bb78e6e217219f4e7f9189028ee6b7c29aec5e71f16a878a2d8d530a31b98432

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb78e6e217219f4e7f9189028ee6b7c29aec5e71f16a878a2d8d530a31b98432.exe
Size

2.1MB
MD5

6f85c766a77c792498fb1c792f154fc8
SHA1

6167541b7009b876bd130ad160ea434d4d60eaf4
SHA256

bb78e6e217219f4e7f9189028ee6b7c29aec5e71f16a878a2d8d530a31b98432
SHA512

4102d57ca492123b532849631079327917e708202c461bda11ba5a8d0aa790ca3ef576cb123bd0978425b64d83d416f8bca426457cbcdc3368644443854d91c8
SSDEEP

49152:h1Os5NQToNVxbNrInKtDSwSm7CXH9e7Y6JPvXiNjOFdzQJ20d1tT2:h1OQNQUNVxNpSmGXQlvXdkJ20dW

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1928	TFCMzZbYU92WGxi.exe

Loads dropped DLL 4 IoCs

pid	Process
1112	bb78e6e217219f4e7f9189028ee6b7c29aec5e71f16a878a2d8d530a31b98432.exe
1928	TFCMzZbYU92WGxi.exe
1788	regsvr32.exe
1732	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\edpmchcjpgkdciallafbnndhmelfheod\200\manifest.json	TFCMzZbYU92WGxi.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\edpmchcjpgkdciallafbnndhmelfheod\200\manifest.json	TFCMzZbYU92WGxi.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\edpmchcjpgkdciallafbnndhmelfheod\200\manifest.json	TFCMzZbYU92WGxi.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	TFCMzZbYU92WGxi.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	TFCMzZbYU92WGxi.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	TFCMzZbYU92WGxi.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	TFCMzZbYU92WGxi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	TFCMzZbYU92WGxi.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BrowseriShOp\mBElk1a8YMMhhE.tlb	TFCMzZbYU92WGxi.exe
File opened for modification	C:\Program Files (x86)\BrowseriShOp\mBElk1a8YMMhhE.tlb	TFCMzZbYU92WGxi.exe
File created	C:\Program Files (x86)\BrowseriShOp\mBElk1a8YMMhhE.dat	TFCMzZbYU92WGxi.exe
File opened for modification	C:\Program Files (x86)\BrowseriShOp\mBElk1a8YMMhhE.dat	TFCMzZbYU92WGxi.exe
File created	C:\Program Files (x86)\BrowseriShOp\mBElk1a8YMMhhE.x64.dll	TFCMzZbYU92WGxi.exe
File opened for modification	C:\Program Files (x86)\BrowseriShOp\mBElk1a8YMMhhE.x64.dll	TFCMzZbYU92WGxi.exe
File created	C:\Program Files (x86)\BrowseriShOp\mBElk1a8YMMhhE.dll	TFCMzZbYU92WGxi.exe
File opened for modification	C:\Program Files (x86)\BrowseriShOp\mBElk1a8YMMhhE.dll	TFCMzZbYU92WGxi.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1928	TFCMzZbYU92WGxi.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1928	1112	bb78e6e217219f4e7f9189028ee6b7c29aec5e71f16a878a2d8d530a31b98432.exe	28
PID 1112 wrote to memory of 1928	1112	bb78e6e217219f4e7f9189028ee6b7c29aec5e71f16a878a2d8d530a31b98432.exe	28
PID 1112 wrote to memory of 1928	1112	bb78e6e217219f4e7f9189028ee6b7c29aec5e71f16a878a2d8d530a31b98432.exe	28
PID 1112 wrote to memory of 1928	1112	bb78e6e217219f4e7f9189028ee6b7c29aec5e71f16a878a2d8d530a31b98432.exe	28
PID 1928 wrote to memory of 1788	1928	TFCMzZbYU92WGxi.exe	29
PID 1928 wrote to memory of 1788	1928	TFCMzZbYU92WGxi.exe	29
PID 1928 wrote to memory of 1788	1928	TFCMzZbYU92WGxi.exe	29
PID 1928 wrote to memory of 1788	1928	TFCMzZbYU92WGxi.exe	29
PID 1928 wrote to memory of 1788	1928	TFCMzZbYU92WGxi.exe	29
PID 1928 wrote to memory of 1788	1928	TFCMzZbYU92WGxi.exe	29
PID 1928 wrote to memory of 1788	1928	TFCMzZbYU92WGxi.exe	29
PID 1788 wrote to memory of 1732	1788	regsvr32.exe	30
PID 1788 wrote to memory of 1732	1788	regsvr32.exe	30
PID 1788 wrote to memory of 1732	1788	regsvr32.exe	30
PID 1788 wrote to memory of 1732	1788	regsvr32.exe	30
PID 1788 wrote to memory of 1732	1788	regsvr32.exe	30
PID 1788 wrote to memory of 1732	1788	regsvr32.exe	30
PID 1788 wrote to memory of 1732	1788	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\bb78e6e217219f4e7f9189028ee6b7c29aec5e71f16a878a2d8d530a31b98432.exe
"C:\Users\Admin\AppData\Local\Temp\bb78e6e217219f4e7f9189028ee6b7c29aec5e71f16a878a2d8d530a31b98432.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\7zSF316.tmp\TFCMzZbYU92WGxi.exe
  .\TFCMzZbYU92WGxi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\BrowseriShOp\mBElk1a8YMMhhE.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BrowseriShOp\mBElk1a8YMMhhE.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BrowseriShOp\mBElk1a8YMMhhE.dat

