082ad31e1b1ea21da55efece8ef4c2d35b2bf80b46a8437dca4c67f0a588a93a

Analysis

max time kernel
45s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 22:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

082ad31e1b1ea21da55efece8ef4c2d35b2bf80b46a8437dca4c67f0a588a93a.exe
Size

2.0MB
MD5

6953ee95967a44e906926877f205bf6a
SHA1

8d1905b37c58e9015e15eea0db491c8c99fe6a86
SHA256

082ad31e1b1ea21da55efece8ef4c2d35b2bf80b46a8437dca4c67f0a588a93a
SHA512

27146a228df0d2ff0400cf1dd40f8c23fe464f0bc72ae35511e9b280e0b8787da45dc57903fcbd064ccc5c0ca71a591895b5864f213f997c9575e6d389ddb7d9
SSDEEP

49152:h1OstarVSg041fkjuYbgXToVxA4fxDKzUoNO:h1O6aUtRjuxToszI

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1100	CjN6frDE5u2aTM8.exe

Loads dropped DLL 4 IoCs

pid	Process
1200	082ad31e1b1ea21da55efece8ef4c2d35b2bf80b46a8437dca4c67f0a588a93a.exe
1100	CjN6frDE5u2aTM8.exe
1020	regsvr32.exe
1212	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhknbpfaahnmbldafnlappcjiielhccd\2.0\manifest.json	CjN6frDE5u2aTM8.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhknbpfaahnmbldafnlappcjiielhccd\2.0\manifest.json	CjN6frDE5u2aTM8.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhknbpfaahnmbldafnlappcjiielhccd\2.0\manifest.json	CjN6frDE5u2aTM8.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	CjN6frDE5u2aTM8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	CjN6frDE5u2aTM8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	CjN6frDE5u2aTM8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	CjN6frDE5u2aTM8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	CjN6frDE5u2aTM8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GoSave\fHnLPex3oDeXoh.dat	CjN6frDE5u2aTM8.exe
File created	C:\Program Files (x86)\GoSave\fHnLPex3oDeXoh.x64.dll	CjN6frDE5u2aTM8.exe
File opened for modification	C:\Program Files (x86)\GoSave\fHnLPex3oDeXoh.x64.dll	CjN6frDE5u2aTM8.exe
File created	C:\Program Files (x86)\GoSave\fHnLPex3oDeXoh.dll	CjN6frDE5u2aTM8.exe
File opened for modification	C:\Program Files (x86)\GoSave\fHnLPex3oDeXoh.dll	CjN6frDE5u2aTM8.exe
File created	C:\Program Files (x86)\GoSave\fHnLPex3oDeXoh.tlb	CjN6frDE5u2aTM8.exe
File opened for modification	C:\Program Files (x86)\GoSave\fHnLPex3oDeXoh.tlb	CjN6frDE5u2aTM8.exe
File created	C:\Program Files (x86)\GoSave\fHnLPex3oDeXoh.dat	CjN6frDE5u2aTM8.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1100	1200	082ad31e1b1ea21da55efece8ef4c2d35b2bf80b46a8437dca4c67f0a588a93a.exe	27
PID 1200 wrote to memory of 1100	1200	082ad31e1b1ea21da55efece8ef4c2d35b2bf80b46a8437dca4c67f0a588a93a.exe	27
PID 1200 wrote to memory of 1100	1200	082ad31e1b1ea21da55efece8ef4c2d35b2bf80b46a8437dca4c67f0a588a93a.exe	27
PID 1200 wrote to memory of 1100	1200	082ad31e1b1ea21da55efece8ef4c2d35b2bf80b46a8437dca4c67f0a588a93a.exe	27
PID 1100 wrote to memory of 1020	1100	CjN6frDE5u2aTM8.exe	28
PID 1100 wrote to memory of 1020	1100	CjN6frDE5u2aTM8.exe	28
PID 1100 wrote to memory of 1020	1100	CjN6frDE5u2aTM8.exe	28
PID 1100 wrote to memory of 1020	1100	CjN6frDE5u2aTM8.exe	28
PID 1100 wrote to memory of 1020	1100	CjN6frDE5u2aTM8.exe	28
PID 1100 wrote to memory of 1020	1100	CjN6frDE5u2aTM8.exe	28
PID 1100 wrote to memory of 1020	1100	CjN6frDE5u2aTM8.exe	28
PID 1020 wrote to memory of 1212	1020	regsvr32.exe	29
PID 1020 wrote to memory of 1212	1020	regsvr32.exe	29
PID 1020 wrote to memory of 1212	1020	regsvr32.exe	29
PID 1020 wrote to memory of 1212	1020	regsvr32.exe	29
PID 1020 wrote to memory of 1212	1020	regsvr32.exe	29
PID 1020 wrote to memory of 1212	1020	regsvr32.exe	29
PID 1020 wrote to memory of 1212	1020	regsvr32.exe	29

C:\Users\Admin\AppData\Local\Temp\082ad31e1b1ea21da55efece8ef4c2d35b2bf80b46a8437dca4c67f0a588a93a.exe
"C:\Users\Admin\AppData\Local\Temp\082ad31e1b1ea21da55efece8ef4c2d35b2bf80b46a8437dca4c67f0a588a93a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\7zS251E.tmp\CjN6frDE5u2aTM8.exe
  .\CjN6frDE5u2aTM8.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSave\fHnLPex3oDeXoh.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSave\fHnLPex3oDeXoh.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\fHnLPex3oDeXoh.dat

Filesize
6KB

MD5
761f2f1735b069112d43978a3b671fcc

SHA1
6004a9c772106e96f6c16873003618570e47b283

SHA256
736bb75a54f54e824c70c6d741a4dfbc69959e84ad1b7f16b431d279fa0ff93c

SHA512
d15e27b39ec8d9b68233515bda6d29b0d6f2971c60d51d7fa111a944ecc5aae20533b50f5b70587da8fe39308090b83f1d944ef27b727c90e047bba0c3361eb2

Download Submit
C:\Program Files (x86)\GoSave\fHnLPex3oDeXoh.x64.dll

Filesize
690KB

MD5
ab91ec5e21166a3ddae814ef1e3ceb3d

SHA1
16fd5cbd57915622a00d2097cde5892cf9a9aafc

SHA256
572e6027916f88025379a27c58d1148c06a2afd132ce8d859a3a9fc6bf980e5d

SHA512
3e457b795f9fab1b756f0552b4f5a57d9a1075ff332cecd0f268e9e35eda8575bb8d03910e3182896d29e26c35181b2ab41867193e216ce80440e032307fbc52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS251E.tmp\CjN6frDE5u2aTM8.dat

Filesize
6KB

MD5
761f2f1735b069112d43978a3b671fcc

SHA1
6004a9c772106e96f6c16873003618570e47b283

SHA256
736bb75a54f54e824c70c6d741a4dfbc69959e84ad1b7f16b431d279fa0ff93c

SHA512
d15e27b39ec8d9b68233515bda6d29b0d6f2971c60d51d7fa111a944ecc5aae20533b50f5b70587da8fe39308090b83f1d944ef27b727c90e047bba0c3361eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS251E.tmp\CjN6frDE5u2aTM8.exe

Filesize
615KB

MD5
4b31c5b7c82ea1054f636e227d7c287f

SHA1
571275d5dc1d9014b0eaf309922c7c9b3db9aaa4

SHA256
77486b6a22124d6851c016187a7bdf7100d358c42a855065d54e9e9c1cfb2a77

SHA512
a341718979646a3c1567b463d2b33014c7f3e5f2aa13f68e449e32dc2616328c7e7c4c7703140994be4489e2873c63ac5d02d63bade3b32471ff77108485b92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS251E.tmp\CjN6frDE5u2aTM8.exe

Filesize
615KB

MD5
4b31c5b7c82ea1054f636e227d7c287f

SHA1
571275d5dc1d9014b0eaf309922c7c9b3db9aaa4

SHA256
77486b6a22124d6851c016187a7bdf7100d358c42a855065d54e9e9c1cfb2a77

SHA512
a341718979646a3c1567b463d2b33014c7f3e5f2aa13f68e449e32dc2616328c7e7c4c7703140994be4489e2873c63ac5d02d63bade3b32471ff77108485b92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS251E.tmp\fHnLPex3oDeXoh.dll

Filesize
612KB

MD5
1a08953d578fde31c69aad70ffc8843b

SHA1
def14be28cdfdbc14e860a19a69b3bb304357a17

SHA256
8d93c8f0bd4e85cd960321d03b52c1832f3131424c13df0c42a033d55d5abeb9

SHA512
34275ca2feee29e7b3447a47e1edbb2fe18d921d10322efe94f84986f041701e76f6fbb85c9f7582bfbeadbc92993d4dcdcfc3c35c421f340fcce835b8ad720e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS251E.tmp\fHnLPex3oDeXoh.tlb

Filesize
3KB

MD5
e54f4f2fa4156050e1b34115a3fad7b1

SHA1
fcea121f093562e611f3b2632610a709817f293f

SHA256
05c718a1e3a7360311b6bcd2fcc1ec5ec3afd43063d3d937e18e8d318f609898

SHA512
0efa8a7f85ca4111456b26a8a9bfeda0cef15dc9b84535db65195a760a9f8afc7908e2a1beb37af038a708b6f6c5360398879082fd34d4a1abccfe6e7fe65ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS251E.tmp\fHnLPex3oDeXoh.x64.dll

Filesize
690KB

MD5
ab91ec5e21166a3ddae814ef1e3ceb3d

SHA1
16fd5cbd57915622a00d2097cde5892cf9a9aafc

SHA256
572e6027916f88025379a27c58d1148c06a2afd132ce8d859a3a9fc6bf980e5d

SHA512
3e457b795f9fab1b756f0552b4f5a57d9a1075ff332cecd0f268e9e35eda8575bb8d03910e3182896d29e26c35181b2ab41867193e216ce80440e032307fbc52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS251E.tmp\hhknbpfaahnmbldafnlappcjiielhccd\RsM5.js

Filesize
5KB

MD5
c94051a10e068afc25c8e5ba3e2b64ab

SHA1
a8df0a0ea62a5e942c478bfde368c246ce62a938

SHA256
1b843b87a4672a0dba4476ba322b080036e252eba869ed2fd43f521c364c6e8c

SHA512
39b82746ed1e180c8888881e1d08be8f1ed0469b2619ede8c6f4540e36bb721726c518ef7ff7d8a0722c1cdcefe759cf9d13e37d76e17a5acf8fb94eaa2ed229

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS251E.tmp\hhknbpfaahnmbldafnlappcjiielhccd\background.html

Filesize
141B

MD5
df47c99691c69fb4e8b46e72a97f5628

SHA1
7ad306f4a194aaf235bce432aeb0a61d5d6d741e

SHA256
050ae789f0d9b98186522779918a4a9d2a49f64f1ad66793972e1da5e77492fc

SHA512
5637398a4d3ad95394f5f558f1b13f80b9bc8152da3369612a3981d60208c1d462083b8de97bd1952f726d5d1d1c29fdd3bc3c6deb5af1df54ae6da762e84fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS251E.tmp\hhknbpfaahnmbldafnlappcjiielhccd\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS251E.tmp\hhknbpfaahnmbldafnlappcjiielhccd\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS251E.tmp\hhknbpfaahnmbldafnlappcjiielhccd\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS251E.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS251E.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
88748d83b536a748e489d87bc3d1a86b

