956fe2d8118b3f4148df492ad48b61e5c4cf8c2be8c5a3548065bee7cc7f8135

Analysis

max time kernel
93s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2022, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

956fe2d8118b3f4148df492ad48b61e5c4cf8c2be8c5a3548065bee7cc7f8135.exe
Size

2.1MB
MD5

e128422798cf01a1e67a263f71f35e42
SHA1

37753a995adb39ca9ee2975bb4b74fcf1315bed9
SHA256

956fe2d8118b3f4148df492ad48b61e5c4cf8c2be8c5a3548065bee7cc7f8135
SHA512

938aab1ea5629c23c8e6a6d1f0ea54787df6d0231a27418b54dc69d6e4e0844893e16b94f90069224f6b84ac47420e9eef227d50ad187b131bcecac7a1c5a7a3
SSDEEP

49152:h1OsQYSwNMswVQjXY5MrbjcG1qV8OXaDoblqv4:h1O1swVWzbje

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4840	XDZKJm5uR1qpYQJ.exe

Loads dropped DLL 3 IoCs

pid	Process
4840	XDZKJm5uR1qpYQJ.exe
4952	regsvr32.exe
1196	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\akimloofboklodfnhicdfnllpkgkkcnd\2.0\manifest.json	XDZKJm5uR1qpYQJ.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\akimloofboklodfnhicdfnllpkgkkcnd\2.0\manifest.json	XDZKJm5uR1qpYQJ.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\akimloofboklodfnhicdfnllpkgkkcnd\2.0\manifest.json	XDZKJm5uR1qpYQJ.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\akimloofboklodfnhicdfnllpkgkkcnd\2.0\manifest.json	XDZKJm5uR1qpYQJ.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\akimloofboklodfnhicdfnllpkgkkcnd\2.0\manifest.json	XDZKJm5uR1qpYQJ.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	XDZKJm5uR1qpYQJ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	XDZKJm5uR1qpYQJ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	XDZKJm5uR1qpYQJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	XDZKJm5uR1qpYQJ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GGoSave\zZjoxY46tLpZ9g.tlb	XDZKJm5uR1qpYQJ.exe
File opened for modification	C:\Program Files (x86)\GGoSave\zZjoxY46tLpZ9g.tlb	XDZKJm5uR1qpYQJ.exe
File created	C:\Program Files (x86)\GGoSave\zZjoxY46tLpZ9g.dat	XDZKJm5uR1qpYQJ.exe
File opened for modification	C:\Program Files (x86)\GGoSave\zZjoxY46tLpZ9g.dat	XDZKJm5uR1qpYQJ.exe
File created	C:\Program Files (x86)\GGoSave\zZjoxY46tLpZ9g.x64.dll	XDZKJm5uR1qpYQJ.exe
File opened for modification	C:\Program Files (x86)\GGoSave\zZjoxY46tLpZ9g.x64.dll	XDZKJm5uR1qpYQJ.exe
File created	C:\Program Files (x86)\GGoSave\zZjoxY46tLpZ9g.dll	XDZKJm5uR1qpYQJ.exe
File opened for modification	C:\Program Files (x86)\GGoSave\zZjoxY46tLpZ9g.dll	XDZKJm5uR1qpYQJ.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4840	4984	956fe2d8118b3f4148df492ad48b61e5c4cf8c2be8c5a3548065bee7cc7f8135.exe	80
PID 4984 wrote to memory of 4840	4984	956fe2d8118b3f4148df492ad48b61e5c4cf8c2be8c5a3548065bee7cc7f8135.exe	80
PID 4984 wrote to memory of 4840	4984	956fe2d8118b3f4148df492ad48b61e5c4cf8c2be8c5a3548065bee7cc7f8135.exe	80
PID 4840 wrote to memory of 4952	4840	XDZKJm5uR1qpYQJ.exe	81
PID 4840 wrote to memory of 4952	4840	XDZKJm5uR1qpYQJ.exe	81
PID 4840 wrote to memory of 4952	4840	XDZKJm5uR1qpYQJ.exe	81
PID 4952 wrote to memory of 1196	4952	regsvr32.exe	82
PID 4952 wrote to memory of 1196	4952	regsvr32.exe	82

C:\Users\Admin\AppData\Local\Temp\956fe2d8118b3f4148df492ad48b61e5c4cf8c2be8c5a3548065bee7cc7f8135.exe
"C:\Users\Admin\AppData\Local\Temp\956fe2d8118b3f4148df492ad48b61e5c4cf8c2be8c5a3548065bee7cc7f8135.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Users\Admin\AppData\Local\Temp\7zSE786.tmp\XDZKJm5uR1qpYQJ.exe
  .\XDZKJm5uR1qpYQJ.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GGoSave\zZjoxY46tLpZ9g.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GGoSave\zZjoxY46tLpZ9g.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GGoSave\zZjoxY46tLpZ9g.dat

Filesize
6KB

MD5
5306e6d8443a4624200c947bf142caeb

SHA1
18634620ea0165f48efb7b00e2f671d2dce62e49

SHA256
f9b19fb75b8bf2c1961e809360e001523b45079947d575b366f1159d48e2ab4d

SHA512
3b0b496d979f9a5da8cb4d5d30fb07912d9bdd5d827d24ec10824fabf1a5c89820bd055129d6bdb7710ab6dbd23789ff7a541cfba488ce868443b3774eed2908

