2edc9da82504dd8491b1607ab8331da2ea24daef2fdb7f7dcfc170808e656c74

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2edc9da82504dd8491b1607ab8331da2ea24daef2fdb7f7dcfc170808e656c74.exe
Size

2.1MB
MD5

8239afab3dcce1c8a7c4ee4b2392e527
SHA1

bbfbf0a368b81beb1bebaa97524df5fcca9cb446
SHA256

2edc9da82504dd8491b1607ab8331da2ea24daef2fdb7f7dcfc170808e656c74
SHA512

608b6774cd93776e4e69b314dfe39bbf07b6712a726c4883ca1d19018b8d9648b8254d96283bf09cdf719c4f5d1996a1587c45b2ba60e8d3b518352fec48e837
SSDEEP

49152:h1OsuNQToNVxbNrInKtDSwSm7CXH9e77LP1C4bTMz/rwkFdhcoglXNRA:h1O7NQUNVxNpSmGXu7brFzw

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1352	wigJxvFcuXNEgPe.exe

Loads dropped DLL 4 IoCs

pid	Process
1600	2edc9da82504dd8491b1607ab8331da2ea24daef2fdb7f7dcfc170808e656c74.exe
1352	wigJxvFcuXNEgPe.exe
468	regsvr32.exe
1704	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghmdedjfhkppkfaokmfgnnngkeehnenb\3.7\manifest.json	wigJxvFcuXNEgPe.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghmdedjfhkppkfaokmfgnnngkeehnenb\3.7\manifest.json	wigJxvFcuXNEgPe.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghmdedjfhkppkfaokmfgnnngkeehnenb\3.7\manifest.json	wigJxvFcuXNEgPe.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	wigJxvFcuXNEgPe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	wigJxvFcuXNEgPe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	wigJxvFcuXNEgPe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	wigJxvFcuXNEgPe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	wigJxvFcuXNEgPe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\wwebesavE\RE571hYUuhAupz.dat	wigJxvFcuXNEgPe.exe
File opened for modification	C:\Program Files (x86)\wwebesavE\RE571hYUuhAupz.dat	wigJxvFcuXNEgPe.exe
File created	C:\Program Files (x86)\wwebesavE\RE571hYUuhAupz.x64.dll	wigJxvFcuXNEgPe.exe
File opened for modification	C:\Program Files (x86)\wwebesavE\RE571hYUuhAupz.x64.dll	wigJxvFcuXNEgPe.exe
File created	C:\Program Files (x86)\wwebesavE\RE571hYUuhAupz.dll	wigJxvFcuXNEgPe.exe
File opened for modification	C:\Program Files (x86)\wwebesavE\RE571hYUuhAupz.dll	wigJxvFcuXNEgPe.exe
File created	C:\Program Files (x86)\wwebesavE\RE571hYUuhAupz.tlb	wigJxvFcuXNEgPe.exe
File opened for modification	C:\Program Files (x86)\wwebesavE\RE571hYUuhAupz.tlb	wigJxvFcuXNEgPe.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1352	wigJxvFcuXNEgPe.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1352	1600	2edc9da82504dd8491b1607ab8331da2ea24daef2fdb7f7dcfc170808e656c74.exe	27
PID 1600 wrote to memory of 1352	1600	2edc9da82504dd8491b1607ab8331da2ea24daef2fdb7f7dcfc170808e656c74.exe	27
PID 1600 wrote to memory of 1352	1600	2edc9da82504dd8491b1607ab8331da2ea24daef2fdb7f7dcfc170808e656c74.exe	27
PID 1600 wrote to memory of 1352	1600	2edc9da82504dd8491b1607ab8331da2ea24daef2fdb7f7dcfc170808e656c74.exe	27
PID 1352 wrote to memory of 468	1352	wigJxvFcuXNEgPe.exe	28
PID 1352 wrote to memory of 468	1352	wigJxvFcuXNEgPe.exe	28
PID 1352 wrote to memory of 468	1352	wigJxvFcuXNEgPe.exe	28
PID 1352 wrote to memory of 468	1352	wigJxvFcuXNEgPe.exe	28
PID 1352 wrote to memory of 468	1352	wigJxvFcuXNEgPe.exe	28
PID 1352 wrote to memory of 468	1352	wigJxvFcuXNEgPe.exe	28
PID 1352 wrote to memory of 468	1352	wigJxvFcuXNEgPe.exe	28
PID 468 wrote to memory of 1704	468	regsvr32.exe	29
PID 468 wrote to memory of 1704	468	regsvr32.exe	29
PID 468 wrote to memory of 1704	468	regsvr32.exe	29
PID 468 wrote to memory of 1704	468	regsvr32.exe	29
PID 468 wrote to memory of 1704	468	regsvr32.exe	29
PID 468 wrote to memory of 1704	468	regsvr32.exe	29
PID 468 wrote to memory of 1704	468	regsvr32.exe	29

