cce4b983be599432a2be9bb800e8f16be82023cd9144fb89991bc3349e6ccc22

Analysis

max time kernel
54s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cce4b983be599432a2be9bb800e8f16be82023cd9144fb89991bc3349e6ccc22.exe
Size

2.1MB
MD5

2cf56f02efd4cda7557ecd53bc037b63
SHA1

acbc01788b05b1d18f2d84e982b45fc2394eb459
SHA256

cce4b983be599432a2be9bb800e8f16be82023cd9144fb89991bc3349e6ccc22
SHA512

368bcf1df373d4ad474a29a97fbe8857ef839bb166cda39c46cf5459d496585604bcd05780a3fac115c7fbd0140f2613248620afdbca627ad0a06f967596d3c3
SSDEEP

49152:h1OswkMyJo5w3LMa3PYN7i8Y0qKTsab07:h1Ojk/vnYdiR

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1396	NXjTn2PQGDkAhg2.exe

Loads dropped DLL 4 IoCs

pid	Process
1536	cce4b983be599432a2be9bb800e8f16be82023cd9144fb89991bc3349e6ccc22.exe
1396	NXjTn2PQGDkAhg2.exe
524	regsvr32.exe
900	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlghnmdagdfjmokjljmgkhkcaecjjjng\2.0\manifest.json	NXjTn2PQGDkAhg2.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlghnmdagdfjmokjljmgkhkcaecjjjng\2.0\manifest.json	NXjTn2PQGDkAhg2.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlghnmdagdfjmokjljmgkhkcaecjjjng\2.0\manifest.json	NXjTn2PQGDkAhg2.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	NXjTn2PQGDkAhg2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	NXjTn2PQGDkAhg2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	NXjTn2PQGDkAhg2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	NXjTn2PQGDkAhg2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	NXjTn2PQGDkAhg2.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GaoSavee\WGfiwYEqDf1JCU.x64.dll	NXjTn2PQGDkAhg2.exe
File opened for modification	C:\Program Files (x86)\GaoSavee\WGfiwYEqDf1JCU.x64.dll	NXjTn2PQGDkAhg2.exe
File created	C:\Program Files (x86)\GaoSavee\WGfiwYEqDf1JCU.dll	NXjTn2PQGDkAhg2.exe
File opened for modification	C:\Program Files (x86)\GaoSavee\WGfiwYEqDf1JCU.dll	NXjTn2PQGDkAhg2.exe
File created	C:\Program Files (x86)\GaoSavee\WGfiwYEqDf1JCU.tlb	NXjTn2PQGDkAhg2.exe
File opened for modification	C:\Program Files (x86)\GaoSavee\WGfiwYEqDf1JCU.tlb	NXjTn2PQGDkAhg2.exe
File created	C:\Program Files (x86)\GaoSavee\WGfiwYEqDf1JCU.dat	NXjTn2PQGDkAhg2.exe
File opened for modification	C:\Program Files (x86)\GaoSavee\WGfiwYEqDf1JCU.dat	NXjTn2PQGDkAhg2.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 1396	1536	cce4b983be599432a2be9bb800e8f16be82023cd9144fb89991bc3349e6ccc22.exe	28
PID 1536 wrote to memory of 1396	1536	cce4b983be599432a2be9bb800e8f16be82023cd9144fb89991bc3349e6ccc22.exe	28
PID 1536 wrote to memory of 1396	1536	cce4b983be599432a2be9bb800e8f16be82023cd9144fb89991bc3349e6ccc22.exe	28
PID 1536 wrote to memory of 1396	1536	cce4b983be599432a2be9bb800e8f16be82023cd9144fb89991bc3349e6ccc22.exe	28
PID 1396 wrote to memory of 524	1396	NXjTn2PQGDkAhg2.exe	29
PID 1396 wrote to memory of 524	1396	NXjTn2PQGDkAhg2.exe	29
PID 1396 wrote to memory of 524	1396	NXjTn2PQGDkAhg2.exe	29
PID 1396 wrote to memory of 524	1396	NXjTn2PQGDkAhg2.exe	29
PID 1396 wrote to memory of 524	1396	NXjTn2PQGDkAhg2.exe	29
PID 1396 wrote to memory of 524	1396	NXjTn2PQGDkAhg2.exe	29
PID 1396 wrote to memory of 524	1396	NXjTn2PQGDkAhg2.exe	29
PID 524 wrote to memory of 900	524	regsvr32.exe	30
PID 524 wrote to memory of 900	524	regsvr32.exe	30
PID 524 wrote to memory of 900	524	regsvr32.exe	30
PID 524 wrote to memory of 900	524	regsvr32.exe	30
PID 524 wrote to memory of 900	524	regsvr32.exe	30
PID 524 wrote to memory of 900	524	regsvr32.exe	30
PID 524 wrote to memory of 900	524	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\cce4b983be599432a2be9bb800e8f16be82023cd9144fb89991bc3349e6ccc22.exe
"C:\Users\Admin\AppData\Local\Temp\cce4b983be599432a2be9bb800e8f16be82023cd9144fb89991bc3349e6ccc22.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\7zSBE80.tmp\NXjTn2PQGDkAhg2.exe
  .\NXjTn2PQGDkAhg2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GaoSavee\WGfiwYEqDf1JCU.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GaoSavee\WGfiwYEqDf1JCU.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GaoSavee\WGfiwYEqDf1JCU.dat

