875e718f0fd587c0be9497158b9d76b53247ee7feea14ffeae77722017421389

Analysis

max time kernel
156s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

875e718f0fd587c0be9497158b9d76b53247ee7feea14ffeae77722017421389.exe
Size

2.0MB
MD5

e8b0a473c91d8a22e44ffd6033b06d3c
SHA1

ff148afd47dfdaa6d76ad193c09bfbc3cd3fbeb1
SHA256

875e718f0fd587c0be9497158b9d76b53247ee7feea14ffeae77722017421389
SHA512

a87b0857187bb13fb301ba7424403cb17c136f84e7dc82ebd7b0d69a8ed3f28f37849bc6a5c624117ad0176f44caafd9c2c030a4ce5a991b2135c51ff563c428
SSDEEP

49152:h1OsSNQToNVxbNrInKtDSwSm7CXH9e7B6cr7J30Ct40pTJ:h1OHNQUNVxNpSmGXMvxdtd

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2504	N8oyJjmUCrX6KuL.exe

Loads dropped DLL 3 IoCs

pid	Process
2504	N8oyJjmUCrX6KuL.exe
3028	regsvr32.exe
1508	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\enafkjcnbmmldoiildijoggigkjdnjbh\1.0\manifest.json	N8oyJjmUCrX6KuL.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\enafkjcnbmmldoiildijoggigkjdnjbh\1.0\manifest.json	N8oyJjmUCrX6KuL.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\enafkjcnbmmldoiildijoggigkjdnjbh\1.0\manifest.json	N8oyJjmUCrX6KuL.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\enafkjcnbmmldoiildijoggigkjdnjbh\1.0\manifest.json	N8oyJjmUCrX6KuL.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\enafkjcnbmmldoiildijoggigkjdnjbh\1.0\manifest.json	N8oyJjmUCrX6KuL.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	N8oyJjmUCrX6KuL.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	N8oyJjmUCrX6KuL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	N8oyJjmUCrX6KuL.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	N8oyJjmUCrX6KuL.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\YoutubeAdBlockee\Nnp5k1S1bcvXvF.tlb	N8oyJjmUCrX6KuL.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlockee\Nnp5k1S1bcvXvF.tlb	N8oyJjmUCrX6KuL.exe
File created	C:\Program Files (x86)\YoutubeAdBlockee\Nnp5k1S1bcvXvF.dat	N8oyJjmUCrX6KuL.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlockee\Nnp5k1S1bcvXvF.dat	N8oyJjmUCrX6KuL.exe
File created	C:\Program Files (x86)\YoutubeAdBlockee\Nnp5k1S1bcvXvF.x64.dll	N8oyJjmUCrX6KuL.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlockee\Nnp5k1S1bcvXvF.x64.dll	N8oyJjmUCrX6KuL.exe
File created	C:\Program Files (x86)\YoutubeAdBlockee\Nnp5k1S1bcvXvF.dll	N8oyJjmUCrX6KuL.exe
File opened for modification	C:\Program Files (x86)\YoutubeAdBlockee\Nnp5k1S1bcvXvF.dll	N8oyJjmUCrX6KuL.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2504	N8oyJjmUCrX6KuL.exe
2504	N8oyJjmUCrX6KuL.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 2504	3808	875e718f0fd587c0be9497158b9d76b53247ee7feea14ffeae77722017421389.exe	83
PID 3808 wrote to memory of 2504	3808	875e718f0fd587c0be9497158b9d76b53247ee7feea14ffeae77722017421389.exe	83
PID 3808 wrote to memory of 2504	3808	875e718f0fd587c0be9497158b9d76b53247ee7feea14ffeae77722017421389.exe	83
PID 2504 wrote to memory of 3028	2504	N8oyJjmUCrX6KuL.exe	84
PID 2504 wrote to memory of 3028	2504	N8oyJjmUCrX6KuL.exe	84
PID 2504 wrote to memory of 3028	2504	N8oyJjmUCrX6KuL.exe	84
PID 3028 wrote to memory of 1508	3028	regsvr32.exe	85
PID 3028 wrote to memory of 1508	3028	regsvr32.exe	85