Filesize
6KB

MD5
47f2bc9544b9c025cec07fb6400701de

SHA1
ce5cbe97eb0678a5c83ef09a3a7427517c2afe11

SHA256
e39ac79077a28bd9373055c18171d2f325c2ac589846cf081ddf1a61ef7f11ef

SHA512
f496389733e1847c1ed8a306086c71e3867bd44f12f6d8bee6e19181d39177a02d3e10e090ffacc245e5dc03cf5105f97b708e3875f7b761616af74dc9df8853

Download Submit
C:\Program Files (x86)\BrowseriShOp\mBElk1a8YMMhhE.x64.dll

Filesize
681KB

MD5
0aedc14a24dfb1f5343720ba5e3a254c

SHA1
94f3775b263110cfce86952378a444e460222f0c

SHA256
d17f56e4c49f3318fc9e3f0bf5d8e76c46d30310d7d9a5fa2d295e785b0d11e5

SHA512
ddccc1a5c8e6129ffe150b0bab23b4c5e243bfa55db2e5b43d08fceed65eca128fca45bc0ce39741380a8d6abe950e16ba9f65d04311542bb2be1c27d2b9fa6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF316.tmp\TFCMzZbYU92WGxi.dat

Filesize
6KB

MD5
47f2bc9544b9c025cec07fb6400701de

SHA1
ce5cbe97eb0678a5c83ef09a3a7427517c2afe11

SHA256
e39ac79077a28bd9373055c18171d2f325c2ac589846cf081ddf1a61ef7f11ef

SHA512
f496389733e1847c1ed8a306086c71e3867bd44f12f6d8bee6e19181d39177a02d3e10e090ffacc245e5dc03cf5105f97b708e3875f7b761616af74dc9df8853

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF316.tmp\TFCMzZbYU92WGxi.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF316.tmp\TFCMzZbYU92WGxi.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF316.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF316.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
ec17f4edb15c45fa72adc19e02b69f42

SHA1
01c6b160266b84526eea55b1c4b940f883a0f9be

SHA256
2e258c02d7751a0e413ac9da1d341f68aace728260ae78334bf092710800a53e

SHA512
05a4576110b1df9f11376a4dd92b68212b58adb2cee601d543bc4a89cc31b608d73bda62d965eea4f2b0875d59c403f5f7c1d2c4b1c36a80cc9a6fe6a6b88c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF316.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
e5a1640e0d1ec303f3bcce173fec5056

SHA1
ab6e40bc7f03f2706df63115026beba073dceb12

SHA256
a8ae2cd7f99ef94745cef5a9db4631129b047c7e8e385e1668aeb1e073749e0a

SHA512
06dac1ac7867b7fa7db4ba88c7503cb72b3a481ef05f97661afa94a16c9c15514ca5509281db5ec0ffcb83f89184866604d91e553016742809db7412a8330fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF316.tmp\[email protected]\install.rdf

Filesize
600B

MD5
f5782d18fbb4314eacd191f75aa391f8

SHA1
36df4ccec18e614929a78c69c0816591f9b373d6

SHA256
731dd7b67c68060b7c4d55f76a4317e50d4a147f6d4146080abe1c8b3cd92e1d

SHA512
f10f31c2fe3b53b20990d085c0c9f5b6182a2b6c5ea0dd53aa68bd3a35ddb857b0387a3ff7520242f21bdd7af7dec6d4084439f5bb760a878561754edc210f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF316.tmp\edpmchcjpgkdciallafbnndhmelfheod\background.html

Filesize
146B

MD5
9a539b74c9ba81b142efd2dec3d644ea

SHA1
21576e8bb0de59ef182ff7f272895e74169bd761

SHA256
e02d8f851d6cc8e9deef0a006de2e05e5d8634a164bbbcff60859844e0be1250

SHA512
a212dd0a132997a28a3eb82c702f748eaeea526690940dbf2c1547400d40433c0d1832d34ae9ba1f7ccb9cc25c74c34cfa9f79dd9e2a43fb6a03321b89331e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF316.tmp\edpmchcjpgkdciallafbnndhmelfheod\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF316.tmp\edpmchcjpgkdciallafbnndhmelfheod\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF316.tmp\edpmchcjpgkdciallafbnndhmelfheod\manifest.json