Filesize
6KB

MD5
006492388666f52e8ad358ba8b730f96

SHA1
0d1eae36d15058922606ff2aae3ce62ad1261642

SHA256
26f20b2ca51edaf71d4fe15411ae6ac99a2597a31d2dc6e361904d11ac44c0d5

SHA512
4ee8ea88bba241b985213e71a00973c97dace40c5c0c246d1f56c8d1c4c98e0ee64453997bea55db4ba7a6f639c2211a8f250b0d87b2aacb6078ff02e029ffe3

Download Submit
C:\Program Files (x86)\GaoSavee\WGfiwYEqDf1JCU.x64.dll

Filesize
699KB

MD5
e9d65b59189466bb82c4bdc0c013182a

SHA1
0cf2ea965ee62ce8e7913b1c7b92bc45abc17272

SHA256
5108837e4c1a0b3f489642c4a99cc16dfd0ebea773f4eccd047fcb182fe55978

SHA512
7e41258d5b8e71599369f517017ddce504a066d000abc74a7d526f089b6340aeebdd6152d42bb5730b8dfe3911d0b54ddb3e47dfdf08a1983e13592c84c18932

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBE80.tmp\NXjTn2PQGDkAhg2.dat

Filesize
6KB

MD5
006492388666f52e8ad358ba8b730f96

SHA1
0d1eae36d15058922606ff2aae3ce62ad1261642

SHA256
26f20b2ca51edaf71d4fe15411ae6ac99a2597a31d2dc6e361904d11ac44c0d5

SHA512
4ee8ea88bba241b985213e71a00973c97dace40c5c0c246d1f56c8d1c4c98e0ee64453997bea55db4ba7a6f639c2211a8f250b0d87b2aacb6078ff02e029ffe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBE80.tmp\NXjTn2PQGDkAhg2.exe

Filesize
628KB

MD5
b59c3001e4489fc70fda8e5d5b31b0fa

SHA1
1a1658f6c3dd993bd3ec08ca7d599327b9be6a58

SHA256
4dee536bea4b65ffa91046262fe8ae0a48088ae21c055063c608f23e670ba0b0

SHA512
40bb40dbea96ab17f1b7d34ff635af97fdf10409a6d85a943f9aa2395a461a134a8ce52d70b76878f6c36d8b3fbf592b627c1b77ed7692c165819541e36fa230

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBE80.tmp\NXjTn2PQGDkAhg2.exe

Filesize
628KB

MD5
b59c3001e4489fc70fda8e5d5b31b0fa

SHA1
1a1658f6c3dd993bd3ec08ca7d599327b9be6a58

SHA256
4dee536bea4b65ffa91046262fe8ae0a48088ae21c055063c608f23e670ba0b0

SHA512
40bb40dbea96ab17f1b7d34ff635af97fdf10409a6d85a943f9aa2395a461a134a8ce52d70b76878f6c36d8b3fbf592b627c1b77ed7692c165819541e36fa230

