f7c70ca9b1e410e92a3b8bdfbdbe495899fe5db26e7aa6e524a58106ebfc65cf

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 22:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f7c70ca9b1e410e92a3b8bdfbdbe495899fe5db26e7aa6e524a58106ebfc65cf.exe
Size

2.1MB
MD5

1da2391c740702a94b5cf6bbe99a36c3
SHA1

4ddd687b581cd8e21d87a2fca3fd34b1378178e3
SHA256

f7c70ca9b1e410e92a3b8bdfbdbe495899fe5db26e7aa6e524a58106ebfc65cf
SHA512

9d205be78f9dec843ffb71473e10d109561e16fbb2f6ebec1894ebdc172343cce17ccbe3b218a5dd8a685cd4f7e85a41fcc1551b2ab1b51e4bdc1168ebc02bfa
SSDEEP

49152:h1OsTPtqGqK2M8f3h4UO2sEYYQvLZwQE5m4o3:h1OIHoxLYYaL

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1080	7HnWYog5qWEYVyQ.exe

Loads dropped DLL 4 IoCs

pid	Process
1056	f7c70ca9b1e410e92a3b8bdfbdbe495899fe5db26e7aa6e524a58106ebfc65cf.exe
1080	7HnWYog5qWEYVyQ.exe
1700	regsvr32.exe
684	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbfpahoekfifpceiielnmhmcphhpjmok\2.0\manifest.json	7HnWYog5qWEYVyQ.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbfpahoekfifpceiielnmhmcphhpjmok\2.0\manifest.json	7HnWYog5qWEYVyQ.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbfpahoekfifpceiielnmhmcphhpjmok\2.0\manifest.json	7HnWYog5qWEYVyQ.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	7HnWYog5qWEYVyQ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	7HnWYog5qWEYVyQ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	7HnWYog5qWEYVyQ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	7HnWYog5qWEYVyQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	7HnWYog5qWEYVyQ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoSaovve\GQBwzANQqVuvJb.x64.dll	7HnWYog5qWEYVyQ.exe
File opened for modification	C:\Program Files (x86)\GoSaovve\GQBwzANQqVuvJb.x64.dll	7HnWYog5qWEYVyQ.exe
File created	C:\Program Files (x86)\GoSaovve\GQBwzANQqVuvJb.dll	7HnWYog5qWEYVyQ.exe
File opened for modification	C:\Program Files (x86)\GoSaovve\GQBwzANQqVuvJb.dll	7HnWYog5qWEYVyQ.exe
File created	C:\Program Files (x86)\GoSaovve\GQBwzANQqVuvJb.tlb	7HnWYog5qWEYVyQ.exe
File opened for modification	C:\Program Files (x86)\GoSaovve\GQBwzANQqVuvJb.tlb	7HnWYog5qWEYVyQ.exe
File created	C:\Program Files (x86)\GoSaovve\GQBwzANQqVuvJb.dat	7HnWYog5qWEYVyQ.exe
File opened for modification	C:\Program Files (x86)\GoSaovve\GQBwzANQqVuvJb.dat	7HnWYog5qWEYVyQ.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1080	1056	f7c70ca9b1e410e92a3b8bdfbdbe495899fe5db26e7aa6e524a58106ebfc65cf.exe	26
PID 1056 wrote to memory of 1080	1056	f7c70ca9b1e410e92a3b8bdfbdbe495899fe5db26e7aa6e524a58106ebfc65cf.exe	26
PID 1056 wrote to memory of 1080	1056	f7c70ca9b1e410e92a3b8bdfbdbe495899fe5db26e7aa6e524a58106ebfc65cf.exe	26
PID 1056 wrote to memory of 1080	1056	f7c70ca9b1e410e92a3b8bdfbdbe495899fe5db26e7aa6e524a58106ebfc65cf.exe	26
PID 1080 wrote to memory of 1700	1080	7HnWYog5qWEYVyQ.exe	27
PID 1080 wrote to memory of 1700	1080	7HnWYog5qWEYVyQ.exe	27
PID 1080 wrote to memory of 1700	1080	7HnWYog5qWEYVyQ.exe	27
PID 1080 wrote to memory of 1700	1080	7HnWYog5qWEYVyQ.exe	27
PID 1080 wrote to memory of 1700	1080	7HnWYog5qWEYVyQ.exe	27
PID 1080 wrote to memory of 1700	1080	7HnWYog5qWEYVyQ.exe	27
PID 1080 wrote to memory of 1700	1080	7HnWYog5qWEYVyQ.exe	27
PID 1700 wrote to memory of 684	1700	regsvr32.exe	28
PID 1700 wrote to memory of 684	1700	regsvr32.exe	28
PID 1700 wrote to memory of 684	1700	regsvr32.exe	28
PID 1700 wrote to memory of 684	1700	regsvr32.exe	28
PID 1700 wrote to memory of 684	1700	regsvr32.exe	28
PID 1700 wrote to memory of 684	1700	regsvr32.exe	28
PID 1700 wrote to memory of 684	1700	regsvr32.exe	28

