46e8adf87c4249e1cfe61f679f8ffcf9ce7ff1c12240a8cbd468870b8e43949f

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/12/2023, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6c4b7a2fc5d006058bc89f1351741c9.exe
Size

250KB
MD5

f6c4b7a2fc5d006058bc89f1351741c9
SHA1

24e9d4d6f019921b36a784889585f046b9415ee5
SHA256

46e8adf87c4249e1cfe61f679f8ffcf9ce7ff1c12240a8cbd468870b8e43949f
SHA512

98997d972256a519a1b2cbb7f6bc34c5361693a379efb96c3774ba4fd3be35022063e51a622bfe570238780b66a6b70f237b1bf0edbb8a135c3d7c6e9207e372
SSDEEP

6144:h1OgDPdkBAFZWjadD4s5LxcQjtc4qRD6d8pCQk:h1OgLdaOLxcBRmFQk

Score

7^/10

adware discovery spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2808	50f9678f802fe.exe

Loads dropped DLL 5 IoCs

pid	Process
1252	f6c4b7a2fc5d006058bc89f1351741c9.exe
2808	50f9678f802fe.exe
2808	50f9678f802fe.exe
2808	50f9678f802fe.exe
2808	50f9678f802fe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2808-80-0x0000000074D80000-0x0000000074D8A000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcpnfmojoflgmjjjnmddojbljfebbigi\1\manifest.json	50f9678f802fe.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}\ = "Download and Sa"	50f9678f802fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}\NoExplorer = "1"	50f9678f802fe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000015d57-33.dat	nsis_installer_1
behavioral1/files/0x0006000000015d57-33.dat	nsis_installer_2
behavioral1/files/0x0006000000015d57-34.dat	nsis_installer_1
behavioral1/files/0x0006000000015d57-34.dat	nsis_installer_2
behavioral1/files/0x0006000000015d57-30.dat	nsis_installer_1
behavioral1/files/0x0006000000015d57-30.dat	nsis_installer_2

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}\InProcServer32	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}\ProgID	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}\InProcServer32\ThreadingModel = "Apartment"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}\ProgID\ = "Download and Sa.1"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}\ = "Download and Sa"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Download and Sa\\50f9678f80335.tlb"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Download and Sa"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}\InProcServer32\ = "C:\\ProgramData\\Download and Sa\\50f9678f80335.dll"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	50f9678f802fe.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2808	1252	f6c4b7a2fc5d006058bc89f1351741c9.exe	16
PID 1252 wrote to memory of 2808	1252	f6c4b7a2fc5d006058bc89f1351741c9.exe	16
PID 1252 wrote to memory of 2808	1252	f6c4b7a2fc5d006058bc89f1351741c9.exe	16
PID 1252 wrote to memory of 2808	1252	f6c4b7a2fc5d006058bc89f1351741c9.exe	16
PID 1252 wrote to memory of 2808	1252	f6c4b7a2fc5d006058bc89f1351741c9.exe	16
PID 1252 wrote to memory of 2808	1252	f6c4b7a2fc5d006058bc89f1351741c9.exe	16
PID 1252 wrote to memory of 2808	1252	f6c4b7a2fc5d006058bc89f1351741c9.exe	16

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96} = "1"	50f9678f802fe.exe

C:\Users\Admin\AppData\Local\Temp\f6c4b7a2fc5d006058bc89f1351741c9.exe
"C:\Users\Admin\AppData\Local\Temp\f6c4b7a2fc5d006058bc89f1351741c9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\7zS9D0.tmp\50f9678f802fe.exe
  .\50f9678f802fe.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - System policy modification
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS9D0.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
7d2d22116753df1e9900d1707ffdcd7c

SHA1
8e06acbacf9850437683d56f1109f1b5339e7460

SHA256
170de5a79fd02ffb986d058d8929e77bb2e05a01df26760bc169751c9f53c92c

SHA512
ba73a7aa6ee1bd95bf2c89b9419fa0f384b041675bb9f7f9d814d9dec07879074e6d49bb0634ea114f0782b51525094b0abb97c4fffd2a23d09838475fe143d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9D0.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
2790646675e356d177debceb93b48d76