C:\Users\Admin\AppData\Local\Temp\875e718f0fd587c0be9497158b9d76b53247ee7feea14ffeae77722017421389.exe
"C:\Users\Admin\AppData\Local\Temp\875e718f0fd587c0be9497158b9d76b53247ee7feea14ffeae77722017421389.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Users\Admin\AppData\Local\Temp\7zS9261.tmp\N8oyJjmUCrX6KuL.exe
  .\N8oyJjmUCrX6KuL.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdBlockee\Nnp5k1S1bcvXvF.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\YoutubeAdBlockee\Nnp5k1S1bcvXvF.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YoutubeAdBlockee\Nnp5k1S1bcvXvF.dat

Filesize
6KB

MD5
0080f928e53b7be3902c8bfcdd91dda2

SHA1
57f6efe834734dc2d957f39316c7cc2e6262acf9

SHA256
10bdf1f004d9faabd0b36f079a869821b9087dde987bb1effe13858d3c00b280

SHA512
00634b230ac9eeb6302d6a9d1c00e00b52ed742e6f70df25e90fc9fe0ac73013354ac6d7f9a994bd5b27a5a6b741305a26efd684f9b3594a17df93770d2f0f1a

Download Submit
C:\Program Files (x86)\YoutubeAdBlockee\Nnp5k1S1bcvXvF.dll

Filesize
500KB

MD5
7e61fef6948fc1aa1cb31d42b274cefb

SHA1
bff9450ed225c31548426c98ebcf6055ba7a2bb9

SHA256
05166d95acb90a6b9a539ef9aa864b86affc1099249dd1fda6e19ff88496ced9

SHA512
e48341eefdee739038faef21d1534d107635835540615f703f3f043ce7fc53f3c799f05edfe10571f2f0fd4174783007e57b47294b267224a42ea8c7fae61c0c

Download Submit
C:\Program Files (x86)\YoutubeAdBlockee\Nnp5k1S1bcvXvF.x64.dll

Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
C:\Program Files (x86)\YoutubeAdBlockee\Nnp5k1S1bcvXvF.x64.dll

Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
C:\Program Files (x86)\YoutubeAdBlockee\Nnp5k1S1bcvXvF.x64.dll

Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9261.tmp\N8oyJjmUCrX6KuL.dat

Filesize
6KB

MD5
0080f928e53b7be3902c8bfcdd91dda2

SHA1
57f6efe834734dc2d957f39316c7cc2e6262acf9

SHA256
10bdf1f004d9faabd0b36f079a869821b9087dde987bb1effe13858d3c00b280

SHA512
00634b230ac9eeb6302d6a9d1c00e00b52ed742e6f70df25e90fc9fe0ac73013354ac6d7f9a994bd5b27a5a6b741305a26efd684f9b3594a17df93770d2f0f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9261.tmp\N8oyJjmUCrX6KuL.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9261.tmp\N8oyJjmUCrX6KuL.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9261.tmp\Nnp5k1S1bcvXvF.dll

Filesize
500KB

MD5
7e61fef6948fc1aa1cb31d42b274cefb

SHA1
bff9450ed225c31548426c98ebcf6055ba7a2bb9

SHA256
05166d95acb90a6b9a539ef9aa864b86affc1099249dd1fda6e19ff88496ced9

SHA512
e48341eefdee739038faef21d1534d107635835540615f703f3f043ce7fc53f3c799f05edfe10571f2f0fd4174783007e57b47294b267224a42ea8c7fae61c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9261.tmp\Nnp5k1S1bcvXvF.tlb

