Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2022 06:55
- Static task: static1
- Behavioral task: behavioral1
  Sample: 14a82e2336f0d8f064eaef68352653dd291c179b562e4e3316c7d4dd0dbdf69e.exe
  Resource: win7-20221111-en
General
- Target: 14a82e2336f0d8f064eaef68352653dd291c179b562e4e3316c7d4dd0dbdf69e.exe
- Size: 2.1MB
- MD5: a45c86d5a87d4faa5d2f2932633d8986
- SHA1: cdc03c3802d6cab20afd1b364623a9ef64a6f257
- SHA256: 14a82e2336f0d8f064eaef68352653dd291c179b562e4e3316c7d4dd0dbdf69e
- SHA512: 28edb77a28e1ed8965053078a6e555f67dd1b0a363616c9fddc7209c671e9cfd4883de94bd5f9f0fe077283047dc5797aa3989c63ab06e76533102aec515c37d
- SSDEEP: 49152:h1Os2NQToNVxbNrInKtDSwSm7CXH9e7RSlSAn5RjFdzgD20XrXTy:h1OhNQUNVxNpSmGX9FdsD20X6
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    3136  yO0pqZSd7JD1hgn.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
    3136  yO0pqZSd7JD1hgn.exe
    4984  regsvr32.exe
    4988  regsvr32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension (5 IoCs)
  Processes (description, ioc, process):
    File created  C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\bogkdjcdclkdniabkibpijpmkgocbmef\200\manifest.json  yO0pqZSd7JD1hgn.exe
    File created  C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bogkdjcdclkdniabkibpijpmkgocbmef\200\manifest.json  yO0pqZSd7JD1hgn.exe
    File created  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bogkdjcdclkdniabkibpijpmkgocbmef\200\manifest.json  yO0pqZSd7JD1hgn.exe
    File created  C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bogkdjcdclkdniabkibpijpmkgocbmef\200\manifest.json  yO0pqZSd7JD1hgn.exe
    File created  C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bogkdjcdclkdniabkibpijpmkgocbmef\200\manifest.json  yO0pqZSd7JD1hgn.exe
- Installs/modifies Browser Helper Object (2 TTPs, 9 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes (description, ioc, process):
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}  yO0pqZSd7JD1hgn.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects  yO0pqZSd7JD1hgn.exe
    Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\  yO0pqZSd7JD1hgn.exe
    Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\  regsvr32.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}  yO0pqZSd7JD1hgn.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}  regsvr32.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}  regsvr32.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}  regsvr32.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects  regsvr32.exe
- Drops file in Program Files directory (8 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Program Files (x86)\BBrowser Shop\80gg5ZjzEPlreG.dat  yO0pqZSd7JD1hgn.exe
    File created  C:\Program Files (x86)\BBrowser Shop\80gg5ZjzEPlreG.x64.dll  yO0pqZSd7JD1hgn.exe
    File opened for modification  C:\Program Files (x86)\BBrowser Shop\80gg5ZjzEPlreG.x64.dll  yO0pqZSd7JD1hgn.exe
    File created  C:\Program Files (x86)\BBrowser Shop\80gg5ZjzEPlreG.dll  yO0pqZSd7JD1hgn.exe
    File opened for modification  C:\Program Files (x86)\BBrowser Shop\80gg5ZjzEPlreG.dll  yO0pqZSd7JD1hgn.exe
    File created  C:\Program Files (x86)\BBrowser Shop\80gg5ZjzEPlreG.tlb  yO0pqZSd7JD1hgn.exe
    File opened for modification  C:\Program Files (x86)\BBrowser Shop\80gg5ZjzEPlreG.tlb  yO0pqZSd7JD1hgn.exe
    File created  C:\Program Files (x86)\BBrowser Shop\80gg5ZjzEPlreG.dat  yO0pqZSd7JD1hgn.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    3136  yO0pqZSd7JD1hgn.exe
    3136  yO0pqZSd7JD1hgn.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
    PID 2672 wrote to memory of 3136  2672  14a82e2336f0d8f064eaef68352653dd291c179b562e4e3316c7d4dd0dbdf69e.exe  yO0pqZSd7JD1hgn.exe
    PID 2672 wrote to memory of 3136  2672  14a82e2336f0d8f064eaef68352653dd291c179b562e4e3316c7d4dd0dbdf69e.exe  yO0pqZSd7JD1hgn.exe
    PID 2672 wrote to memory of 3136  2672  14a82e2336f0d8f064eaef68352653dd291c179b562e4e3316c7d4dd0dbdf69e.exe  yO0pqZSd7JD1hgn.exe
    PID 3136 wrote to memory of 4984  3136  yO0pqZSd7JD1hgn.exe  regsvr32.exe
    PID 3136 wrote to memory of 4984  3136  yO0pqZSd7JD1hgn.exe  regsvr32.exe
    PID 3136 wrote to memory of 4984  3136  yO0pqZSd7JD1hgn.exe  regsvr32.exe
    PID 4984 wrote to memory of 4988  4984  regsvr32.exe  regsvr32.exe
    PID 4984 wrote to memory of 4988  4984  regsvr32.exe  regsvr32.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\14a82e2336f0d8f064eaef68352653dd291c179b562e4e3316c7d4dd0dbdf69e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\14a82e2336f0d8f064eaef68352653dd291c179b562e4e3316c7d4dd0dbdf69e.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7zS6304.tmp\yO0pqZSd7JD1hgn.exe
      Command line: .\yO0pqZSd7JD1hgn.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops Chrome extension
      - Installs/modifies Browser Helper Object
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\regsvr32.exe
         Command line: regsvr32.exe /s "C:\Program Files (x86)\BBrowser Shop\80gg5ZjzEPlreG.x64.dll"
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\regsvr32.exe
            Command line: /s "C:\Program Files (x86)\BBrowser Shop\80gg5ZjzEPlreG.x64.dll"
            - Loads dropped DLL
            - Installs/modifies Browser Helper Object
Downloads