C:\Users\Admin\AppData\Local\Temp\2edc9da82504dd8491b1607ab8331da2ea24daef2fdb7f7dcfc170808e656c74.exe
"C:\Users\Admin\AppData\Local\Temp\2edc9da82504dd8491b1607ab8331da2ea24daef2fdb7f7dcfc170808e656c74.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\7zS10D3.tmp\wigJxvFcuXNEgPe.exe
  .\wigJxvFcuXNEgPe.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\wwebesavE\RE571hYUuhAupz.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\wwebesavE\RE571hYUuhAupz.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\wwebesavE\RE571hYUuhAupz.dat

Filesize
6KB

MD5
65a0ed27f6a546941aaf8306cb90611c

SHA1
068291b8bcf3edf3d2e8070928dba1c0a3b190da

SHA256
c4a9d6fe28d470546975bf95b604e1614489a310cefacc0890e46be9f9529847

SHA512
2c8fc92756ae52a13a1de14496a0cf9395b05b2f82a97e12b37cf0fc793ee462d47a78a51dfda70afdf92ccc1ee472bd43ac80bcafe8d5fdb69a2c955447cf6d

Download Submit
C:\Program Files (x86)\wwebesavE\RE571hYUuhAupz.x64.dll

Filesize
677KB

MD5
129bfecce3a827676fe29ce868d7fcec

SHA1
299297b7ec7a4a208984f87a273d7cac0661b5f3

SHA256
79b304ba4cbe1e697ec94eb0fec53dcc0f01c3f3e254fd8878e070d01e1d5cb9

SHA512
2b0023b950deadf1fbb08459da531fdadc65a29a1f0afa4f012fd373aa7747f81f17c229ea340ba3c12b885b3e19a9d16db15f6baffe3f757341136fd6c1293f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10D3.tmp\RE571hYUuhAupz.dll

Filesize
546KB

MD5
8d04d29dc0047df1bf4e2dbff3ce9767

SHA1
22d58c15ba11a18e2cbda0b42cae396a0e7987f0

SHA256
e9601e309166bcf5639c6a56d4225a0d0e0963ec5e3de7d7d1aa4f96b431f539

SHA512
d3158327ed65a62531a0651495c13960fd59bb5e6244f0dd6b2a79205a8c981fc9918552d9e0a8c40685d66cd69db1c7e0784fc6963412f53ca9420a25b9017b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10D3.tmp\RE571hYUuhAupz.tlb

Filesize
3KB

MD5
cf57859d4870e1907e52503d4ffcbb7c

SHA1
fb0b87195347f8274e3fa046e0a34c3e57ff1e35

SHA256
273641220fdd65602a2c7034d5365af6fae6fdf5dd78a3f9a0d7c773f4ee7e40

SHA512
955523e6e85438857bddcb7be29f675643855f28ef3600e8b93e6dbb94c5ae961c0dd0f68cb2ae351df52843ccdf919aeb2b62be711180379617fa9b9463f394

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10D3.tmp\RE571hYUuhAupz.x64.dll

Filesize
677KB

MD5
129bfecce3a827676fe29ce868d7fcec

SHA1
299297b7ec7a4a208984f87a273d7cac0661b5f3

SHA256
79b304ba4cbe1e697ec94eb0fec53dcc0f01c3f3e254fd8878e070d01e1d5cb9

SHA512
2b0023b950deadf1fbb08459da531fdadc65a29a1f0afa4f012fd373aa7747f81f17c229ea340ba3c12b885b3e19a9d16db15f6baffe3f757341136fd6c1293f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10D3.tmp\ghmdedjfhkppkfaokmfgnnngkeehnenb\background.html

Filesize
140B

MD5
f80f1da9e01c22bb1f15387c0c5463f3

SHA1
4bbbab83140f0d851b1638f8cdbe053240bd13c7

SHA256
8bce3f698e0e34cf41de9e70c74ccc9debdb6479d84465496f083c8c4b4b1950

SHA512
0b62e4c31b7a0667dd8c4e20ee871a99e00e9166cc96173edb2977eea5dc7e507358fb04ffbc03c37bae55567def0a24c015ccce264c8d3d92e3e5c66e5ea65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10D3.tmp\ghmdedjfhkppkfaokmfgnnngkeehnenb\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10D3.tmp\ghmdedjfhkppkfaokmfgnnngkeehnenb\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10D3.tmp\ghmdedjfhkppkfaokmfgnnngkeehnenb\manifest.json

Filesize
501B

MD5
29b726e59e66dbdfe5c4cdf74f9d2a08

SHA1
f615d8628891169c5aa69b97e58c8f45d44629e1

SHA256
c13cff8d23f2e11b6797285b8f85c3d0af86c2a4642681d2445063510cac3aaf

SHA512
5d589c07ef12d81f0d34930cdd782849b77ccfe8002b8613047356d435a9758cd3be00075327e92645717ed9a1a8e4b234aad7a313072a714cfe52b30900da26

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10D3.tmp\ghmdedjfhkppkfaokmfgnnngkeehnenb\pIo.js

