f1605e8c606ee1add8cb24974c017089f5db9dd85a9e46664768ea802828ef9e

Analysis

max time kernel
91s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2022, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1605e8c606ee1add8cb24974c017089f5db9dd85a9e46664768ea802828ef9e.exe
Size

2.0MB
MD5

c9f92b44644b745f6e3491aeec6cba0a
SHA1

c0b3f8c70e8010d2deec209a86f5245b79519bd2
SHA256

f1605e8c606ee1add8cb24974c017089f5db9dd85a9e46664768ea802828ef9e
SHA512

06f922d2af701a24478167f1d40dfc3530a9a12c2c3c14305c3786eb22cbdae552a31e276d330da9dd40bbe172204c8b3475a5290cb4d820bc6d65e4e6668f2a
SSDEEP

49152:h1OslUpag+Qk/+ouXBVm/KLp0f5fR6Tu3PHYwxzILQJsa7P:h1OOUpAWouXBVm/KLp0+Tu3jP

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4964	8tXIGbOUcI7V7CP.exe

Loads dropped DLL 3 IoCs

pid	Process
4964	8tXIGbOUcI7V7CP.exe
4852	regsvr32.exe
4480	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\pobbggnihgkgfhhogldlmcmonbbbdpea\2.0\manifest.json	8tXIGbOUcI7V7CP.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pobbggnihgkgfhhogldlmcmonbbbdpea\2.0\manifest.json	8tXIGbOUcI7V7CP.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pobbggnihgkgfhhogldlmcmonbbbdpea\2.0\manifest.json	8tXIGbOUcI7V7CP.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\pobbggnihgkgfhhogldlmcmonbbbdpea\2.0\manifest.json	8tXIGbOUcI7V7CP.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\pobbggnihgkgfhhogldlmcmonbbbdpea\2.0\manifest.json	8tXIGbOUcI7V7CP.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	8tXIGbOUcI7V7CP.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	8tXIGbOUcI7V7CP.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	8tXIGbOUcI7V7CP.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	8tXIGbOUcI7V7CP.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GoSaeve\puPjKQOZuhRLyM.x64.dll	8tXIGbOUcI7V7CP.exe
File created	C:\Program Files (x86)\GoSaeve\puPjKQOZuhRLyM.dll	8tXIGbOUcI7V7CP.exe
File opened for modification	C:\Program Files (x86)\GoSaeve\puPjKQOZuhRLyM.dll	8tXIGbOUcI7V7CP.exe
File created	C:\Program Files (x86)\GoSaeve\puPjKQOZuhRLyM.tlb	8tXIGbOUcI7V7CP.exe
File opened for modification	C:\Program Files (x86)\GoSaeve\puPjKQOZuhRLyM.tlb	8tXIGbOUcI7V7CP.exe
File created	C:\Program Files (x86)\GoSaeve\puPjKQOZuhRLyM.dat	8tXIGbOUcI7V7CP.exe
File opened for modification	C:\Program Files (x86)\GoSaeve\puPjKQOZuhRLyM.dat	8tXIGbOUcI7V7CP.exe
File created	C:\Program Files (x86)\GoSaeve\puPjKQOZuhRLyM.x64.dll	8tXIGbOUcI7V7CP.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 4964	5060	f1605e8c606ee1add8cb24974c017089f5db9dd85a9e46664768ea802828ef9e.exe	81
PID 5060 wrote to memory of 4964	5060	f1605e8c606ee1add8cb24974c017089f5db9dd85a9e46664768ea802828ef9e.exe	81
PID 5060 wrote to memory of 4964	5060	f1605e8c606ee1add8cb24974c017089f5db9dd85a9e46664768ea802828ef9e.exe	81
PID 4964 wrote to memory of 4852	4964	8tXIGbOUcI7V7CP.exe	82
PID 4964 wrote to memory of 4852	4964	8tXIGbOUcI7V7CP.exe	82
PID 4964 wrote to memory of 4852	4964	8tXIGbOUcI7V7CP.exe	82
PID 4852 wrote to memory of 4480	4852	regsvr32.exe	83
PID 4852 wrote to memory of 4480	4852	regsvr32.exe	83