Filesize
3KB

MD5
cf57859d4870e1907e52503d4ffcbb7c

SHA1
fb0b87195347f8274e3fa046e0a34c3e57ff1e35

SHA256
273641220fdd65602a2c7034d5365af6fae6fdf5dd78a3f9a0d7c773f4ee7e40

SHA512
955523e6e85438857bddcb7be29f675643855f28ef3600e8b93e6dbb94c5ae961c0dd0f68cb2ae351df52843ccdf919aeb2b62be711180379617fa9b9463f394

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9261.tmp\Nnp5k1S1bcvXvF.x64.dll

Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9261.tmp\enafkjcnbmmldoiildijoggigkjdnjbh\background.html

Filesize
138B

MD5
6ca1f3fddeec7313fa21a469a4c755d6

SHA1
6eedf483402befcfc5f6fd7a3024035e11f65323

SHA256
f7ff1a0b874563366f143b43ef597bb205748c382c88189a7c858561a60f0525

SHA512
6317b4b0b47a8afb028bd7f54efe9bc0f5ab5d9740e579daaa06269257b0ad680c13a807098156a01c0f763f095219a69fc88cda9608df0e1fef058af93dac24

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9261.tmp\enafkjcnbmmldoiildijoggigkjdnjbh\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9261.tmp\enafkjcnbmmldoiildijoggigkjdnjbh\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9261.tmp\enafkjcnbmmldoiildijoggigkjdnjbh\manifest.json

Filesize
508B

MD5
afeb7dd16fcfa8b7d4caf2bf52601488

SHA1
6b19b39d370c1e9df5ea7229a34420049fcb8d0c

SHA256
edc0f15863990121933f601faf1e1d437d187675433cb50baa99c1e3a5bbff8f

SHA512
4fb1e5b10aecd0fa36ae10f3406180824f6e7eba44bdfa8af35dbddead37869332fcaf8fe0f5644afaf9b6ed3faa0e6dba3b621e26a73ab9d37abe16c69bd0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9261.tmp\enafkjcnbmmldoiildijoggigkjdnjbh\t.js

Filesize
5KB

MD5
1e739e5b544ab567349e6a3bca025ccd

SHA1
9b3b3222e8e43e2f1999106137f0fd6513358689

SHA256
34c9e27d10088127b25fe41ddf73dfc01fd7f7cac06d72ee927275bbddb75a1e

SHA512
aa43d131c3efee8e6ac78bbe85ffc8f8f4f03a220739047dd6077e35ae2d28ad3bd071ac7195c9b06bd0106c5392f2403913f8629189033fe3fe4abc3539b980

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9261.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9261.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
8b0760cc63e872c6d6abb59763d94e87

SHA1
ccfdabc50decd07daee113d7d56ec073e9b40f10

SHA256
91a1462df4baf3d4ec4cfbaf8944f30b50d5100b58c2f47e8b2b4dcb8bee404a

SHA512
26b007ed20a1f49eb11f9e17cbc5775953ac9bd745fa8ca3ef53579e6610b326e12c1bc8359518c92e05a756548d3b734834ae6ee98c872077f4ef1eb02aa166

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9261.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
aecce3e7dc666163e60c7ac87f35b5cb

SHA1
896df6dcd848ec051002774e3b62b883d7bbbaf1

SHA256
27ffda2a46528ff3c13e8513b49c018cfb354dcce3d6cdd0557d6928fa95c96d

SHA512
e13d70727692f31ca8dd3b8b8d07a146e68054c7415317140b1e1f8d57de5f1cf587c7c794ba82e9fa02037746993f3a13caa59ecac7d667e1d5de759552b63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9261.tmp\[email protected]\install.rdf

Filesize
605B

MD5
d7c1a384d93b799c64933464605a4986

SHA1
c932ec907431ce79de65e7f9739ca1ba2628e63a

SHA256
787340ba8312485cdf0fffa7aa48c7db35c35d66890df66ee4df5490b2ce9127

SHA512
bc7e8ad19c922c69228825ec4c54e3219bc32dd0d987fca829675b5ae1cdaf8015a2d0f7348ff5a4f2e3c66085874a20d89803591a933966d9ca8d6a7ee309d8

Download Submit