Filesize
504B

MD5
308be78548635c0b83d23e731ad3696f

SHA1
fe7dccfb962c80effcd4eeb6fe544dfc4122330f

SHA256
29f46b0f747f2e8fdda5566eec8395ac2f41b19f511a430c9f627141cf71cf34

SHA512
b4070143a6690ceb5f0038f00bf5ca7b61e4a90061bc7a305ae2096e63664029358c1ce22dbf695812371a73f46d6ec6979992e6b4e5bdb5a55941f542e7bd84

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF316.tmp\edpmchcjpgkdciallafbnndhmelfheod\mrLfQayuX.js

Filesize
5KB

MD5
132613382a8f2bbee2aa4210c6f233c3

SHA1
e7bf88351b874959638ac7f8826fe2d24c6f9b9e

SHA256
f3ff17b3fd745c099182a5fbbfd00bba976293e1d2ae708c0ad28627970e6b4e

SHA512
a3b1f3325cc3ec82b2d891f3490537b615814daf7e21d6e69b5473cac50bf80bd0bc02474664ba9351519b640e7d4192f8ac2dbe7130c868ab0e84a7da1baa74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF316.tmp\mBElk1a8YMMhhE.dll

Filesize
552KB

MD5
29570893b7d3f496d9ff323ddfe8de61

SHA1
0bfb871926586b7d46df8f4241c1c142e685c758

SHA256
5be7a332329516e54aba72859b1078f5deb1b745e5ebde84703ee0fc050d8074

SHA512
44a95650c20a58c1e074ba00d663f50649a9b2e968a568380eec92f6e266fd0f6cebf0823e9424412f4f4f8af9313015da8a58beaa41af997a83f87d3ef6683f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF316.tmp\mBElk1a8YMMhhE.tlb

Filesize
3KB

MD5
cf57859d4870e1907e52503d4ffcbb7c

SHA1
fb0b87195347f8274e3fa046e0a34c3e57ff1e35

SHA256
273641220fdd65602a2c7034d5365af6fae6fdf5dd78a3f9a0d7c773f4ee7e40

SHA512
955523e6e85438857bddcb7be29f675643855f28ef3600e8b93e6dbb94c5ae961c0dd0f68cb2ae351df52843ccdf919aeb2b62be711180379617fa9b9463f394

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF316.tmp\mBElk1a8YMMhhE.x64.dll

Filesize
681KB

MD5
0aedc14a24dfb1f5343720ba5e3a254c

SHA1
94f3775b263110cfce86952378a444e460222f0c

SHA256
d17f56e4c49f3318fc9e3f0bf5d8e76c46d30310d7d9a5fa2d295e785b0d11e5

SHA512
ddccc1a5c8e6129ffe150b0bab23b4c5e243bfa55db2e5b43d08fceed65eca128fca45bc0ce39741380a8d6abe950e16ba9f65d04311542bb2be1c27d2b9fa6d

Download Submit
\Program Files (x86)\BrowseriShOp\mBElk1a8YMMhhE.dll

Filesize
552KB

MD5
29570893b7d3f496d9ff323ddfe8de61

SHA1
0bfb871926586b7d46df8f4241c1c142e685c758

SHA256
5be7a332329516e54aba72859b1078f5deb1b745e5ebde84703ee0fc050d8074

SHA512
44a95650c20a58c1e074ba00d663f50649a9b2e968a568380eec92f6e266fd0f6cebf0823e9424412f4f4f8af9313015da8a58beaa41af997a83f87d3ef6683f

Download Submit
\Program Files (x86)\BrowseriShOp\mBElk1a8YMMhhE.x64.dll

Filesize
681KB

MD5
0aedc14a24dfb1f5343720ba5e3a254c

SHA1
94f3775b263110cfce86952378a444e460222f0c

SHA256
d17f56e4c49f3318fc9e3f0bf5d8e76c46d30310d7d9a5fa2d295e785b0d11e5

SHA512
ddccc1a5c8e6129ffe150b0bab23b4c5e243bfa55db2e5b43d08fceed65eca128fca45bc0ce39741380a8d6abe950e16ba9f65d04311542bb2be1c27d2b9fa6d

Download Submit
\Program Files (x86)\BrowseriShOp\mBElk1a8YMMhhE.x64.dll

Filesize
681KB

MD5
0aedc14a24dfb1f5343720ba5e3a254c

SHA1
94f3775b263110cfce86952378a444e460222f0c

SHA256
d17f56e4c49f3318fc9e3f0bf5d8e76c46d30310d7d9a5fa2d295e785b0d11e5

SHA512
ddccc1a5c8e6129ffe150b0bab23b4c5e243bfa55db2e5b43d08fceed65eca128fca45bc0ce39741380a8d6abe950e16ba9f65d04311542bb2be1c27d2b9fa6d

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF316.tmp\TFCMzZbYU92WGxi.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
memory/1112-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/1732-78-0x000007FEFB831000-0x000007FEFB833000-memory.dmp

Filesize
8KB

Download