C:\Users\Admin\AppData\Local\Temp\f1605e8c606ee1add8cb24974c017089f5db9dd85a9e46664768ea802828ef9e.exe
"C:\Users\Admin\AppData\Local\Temp\f1605e8c606ee1add8cb24974c017089f5db9dd85a9e46664768ea802828ef9e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\7zSE0DF.tmp\8tXIGbOUcI7V7CP.exe
  .\8tXIGbOUcI7V7CP.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSaeve\puPjKQOZuhRLyM.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSaeve\puPjKQOZuhRLyM.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:4480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSaeve\puPjKQOZuhRLyM.dat

Filesize
6KB

MD5
48d446859ce1ec63b849a48a10b560c5

SHA1
724e03e29ce346617eb770af59295b61904ea537

SHA256
476b70aba6dcc0b29ab4936810b1634bc2744aa444c45063f8cd226c44cc3593

SHA512
456d475a053bcf78ab8311a9afc0812131e15b3b83685c447fcc8d1abaefc773dae9479d1fa13a2fccb1922d964b0c194252b845f35e8b879bd060f96f276d25

Download Submit
C:\Program Files (x86)\GoSaeve\puPjKQOZuhRLyM.dll

Filesize
611KB

MD5
63adb99739052e3d6c04c799f7d43edc

SHA1
f58f054cd6598ed22b70e4623312c2e8f1eba1d3

SHA256
8cda707d508ffb1c1ce6e6066e2b7b782702f8935c7a6a4219f97d2b340efd53

SHA512
232a9cd07a12918901fbea1b7e237cb6105b7c53dd00f0e7418cbc3dfbc462210b6f034db4e68eefbe671de62c43303c37ad67b802c8ad7a5ac2195ce527e673

Download Submit
C:\Program Files (x86)\GoSaeve\puPjKQOZuhRLyM.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
C:\Program Files (x86)\GoSaeve\puPjKQOZuhRLyM.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
C:\Program Files (x86)\GoSaeve\puPjKQOZuhRLyM.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DF.tmp\8tXIGbOUcI7V7CP.dat

Filesize
6KB

MD5
48d446859ce1ec63b849a48a10b560c5

SHA1
724e03e29ce346617eb770af59295b61904ea537

SHA256
476b70aba6dcc0b29ab4936810b1634bc2744aa444c45063f8cd226c44cc3593

SHA512
456d475a053bcf78ab8311a9afc0812131e15b3b83685c447fcc8d1abaefc773dae9479d1fa13a2fccb1922d964b0c194252b845f35e8b879bd060f96f276d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DF.tmp\8tXIGbOUcI7V7CP.exe

Filesize
627KB

MD5
cd2adf3ef46ba68dacaddef767a60926

SHA1
2936664364c94dbe44343dd0aa7de243c82582b0

SHA256
7d37cc35dc3ae28943f203a0f8d62d0ffd838e9f63f667dc465fa0534fbc4cb1

SHA512
3b7785f0b8346d179bce0eb8253a54975e41c99089719d1bc95e1bcf501ab13813ef6392fc2392d4af7225245f9836ba652abfc9eeea4cd3e678e9b1850ed222

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DF.tmp\8tXIGbOUcI7V7CP.exe

Filesize
627KB

MD5
cd2adf3ef46ba68dacaddef767a60926

SHA1
2936664364c94dbe44343dd0aa7de243c82582b0

SHA256
7d37cc35dc3ae28943f203a0f8d62d0ffd838e9f63f667dc465fa0534fbc4cb1

SHA512
3b7785f0b8346d179bce0eb8253a54975e41c99089719d1bc95e1bcf501ab13813ef6392fc2392d4af7225245f9836ba652abfc9eeea4cd3e678e9b1850ed222

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DF.tmp\pobbggnihgkgfhhogldlmcmonbbbdpea\ErbHJv9g.js

Filesize
5KB

MD5
3d25b3b3aab3c93503d4a10faaa33dba

SHA1
5854b3079838b3dfb25f64f0f78ad6fcb202e0bd

SHA256
ec70b09e94286e8238b4bb45d9b99ce3db0843ad2a98121703a29760fd528df5

SHA512
482f1f6a3caeaf975be9332cae5316cfaf9ad2ca8488bea769639230b4213b0e0fbd32ee91745ec58fdf161902e6ac7bcf14656e43ca06831530a1b14374df92