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBE80.tmp\WGfiwYEqDf1JCU.dll

Filesize
618KB

MD5
fa22e2b9ff3086baceedeafbadec9f28

SHA1
0bb8d621faff9fcfcd8377079b9a47110e8c5c5e

SHA256
57e84f2e0c131c0579c6895ff74cc028885addf1ff80631de2a06b870b808bc3

SHA512
f80f7e0cc59a592c2cc8502a267dbd7811be6d4769ae0a422b4b63bae77e7a817594da98a9c27a75bf70117e6c8f1ed84fe99adc20b0d9c281e8ee9ecf2839a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBE80.tmp\WGfiwYEqDf1JCU.tlb

Filesize
3KB

MD5
446bf1779f1f4c99e90d34218088897a

SHA1
8fbbfe0f6260a33e5e242746f45bab89bc71b1cb

SHA256
fbb113fcbf66becc1465cd0b5238f395a164298d57cb8ae6e860c385fb8c1cd7

SHA512
4977809238dc5c3e4786b777e60c58d2651b3dd46ef4c0ce2ab7bdc206eb9cd836dd803c57c2a3ed4e2e9f0e070eb508b9eb647fe3e8b3b1ecc674f57538717e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBE80.tmp\WGfiwYEqDf1JCU.x64.dll

Filesize
699KB

MD5
e9d65b59189466bb82c4bdc0c013182a

SHA1
0cf2ea965ee62ce8e7913b1c7b92bc45abc17272

SHA256
5108837e4c1a0b3f489642c4a99cc16dfd0ebea773f4eccd047fcb182fe55978

SHA512
7e41258d5b8e71599369f517017ddce504a066d000abc74a7d526f089b6340aeebdd6152d42bb5730b8dfe3911d0b54ddb3e47dfdf08a1983e13592c84c18932

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBE80.tmp\hlghnmdagdfjmokjljmgkhkcaecjjjng\UPzWRcPh2.js

Filesize
5KB

MD5
2251a99017d81588ba4cc0af38deb03b

SHA1
0dface4c33f3739aed293685abeb12eca6e4b8e1

SHA256
9703a0f61747cbdae01f39a416c5a9a796715ebc5e1c26d908014354477a342b

SHA512
2c92c8dfcb39e0d68e083b7ce7e65bdba0a64cb05751ed75a405412f2c56f76da02f8d13a67129a5c5fa947178ee71fd16791ec83596801135312d8d23534a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBE80.tmp\hlghnmdagdfjmokjljmgkhkcaecjjjng\background.html

Filesize
146B

MD5
14e82d0bd964702dc8a92e0b05a68fec

SHA1
a025ef8ba8e3293e473fd11cc722561537afb91c

SHA256
0b3ccfe886e6e333fb5757ee01bac43241adc1ed69c23f6e276619ee1b60bed7

SHA512
c3d960dfc3b1e5cd64b72fa7ff11074d83f61d6c18e7fcef55dd6e7251479531fa0aca6f51e9082efe40952050f62a4a0e373825bd4ee8ba31ae4b1331572ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBE80.tmp\hlghnmdagdfjmokjljmgkhkcaecjjjng\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBE80.tmp\hlghnmdagdfjmokjljmgkhkcaecjjjng\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBE80.tmp\hlghnmdagdfjmokjljmgkhkcaecjjjng\manifest.json

Filesize
500B

MD5
eb888a20d2eb2efe74abe18df58d0172

SHA1
9be6abd96c60161c9e5b85e431e162acc4a2fc06

SHA256
f5a19172f4809cef7d3df5e0e8923e4ae88bafebce4088b11cce27467638b821

SHA512
ff338112cd7c1f827816dfe91c1c977f16697d83a4843be318fd54b4c14f2db060977ed0363acd40c8fb9186796eebff3e48c6d5586049d46ce086f6c605c842

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBE80.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBE80.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
4fa93e182ee3d67892dc1bcc55a35ad9