SHA1
92c1dc35225ae00eeb443d8b08999c2dec5f76ca

SHA256
1992dd81e06dd9a6df35cc1d00abec34f58d8e433a3c8833cb7602206ac21b6c

SHA512
ad38532ec8704e54eb06e0f8505abe8cbfd0b83d58281bfcbfb5184180d05bcfdbce35cb43af20b9586d535bb6f81f37b38c822ff354c5ef199e6e895108b6cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9D0.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
20502f649785f75e1d24c5a54178c9eb

SHA1
7fb79238a11ef8e58f8409ac0e5d4d8aba6ff2c9

SHA256
957dbb0c80321c0af65fb11b3551aee350c009b3cf4333f859d4189bd5b34fd1

SHA512
fc97a4f2c1f80af9c6b71654e94506bfca8d34e855fae55b1011e735d2658d3a43cec7bbdc1f1129393d37d12f42183e815531218217a0edc6abd46514dc9cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9D0.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
f7f4de47e7662983768d795675e15939

SHA1
48ba622bd1a6e70debbc4e0796a52048d3029997

SHA256
e4f56360c9277a01f24c2d6ba5843f7a63414fb1e025826052d0569336090735

SHA512
5b69507863de2363653a3c4ce3a071a13cc5aef5b96088f2f5dbf61ff05c32d80c5983f2b8719f8e1d79be9dfc1c82c1ec59bffe03a95932c2ed3d08686c196c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9D0.tmp\[email protected]\install.rdf

Filesize
718B

MD5
a18ddad43c2341558f7902bd8e9e5203

SHA1
3292fa4e39bc75577c8ee4fbaa5ddfd0d252f81f

SHA256
6077ab4d72d9b2935f2b85b2ee254ae221b9c640017205d5140bcc4a17afd628

SHA512
5ae087ea863a457503dff33918100f5eadcc98d5474c5da4fc3818be3ccedbf0d9c2f4a6a5bb49a8d805a76161416ff87fa6758ed9ac61939089e0b6acf828f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9D0.tmp\50f9678f802fe.exe

Filesize
17KB

MD5
189c94a020fe1711b0869ea67c977287

SHA1
2b1d607d08e0b64d43d576adbf121037beebf270

SHA256
bbf198950d345d00a9b1f5fa7100111ada37e273d59eba3aa4c60a47c101e404

SHA512
e9dd95acd991478fa3735fbf0b895bc6f686256fdaa2d26c146807e9489a7c887eeed357503be567ecb235f53a008f36a7c1bd1e93ab06c2f019967bcce949ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9D0.tmp\50f9678f802fe.exe

Filesize
65KB

MD5
ab1e64c639cf8c5a16ffd9a6f464238e

SHA1
95970153ce649e203f5b95eea5b0feb4702ca16b

SHA256
4956ee9fab68bbb4ff085198619bb1214a386def50942095199a752c5ed5106b

SHA512
73bd966bd80707517d52591b036985c5f101e37132084dd605332d7cc21db3af51cd2b5b1fdbe8514805fdd6f41c9e1d96aba41bff02c97f359312cd20e8339e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9D0.tmp\dcpnfmojoflgmjjjnmddojbljfebbigi\50f9678f801260.48419320.js

Filesize
4KB

MD5
4a32a7a2494ae26495370f45e88e4117

SHA1
273d478faa99a260b72df306d2d747a535ff756c

SHA256
cd57e172625ab3179fd44fc58fd9918576a05820a781f1b40263ffdebec48088

SHA512
8f024e270da8dc093083fe937ed25d042aed87bbf6f0dc293d2d2a0a7f50647b7e86173563ecc8207d61551415e110d120f40959f5a50759f03522a7f1eae60d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS9D0.tmp\50f9678f802fe.exe

Filesize
71KB

MD5
b78633fae8aaf5f7e99e9c736f44f9c5

SHA1
26fc60e29c459891ac0909470ac6c61a1eca1544

SHA256
d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22

SHA512
3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

Download Submit
\Users\Admin\AppData\Local\Temp\nsdA10.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
memory/2808-80-0x0000000074D80000-0x0000000074D8A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads