630521e21cacd70cfdc659a1e00112991053bd3606f7ef15f192a57a39d67ab9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 23:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

630521e21cacd70cfdc659a1e00112991053bd3606f7ef15f192a57a39d67ab9.exe
Size

2.0MB
MD5

22502637ca420e787622c4605c582757
SHA1

29ee7d9576f5dee11041dd145dbcd0156599a664
SHA256

630521e21cacd70cfdc659a1e00112991053bd3606f7ef15f192a57a39d67ab9
SHA512

e2cf13dd329db4f247ec5c4aaf5fcf5c3860a889c99e939b8c590501ffc67bfeee15ce69e41ad7e6d06554de3b900e5eb64590ec681b1e985ea6653a4fbea000
SSDEEP

49152:h1Os0Cn3b0sdq9tVkWMq0vdovSHhXXrur:h1OAnL0sitVkWX0vVlu

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1112	TOcj04S7tryWjx9.exe

Loads dropped DLL 3 IoCs

pid	Process
1112	TOcj04S7tryWjx9.exe
4228	regsvr32.exe
868	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agecklgjaiblemmdjjpcnhidlihpjcia\2.0\manifest.json	TOcj04S7tryWjx9.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\agecklgjaiblemmdjjpcnhidlihpjcia\2.0\manifest.json	TOcj04S7tryWjx9.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\agecklgjaiblemmdjjpcnhidlihpjcia\2.0\manifest.json	TOcj04S7tryWjx9.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\agecklgjaiblemmdjjpcnhidlihpjcia\2.0\manifest.json	TOcj04S7tryWjx9.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\agecklgjaiblemmdjjpcnhidlihpjcia\2.0\manifest.json	TOcj04S7tryWjx9.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	TOcj04S7tryWjx9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	TOcj04S7tryWjx9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	TOcj04S7tryWjx9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	TOcj04S7tryWjx9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GoSSavve\lIJNrEHJjXVTJM.dat	TOcj04S7tryWjx9.exe
File created	C:\Program Files (x86)\GoSSavve\lIJNrEHJjXVTJM.x64.dll	TOcj04S7tryWjx9.exe
File opened for modification	C:\Program Files (x86)\GoSSavve\lIJNrEHJjXVTJM.x64.dll	TOcj04S7tryWjx9.exe
File created	C:\Program Files (x86)\GoSSavve\lIJNrEHJjXVTJM.dll	TOcj04S7tryWjx9.exe
File opened for modification	C:\Program Files (x86)\GoSSavve\lIJNrEHJjXVTJM.dll	TOcj04S7tryWjx9.exe
File created	C:\Program Files (x86)\GoSSavve\lIJNrEHJjXVTJM.tlb	TOcj04S7tryWjx9.exe
File opened for modification	C:\Program Files (x86)\GoSSavve\lIJNrEHJjXVTJM.tlb	TOcj04S7tryWjx9.exe
File created	C:\Program Files (x86)\GoSSavve\lIJNrEHJjXVTJM.dat	TOcj04S7tryWjx9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 1112	4244	630521e21cacd70cfdc659a1e00112991053bd3606f7ef15f192a57a39d67ab9.exe	85
PID 4244 wrote to memory of 1112	4244	630521e21cacd70cfdc659a1e00112991053bd3606f7ef15f192a57a39d67ab9.exe	85
PID 4244 wrote to memory of 1112	4244	630521e21cacd70cfdc659a1e00112991053bd3606f7ef15f192a57a39d67ab9.exe	85
PID 1112 wrote to memory of 4228	1112	TOcj04S7tryWjx9.exe	86
PID 1112 wrote to memory of 4228	1112	TOcj04S7tryWjx9.exe	86
PID 1112 wrote to memory of 4228	1112	TOcj04S7tryWjx9.exe	86
PID 4228 wrote to memory of 868	4228	regsvr32.exe	87
PID 4228 wrote to memory of 868	4228	regsvr32.exe	87

C:\Users\Admin\AppData\Local\Temp\630521e21cacd70cfdc659a1e00112991053bd3606f7ef15f192a57a39d67ab9.exe
"C:\Users\Admin\AppData\Local\Temp\630521e21cacd70cfdc659a1e00112991053bd3606f7ef15f192a57a39d67ab9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\7zS6854.tmp\TOcj04S7tryWjx9.exe
  .\TOcj04S7tryWjx9.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSSavve\lIJNrEHJjXVTJM.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4228
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSSavve\lIJNrEHJjXVTJM.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSSavve\lIJNrEHJjXVTJM.dat

