkilmolkgdbfa\1.3\manifest.json	C00IjrPQkWwC3Ld.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\kljepbefoeognpbckbcjkilmolkgdbfa\1.3\manifest.json	C00IjrPQkWwC3Ld.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\kljepbefoeognpbckbcjkilmolkgdbfa\1.3\manifest.json	C00IjrPQkWwC3Ld.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	C00IjrPQkWwC3Ld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	C00IjrPQkWwC3Ld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	C00IjrPQkWwC3Ld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	C00IjrPQkWwC3Ld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Vaauudix\Ms9bxoaNHo7taP.tlb	C00IjrPQkWwC3Ld.exe
File created	C:\Program Files (x86)\Vaauudix\Ms9bxoaNHo7taP.dat	C00IjrPQkWwC3Ld.exe
File opened for modification	C:\Program Files (x86)\Vaauudix\Ms9bxoaNHo7taP.dat	C00IjrPQkWwC3Ld.exe
File created	C:\Program Files (x86)\Vaauudix\Ms9bxoaNHo7taP.x64.dll	C00IjrPQkWwC3Ld.exe
File opened for modification	C:\Program Files (x86)\Vaauudix\Ms9bxoaNHo7taP.x64.dll	C00IjrPQkWwC3Ld.exe
File created	C:\Program Files (x86)\Vaauudix\Ms9bxoaNHo7taP.dll	C00IjrPQkWwC3Ld.exe
File opened for modification	C:\Program Files (x86)\Vaauudix\Ms9bxoaNHo7taP.dll	C00IjrPQkWwC3Ld.exe
File created	C:\Program Files (x86)\Vaauudix\Ms9bxoaNHo7taP.tlb	C00IjrPQkWwC3Ld.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1308	C00IjrPQkWwC3Ld.exe
1308	C00IjrPQkWwC3Ld.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 1308	4756	da9b15a430253c50a690163727fe1e63fb1b9b3afc9894c7ef5ebee3ff93bf40.exe	83
PID 4756 wrote to memory of 1308	4756	da9b15a430253c50a690163727fe1e63fb1b9b3afc9894c7ef5ebee3ff93bf40.exe	83
PID 4756 wrote to memory of 1308	4756	da9b15a430253c50a690163727fe1e63fb1b9b3afc9894c7ef5ebee3ff93bf40.exe	83
PID 1308 wrote to memory of 2612	1308	C00IjrPQkWwC3Ld.exe	84
PID 1308 wrote to memory of 2612	1308	C00IjrPQkWwC3Ld.exe	84
PID 1308 wrote to memory of 2612	1308	C00IjrPQkWwC3Ld.exe	84
PID 2612 wrote to memory of 332	2612	regsvr32.exe	85
PID 2612 wrote to memory of 332	2612	regsvr32.exe	85

C:\Users\Admin\AppData\Local\Temp\da9b15a430253c50a690163727fe1e63fb1b9b3afc9894c7ef5ebee3ff93bf40.exe
"C:\Users\Admin\AppData\Local\Temp\da9b15a430253c50a690163727fe1e63fb1b9b3afc9894c7ef5ebee3ff93bf40.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Users\Admin\AppData\Local\Temp\7zS717B.tmp\C00IjrPQkWwC3Ld.exe
  .\C00IjrPQkWwC3Ld.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Vaauudix\Ms9bxoaNHo7taP.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Vaauudix\Ms9bxoaNHo7taP.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Vaauudix\Ms9bxoaNHo7taP.dat

Filesize
6KB

MD5
92305aeb5805ea1e1bdc2ecc3adb7c5e

SHA1
ec5576baa7c63d34b4f88c6c40e5748038a7a239

SHA256
ab9d1ccc533ae70ff93cbd49d36af12405ccfa336843d6b7a161f4ba2c5d4210

SHA512
8b66612fbac6b341aa15fb025b4680a8995d28bd3e8129c6c4d473e80262ffe744c0357189ec03b7980f9dc265b3d18c99739849b4602733fe84c480302c3b00