SHA1
11bd2b2a14e354dffc33a67136fdc60cf2bdb0ad

SHA256
7c52467aec77043cdb1a98b75c05251d834a01a3ccd071a8d1ae48d3a64bf01e

SHA512
cb2e643ebb9c2602441c179aef9a2916379a06e485853ce350455aa3e5916751c7e42c8af6a89e42030f2f9b0e8122b1d0fccc966d508489409552cb820beb14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS251E.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
f2d4a44cd88a3087e5e5523ee2ab4e44

SHA1
2d78c3bef1394896cc162b8a92d2340db41b23f3

SHA256
ca179d2730552a4d24855963e5e835a3c59edcd0e5758ad5b263eebcf613c7a9

SHA512
48603d5890dc8e4a471c8ce443529387f943c75c69813f98a9295e7c566643fe409e97de43872b93f5792f4bf4945df452cd2c6290a20acf99beb9bcb701df04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS251E.tmp\[email protected]\install.rdf

Filesize
598B

MD5
321c25e6ba79ba5c05e4cf49d4c84821

SHA1
d64507c32f097f4412821ad8cf45cace659c0c8f

SHA256
5ca5a7113cde905ea177828292a307edb91f8553debbf11164aaeb1871fdc936

SHA512
03311c240fa7a25505ce2483d753733e6bd698a3859efbcc6558094ed8b1ed05c55b1c5a1403d0a40e93ddeecc89aa612b3247ccdb39efee227372d53ff78a77

Download Submit
\Program Files (x86)\GoSave\fHnLPex3oDeXoh.dll

Filesize
612KB

MD5
1a08953d578fde31c69aad70ffc8843b

SHA1
def14be28cdfdbc14e860a19a69b3bb304357a17

SHA256
8d93c8f0bd4e85cd960321d03b52c1832f3131424c13df0c42a033d55d5abeb9

SHA512
34275ca2feee29e7b3447a47e1edbb2fe18d921d10322efe94f84986f041701e76f6fbb85c9f7582bfbeadbc92993d4dcdcfc3c35c421f340fcce835b8ad720e

Download Submit
\Program Files (x86)\GoSave\fHnLPex3oDeXoh.x64.dll

Filesize
690KB

MD5
ab91ec5e21166a3ddae814ef1e3ceb3d

SHA1
16fd5cbd57915622a00d2097cde5892cf9a9aafc

SHA256
572e6027916f88025379a27c58d1148c06a2afd132ce8d859a3a9fc6bf980e5d

SHA512
3e457b795f9fab1b756f0552b4f5a57d9a1075ff332cecd0f268e9e35eda8575bb8d03910e3182896d29e26c35181b2ab41867193e216ce80440e032307fbc52

Download Submit
\Program Files (x86)\GoSave\fHnLPex3oDeXoh.x64.dll

Filesize
690KB

MD5
ab91ec5e21166a3ddae814ef1e3ceb3d

SHA1
16fd5cbd57915622a00d2097cde5892cf9a9aafc

SHA256
572e6027916f88025379a27c58d1148c06a2afd132ce8d859a3a9fc6bf980e5d

SHA512
3e457b795f9fab1b756f0552b4f5a57d9a1075ff332cecd0f268e9e35eda8575bb8d03910e3182896d29e26c35181b2ab41867193e216ce80440e032307fbc52

Download Submit
\Users\Admin\AppData\Local\Temp\7zS251E.tmp\CjN6frDE5u2aTM8.exe

Filesize
615KB

MD5
4b31c5b7c82ea1054f636e227d7c287f

SHA1
571275d5dc1d9014b0eaf309922c7c9b3db9aaa4

SHA256
77486b6a22124d6851c016187a7bdf7100d358c42a855065d54e9e9c1cfb2a77

SHA512
a341718979646a3c1567b463d2b33014c7f3e5f2aa13f68e449e32dc2616328c7e7c4c7703140994be4489e2873c63ac5d02d63bade3b32471ff77108485b92f

Download Submit
memory/1200-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1212-78-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

Filesize
8KB

Download