3aab96cadde22866611dc0d0db8efa1ad908dce7818568a9478768fccf0f33ed

Analysis

max time kernel
111s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3aab96cadde22866611dc0d0db8efa1ad908dce7818568a9478768fccf0f33ed.exe
Size

2.1MB
MD5

56b9e8a05db654464d2d5d7cc4af4b6f
SHA1

700f682f62215223a4af896580302bff7eda0b46
SHA256

3aab96cadde22866611dc0d0db8efa1ad908dce7818568a9478768fccf0f33ed
SHA512

1177daa5753be21f31a05dbe0a832df2e853e7c044b1076334590076cbd0d39e0c2d89b0da62368706bd0e207d5f90735b68dcf0d82ae6ca0f4f99f83a55f499
SSDEEP

49152:h1OsKPtqGqK2M8f3h4UO2sEYYQvLZwQE5m4oc:h1OFHoxLYYaI

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2128	hCsrjf0R6P9i8OK.exe

Loads dropped DLL 3 IoCs

pid	Process
2128	hCsrjf0R6P9i8OK.exe
3552	regsvr32.exe
4828	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfmhfmhjpcpojifnnhjbigefbnddoejf\2.0\manifest.json	hCsrjf0R6P9i8OK.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfmhfmhjpcpojifnnhjbigefbnddoejf\2.0\manifest.json	hCsrjf0R6P9i8OK.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfmhfmhjpcpojifnnhjbigefbnddoejf\2.0\manifest.json	hCsrjf0R6P9i8OK.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfmhfmhjpcpojifnnhjbigefbnddoejf\2.0\manifest.json	hCsrjf0R6P9i8OK.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfmhfmhjpcpojifnnhjbigefbnddoejf\2.0\manifest.json	hCsrjf0R6P9i8OK.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	hCsrjf0R6P9i8OK.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	hCsrjf0R6P9i8OK.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	hCsrjf0R6P9i8OK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	hCsrjf0R6P9i8OK.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoSAove\NyzlPaijB9JqqZ.tlb	hCsrjf0R6P9i8OK.exe
File opened for modification	C:\Program Files (x86)\GoSAove\NyzlPaijB9JqqZ.tlb	hCsrjf0R6P9i8OK.exe
File created	C:\Program Files (x86)\GoSAove\NyzlPaijB9JqqZ.dat	hCsrjf0R6P9i8OK.exe
File opened for modification	C:\Program Files (x86)\GoSAove\NyzlPaijB9JqqZ.dat	hCsrjf0R6P9i8OK.exe
File created	C:\Program Files (x86)\GoSAove\NyzlPaijB9JqqZ.x64.dll	hCsrjf0R6P9i8OK.exe
File opened for modification	C:\Program Files (x86)\GoSAove\NyzlPaijB9JqqZ.x64.dll	hCsrjf0R6P9i8OK.exe
File created	C:\Program Files (x86)\GoSAove\NyzlPaijB9JqqZ.dll	hCsrjf0R6P9i8OK.exe
File opened for modification	C:\Program Files (x86)\GoSAove\NyzlPaijB9JqqZ.dll	hCsrjf0R6P9i8OK.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 2128	4736	3aab96cadde22866611dc0d0db8efa1ad908dce7818568a9478768fccf0f33ed.exe	79
PID 4736 wrote to memory of 2128	4736	3aab96cadde22866611dc0d0db8efa1ad908dce7818568a9478768fccf0f33ed.exe	79
PID 4736 wrote to memory of 2128	4736	3aab96cadde22866611dc0d0db8efa1ad908dce7818568a9478768fccf0f33ed.exe	79
PID 2128 wrote to memory of 3552	2128	hCsrjf0R6P9i8OK.exe	80
PID 2128 wrote to memory of 3552	2128	hCsrjf0R6P9i8OK.exe	80
PID 2128 wrote to memory of 3552	2128	hCsrjf0R6P9i8OK.exe	80
PID 3552 wrote to memory of 4828	3552	regsvr32.exe	81
PID 3552 wrote to memory of 4828	3552	regsvr32.exe	81