Download Submit
C:\Program Files (x86)\Vaauudix\Ms9bxoaNHo7taP.dll

Filesize
552KB

MD5
f18ccfc924270205b4866c4d6449b885

SHA1
78f8140fec756185048617b18ffa8ef790310b91

SHA256
b65ab4176e71be5e138f8caed5cd0192bd59e474be9a9a09da7375cc08a21587

SHA512
034000e67480d6088119f630cc953218bf438b20c9f5283ca2afd0b81406ea34c0d437c1ff8a34a97157c85a42488930760dc7fc2865e27a88146f05b1a58c41

Download Submit
C:\Program Files (x86)\Vaauudix\Ms9bxoaNHo7taP.x64.dll

Filesize
677KB

MD5
559f3754adb3a564c32be61f6993c5ae

SHA1
00dd27145b132f5c14c8e5883bf083cc74e98e3d

SHA256
b391808c2af840e994f2891593caa1d4b61b2620d7e51be9b341e4e4e437654b

SHA512
4ece92cf994f98d4f61222c76cdbafe2b6990f025b6254a39a711c463d9c362211bdfb55d1f28e7a5027a135051c0a2aa957075a2ad1efabf73b68ac6db9e748

Download Submit
C:\Program Files (x86)\Vaauudix\Ms9bxoaNHo7taP.x64.dll

Filesize
677KB

MD5
559f3754adb3a564c32be61f6993c5ae

SHA1
00dd27145b132f5c14c8e5883bf083cc74e98e3d

SHA256
b391808c2af840e994f2891593caa1d4b61b2620d7e51be9b341e4e4e437654b

SHA512
4ece92cf994f98d4f61222c76cdbafe2b6990f025b6254a39a711c463d9c362211bdfb55d1f28e7a5027a135051c0a2aa957075a2ad1efabf73b68ac6db9e748

Download Submit
C:\Program Files (x86)\Vaauudix\Ms9bxoaNHo7taP.x64.dll

Filesize
677KB

MD5
559f3754adb3a564c32be61f6993c5ae

SHA1
00dd27145b132f5c14c8e5883bf083cc74e98e3d

SHA256
b391808c2af840e994f2891593caa1d4b61b2620d7e51be9b341e4e4e437654b

SHA512
4ece92cf994f98d4f61222c76cdbafe2b6990f025b6254a39a711c463d9c362211bdfb55d1f28e7a5027a135051c0a2aa957075a2ad1efabf73b68ac6db9e748

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS717B.tmp\C00IjrPQkWwC3Ld.dat

Filesize
6KB

MD5
92305aeb5805ea1e1bdc2ecc3adb7c5e

SHA1
ec5576baa7c63d34b4f88c6c40e5748038a7a239

SHA256
ab9d1ccc533ae70ff93cbd49d36af12405ccfa336843d6b7a161f4ba2c5d4210

SHA512
8b66612fbac6b341aa15fb025b4680a8995d28bd3e8129c6c4d473e80262ffe744c0357189ec03b7980f9dc265b3d18c99739849b4602733fe84c480302c3b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS717B.tmp\C00IjrPQkWwC3Ld.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS717B.tmp\C00IjrPQkWwC3Ld.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS717B.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS717B.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
b219195ac80cb688769733103774965e

SHA1
b0dbdd4248092c8392e39ea28edecc9a776255db

SHA256
b9a0b83639b2894565a2860c4b36f6385b86dc01b45ab2ac424812d184d9c833

SHA512
7f02f35c0179867a87f34fdd6b23ce3569e8c9645033870561150da0ba97746e661d94d9c5a9cdfecddd71a02cbb9da417361612b5c0788581f3389c2e77e0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS717B.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
4e219be49912d36bdc09cab3255dc339

SHA1
d3cf48c4ce205941ccb7109390a0e3b9dc66cf05

SHA256
1aad544c493879c69e4e63b4bab64203f1f94442526e6c61ba5e1ab34b6d1015

SHA512
c248d5b2cf66c72565a9c4b4f18455c8e485ae689196244a8d787d6ad2aab96d8d2609bbe0507798fae173dae16f41baffa031ef2a25c61626c0f185a94a7ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS717B.tmp\[email protected]\install.rdf