Filesize
6KB

MD5
c3327f54516228da3c778ba6a8cf465e

SHA1
ed807d044d750f4d2d80c0d253000dd039f6dc24

SHA256
4cec007c7c036bce98153ccecec355dd095f85c35dc16b89a3f01b869460e887

SHA512
561576d57565865fe43887456ca29a41c2e21a2f4037671e3701834e401ce43dc2e9942c535628ebadd245798c08b51e90bb2d06c14fc33fbbfe4342fd572da9

Download Submit
C:\Program Files (x86)\GoSSavve\lIJNrEHJjXVTJM.dll

Filesize
613KB

MD5
c547ac330285a0ea3ab373fbf632e095

SHA1
1c7a20d9bf6104c3c3343f0c4061107441348787

SHA256
8ad6a8d9db588353ff1cb777ac8b7f62b6a8976d2ed396e8816051ffc69c8db0

SHA512
b695eddc8d688d61b55a87d6153084836bb8c699a0e9b2834c77fed923e1ffa6da8871df569310668eff2161eb219eec8193bfcf812d9932f1ae064953d1b9a2

Download Submit
C:\Program Files (x86)\GoSSavve\lIJNrEHJjXVTJM.x64.dll

Filesize
693KB

MD5
2be2d271d3ab4d63bb6642af32722936

SHA1
c3eb0dd1d280018ab15a44c65c6b1b23dcef1552

SHA256
ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9

SHA512
08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

Download Submit
C:\Program Files (x86)\GoSSavve\lIJNrEHJjXVTJM.x64.dll

Filesize
693KB

MD5
2be2d271d3ab4d63bb6642af32722936

SHA1
c3eb0dd1d280018ab15a44c65c6b1b23dcef1552

SHA256
ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9

SHA512
08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

Download Submit
C:\Program Files (x86)\GoSSavve\lIJNrEHJjXVTJM.x64.dll

Filesize
693KB

MD5
2be2d271d3ab4d63bb6642af32722936

SHA1
c3eb0dd1d280018ab15a44c65c6b1b23dcef1552

SHA256
ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9

SHA512
08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6854.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6854.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
3139f6ff73fbf549d1dcd1ae1bb5bebb

SHA1
44834201007950c2dbf9eb1e0be1f18ecd7e49e2

SHA256
4a74a97c27d3e157a1a01d04c0891d78f58cb9385c5392d49de3953e08cca6df

SHA512
73e5b1ac87b276b87dddbcd3214bd5b15d0bb29b5c47c31088bdd02de9dfa42826ec039635864052d6693b8a56058b321ba1bce5ffc23e50c00100bc712f1d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6854.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
b80c50da196e9f707d04d4c601181bb6

SHA1
f332e15eeba0942da8426a1a0048842d503251d6

SHA256
f11a2794f00e1e4af2655ed91e2599a66715279afefc9142e260290671130b4f

SHA512
f3cd933305d54ceec09816c4e1709a5eb816d123b5112da73968491ec90d80097000b689548040dd946fb9e83b7c5a0745cfcc9a3002f4cdde120666da6b2b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6854.tmp\[email protected]\install.rdf

Filesize
597B

MD5
b04e0f3abc95f2a1c471893416edc9b6

SHA1
7b116f3e56084000e17dcda3c910c50c7940d5f1

SHA256
a82a750112d8ef4582bb141b6b1066f23fc7c69d10db7a735f3fe3350047e1dd

SHA512
7b23469d4875f39a86103afd8f9aa1bb872eb9f4a53d2b927e396d0bbfd64066a2761ca2c3d6d4a5c8b23056e0ba599d5bdad64001133ce09923e0b2307cfeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6854.tmp\TOcj04S7tryWjx9.dat

Filesize
6KB

MD5
c3327f54516228da3c778ba6a8cf465e

SHA1
ed807d044d750f4d2d80c0d253000dd039f6dc24

SHA256
4cec007c7c036bce98153ccecec355dd095f85c35dc16b89a3f01b869460e887

SHA512
561576d57565865fe43887456ca29a41c2e21a2f4037671e3701834e401ce43dc2e9942c535628ebadd245798c08b51e90bb2d06c14fc33fbbfe4342fd572da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6854.tmp\TOcj04S7tryWjx9.exe

Filesize
622KB

MD5
e6bafde32b2c77cdffaf64e854b36411

SHA1
7483c84b4014ddc44738a94af326b0c36fc7ee20

SHA256
5390cc4000f0d1d6fa105e4e18b6571913360f521cd013dd8e91cc8d93b2f0d0

SHA512
260a8d4dba37846a73d7fba791d93f9abc4f441b2c828d691dc20db1d246e8aaeb99209b1a83294d44d6802aef3a1263c4fcf98fb0c92b0c70282b711930d87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6854.tmp\TOcj04S7tryWjx9.exe

