dc21c905322564676cabf4a66fae6b9eccce5c5d916abb58f699acea58c7b939

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc21c905322564676cabf4a66fae6b9eccce5c5d916abb58f699acea58c7b939.exe
Size

2.0MB
MD5

58b365e4db9f1c9b8e0ffb1d60f0f31b
SHA1

ece52d4980e9b6efe8d05451625f7a075f115385
SHA256

dc21c905322564676cabf4a66fae6b9eccce5c5d916abb58f699acea58c7b939
SHA512

862c692d66b8daa9caa329a6bbdeceee473609dc49f5d5ab7e9f2417030da1b273b945ae547381b5c1291f9b8873b7f29a997ab3c3186d553d96501c901b5840
SSDEEP

49152:h1OsmCn3b0sdq9tVkWMq0vdovSHhXXruD:h1OSnL0sitVkWX0vVlO

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1756	N2elzkx0r5KOBBa.exe

Loads dropped DLL 4 IoCs

pid	Process
1980	dc21c905322564676cabf4a66fae6b9eccce5c5d916abb58f699acea58c7b939.exe
1756	N2elzkx0r5KOBBa.exe
840	regsvr32.exe
1076	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmemeobiddcngaknjcgfkniabdgeenha\2.0\manifest.json	N2elzkx0r5KOBBa.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmemeobiddcngaknjcgfkniabdgeenha\2.0\manifest.json	N2elzkx0r5KOBBa.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmemeobiddcngaknjcgfkniabdgeenha\2.0\manifest.json	N2elzkx0r5KOBBa.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	N2elzkx0r5KOBBa.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	N2elzkx0r5KOBBa.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	N2elzkx0r5KOBBa.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	N2elzkx0r5KOBBa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	N2elzkx0r5KOBBa.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoSaveu\9MX2XA0NtktuxJ.dll	N2elzkx0r5KOBBa.exe
File opened for modification	C:\Program Files (x86)\GoSaveu\9MX2XA0NtktuxJ.dll	N2elzkx0r5KOBBa.exe
File created	C:\Program Files (x86)\GoSaveu\9MX2XA0NtktuxJ.tlb	N2elzkx0r5KOBBa.exe
File opened for modification	C:\Program Files (x86)\GoSaveu\9MX2XA0NtktuxJ.tlb	N2elzkx0r5KOBBa.exe
File created	C:\Program Files (x86)\GoSaveu\9MX2XA0NtktuxJ.dat	N2elzkx0r5KOBBa.exe
File opened for modification	C:\Program Files (x86)\GoSaveu\9MX2XA0NtktuxJ.dat	N2elzkx0r5KOBBa.exe
File created	C:\Program Files (x86)\GoSaveu\9MX2XA0NtktuxJ.x64.dll	N2elzkx0r5KOBBa.exe
File opened for modification	C:\Program Files (x86)\GoSaveu\9MX2XA0NtktuxJ.x64.dll	N2elzkx0r5KOBBa.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1756	1980	dc21c905322564676cabf4a66fae6b9eccce5c5d916abb58f699acea58c7b939.exe	28
PID 1980 wrote to memory of 1756	1980	dc21c905322564676cabf4a66fae6b9eccce5c5d916abb58f699acea58c7b939.exe	28
PID 1980 wrote to memory of 1756	1980	dc21c905322564676cabf4a66fae6b9eccce5c5d916abb58f699acea58c7b939.exe	28
PID 1980 wrote to memory of 1756	1980	dc21c905322564676cabf4a66fae6b9eccce5c5d916abb58f699acea58c7b939.exe	28
PID 1756 wrote to memory of 840	1756	N2elzkx0r5KOBBa.exe	29
PID 1756 wrote to memory of 840	1756	N2elzkx0r5KOBBa.exe	29
PID 1756 wrote to memory of 840	1756	N2elzkx0r5KOBBa.exe	29
PID 1756 wrote to memory of 840	1756	N2elzkx0r5KOBBa.exe	29
PID 1756 wrote to memory of 840	1756	N2elzkx0r5KOBBa.exe	29
PID 1756 wrote to memory of 840	1756	N2elzkx0r5KOBBa.exe	29
PID 1756 wrote to memory of 840	1756	N2elzkx0r5KOBBa.exe	29
PID 840 wrote to memory of 1076	840	regsvr32.exe	30
PID 840 wrote to memory of 1076	840	regsvr32.exe	30
PID 840 wrote to memory of 1076	840	regsvr32.exe	30
PID 840 wrote to memory of 1076	840	regsvr32.exe	30
PID 840 wrote to memory of 1076	840	regsvr32.exe	30
PID 840 wrote to memory of 1076	840	regsvr32.exe	30
PID 840 wrote to memory of 1076	840	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\dc21c905322564676cabf4a66fae6b9eccce5c5d916abb58f699acea58c7b939.exe
"C:\Users\Admin\AppData\Local\Temp\dc21c905322564676cabf4a66fae6b9eccce5c5d916abb58f699acea58c7b939.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\7zSE0DE.tmp\N2elzkx0r5KOBBa.exe
  .\N2elzkx0r5KOBBa.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSaveu\9MX2XA0NtktuxJ.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSaveu\9MX2XA0NtktuxJ.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSaveu\9MX2XA0NtktuxJ.dat

