048205ff58f5da079e4ac98167d3d3ba8397a9f20ece36086b4f866489bafc8e

Analysis

max time kernel
133s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
27-05-2022 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

048205ff58f5da079e4ac98167d3d3ba8397a9f20ece36086b4f866489bafc8e.exe
Size

2.1MB
MD5

046b2d42e6b76dde97b91054239d20a0
SHA1

cd428923f2ce59a463fb94a737a2f4a8f0b7e793
SHA256

048205ff58f5da079e4ac98167d3d3ba8397a9f20ece36086b4f866489bafc8e
SHA512

993be80a9d987a7e5f609fe3420ea0afe2b33607d0a64542ddf9e671b4293a499d0fad377b7b192e918cff2bfa9907a1e52ffcc44fbc2284f2bd03e2827ecf90

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

GuJLy00M9hS2ARv.exe

pid process

3912 GuJLy00M9hS2ARv.exe
Loads dropped DLL 3 IoCs

Processes:

GuJLy00M9hS2ARv.exeregsvr32.exeregsvr32.exe

pid process

3912 GuJLy00M9hS2ARv.exe
4320 regsvr32.exe
3636 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3912	GuJLy00M9hS2ARv.exe

pid	process
3912	GuJLy00M9hS2ARv.exe
4320	regsvr32.exe
3636	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

GuJLy00M9hS2ARv.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonhdkjblefmgfiddjijfkffnjahgpjk\2.0\manifest.json	GuJLy00M9hS2ARv.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonhdkjblefmgfiddjijfkffnjahgpjk\2.0\manifest.json	GuJLy00M9hS2ARv.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonhdkjblefmgfiddjijfkffnjahgpjk\2.0\manifest.json	GuJLy00M9hS2ARv.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonhdkjblefmgfiddjijfkffnjahgpjk\2.0\manifest.json	GuJLy00M9hS2ARv.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonhdkjblefmgfiddjijfkffnjahgpjk\2.0\manifest.json	GuJLy00M9hS2ARv.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in Program Files directory 8 IoCs

Processes:

GuJLy00M9hS2ARv.exe

description	ioc	process
File created	C:\Program Files (x86)\GeOSSaveu\cMBo7agPSYRQOJ.dat	GuJLy00M9hS2ARv.exe
File opened for modification	C:\Program Files (x86)\GeOSSaveu\cMBo7agPSYRQOJ.dat	GuJLy00M9hS2ARv.exe
File created	C:\Program Files (x86)\GeOSSaveu\cMBo7agPSYRQOJ.x64.dll	GuJLy00M9hS2ARv.exe
File opened for modification	C:\Program Files (x86)\GeOSSaveu\cMBo7agPSYRQOJ.x64.dll	GuJLy00M9hS2ARv.exe
File created	C:\Program Files (x86)\GeOSSaveu\cMBo7agPSYRQOJ.dll	GuJLy00M9hS2ARv.exe
File opened for modification	C:\Program Files (x86)\GeOSSaveu\cMBo7agPSYRQOJ.dll	GuJLy00M9hS2ARv.exe
File created	C:\Program Files (x86)\GeOSSaveu\cMBo7agPSYRQOJ.tlb	GuJLy00M9hS2ARv.exe
File opened for modification	C:\Program Files (x86)\GeOSSaveu\cMBo7agPSYRQOJ.tlb	GuJLy00M9hS2ARv.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

048205ff58f5da079e4ac98167d3d3ba8397a9f20ece36086b4f866489bafc8e.exeGuJLy00M9hS2ARv.exeregsvr32.exe

description	pid	process	target process
PID 4652 wrote to memory of 3912	4652	048205ff58f5da079e4ac98167d3d3ba8397a9f20ece36086b4f866489bafc8e.exe	GuJLy00M9hS2ARv.exe
PID 4652 wrote to memory of 3912	4652	048205ff58f5da079e4ac98167d3d3ba8397a9f20ece36086b4f866489bafc8e.exe	GuJLy00M9hS2ARv.exe
PID 4652 wrote to memory of 3912	4652	048205ff58f5da079e4ac98167d3d3ba8397a9f20ece36086b4f866489bafc8e.exe	GuJLy00M9hS2ARv.exe
PID 3912 wrote to memory of 4320	3912	GuJLy00M9hS2ARv.exe	regsvr32.exe
PID 3912 wrote to memory of 4320	3912	GuJLy00M9hS2ARv.exe	regsvr32.exe
PID 3912 wrote to memory of 4320	3912	GuJLy00M9hS2ARv.exe	regsvr32.exe
PID 4320 wrote to memory of 3636	4320	regsvr32.exe	regsvr32.exe
PID 4320 wrote to memory of 3636	4320	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\048205ff58f5da079e4ac98167d3d3ba8397a9f20ece36086b4f866489bafc8e.exe
"C:\Users\Admin\AppData\Local\Temp\048205ff58f5da079e4ac98167d3d3ba8397a9f20ece36086b4f866489bafc8e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4652

C:\Users\Admin\AppData\Local\Temp\7zSE29.tmp\GuJLy00M9hS2ARv.exe
.\GuJLy00M9hS2ARv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GeOSSaveu\cMBo7agPSYRQOJ.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GeOSSaveu\cMBo7agPSYRQOJ.x64.dll"
4⤵
- Loads dropped DLL
PID:3636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GeOSSaveu\cMBo7agPSYRQOJ.dat
Filesize
6KB

MD5
db95636ce13344adbf6000fb3bd035a4

SHA1
8955a7c1e7da3e437c02fbc3d70247df70e42350

SHA256
34ec8e9c4c856c2868eb90552ca76b3a04345db0ff70b783dc81170c2fb74187

SHA512
3e48cef58874f3e1927ade2ec2151704bd9b7011303410c1ab8a7f97299c3f8673a5a32b87b5ca07462101fec4902a02f77f4220218c1ce27c8837ed37a7affa

Download Submit
C:\Program Files (x86)\GeOSSaveu\cMBo7agPSYRQOJ.dll
Filesize
618KB

MD5
f180a95d8673cd01ce4af0ff678fa099

SHA1
8592fe958436e14ef9ace437ac4445ecca22e35e

SHA256
d40aa49822621713e0f79f6c9a187468251fc22559cb1bbd6b5f71a94819eeb7

SHA512
3dda5f3133df4c00c03d8b3fb539b37e2e6b26d0384d3674cefa9595136f9eaa4b9d21c0e806a9ec3cfadfb782a30e344145abbf87bca813de056f84c6fb13c9

Download Submit
C:\Program Files (x86)\GeOSSaveu\cMBo7agPSYRQOJ.x64.dll
Filesize
695KB

MD5
2af06e7424e4f53fa8ee2b8daf4cdaa3

SHA1
0a09aa095e38211b8fc512d2e9f8f7cf12159a19

SHA256
81f98c4034227951bd4ad5e6d6a823bd112602f3550fd7066a01f16b8c8aca69

SHA512
6bcaa8998bd7971f41bebc8433be949cf48d98c0eb70c643b7b7a1b50d2b4cf66412efb170684f36f1987c1992ba88350f815ea18a3cf50caf8ce97bbb961b16

Download Submit
C:\Program Files (x86)\GeOSSaveu\cMBo7agPSYRQOJ.x64.dll
Filesize
695KB

MD5
2af06e7424e4f53fa8ee2b8daf4cdaa3

SHA1
0a09aa095e38211b8fc512d2e9f8f7cf12159a19

SHA256
81f98c4034227951bd4ad5e6d6a823bd112602f3550fd7066a01f16b8c8aca69

SHA512
6bcaa8998bd7971f41bebc8433be949cf48d98c0eb70c643b7b7a1b50d2b4cf66412efb170684f36f1987c1992ba88350f815ea18a3cf50caf8ce97bbb961b16

Download Submit
C:\Program Files (x86)\GeOSSaveu\cMBo7agPSYRQOJ.x64.dll
Filesize
695KB

MD5
2af06e7424e4f53fa8ee2b8daf4cdaa3

SHA1
0a09aa095e38211b8fc512d2e9f8f7cf12159a19

SHA256
81f98c4034227951bd4ad5e6d6a823bd112602f3550fd7066a01f16b8c8aca69

SHA512
6bcaa8998bd7971f41bebc8433be949cf48d98c0eb70c643b7b7a1b50d2b4cf66412efb170684f36f1987c1992ba88350f815ea18a3cf50caf8ce97bbb961b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE29.tmp\GuJLy00M9hS2ARv.dat
Filesize
6KB

MD5
db95636ce13344adbf6000fb3bd035a4

SHA1
8955a7c1e7da3e437c02fbc3d70247df70e42350

SHA256
34ec8e9c4c856c2868eb90552ca76b3a04345db0ff70b783dc81170c2fb74187

SHA512
3e48cef58874f3e1927ade2ec2151704bd9b7011303410c1ab8a7f97299c3f8673a5a32b87b5ca07462101fec4902a02f77f4220218c1ce27c8837ed37a7affa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE29.tmp\GuJLy00M9hS2ARv.exe
Filesize
634KB

MD5
bd1503d4eaae5e7f2a8cdbd9a88ec02a

SHA1
730280a7839bb46bdeeaa47797d926f8d57e1da1

SHA256
724380928512fc5261d5f42e64f7705fcdeae1410f24a8ec6b0a2ba783675cb4

SHA512
0dc06ce8e78f6b0ebbe65723791ea4ffde8a9d55534dda1b02e81f1a109fce77f26e4bdfb9fd18b5ca9f4d9ff2454e6b05eca325539148512f762b5d2f225c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE29.tmp\GuJLy00M9hS2ARv.exe
Filesize
634KB

MD5
bd1503d4eaae5e7f2a8cdbd9a88ec02a

SHA1
730280a7839bb46bdeeaa47797d926f8d57e1da1

SHA256
724380928512fc5261d5f42e64f7705fcdeae1410f24a8ec6b0a2ba783675cb4

SHA512
0dc06ce8e78f6b0ebbe65723791ea4ffde8a9d55534dda1b02e81f1a109fce77f26e4bdfb9fd18b5ca9f4d9ff2454e6b05eca325539148512f762b5d2f225c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE29.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE29.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
d1c530a76f94d6b7728c5e5f08b10ea5

SHA1
8ece310a49020976593827c668da6b86ff7175db

SHA256
e488e1c02b0f6f83a2aaec1af7464ef856f351ea4e6dc3435a3e22e9fe86438d

SHA512
4ff0fe2f6e52730c06685766dd90f8a4f4bae36b1e2f3148317bbb12cc323ae52fdc98b004d156a72f4789af6ad74f16c9c7bb599e9373fec128523f632f5d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE29.tmp\[email protected]\content\bg.js
Filesize
7KB

MD5
bf07e5473fb339778ffc809b8194392d

SHA1
8df159d64ca587b80d7be18036cc2a22fc01ecf3

SHA256
51b0068c2df5c53ba7f06ad0e772537c736c51cf53cf2073294749e1d9a7f35a

SHA512
ea764e4a31878a789ab217c6fa0fd2ae10c4f68d323b90d26378986edc72dcb7b29eb35b46b8fa285082e38b421cb43df9b76db0c482079d81a29a5b8e7d50d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE29.tmp\[email protected]\install.rdf
Filesize
598B

MD5
1c054c5fcb5bacfcf7250ad0b13ad589

SHA1
d7693c8188ef6147e7b6d7640b2596cfad1c0a99

SHA256
9bf8b50b9891e9adc321f09405224c4a008a8a80aa50c93fc6e0d0eb9801b891

SHA512
155a941135b01e5d619d330dfd5e6384759ba5dc8bb7124ba5a1dd62d7d7f40edf7eeff02440579f241b9dae576199c1f9ca667ec569904e8893de7e17554a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE29.tmp\cMBo7agPSYRQOJ.dll
Filesize
618KB

MD5
f180a95d8673cd01ce4af0ff678fa099

SHA1
8592fe958436e14ef9ace437ac4445ecca22e35e

SHA256
d40aa49822621713e0f79f6c9a187468251fc22559cb1bbd6b5f71a94819eeb7

SHA512
3dda5f3133df4c00c03d8b3fb539b37e2e6b26d0384d3674cefa9595136f9eaa4b9d21c0e806a9ec3cfadfb782a30e344145abbf87bca813de056f84c6fb13c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE29.tmp\cMBo7agPSYRQOJ.tlb
Filesize
3KB

MD5
8af6f42a5b16ced04702514d47052053

SHA1
f06e43c9710e27b38063652217874f6fc8515ea0

SHA256
0fc752f18e2f21a6d0b45fb9769deefe70d4690e72225037a37d1dc0553ae8ed

SHA512
2d1fedf6693f0347d9265436fbc17515fa9a904db54170181ca7a6d5c64a4928494a20a1eb489d646602ed2769e570bfb5835bffd241a53a8fe64d5767b9234b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE29.tmp\cMBo7agPSYRQOJ.x64.dll
Filesize
695KB

MD5
2af06e7424e4f53fa8ee2b8daf4cdaa3

SHA1
0a09aa095e38211b8fc512d2e9f8f7cf12159a19

SHA256
81f98c4034227951bd4ad5e6d6a823bd112602f3550fd7066a01f16b8c8aca69

SHA512
6bcaa8998bd7971f41bebc8433be949cf48d98c0eb70c643b7b7a1b50d2b4cf66412efb170684f36f1987c1992ba88350f815ea18a3cf50caf8ce97bbb961b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE29.tmp\nonhdkjblefmgfiddjijfkffnjahgpjk\JZX.js
Filesize
5KB

MD5
08b5f6f4b6536fa314ff9ba25a78d48e

SHA1
8bc5187c78f7ac0b5c52a7265fae031a918426c4

SHA256
52c3fcaec2c15c2872ba0ce44d56463af26cb38c520b82e2fa0358fe5b0c8847

SHA512
785ef2707bdccc3e4d4443a10fdd9d6dd72cf9c2855b11144dc0c0f28f6467959ee00d2cc6d958cb5fa2dae42ee521d2ccc7cb1081911c1983e0aa3ce70926bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE29.tmp\nonhdkjblefmgfiddjijfkffnjahgpjk\background.html
Filesize
140B

MD5
b0025ea1aeda64986d50e03dd240ba0d

SHA1
8402849cd2ba86d255ac03a352760331345346eb

SHA256
58b2b8f6830c03759f8953e73dd75f458b5ccf1b6599fbd022cd518a569920e1

SHA512
5468ad34dbdd0e16a84725e65f051ba91cd8faf64f888767fc911b395f67790e997d64d5fc0b0feea8f4eb3720fa0ddd90ce0ebecdc0f6d46bff91a994f4951b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE29.tmp\nonhdkjblefmgfiddjijfkffnjahgpjk\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE29.tmp\nonhdkjblefmgfiddjijfkffnjahgpjk\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE29.tmp\nonhdkjblefmgfiddjijfkffnjahgpjk\manifest.json
Filesize
501B

MD5
848ddd8f9177e3c208b6be619b937d1b

SHA1
cd490a23877ce30ca1d66cf423cacc02c4d93145

SHA256
1130c84ac3cee6cf2161f1ba1b02580b09f8b4d7c14b4d877205ab74e9f51f74

SHA512
327eaecf09c6e77b6547a4985b5e5994892a9569f4a2769c02ed7a8f50262fa51e4331e7e02cf19f0f7f53f67764a68d1aebf797e7f4e74565a06fb798dcd404

Download Submit
memory/3636-150-0x0000000000000000-mapping.dmp

Download
memory/3912-130-0x0000000000000000-mapping.dmp

Download
memory/4320-147-0x0000000000000000-mapping.dmp

Download