C:\Users\Admin\AppData\Local\Temp\f7c70ca9b1e410e92a3b8bdfbdbe495899fe5db26e7aa6e524a58106ebfc65cf.exe
"C:\Users\Admin\AppData\Local\Temp\f7c70ca9b1e410e92a3b8bdfbdbe495899fe5db26e7aa6e524a58106ebfc65cf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\AppData\Local\Temp\7zS3055.tmp\7HnWYog5qWEYVyQ.exe
  .\7HnWYog5qWEYVyQ.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSaovve\GQBwzANQqVuvJb.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSaovve\GQBwzANQqVuvJb.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSaovve\GQBwzANQqVuvJb.dat

Filesize
6KB

MD5
d8504c139b6f06d4a304446288c45d0f

SHA1
6bd976751d91f58c1d90aced46cf14aaf2bc2f30

SHA256
ac4ea3f3b849947e08dbb16da1c615763bc9d204a58311738dbd961b7eb0a6ed

SHA512
709f6c1507f885adf991b8a322d02e4ff44b224e0d79a83a872be542d13c3d0374488db0ab69a21a486005ea67e1e71e122a1b8e3c72e00fd57f9633b29a4652

Download Submit
C:\Program Files (x86)\GoSaovve\GQBwzANQqVuvJb.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3055.tmp\7HnWYog5qWEYVyQ.dat

Filesize
6KB

MD5
d8504c139b6f06d4a304446288c45d0f

SHA1
6bd976751d91f58c1d90aced46cf14aaf2bc2f30

SHA256
ac4ea3f3b849947e08dbb16da1c615763bc9d204a58311738dbd961b7eb0a6ed

SHA512
709f6c1507f885adf991b8a322d02e4ff44b224e0d79a83a872be542d13c3d0374488db0ab69a21a486005ea67e1e71e122a1b8e3c72e00fd57f9633b29a4652

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3055.tmp\7HnWYog5qWEYVyQ.exe

Filesize
629KB

MD5
15dada567404c2049507d7098389e997

SHA1
508d8cc90c247e26ce5041c718825734079d841c

SHA256
888d66bccd07a163c4fcf59dca8fb4577fe6ecb7b11c427108b1e0aa45fccc58

SHA512
6fd82c0d06c43b309ce45c048c072c9696dfd6e9a81ec5149df64784f6428c6abe91b9be215b8a47dafc8859319be94bb13fbd2e4bc1795da61b970202a15261

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3055.tmp\7HnWYog5qWEYVyQ.exe

Filesize
629KB

MD5
15dada567404c2049507d7098389e997

SHA1
508d8cc90c247e26ce5041c718825734079d841c

SHA256
888d66bccd07a163c4fcf59dca8fb4577fe6ecb7b11c427108b1e0aa45fccc58

SHA512
6fd82c0d06c43b309ce45c048c072c9696dfd6e9a81ec5149df64784f6428c6abe91b9be215b8a47dafc8859319be94bb13fbd2e4bc1795da61b970202a15261

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3055.tmp\GQBwzANQqVuvJb.dll

Filesize
618KB

MD5
9e56f8bd63dc95894be8b9e660696f1c

SHA1
2efcb8fc0ce33f2ada28fb2a6a17ec43813f80cb

SHA256
93186596d2312706d0623df3c9b9dfdea35546d5506b20216d2a7efeb1d8d79a

SHA512
e52fa89e7cf8ed7419a5f410f6bf46a19695727f19f8eebd714dee9d6f8a9036acc528cd6b0033f70f11a04e18746b814ee2dc494f2fc82db104a876b479d827

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3055.tmp\GQBwzANQqVuvJb.tlb

Filesize
3KB

MD5
713ab144897857b45ce9515c2a1e2d52

SHA1
607a46adbfe1892276898fb6b00e7c62dbf82772

SHA256
3ec756ec9b8c4b03cc723127bc372b67c406a4915fa0a82597b0fb29685096e6

SHA512
b54c6eaf989d9e51ba66278a0991daa14bde0f56e86c8c2fce67f2118e9557307b409fbc9ae48921c37c1869634b2801028d728f4cf3b871ad8971965e3004b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3055.tmp\GQBwzANQqVuvJb.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3055.tmp\gbfpahoekfifpceiielnmhmcphhpjmok\RrScJMS.js