Filesize
6KB

MD5
a19db75c6de21d8faeec16124fece2b4

SHA1
45777974e9ec2281cbe0ee4117448deaa017de64

SHA256
5b17fa95f6fea9457921129ab12f5c9620a46a28e7df2569ab4aad654aa44674

SHA512
23bcd24641281e2f1991aefa408e2b4c85fcac2d243d2cb96a842f6c94f03c00d3ec0cc901e31f868d8730f121b56962268255c9a329aea65d9b89a89a7a1179

Download Submit
C:\Program Files (x86)\GoSaveu\9MX2XA0NtktuxJ.x64.dll

Filesize
693KB

MD5
2be2d271d3ab4d63bb6642af32722936

SHA1
c3eb0dd1d280018ab15a44c65c6b1b23dcef1552

SHA256
ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9

SHA512
08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DE.tmp\9MX2XA0NtktuxJ.dll

Filesize
613KB

MD5
c547ac330285a0ea3ab373fbf632e095

SHA1
1c7a20d9bf6104c3c3343f0c4061107441348787

SHA256
8ad6a8d9db588353ff1cb777ac8b7f62b6a8976d2ed396e8816051ffc69c8db0

SHA512
b695eddc8d688d61b55a87d6153084836bb8c699a0e9b2834c77fed923e1ffa6da8871df569310668eff2161eb219eec8193bfcf812d9932f1ae064953d1b9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DE.tmp\9MX2XA0NtktuxJ.tlb

Filesize
3KB

MD5
b09701113a6fa6b7ce61cef1f5b3dc70

SHA1
752190cbbd25d899b48f6fc2caa9cedd3baff7df

SHA256
a8a8b11da1822ce3d93baa6d3711969425dd4ccbe05bf348899320659b07e9d1

SHA512
9436a606e8ced02094374e5d603bc4bfb63a079259fa10c1fd82b9a30c40fa64c54b4bc3f7d5c0634dc4584c18e3accadd5df536e37367a7b3ea9f6597eb547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DE.tmp\9MX2XA0NtktuxJ.x64.dll

Filesize
693KB

MD5
2be2d271d3ab4d63bb6642af32722936

SHA1
c3eb0dd1d280018ab15a44c65c6b1b23dcef1552

SHA256
ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9

SHA512
08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DE.tmp\N2elzkx0r5KOBBa.dat

Filesize
6KB

MD5
a19db75c6de21d8faeec16124fece2b4

SHA1
45777974e9ec2281cbe0ee4117448deaa017de64

SHA256
5b17fa95f6fea9457921129ab12f5c9620a46a28e7df2569ab4aad654aa44674

SHA512
23bcd24641281e2f1991aefa408e2b4c85fcac2d243d2cb96a842f6c94f03c00d3ec0cc901e31f868d8730f121b56962268255c9a329aea65d9b89a89a7a1179

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DE.tmp\N2elzkx0r5KOBBa.exe

Filesize
622KB

MD5
e6bafde32b2c77cdffaf64e854b36411

SHA1
7483c84b4014ddc44738a94af326b0c36fc7ee20

SHA256
5390cc4000f0d1d6fa105e4e18b6571913360f521cd013dd8e91cc8d93b2f0d0

SHA512
260a8d4dba37846a73d7fba791d93f9abc4f441b2c828d691dc20db1d246e8aaeb99209b1a83294d44d6802aef3a1263c4fcf98fb0c92b0c70282b711930d87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DE.tmp\N2elzkx0r5KOBBa.exe

Filesize
622KB

MD5
e6bafde32b2c77cdffaf64e854b36411

SHA1
7483c84b4014ddc44738a94af326b0c36fc7ee20

SHA256
5390cc4000f0d1d6fa105e4e18b6571913360f521cd013dd8e91cc8d93b2f0d0

SHA512
260a8d4dba37846a73d7fba791d93f9abc4f441b2c828d691dc20db1d246e8aaeb99209b1a83294d44d6802aef3a1263c4fcf98fb0c92b0c70282b711930d87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DE.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DE.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
19721862641c58cc5239350bd59cc50c

SHA1
e6b1f06d8b94f6765bc7b06c03ac118596748063

SHA256
602c5d528482eeaf363ade9dbf654fd84953e6686b1e3aa7ea8177bb43bd6996

SHA512
cd4e59e083849c8905e996c3c11d6374a33f10350017e7f7153023fdec5c6bc51823ae3030800ac5b2e1a7d2fe5982204c69318d39988569558f00c44eea7883

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DE.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
8e0852f58872794fb20decc8029e3e84