Filesize
600B

MD5
2e21fbc7291cb25be62926872cf884ff

SHA1
fdab593ff55303f5c8fd5cb44b1529b2eac8c6ae

SHA256
75a8b83350b4ec9f717bb6e1374f37692f95f4431de590ca568565cceee1f319

SHA512
da9a876946199d8d8c6424ce419a3ee5329e563c50273efb19161f72b07562a6f73893390d77c78c9824b2571aabbfbeb0944e85018f95d714d4fc60ab10ad8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS717B.tmp\Ms9bxoaNHo7taP.dll

Filesize
552KB

MD5
f18ccfc924270205b4866c4d6449b885

SHA1
78f8140fec756185048617b18ffa8ef790310b91

SHA256
b65ab4176e71be5e138f8caed5cd0192bd59e474be9a9a09da7375cc08a21587

SHA512
034000e67480d6088119f630cc953218bf438b20c9f5283ca2afd0b81406ea34c0d437c1ff8a34a97157c85a42488930760dc7fc2865e27a88146f05b1a58c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS717B.tmp\Ms9bxoaNHo7taP.tlb

Filesize
3KB

MD5
cf57859d4870e1907e52503d4ffcbb7c

SHA1
fb0b87195347f8274e3fa046e0a34c3e57ff1e35

SHA256
273641220fdd65602a2c7034d5365af6fae6fdf5dd78a3f9a0d7c773f4ee7e40

SHA512
955523e6e85438857bddcb7be29f675643855f28ef3600e8b93e6dbb94c5ae961c0dd0f68cb2ae351df52843ccdf919aeb2b62be711180379617fa9b9463f394

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS717B.tmp\Ms9bxoaNHo7taP.x64.dll

Filesize
677KB

MD5
559f3754adb3a564c32be61f6993c5ae

SHA1
00dd27145b132f5c14c8e5883bf083cc74e98e3d

SHA256
b391808c2af840e994f2891593caa1d4b61b2620d7e51be9b341e4e4e437654b

SHA512
4ece92cf994f98d4f61222c76cdbafe2b6990f025b6254a39a711c463d9c362211bdfb55d1f28e7a5027a135051c0a2aa957075a2ad1efabf73b68ac6db9e748

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS717B.tmp\kljepbefoeognpbckbcjkilmolkgdbfa\bHsHdb.js

Filesize
5KB

MD5
bf023e8e973b752d95b962c243f1b508

SHA1
0778bd0109d108882b23ee561b5eaa9a1e4e5872

SHA256
e48540f266795a3afaf4dde6fba7eef3d818f861f859de2631a251b6d86bfec7

SHA512
644d9e7142fda2b370a3c253decee188ba06ed173b59388749039e9e6fbc2e94ed311693d4a4117decfa5ccbc1fc40bb08f6d045c92d627f7ca1d9ba5ea2ac6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS717B.tmp\kljepbefoeognpbckbcjkilmolkgdbfa\background.html

Filesize
143B

MD5
77b3eff0a7638d31a2401c97599407ff

SHA1
f8a14eb1e3c419f9047fbb336587ecabb0efb2d8

SHA256
2e4fa7c2c40c1e7415c85624257a685d516fc65ade71cb02dad0127064f468e1

SHA512
cafc9c09dd054689c0afeaf23113dcdcf96b5331c3d792f3c8e090c30f6cd8d6d546cf97c41473fc10a1eff24767dc06d9d839f420c2adedeea01cf46d74fd84

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS717B.tmp\kljepbefoeognpbckbcjkilmolkgdbfa\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS717B.tmp\kljepbefoeognpbckbcjkilmolkgdbfa\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS717B.tmp\kljepbefoeognpbckbcjkilmolkgdbfa\manifest.json

Filesize
500B

MD5
cb342329bc7943dbf8894b78600bb791

SHA1
5c2708cb4dfd423aa19b5eed633623b60af18c03

SHA256
fae472d5e9d0a093fab0aae92fb81c3c4abd445676ad2397ec1064df4eaa2232

SHA512
585ff5c380afd8b76e2239ac615b2dec11e4fff8d2b60049db87632e189188d3462168c84b813eff6f4e603e88e9539d77d6a015ac2c58e5e606ec6defc9392c

Download Submit