SHA1
6c3258f38962678e465ec4f9bcebd28c99943f48

SHA256
1ea569052d65d39351fc36dc9f246eb5039f8a350643cd648e9542d7c0344976

SHA512
1cfe16487e533ba4d186aa4813b55b71d5ef5a6f3a30a01ec01183eb2e42320d8129d6ef504cd0febf8600ed0119a0e9542172963b914444c63b8281868e65c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBE80.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
f43fc17e789bb9a181229441ac3bd402

SHA1
00e29277cf4d87f4aeaf5a3af473dd5327bbc13e

SHA256
b4a5176fa17ce2e52f961442754312254d14c9fffbb43ccd3a6a929ae0c079e1

SHA512
c45e7a6e0d79773bea76ccf775a17104fa08ab2b06b8a8dc60a023b3711d986ffdb78b5188789f636f84be01f83079932f6a5c308b8f09f9452a09807bdfc7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBE80.tmp\[email protected]\install.rdf

Filesize
592B

MD5
8bfe1ae62b7227c94c852f3747995fe2

SHA1
16f0b860bafccb2a385f043182f2e29041fcc5e9

SHA256
7726a5386ea7c0ed30381c7194aad3ecfe7f00a016792c0060e45bf7246febd4

SHA512
26c139a0c33822bec7fb243f8dbb31910f96b4e213235fe782ad3f6368802238623474a93bf9c448b8c65a6939c864461cbed37d7e34139833f67d93c9d1b7bd

Download Submit
\Program Files (x86)\GaoSavee\WGfiwYEqDf1JCU.dll

Filesize
618KB

MD5
fa22e2b9ff3086baceedeafbadec9f28

SHA1
0bb8d621faff9fcfcd8377079b9a47110e8c5c5e

SHA256
57e84f2e0c131c0579c6895ff74cc028885addf1ff80631de2a06b870b808bc3

SHA512
f80f7e0cc59a592c2cc8502a267dbd7811be6d4769ae0a422b4b63bae77e7a817594da98a9c27a75bf70117e6c8f1ed84fe99adc20b0d9c281e8ee9ecf2839a5

Download Submit
\Program Files (x86)\GaoSavee\WGfiwYEqDf1JCU.x64.dll

Filesize
699KB

MD5
e9d65b59189466bb82c4bdc0c013182a

SHA1
0cf2ea965ee62ce8e7913b1c7b92bc45abc17272

SHA256
5108837e4c1a0b3f489642c4a99cc16dfd0ebea773f4eccd047fcb182fe55978

SHA512
7e41258d5b8e71599369f517017ddce504a066d000abc74a7d526f089b6340aeebdd6152d42bb5730b8dfe3911d0b54ddb3e47dfdf08a1983e13592c84c18932

Download Submit
\Program Files (x86)\GaoSavee\WGfiwYEqDf1JCU.x64.dll

Filesize
699KB

MD5
e9d65b59189466bb82c4bdc0c013182a

SHA1
0cf2ea965ee62ce8e7913b1c7b92bc45abc17272

SHA256
5108837e4c1a0b3f489642c4a99cc16dfd0ebea773f4eccd047fcb182fe55978

SHA512
7e41258d5b8e71599369f517017ddce504a066d000abc74a7d526f089b6340aeebdd6152d42bb5730b8dfe3911d0b54ddb3e47dfdf08a1983e13592c84c18932

Download Submit
\Users\Admin\AppData\Local\Temp\7zSBE80.tmp\NXjTn2PQGDkAhg2.exe

Filesize
628KB

MD5
b59c3001e4489fc70fda8e5d5b31b0fa

SHA1
1a1658f6c3dd993bd3ec08ca7d599327b9be6a58

SHA256
4dee536bea4b65ffa91046262fe8ae0a48088ae21c055063c608f23e670ba0b0

SHA512
40bb40dbea96ab17f1b7d34ff635af97fdf10409a6d85a943f9aa2395a461a134a8ce52d70b76878f6c36d8b3fbf592b627c1b77ed7692c165819541e36fa230

Download Submit
memory/900-78-0x000007FEFBF91000-0x000007FEFBF93000-memory.dmp

Filesize
8KB

Download
memory/1536-54-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download