SHA1
6743bf8f7445d6f7b89aecbc427cb5c1dcd4caaa

SHA256
923dad0a4e20d42883eabff54d98272c4b702f8700f06cdcbeafdf5818b18b21

SHA512
75c2b717b982b01b700781f4be0ab2b5b89678e35cc8bac25bc62cae641ae58bb296dbfb08b3efcc6934c753071c545aa64d71fa2c891a4917f12918c587af1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DE.tmp\[email protected]\install.rdf

Filesize
594B

MD5
d34d17c25419ac293157d0e4ac307c7b

SHA1
49a86eb7fcf287dec756dd62e0e0843a4b065b4f

SHA256
1621393d6b017a47ae7a12abd944c11567f99a17a49e39a8baee3854d790cd96

SHA512
0c18fd68375ce88f81c1068435794da69111526b76cccbb69f8615947358ff750ef6890380a8f20fbd318c9aa0a2ea4d4f1094a6701d6f926a16ba8ef8f56ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DE.tmp\hmemeobiddcngaknjcgfkniabdgeenha\background.html

Filesize
146B

MD5
d35db44f3a63caf0d6454e2e327dec0c

SHA1
3cd79181eb34eab87d27eb8c34a070f4bf2a318c

SHA256
5ef2db814a61c36eb5e0b2580e0795bf44de2609481faf31d11994355a062fa0

SHA512
f63a5dc57483bd66e12faefaffc8f1d1deb6d6f596a5c55730c1f08ec1cea27bba7b477f0ca33434047c4d414e14e5a48e9395774ba03f85d8f004eb7e26aabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DE.tmp\hmemeobiddcngaknjcgfkniabdgeenha\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DE.tmp\hmemeobiddcngaknjcgfkniabdgeenha\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DE.tmp\hmemeobiddcngaknjcgfkniabdgeenha\manifest.json

Filesize
499B

MD5
6a202292117bff0db27e2625d96390c9

SHA1
7d213eabaddf560653a2f35d25447b3110c3f708

SHA256
8dfe143fa2822a6e8370c1b41e5c77a3d1b0d230bdce07b37ebee0ee7cdccd1a

SHA512
ebd3fb1225a0e98095f90840d005a2b8af704d3a1145ae8b36c67ad51af3b6bc01ec1f3d673c43379d80d15670aba1ffc4733345b13bf78d66cb34af52e91268

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DE.tmp\hmemeobiddcngaknjcgfkniabdgeenha\r46an2hpx.js

Filesize
5KB

MD5
ae550ceb25a6967a536052b560f66c2c

SHA1
2e914d12c7384fa113de33093d9d72ba4bfe3ec4

SHA256
a0f548c3729e76a67303449a0f0bc83b6236b5ed221b6af48b89d8a4c3a6b357

SHA512
18b7161d8e448c40d9aba5a6b074881d2abae8f8615e2709923185b3cfdbe4f4d7de1cdf6486c0e44072afa6781ed8fb96f2a0ff9c8c1fa651835c51accf090c

Download Submit
\Program Files (x86)\GoSaveu\9MX2XA0NtktuxJ.dll

Filesize
613KB

MD5
c547ac330285a0ea3ab373fbf632e095

SHA1
1c7a20d9bf6104c3c3343f0c4061107441348787

SHA256
8ad6a8d9db588353ff1cb777ac8b7f62b6a8976d2ed396e8816051ffc69c8db0

SHA512
b695eddc8d688d61b55a87d6153084836bb8c699a0e9b2834c77fed923e1ffa6da8871df569310668eff2161eb219eec8193bfcf812d9932f1ae064953d1b9a2

Download Submit
\Program Files (x86)\GoSaveu\9MX2XA0NtktuxJ.x64.dll

Filesize
693KB

MD5
2be2d271d3ab4d63bb6642af32722936

SHA1
c3eb0dd1d280018ab15a44c65c6b1b23dcef1552

SHA256
ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9

SHA512
08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

Download Submit
\Program Files (x86)\GoSaveu\9MX2XA0NtktuxJ.x64.dll

Filesize
693KB

MD5
2be2d271d3ab4d63bb6642af32722936

SHA1
c3eb0dd1d280018ab15a44c65c6b1b23dcef1552

SHA256
ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9

SHA512
08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

Download Submit
\Users\Admin\AppData\Local\Temp\7zSE0DE.tmp\N2elzkx0r5KOBBa.exe

Filesize
622KB

MD5
e6bafde32b2c77cdffaf64e854b36411

SHA1
7483c84b4014ddc44738a94af326b0c36fc7ee20

SHA256
5390cc4000f0d1d6fa105e4e18b6571913360f521cd013dd8e91cc8d93b2f0d0

SHA512
260a8d4dba37846a73d7fba791d93f9abc4f441b2c828d691dc20db1d246e8aaeb99209b1a83294d44d6802aef3a1263c4fcf98fb0c92b0c70282b711930d87b

Download Submit
memory/840-73-0x0000000000000000-mapping.dmp

Download
memory/1076-77-0x0000000000000000-mapping.dmp

Download
memory/1076-78-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

Filesize
8KB

Download
memory/1756-56-0x0000000000000000-mapping.dmp

Download
memory/1980-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download