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DF.tmp\pobbggnihgkgfhhogldlmcmonbbbdpea\background.html

Filesize
145B

MD5
deb5510f681f6e572a3fd9825d27251b

SHA1
cb551125149baab8a0fae196c13658b1b0719127

SHA256
e5f04584fa1e3c31df051f015ad13b0c9a5b6c213599784e9307b47d051c82dc

SHA512
2afc5e2c091a6c704c579bc57a2fda0a5e2bbd01a3b8117b8645cdcf2a13f83cb5eb3f8564258bcad788bb737d64347f8aa96e2dde45d27399253c75b1356858

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DF.tmp\pobbggnihgkgfhhogldlmcmonbbbdpea\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DF.tmp\pobbggnihgkgfhhogldlmcmonbbbdpea\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DF.tmp\pobbggnihgkgfhhogldlmcmonbbbdpea\manifest.json

Filesize
499B

MD5
e2f60f27c8e77e5333144ee8f1c2391f

SHA1
8842255ea8fef0482f3d96ff8f74ca0cd5703faf

SHA256
c97e2855932cd5175fbba70e891d4d34bc9664aaf2d1d215119f48bc532f4ded

SHA512
4fd78c2395ed234f0530bb236cf194891d0bd974efeaea2171c6ef04640d7c819302d9d2a738855472adc5bb9e15f8195e723ff2a2ef048bc354fe1433756d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DF.tmp\puPjKQOZuhRLyM.dll

Filesize
611KB

MD5
63adb99739052e3d6c04c799f7d43edc

SHA1
f58f054cd6598ed22b70e4623312c2e8f1eba1d3

SHA256
8cda707d508ffb1c1ce6e6066e2b7b782702f8935c7a6a4219f97d2b340efd53

SHA512
232a9cd07a12918901fbea1b7e237cb6105b7c53dd00f0e7418cbc3dfbc462210b6f034db4e68eefbe671de62c43303c37ad67b802c8ad7a5ac2195ce527e673

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DF.tmp\puPjKQOZuhRLyM.tlb

Filesize
3KB

MD5
08b4ac9069400749555355a5f1e6b8ad

SHA1
ec078fae45087bb2ab63497cd2b4b844c178ec3c

SHA256
f996571eef02335d08b6c073024cef3ea616bb39f9d9742ffa6783f4e22c3997

SHA512
5001f7ca20cca5e85f9c6c1d90ffc2f9a25606d877ee4e6d33a727b6f689989b0486dbea62c66d2d1097194a353566de9d8b6b2bff33613a7ab763c98ca1e1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DF.tmp\puPjKQOZuhRLyM.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DF.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DF.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
ab9057fd7da9cc5b448c773f151453c3

SHA1
dcad156e36ec1877466a7646b47a69afaf986579

SHA256
66c5c0b7af78e013b3bcac0c3bc533bbe3ed83643da7453e10f435498deca132

SHA512
d59e5fd221745c0ef477dfb2aa324f82cf31cd5d2e3195257bb868c7ce4c7993dc6d5e496cdbc3d00fdcc29349fd72759ee7f87d89730c3d561c6b920bdb0056

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DF.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
342f3439612fe735a91cb91695a8746c

SHA1
989e45b41e1f1e0d1265bfe509de3aced1a9b1d5

SHA256
20381af5fc56a857bbf444b49b92ff207530cf5799fd64e2487f400af015eb98

SHA512
cdd32f3cebff56e91186c30f7223e9748fcb3a8edd4b93a7da4b2265489e5c5e1102edc210e66c7a0d44765fe78fd61572352857e1d3a4a8200639136a7624c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE0DF.tmp\[email protected]\install.rdf

Filesize
594B

MD5
f20b8d4537b3b2904efab96556aea86d

SHA1
a0900b73ce4fe8b7cbeef6b29ff088bbd45aabd7

SHA256
21dfea02095381500792f468841bfadffde70c621e28e4623f5836ee1f2bb8f3

SHA512
95ab7793122a49c05fceed281b7b8b876acbbe1cd5be89726a85f951c040e3a36513c18c6507751677df452ae39366d50c55cb7c61330b82c6b566754c0987e5

Download Submit