Filesize
5KB

MD5
7646697a85f7b1cd89f815e3292ac8e7

SHA1
abc6c0be67f3562d290b3731e2ea3c310411c385

SHA256
ea3446c904e4512a48085c541fa38c048b3b382bed695c853249e0404ac3d340

SHA512
17bf9f230f88816934f9e9d25a07ca1e001e53d7f1b8ffc43d616cb20b6699c3616ce0e1a40f72b6728b56f0e4ff77e091ecd1345cc542dcdfcb385f91c38c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10D3.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10D3.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
a762d69aefa67a59fc70120f0fe522d0

SHA1
1a4f8c33829d45797ee18f11136bf8b8aa3248c6

SHA256
2256bfa67d713fbe5ce0399ae8964970d7ad7a9b7e9d2da8933fb2bc2cea0ef5

SHA512
d897a575f524b2b401b835782bef8871ae02f8405c97a4abda40a0d72ffbbeddf9bf8042ab98693a8cf15270d69cb0dee6664682c1e3f527fdd7ef889ab978d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10D3.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
b9c601dc4b9739af0cd45c1454d6c497

SHA1
176acb2c036715fdb9a353f7ffc4d7e24a2079c4

SHA256
ba28eefdb8101a35f82dff29cfd2abc450f135777d87a274c02c3e5b3da43064

SHA512
8c5c0c49b8fa87b470a973f20ad1083f31cad5d7ba913ae6c86c1b343ea7d754672f08d6df38b5c881e97c80f0b02915458f26447e8a0b8a0892dc4fe718999f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10D3.tmp\[email protected]\install.rdf

Filesize
598B

MD5
51f2e6660e0bbb2e293b47b6d076de87

SHA1
43c30496c00146dcfd7b816e5057c5dde95304d5

SHA256
29e24ea9461f7c1ac7f75a89099fe79f301ca21035b2bdeb42a31869b597b651

SHA512
1b375d7108d052c1940f4e4e685588493a196a84cbb511c15ead682d09e44625e9e32e6d1f27b0720add2000fd0d7a0e79f8f7a8700b9cd0198af279e27f14cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10D3.tmp\wigJxvFcuXNEgPe.dat

Filesize
6KB

MD5
65a0ed27f6a546941aaf8306cb90611c

SHA1
068291b8bcf3edf3d2e8070928dba1c0a3b190da

SHA256
c4a9d6fe28d470546975bf95b604e1614489a310cefacc0890e46be9f9529847

SHA512
2c8fc92756ae52a13a1de14496a0cf9395b05b2f82a97e12b37cf0fc793ee462d47a78a51dfda70afdf92ccc1ee472bd43ac80bcafe8d5fdb69a2c955447cf6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10D3.tmp\wigJxvFcuXNEgPe.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS10D3.tmp\wigJxvFcuXNEgPe.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
\Program Files (x86)\wwebesavE\RE571hYUuhAupz.dll

Filesize
546KB

MD5
8d04d29dc0047df1bf4e2dbff3ce9767

SHA1
22d58c15ba11a18e2cbda0b42cae396a0e7987f0

SHA256
e9601e309166bcf5639c6a56d4225a0d0e0963ec5e3de7d7d1aa4f96b431f539

SHA512
d3158327ed65a62531a0651495c13960fd59bb5e6244f0dd6b2a79205a8c981fc9918552d9e0a8c40685d66cd69db1c7e0784fc6963412f53ca9420a25b9017b

Download Submit
\Program Files (x86)\wwebesavE\RE571hYUuhAupz.x64.dll

Filesize
677KB

MD5
129bfecce3a827676fe29ce868d7fcec

SHA1
299297b7ec7a4a208984f87a273d7cac0661b5f3

SHA256
79b304ba4cbe1e697ec94eb0fec53dcc0f01c3f3e254fd8878e070d01e1d5cb9

SHA512
2b0023b950deadf1fbb08459da531fdadc65a29a1f0afa4f012fd373aa7747f81f17c229ea340ba3c12b885b3e19a9d16db15f6baffe3f757341136fd6c1293f

Download Submit
\Program Files (x86)\wwebesavE\RE571hYUuhAupz.x64.dll

Filesize
677KB

MD5
129bfecce3a827676fe29ce868d7fcec

SHA1
299297b7ec7a4a208984f87a273d7cac0661b5f3

SHA256
79b304ba4cbe1e697ec94eb0fec53dcc0f01c3f3e254fd8878e070d01e1d5cb9

SHA512
2b0023b950deadf1fbb08459da531fdadc65a29a1f0afa4f012fd373aa7747f81f17c229ea340ba3c12b885b3e19a9d16db15f6baffe3f757341136fd6c1293f

Download Submit
\Users\Admin\AppData\Local\Temp\7zS10D3.tmp\wigJxvFcuXNEgPe.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
memory/468-73-0x0000000000000000-mapping.dmp

Download
memory/1352-56-0x0000000000000000-mapping.dmp

Download
memory/1600-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1704-77-0x0000000000000000-mapping.dmp

Download
memory/1704-78-0x000007FEFB781000-0x000007FEFB783000-memory.dmp

Filesize
8KB

Download