C:\Users\Admin\AppData\Local\Temp\3aab96cadde22866611dc0d0db8efa1ad908dce7818568a9478768fccf0f33ed.exe
"C:\Users\Admin\AppData\Local\Temp\3aab96cadde22866611dc0d0db8efa1ad908dce7818568a9478768fccf0f33ed.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\Temp\7zSE93C.tmp\hCsrjf0R6P9i8OK.exe
  .\hCsrjf0R6P9i8OK.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSAove\NyzlPaijB9JqqZ.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSAove\NyzlPaijB9JqqZ.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:4828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSAove\NyzlPaijB9JqqZ.dat

Filesize
6KB

MD5
033979f1a9b5bba1a8c23f3188f25f9f

SHA1
3a8ecb33c961a32e584654081c8712ab0fad7ba0

SHA256
66a7133d87b814a3994903b880ed87515d9ea49b3ab139bbd2d1a033be349e9e

SHA512
c101fbe9394a4c1a87f9debbcf09803e307b1590e8a2fbfdef009322546084bc695d484db9942cbabc046c7205e734095bbf0d391b0f28e9609ffe21663c6c74

Download Submit
C:\Program Files (x86)\GoSAove\NyzlPaijB9JqqZ.dll

Filesize
618KB

MD5
9e56f8bd63dc95894be8b9e660696f1c

SHA1
2efcb8fc0ce33f2ada28fb2a6a17ec43813f80cb

SHA256
93186596d2312706d0623df3c9b9dfdea35546d5506b20216d2a7efeb1d8d79a

SHA512
e52fa89e7cf8ed7419a5f410f6bf46a19695727f19f8eebd714dee9d6f8a9036acc528cd6b0033f70f11a04e18746b814ee2dc494f2fc82db104a876b479d827

Download Submit
C:\Program Files (x86)\GoSAove\NyzlPaijB9JqqZ.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Program Files (x86)\GoSAove\NyzlPaijB9JqqZ.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Program Files (x86)\GoSAove\NyzlPaijB9JqqZ.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE93C.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE93C.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
bf0d8e3c27c50a90d7ca907da7a860d2

SHA1
e5af84d5ec50debb33968674a5e5c89a2daddda0

SHA256
d6bc09989b1a95f47c125de29843cbf542a791cc628feec918e240cfadc476c1

SHA512
302775e929a9bf8bd3a1848818fcb54f537056a09deea21b1ba166e1f0f2ea510cc189a83ce28f8b5f8843744a7b35e5400a11e295cccf6570a61009557ac4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE93C.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
3c0d5218d5531c738e5ab26c00c70a14

SHA1
4887ff2397ba6b0ffe596c09defaafc0e5a48644

SHA256
45b273ca6c6fe25b91e0f12968bb17c12bca93f90af54ddc038148da1b236068

SHA512
0bf3a57a4f7f76c7b107da6cba10f5265b8ba6e511950a361b547f40b08f42f71111686c4eaa7f7f595a4cfb9931adaf6d93b8bae26615f77b49b039385d1277

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE93C.tmp\[email protected]\install.rdf

Filesize
592B

MD5
58f343267e3297f407ffc28b70cc211a

SHA1
2b908c3bd9b8db12602d39757da55a030c513bde

SHA256
bb85ffeb0abf05748ce129c6710f0f835e173de9428d518307508c93b7a896d4

SHA512
977aba3d65b5872a156e44b2992b4df6838d68ace03c145428b834216f701bd972977354c97c525a2a885edae9e45fb5eab32e368da4dbf45860151b64161b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE93C.tmp\NyzlPaijB9JqqZ.dll

Filesize
618KB

MD5
9e56f8bd63dc95894be8b9e660696f1c

SHA1
2efcb8fc0ce33f2ada28fb2a6a17ec43813f80cb

SHA256
93186596d2312706d0623df3c9b9dfdea35546d5506b20216d2a7efeb1d8d79a

SHA512
e52fa89e7cf8ed7419a5f410f6bf46a19695727f19f8eebd714dee9d6f8a9036acc528cd6b0033f70f11a04e18746b814ee2dc494f2fc82db104a876b479d827

