2e7ac0335c885165e08843a9f98215e56675f3a7b9f7c2482568528fa93173fa

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 19:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

39b57491ea23d9d883688d426df69ee0.exe
Size

250KB
MD5

39b57491ea23d9d883688d426df69ee0
SHA1

4ee4a6fab08873a550729995a1eb355b9b505ceb
SHA256

2e7ac0335c885165e08843a9f98215e56675f3a7b9f7c2482568528fa93173fa
SHA512

207686867a59dac741ff2e8c3e2db7dc48280bb553206ac3be1bc086014579468567051795d6f33202dc5fd48fad551af5a66de7987aa6956ded5f6a9dc4c5b2
SSDEEP

6144:h1OgDPdkBAFZWjadD4s5t67HxQ7GdBLmdm39Jc52:h1OgLdaOCHx0GfLm0tJd

Score

7^/10

adware discovery spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2748	51113f32a9f2a.exe

Loads dropped DLL 5 IoCs

pid	Process
1056	39b57491ea23d9d883688d426df69ee0.exe
2748	51113f32a9f2a.exe
2748	51113f32a9f2a.exe
2748	51113f32a9f2a.exe
2748	51113f32a9f2a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2748-87-0x0000000074F70000-0x0000000074F7A000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcgpijmfoefohlbodhamgajkoipfkdhc\1\manifest.json	51113f32a9f2a.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5A069D90-AA4F-56C9-306B-98C6D0835900}	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5A069D90-AA4F-56C9-306B-98C6D0835900}\ = "ADDICT-THING"	51113f32a9f2a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5A069D90-AA4F-56C9-306B-98C6D0835900}\NoExplorer = "1"	51113f32a9f2a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00060000000163d4-33.dat	nsis_installer_1
behavioral1/files/0x00060000000163d4-33.dat	nsis_installer_2

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5A069D90-AA4F-56C9-306B-98C6D0835900}\ = "ADDICT-THING"	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5A069D90-AA4F-56C9-306B-98C6D0835900}\ProgID\ = "ADDICT-THING.1"	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\ADDICT-THING"	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5A069D90-AA4F-56C9-306B-98C6D0835900}\InProcServer32\ThreadingModel = "Apartment"	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{5A069D90-AA4F-56C9-306B-98C6D0835900}\ProgID	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\ADDICT-THING\\51113f32a9f63.tlb"	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{5A069D90-AA4F-56C9-306B-98C6D0835900}\InProcServer32	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{5A069D90-AA4F-56C9-306B-98C6D0835900}	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5A069D90-AA4F-56C9-306B-98C6D0835900}\InProcServer32\ = "C:\\ProgramData\\ADDICT-THING\\51113f32a9f63.dll"	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	51113f32a9f2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	51113f32a9f2a.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2748	1056	39b57491ea23d9d883688d426df69ee0.exe	14
PID 1056 wrote to memory of 2748	1056	39b57491ea23d9d883688d426df69ee0.exe	14
PID 1056 wrote to memory of 2748	1056	39b57491ea23d9d883688d426df69ee0.exe	14
PID 1056 wrote to memory of 2748	1056	39b57491ea23d9d883688d426df69ee0.exe	14
PID 1056 wrote to memory of 2748	1056	39b57491ea23d9d883688d426df69ee0.exe	14
PID 1056 wrote to memory of 2748	1056	39b57491ea23d9d883688d426df69ee0.exe	14
PID 1056 wrote to memory of 2748	1056	39b57491ea23d9d883688d426df69ee0.exe	14

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	51113f32a9f2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5A069D90-AA4F-56C9-306B-98C6D0835900} = "1"	51113f32a9f2a.exe

C:\Users\Admin\AppData\Local\Temp\7zSBB4.tmp\51113f32a9f2a.exe
.\51113f32a9f2a.exe /s
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Modifies registry class
- System policy modification
PID:2748

C:\Users\Admin\AppData\Local\Temp\39b57491ea23d9d883688d426df69ee0.exe
"C:\Users\Admin\AppData\Local\Temp\39b57491ea23d9d883688d426df69ee0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSBB4.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
3845978dfc15d2da3240b47562984ed4

SHA1
048da97a8483f7ba8976625903590a022f459653

SHA256
3057dada90d8f27dcdc11a539a678960d77c576df1803b8bc6256b97fca0cf2b

SHA512
5884b384ad9cda49d352bb3c05df7631c0b6dcf66c5b7f4c76f381fe72dc1a4f58ff8c51b58022c436b6f422eab619c98c02bd4dcd62a102531ca5df000063c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBB4.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
a75ca54fdd14e97f0d76745441563592

SHA1
7b218c57c3fe8825cc61c95f4870712eecdf0004

SHA256
7400a50aa6614bc5d405937dd7df39d111abdfe7149bb3459000b615ab09f153

SHA512
4f5ef71befb90f8f6ffdf9cbdca647f9b059107c2340ab567ecbe62f70ac8a9725d0088f45e05b4c8254c8c7a98c5aa42f03a0cd9303b99ba86c2d167bb0d476

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBB4.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
1e93e3cb3bde7da182a7073165bac5fe

SHA1
b1a79a85e0010abd0414bc15749df8048ed30507

SHA256
4053e1b87c110462b583a69c046010e06017583420f98f752642c6c5263b0bad

SHA512
53bf902a25905a069acd8301b9c1b204880bd22d6f75a42824f516c3a6bd7103c979949c90b04c7e674c4052e457ffd899c8321f6879b53f55fb5381e6a24984

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBB4.tmp\51113f32a9f2a.exe

Filesize
71KB

MD5
b78633fae8aaf5f7e99e9c736f44f9c5

SHA1
26fc60e29c459891ac0909470ac6c61a1eca1544

SHA256
d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22

SHA512
3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBB4.tmp\settings.ini

Filesize
6KB

MD5
222037c179eec6ad7fbe876921370ca9

SHA1
221dd7dbf0f6eff1b3dadc719d89bd492055d873

SHA256
67a2a76892aadcbb61d0ee266ed5a85e159f3fa3fe20022bec0b863898da8146

SHA512
f2bd436532592e2d11d4f64785212ccae3ee66c51cdbe4ce538d7ddace9f9f65a4d83a0d16acb927a30165901730f691ceee78312a4d644345966259eb5da1af

Download Submit
\Users\Admin\AppData\Local\Temp\nsyC03.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
memory/2748-87-0x0000000074F70000-0x0000000074F7A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads