f1a70606f8e5dc80a76c6d15b31bd3e1b1c50c9ff3b0a829cbd0675aa9ff8868

Analysis

max time kernel
158s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1a70606f8e5dc80a76c6d15b31bd3e1b1c50c9ff3b0a829cbd0675aa9ff8868.exe
Size

2.0MB
MD5

d2767e28359032c0f18a9835bdd910a8
SHA1

8ef6dfc5c7bd68f285b2d1cccb90575113755455
SHA256

f1a70606f8e5dc80a76c6d15b31bd3e1b1c50c9ff3b0a829cbd0675aa9ff8868
SHA512

cef6b8ff8527b0ca65565c8d79ca3dff42a2b2b9e2aa78703016ea3824048f4fc432b185ddf1d29d4864c4ce87089a424b8b3d3dd90bdb04d4f5531ce54d1d2d
SSDEEP

49152:h1OskCn3b0sdq9tVkWMq0vdovSHhXXruG:h1OAnL0sitVkWX0vVlL

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2364	xZFN5PjoPdEGy0q.exe

Loads dropped DLL 3 IoCs

pid	Process
2364	xZFN5PjoPdEGy0q.exe
3004	regsvr32.exe
2864	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkcaafccohincendilfnmbmmbflilfkl\2.0\manifest.json	xZFN5PjoPdEGy0q.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkcaafccohincendilfnmbmmbflilfkl\2.0\manifest.json	xZFN5PjoPdEGy0q.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkcaafccohincendilfnmbmmbflilfkl\2.0\manifest.json	xZFN5PjoPdEGy0q.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkcaafccohincendilfnmbmmbflilfkl\2.0\manifest.json	xZFN5PjoPdEGy0q.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkcaafccohincendilfnmbmmbflilfkl\2.0\manifest.json	xZFN5PjoPdEGy0q.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	xZFN5PjoPdEGy0q.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	xZFN5PjoPdEGy0q.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	xZFN5PjoPdEGy0q.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	xZFN5PjoPdEGy0q.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GoSAvE\bxERWUUUYj2Vgm.tlb	xZFN5PjoPdEGy0q.exe
File created	C:\Program Files (x86)\GoSAvE\bxERWUUUYj2Vgm.dat	xZFN5PjoPdEGy0q.exe
File opened for modification	C:\Program Files (x86)\GoSAvE\bxERWUUUYj2Vgm.dat	xZFN5PjoPdEGy0q.exe
File created	C:\Program Files (x86)\GoSAvE\bxERWUUUYj2Vgm.x64.dll	xZFN5PjoPdEGy0q.exe
File opened for modification	C:\Program Files (x86)\GoSAvE\bxERWUUUYj2Vgm.x64.dll	xZFN5PjoPdEGy0q.exe
File created	C:\Program Files (x86)\GoSAvE\bxERWUUUYj2Vgm.dll	xZFN5PjoPdEGy0q.exe
File opened for modification	C:\Program Files (x86)\GoSAvE\bxERWUUUYj2Vgm.dll	xZFN5PjoPdEGy0q.exe
File created	C:\Program Files (x86)\GoSAvE\bxERWUUUYj2Vgm.tlb	xZFN5PjoPdEGy0q.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2364	2136	f1a70606f8e5dc80a76c6d15b31bd3e1b1c50c9ff3b0a829cbd0675aa9ff8868.exe	85
PID 2136 wrote to memory of 2364	2136	f1a70606f8e5dc80a76c6d15b31bd3e1b1c50c9ff3b0a829cbd0675aa9ff8868.exe	85
PID 2136 wrote to memory of 2364	2136	f1a70606f8e5dc80a76c6d15b31bd3e1b1c50c9ff3b0a829cbd0675aa9ff8868.exe	85
PID 2364 wrote to memory of 3004	2364	xZFN5PjoPdEGy0q.exe	86
PID 2364 wrote to memory of 3004	2364	xZFN5PjoPdEGy0q.exe	86
PID 2364 wrote to memory of 3004	2364	xZFN5PjoPdEGy0q.exe	86
PID 3004 wrote to memory of 2864	3004	regsvr32.exe	87
PID 3004 wrote to memory of 2864	3004	regsvr32.exe	87

C:\Users\Admin\AppData\Local\Temp\f1a70606f8e5dc80a76c6d15b31bd3e1b1c50c9ff3b0a829cbd0675aa9ff8868.exe
"C:\Users\Admin\AppData\Local\Temp\f1a70606f8e5dc80a76c6d15b31bd3e1b1c50c9ff3b0a829cbd0675aa9ff8868.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\7zSA8E7.tmp\xZFN5PjoPdEGy0q.exe
  .\xZFN5PjoPdEGy0q.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSAvE\bxERWUUUYj2Vgm.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSAvE\bxERWUUUYj2Vgm.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:2864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSAvE\bxERWUUUYj2Vgm.dat

Filesize
6KB

MD5
4d899c607ab606f9fa0b85a38a4a25a0

SHA1
95ccd3630db8473092104f6e7784695479171467

SHA256
68fe898331aa483f872400a03b8f664ee2d0817a9f42ce212fec7a80cfdddf90

SHA512
5dd498bf45034e40192da53e42891ee6e7b1a6ca4edfe4a6ba6f0fb00e8c49885899143d7f387b1017847dd5dfc5d167a6b8a46fda76a00410e001a22a97ecf8

Download Submit
C:\Program Files (x86)\GoSAvE\bxERWUUUYj2Vgm.dll

Filesize
613KB

MD5
c547ac330285a0ea3ab373fbf632e095

SHA1
1c7a20d9bf6104c3c3343f0c4061107441348787

SHA256
8ad6a8d9db588353ff1cb777ac8b7f62b6a8976d2ed396e8816051ffc69c8db0

SHA512
b695eddc8d688d61b55a87d6153084836bb8c699a0e9b2834c77fed923e1ffa6da8871df569310668eff2161eb219eec8193bfcf812d9932f1ae064953d1b9a2

Download Submit
C:\Program Files (x86)\GoSAvE\bxERWUUUYj2Vgm.x64.dll

Filesize
693KB

MD5
2be2d271d3ab4d63bb6642af32722936

SHA1
c3eb0dd1d280018ab15a44c65c6b1b23dcef1552

SHA256
ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9

SHA512
08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

Download Submit
C:\Program Files (x86)\GoSAvE\bxERWUUUYj2Vgm.x64.dll

Filesize
693KB

MD5
2be2d271d3ab4d63bb6642af32722936

SHA1
c3eb0dd1d280018ab15a44c65c6b1b23dcef1552

SHA256
ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9

SHA512
08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

Download Submit
C:\Program Files (x86)\GoSAvE\bxERWUUUYj2Vgm.x64.dll

Filesize
693KB

MD5
2be2d271d3ab4d63bb6642af32722936

SHA1
c3eb0dd1d280018ab15a44c65c6b1b23dcef1552

SHA256
ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9

SHA512
08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8E7.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8E7.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
677941846d81b215eeebb044e522bc20

SHA1
9b09d9e31a53d7fe00519579809237f94a7df029

SHA256
3a7b16997aa780f1ad0a6600d5e2f789dc8369bb1d163f7caf8840eec81218c0

SHA512
5c8cdd7a97e173d153c7ba35d9270df917abf4431a369571339676f811519ca5687ab861fd63627eaa51ddbcda4701b80e353990b567310dc2b9d1a1a3af4fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8E7.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
62ee1e4965d2f17404e37016a541c3f9

SHA1
52d288a7490cbe85b65f366f93bd76e730693304

SHA256
f1dc53b8a51aec1fbbcd4380b17d91a6722c5abc5da7fcc36fda1d99e1831a2a

SHA512
244c58ec2a8f6fca27a97575f4a7c6fa0f7852e186ce0b29b4f00f3352c42689c2962dba4363fb35014524875cfdf34201e8d31e199cabc9c21277fa5945dbe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8E7.tmp\[email protected]\install.rdf

Filesize
591B

MD5
012f9f1996986b7dd2d70f1bd7d476c9

SHA1
58cab76cacadf4a43c1ab3009648b39edf965750

SHA256
b58976b9a5139c52ce4ce702f2806836750658b506eb8a7d48a7dff009b12496

SHA512
635db5740d69691c66151b6542a77c3c6840f4c6cd59b27e72d60aab42fdc6c9e254b2dece6da535281717cc5cc45bfdb4249832be44bd7b96cd4d025e722488

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8E7.tmp\bxERWUUUYj2Vgm.dll

Filesize
613KB

MD5
c547ac330285a0ea3ab373fbf632e095

SHA1
1c7a20d9bf6104c3c3343f0c4061107441348787

SHA256
8ad6a8d9db588353ff1cb777ac8b7f62b6a8976d2ed396e8816051ffc69c8db0

SHA512
b695eddc8d688d61b55a87d6153084836bb8c699a0e9b2834c77fed923e1ffa6da8871df569310668eff2161eb219eec8193bfcf812d9932f1ae064953d1b9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8E7.tmp\bxERWUUUYj2Vgm.tlb

Filesize
3KB

MD5
b09701113a6fa6b7ce61cef1f5b3dc70

SHA1
752190cbbd25d899b48f6fc2caa9cedd3baff7df

SHA256
a8a8b11da1822ce3d93baa6d3711969425dd4ccbe05bf348899320659b07e9d1

SHA512
9436a606e8ced02094374e5d603bc4bfb63a079259fa10c1fd82b9a30c40fa64c54b4bc3f7d5c0634dc4584c18e3accadd5df536e37367a7b3ea9f6597eb547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8E7.tmp\bxERWUUUYj2Vgm.x64.dll

Filesize
693KB

MD5
2be2d271d3ab4d63bb6642af32722936

SHA1
c3eb0dd1d280018ab15a44c65c6b1b23dcef1552

SHA256
ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9

SHA512
08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8E7.tmp\fkcaafccohincendilfnmbmmbflilfkl\background.html

Filesize
146B

MD5
11825d06b9576855d5c0e89219d27ffd

SHA1
851376cc5d48a3d3d62a70a4b749c80ac2e38535

SHA256
12803d6965d58329a1129fc5b2739178643e2b24811f10d8131517bc4a9b1eca

SHA512
290e7fb16474a352ce6f0284f3a101344aa8ca24161dac333a4784df782129e86bdfc20a578247ccdfef4caac36e6664533f1f360e20ee871d1b7faea4aa4194

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8E7.tmp\fkcaafccohincendilfnmbmmbflilfkl\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8E7.tmp\fkcaafccohincendilfnmbmmbflilfkl\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8E7.tmp\fkcaafccohincendilfnmbmmbflilfkl\manifest.json

Filesize
498B

MD5
987a0e3879a3b82dd1484d6965756722

SHA1
b0f88e7f7da866dc41c0c48a9b1727f31ca406da

SHA256
efa558d1de448eeeed90e575cc62846c4bdd2c641a370374f0eda493460e3850

SHA512
b64fa8618cd1fb9624258d85c72ee764b3a446317a7d3d68f46345ceee852ca221a1cb23a942616b94e64c5df7deb48e0c77ff0504f9d9f2a269ebb0854155aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8E7.tmp\fkcaafccohincendilfnmbmmbflilfkl\pf3LIkdt4.js

Filesize
5KB

MD5
b701d9f192ef82989296c95218e68fc6

SHA1
73f4f915611e668aea6facec292bbb37ee27b334

SHA256
f87e2848e2c088a67365a0ac2e1a8a3825951a9205dfc8f9af218c11f25840c6

SHA512
1a983ff1959b1083495b18b847c03e90efdf30a166282488b7bdfb1c933ca5aa8c54b8223081baba3ed3b354aefef87e232f0aa61865639567c810b59e633f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8E7.tmp\xZFN5PjoPdEGy0q.dat

Filesize
6KB

MD5
4d899c607ab606f9fa0b85a38a4a25a0

SHA1
95ccd3630db8473092104f6e7784695479171467

SHA256
68fe898331aa483f872400a03b8f664ee2d0817a9f42ce212fec7a80cfdddf90

SHA512
5dd498bf45034e40192da53e42891ee6e7b1a6ca4edfe4a6ba6f0fb00e8c49885899143d7f387b1017847dd5dfc5d167a6b8a46fda76a00410e001a22a97ecf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8E7.tmp\xZFN5PjoPdEGy0q.exe

Filesize
622KB

MD5
e6bafde32b2c77cdffaf64e854b36411

SHA1
7483c84b4014ddc44738a94af326b0c36fc7ee20

SHA256
5390cc4000f0d1d6fa105e4e18b6571913360f521cd013dd8e91cc8d93b2f0d0

SHA512
260a8d4dba37846a73d7fba791d93f9abc4f441b2c828d691dc20db1d246e8aaeb99209b1a83294d44d6802aef3a1263c4fcf98fb0c92b0c70282b711930d87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8E7.tmp\xZFN5PjoPdEGy0q.exe

Filesize
622KB

MD5
e6bafde32b2c77cdffaf64e854b36411

SHA1
7483c84b4014ddc44738a94af326b0c36fc7ee20

SHA256
5390cc4000f0d1d6fa105e4e18b6571913360f521cd013dd8e91cc8d93b2f0d0

SHA512
260a8d4dba37846a73d7fba791d93f9abc4f441b2c828d691dc20db1d246e8aaeb99209b1a83294d44d6802aef3a1263c4fcf98fb0c92b0c70282b711930d87b

Download Submit