Filesize
5KB

MD5
e3cb5663f0da38d7c8df98a553fd98a6

SHA1
3ed207d1b7efc40a45b205488fd9860f0a832be4

SHA256
6a741b6b9810f479a80e6d80997e5b7c927c42072d8230ce7124383265c365b9

SHA512
3c456f3d0d10f66b964e5e75bb1bb727eaa735f7b12605beca3648ef098ee4916538e70dbabf89a38d270e53d52c903b9f8a76b99ec50fa30d499a3ede46ae66

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3055.tmp\gbfpahoekfifpceiielnmhmcphhpjmok\background.html

Filesize
144B

MD5
3209d0a133f501f319d04f2642464fa7

SHA1
3b0ad98380c2006e6748fa77e21103ef7763e9c1

SHA256
28a40ddde8bd644a83ea89b24fa105993578643128582d1db78196885fa81bde

SHA512
ddf9384d2c617f5d8f1f9047172f70f88dce24b05e438fd55170a9088eed27132434848537e46e086c4cc098400563cb0258178b2b12f7470177bf76b149e6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3055.tmp\gbfpahoekfifpceiielnmhmcphhpjmok\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3055.tmp\gbfpahoekfifpceiielnmhmcphhpjmok\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3055.tmp\gbfpahoekfifpceiielnmhmcphhpjmok\manifest.json

Filesize
500B

MD5
7921de44a05a7d5a421b1ddea44305de

SHA1
6ed568529cbb813888d5ac30b99e75d2d0d90122

SHA256
167478e0d6557cc6613dfa80d934de84910cdbf0379638c173acee91512bb33d

SHA512
3a002cd46f7f36491c0555b534546cbb8713328a387150b2b16a6edb54a7b50a828cd749c0dad6e5c7e01c00ef19514995dfc501245bc9a9d70d93237bf60710

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3055.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3055.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
fe0b36a8051708b23fa756444954985b

SHA1
873825823df69fbb119acd5628eaa1842fab76e1

SHA256
97b482d13cf4aed28ed8a85a7a2042a712bc4b794efd484f8852f8613139a654

SHA512
0a5cb83dc2a79e149a24f13836348b9fbfd3f9ad373eb8a86324bd9b6f63e37f7739dad09662536bad4013beaed8f739a75ce0484e0fa4d0ab2a349a999cd2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3055.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
24ad1c76e68519a5fc6499542ac787e6

SHA1
c77a82f949129b6d95b58a91d1d16cc2c518b600

SHA256
d71a3f4ed727632161aed9e58b2713a2bde020bcad9d6e813e8d25811628e41c

SHA512
f9e9542c1dc628520a79b52eb84864ac09477041102d3ff612c95f1b2c08a372ca5bce7b820fcea9d419bd575b17dff229f65ad6f63bb2fe3175740c17812546

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3055.tmp\[email protected]\install.rdf

Filesize
600B

MD5
414eb43e14056f74847461337f553f75

SHA1
fcd7ccfbba419927dc9a75a3897440899fba9d9d

SHA256
ecd5df1e878403053c9f3fcff516626abe3242069e0d50b5a5b01920449c4c16

SHA512
cd6cfe309bf7445f4664e57b8acf0acd784499174ffafd96caf700ab3061b0ff5a05d17989fee355c78a347e9dea4ac4669376ec943231d75ae8c841be99fd5a

Download Submit
\Program Files (x86)\GoSaovve\GQBwzANQqVuvJb.dll

Filesize
618KB

MD5
9e56f8bd63dc95894be8b9e660696f1c

SHA1
2efcb8fc0ce33f2ada28fb2a6a17ec43813f80cb

SHA256
93186596d2312706d0623df3c9b9dfdea35546d5506b20216d2a7efeb1d8d79a

SHA512
e52fa89e7cf8ed7419a5f410f6bf46a19695727f19f8eebd714dee9d6f8a9036acc528cd6b0033f70f11a04e18746b814ee2dc494f2fc82db104a876b479d827

Download Submit
\Program Files (x86)\GoSaovve\GQBwzANQqVuvJb.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
\Program Files (x86)\GoSaovve\GQBwzANQqVuvJb.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3055.tmp\7HnWYog5qWEYVyQ.exe

Filesize
629KB

MD5
15dada567404c2049507d7098389e997

SHA1
508d8cc90c247e26ce5041c718825734079d841c

SHA256
888d66bccd07a163c4fcf59dca8fb4577fe6ecb7b11c427108b1e0aa45fccc58

SHA512
6fd82c0d06c43b309ce45c048c072c9696dfd6e9a81ec5149df64784f6428c6abe91b9be215b8a47dafc8859319be94bb13fbd2e4bc1795da61b970202a15261

Download Submit
memory/684-78-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/1056-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download