Filesize
622KB

MD5
e6bafde32b2c77cdffaf64e854b36411

SHA1
7483c84b4014ddc44738a94af326b0c36fc7ee20

SHA256
5390cc4000f0d1d6fa105e4e18b6571913360f521cd013dd8e91cc8d93b2f0d0

SHA512
260a8d4dba37846a73d7fba791d93f9abc4f441b2c828d691dc20db1d246e8aaeb99209b1a83294d44d6802aef3a1263c4fcf98fb0c92b0c70282b711930d87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6854.tmp\agecklgjaiblemmdjjpcnhidlihpjcia\JXvSBnM.js

Filesize
5KB

MD5
d59ce97683dee2cfd5ce5fd6c1276cf5

SHA1
0babc63533ebd9f9b09185ec90b71b8c3787eb6d

SHA256
2cfb45c6704ce833754c4bd92336532c249192a5e0c2cbe9d6c496332b6c8f7e

SHA512
693f13de3a36a9c95f1f6626a889d5239bc20e148ebceee09da0e990e1cd8b2a0055947c523a4b88163ff92c7789daf2232bd1b3f149d1f3024f312289e15ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6854.tmp\agecklgjaiblemmdjjpcnhidlihpjcia\background.html

Filesize
144B

MD5
ef40979ae571c75cc0b15b8a86b21d17

SHA1
5f7b13e398dea49ea616b77135aa6627f670ea76

SHA256
0b49b352d2b0794d45ba1e59351ecc0e581bbbd352164676287d627eac27d0ae

SHA512
9275000045c8f5b51229e18ec3eae8ec41c877652621aded4f6be9b2e4bbe393e77c4cd89863c64967d2e494767a89f9604286bda4031954aec1b276769d5d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6854.tmp\agecklgjaiblemmdjjpcnhidlihpjcia\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6854.tmp\agecklgjaiblemmdjjpcnhidlihpjcia\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6854.tmp\agecklgjaiblemmdjjpcnhidlihpjcia\manifest.json

Filesize
500B

MD5
64de75e84d31c7312be2f1acf3ced51d

SHA1
474bf1545cc4b688ed7b9d97d17e9c8f46d00b03

SHA256
7747bef74465109535e0f366cbfd9c022bd907299952f3b7cb6b781bb97f38aa

SHA512
de0ea612ea0ffcfa5cca2b42bee630377eafaf752ce1ca6ec46d29d66077ba14c149c127788afdabf5a055cbb3f96049942a120eda0d2b6610a42c50cfcb1f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6854.tmp\lIJNrEHJjXVTJM.dll

Filesize
613KB

MD5
c547ac330285a0ea3ab373fbf632e095

SHA1
1c7a20d9bf6104c3c3343f0c4061107441348787

SHA256
8ad6a8d9db588353ff1cb777ac8b7f62b6a8976d2ed396e8816051ffc69c8db0

SHA512
b695eddc8d688d61b55a87d6153084836bb8c699a0e9b2834c77fed923e1ffa6da8871df569310668eff2161eb219eec8193bfcf812d9932f1ae064953d1b9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6854.tmp\lIJNrEHJjXVTJM.tlb

Filesize
3KB

MD5
b09701113a6fa6b7ce61cef1f5b3dc70

SHA1
752190cbbd25d899b48f6fc2caa9cedd3baff7df

SHA256
a8a8b11da1822ce3d93baa6d3711969425dd4ccbe05bf348899320659b07e9d1

SHA512
9436a606e8ced02094374e5d603bc4bfb63a079259fa10c1fd82b9a30c40fa64c54b4bc3f7d5c0634dc4584c18e3accadd5df536e37367a7b3ea9f6597eb547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6854.tmp\lIJNrEHJjXVTJM.x64.dll

Filesize
693KB

MD5
2be2d271d3ab4d63bb6642af32722936

SHA1
c3eb0dd1d280018ab15a44c65c6b1b23dcef1552

SHA256
ad58666ae0f8f9d875e47a885ac5d89fca0ac1ae65c063fd8e01f1f88acca0e9

SHA512
08106cfa29b4a5f0616451e402c7cc246d7a4c3f333e18da7c73b0c7d94e06845f3c34cea570ab2afd7b3054da0a7c665b2c14a7a02d99a744cefd9c017cac9f

Download Submit