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE93C.tmp\NyzlPaijB9JqqZ.tlb

Filesize
3KB

MD5
713ab144897857b45ce9515c2a1e2d52

SHA1
607a46adbfe1892276898fb6b00e7c62dbf82772

SHA256
3ec756ec9b8c4b03cc723127bc372b67c406a4915fa0a82597b0fb29685096e6

SHA512
b54c6eaf989d9e51ba66278a0991daa14bde0f56e86c8c2fce67f2118e9557307b409fbc9ae48921c37c1869634b2801028d728f4cf3b871ad8971965e3004b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE93C.tmp\NyzlPaijB9JqqZ.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE93C.tmp\cfmhfmhjpcpojifnnhjbigefbnddoejf\background.html

Filesize
146B

MD5
4fc0a591be00bef5345a949aa928f4b0

SHA1
0890a2b557550c0e6cbde58dfb0e868056515799

SHA256
f62a2ea60905b919d671d787f678435c6a244e9ec79eb2be1aba109972ae13a3

SHA512
40b8fb742ec69e2aa4d16f3a5014fa99abf038867392c7de989b87571651ff3eb230b897e500d5b812f20d63e1bfed82c4b8b0e58fe1a9b4e7af8de92e1f21a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE93C.tmp\cfmhfmhjpcpojifnnhjbigefbnddoejf\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE93C.tmp\cfmhfmhjpcpojifnnhjbigefbnddoejf\idxPSXnm1.js

Filesize
5KB

MD5
b2600fef03ed644fa8310ba51fbee2ac

SHA1
f0e4ef71efd8419ef7af5f2edf03470308251e08

SHA256
46322e08a5193f3f4944a7af23a652085887209d55a991a103abd44c677cab56

SHA512
5070121173f15cca78e4b0cbf7faf0854a58938c2b5f234ceed8c21c2d7ec5616c2d2c096ef36750a0923a52e8f994a075905447d39dacc919a322b0a11166d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE93C.tmp\cfmhfmhjpcpojifnnhjbigefbnddoejf\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE93C.tmp\cfmhfmhjpcpojifnnhjbigefbnddoejf\manifest.json

Filesize
499B

MD5
5cdaa5b8862e90fa7a173ea664343b4e

SHA1
5c7c1d70b2ded0731dc267af4f77aca513dc46dc

SHA256
46cd2d05d02b7c52a85331a2be63ed0538bc1a2370d80522ccc666a19f0c2098

SHA512
9d20b8ff84b95c0c801c1db069f77941831b36305a72a2f777069728e599566755abe28b906baf36e1326d820c9071ee3ea8577c71b81ba34aaa77bacaa578f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE93C.tmp\hCsrjf0R6P9i8OK.dat

Filesize
6KB

MD5
033979f1a9b5bba1a8c23f3188f25f9f

SHA1
3a8ecb33c961a32e584654081c8712ab0fad7ba0

SHA256
66a7133d87b814a3994903b880ed87515d9ea49b3ab139bbd2d1a033be349e9e

SHA512
c101fbe9394a4c1a87f9debbcf09803e307b1590e8a2fbfdef009322546084bc695d484db9942cbabc046c7205e734095bbf0d391b0f28e9609ffe21663c6c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE93C.tmp\hCsrjf0R6P9i8OK.exe

Filesize
629KB

MD5
15dada567404c2049507d7098389e997

SHA1
508d8cc90c247e26ce5041c718825734079d841c

SHA256
888d66bccd07a163c4fcf59dca8fb4577fe6ecb7b11c427108b1e0aa45fccc58

SHA512
6fd82c0d06c43b309ce45c048c072c9696dfd6e9a81ec5149df64784f6428c6abe91b9be215b8a47dafc8859319be94bb13fbd2e4bc1795da61b970202a15261

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE93C.tmp\hCsrjf0R6P9i8OK.exe

Filesize
629KB

MD5
15dada567404c2049507d7098389e997

SHA1
508d8cc90c247e26ce5041c718825734079d841c

SHA256
888d66bccd07a163c4fcf59dca8fb4577fe6ecb7b11c427108b1e0aa45fccc58

SHA512
6fd82c0d06c43b309ce45c048c072c9696dfd6e9a81ec5149df64784f6428c6abe91b9be215b8a47dafc8859319be94bb13fbd2e4bc1795da61b970202a15261

Download Submit