Download Submit
C:\Program Files (x86)\GGoSave\zZjoxY46tLpZ9g.dll

Filesize
625KB

MD5
ab367f215107cbb61b8f1648b5b6f7ed

SHA1
86f770a443f7a271f31b3c630e4eb0f738f666e7

SHA256
54788dc2fd9d66bfe8f875b357871087f7e771fd53653b451a4ca26294ead451

SHA512
1f17e942fd7be2e143a6c2247af1c73dd555203d5fe4adbd3cd17216313476ecf498ff55c345c9d09ae551d321b3f52b1f802bafe71e1b76d3aff539a38f7a31

Download Submit
C:\Program Files (x86)\GGoSave\zZjoxY46tLpZ9g.x64.dll

Filesize
703KB

MD5
0d6061b4f5aa8ee53f87ca691107c0fd

SHA1
e587fe688c093ce19232fc778cfb1bd52a648025

SHA256
cc427f459e87d67fcc8a57a30e98864567bf000118e88a4365731d3b529df083

SHA512
4730cc581ef45b0f551483b7b78b4f08b45001acad275c4e7bb847a4e0e7b670e812c99f19a451daf52c76a84d693a2beedffcfccd0896e76d36f7ed6ea250aa

Download Submit
C:\Program Files (x86)\GGoSave\zZjoxY46tLpZ9g.x64.dll

Filesize
703KB

MD5
0d6061b4f5aa8ee53f87ca691107c0fd

SHA1
e587fe688c093ce19232fc778cfb1bd52a648025

SHA256
cc427f459e87d67fcc8a57a30e98864567bf000118e88a4365731d3b529df083

SHA512
4730cc581ef45b0f551483b7b78b4f08b45001acad275c4e7bb847a4e0e7b670e812c99f19a451daf52c76a84d693a2beedffcfccd0896e76d36f7ed6ea250aa

Download Submit
C:\Program Files (x86)\GGoSave\zZjoxY46tLpZ9g.x64.dll

Filesize
703KB

MD5
0d6061b4f5aa8ee53f87ca691107c0fd

SHA1
e587fe688c093ce19232fc778cfb1bd52a648025

SHA256
cc427f459e87d67fcc8a57a30e98864567bf000118e88a4365731d3b529df083

SHA512
4730cc581ef45b0f551483b7b78b4f08b45001acad275c4e7bb847a4e0e7b670e812c99f19a451daf52c76a84d693a2beedffcfccd0896e76d36f7ed6ea250aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE786.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE786.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
a11324ecbd5792553721577666fbe230

SHA1
24610add2c04205a74bc38ce97f6eb48b687d5bc

SHA256
94b95411d1b5d04bcc6b26716c1db1c3accd47300e26774b56c7ab475a4fd269

SHA512
25951f70ce5f19503b16f404dfe8aed3486b9c16f32f8925bc14a4a0068eac63812fe0dd17eed1e9f5cfde401c0292cea2a9e35027226fc65e897f6b2cfb2037

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE786.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
1a004b0ede035c10174cc87534b15703

SHA1
ad0671572dd857dbe296319b26d3562480acb4df

SHA256
cdac9e95fde42ac012583a579ae3b7699f659629d20e7367effdc371f2741940

SHA512
0e0a87d45a0fb92d46ab9032a5e33163f23a4546f256d31fca261c9fabe267693be63b81f7f6422c7bb80952d4f9bd55fe25a293b97048b960231cfb37c7eb78

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE786.tmp\[email protected]\install.rdf

Filesize
592B

MD5
8bb8e81dbf5302a1f846cb9505f7d23c

SHA1
57c96fb6cee9fb475ed367ffb71bd36c56e9b668

SHA256
93351b4efaafe1bc1e145df957c308721719ed226a0668fd9ad7be6b236c420e

SHA512
2b9f57047206a14045cb176e498540a9dc7aa1e2c4463f7897a1579f921e8c4ab32492b5ae1fe42b849982c943d51020134be3cb7cf84896b7670f85d9f3a7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE786.tmp\XDZKJm5uR1qpYQJ.dat

Filesize
6KB

MD5
5306e6d8443a4624200c947bf142caeb

SHA1
18634620ea0165f48efb7b00e2f671d2dce62e49

SHA256
f9b19fb75b8bf2c1961e809360e001523b45079947d575b366f1159d48e2ab4d

SHA512
3b0b496d979f9a5da8cb4d5d30fb07912d9bdd5d827d24ec10824fabf1a5c89820bd055129d6bdb7710ab6dbd23789ff7a541cfba488ce868443b3774eed2908

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE786.tmp\XDZKJm5uR1qpYQJ.exe

Filesize
629KB

MD5
bf0455cd4372f05ee076b8c19c6ec36a

SHA1
30e4c2b995667b5818d52fe956b8bd4d604ae03d

SHA256
18421382c4e7f7277915731880a9006e447b75f1559c046eb1d4deb6eb8e1bdd

SHA512
552c915571fda32a00389fd1e77812b7c7e0418d81bfe97c422784320dd250875f31c5c9d5332382773c2528136ab6b4fccceb1af952098cd32aed66dbae034b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE786.tmp\XDZKJm5uR1qpYQJ.exe

Filesize
629KB

MD5
bf0455cd4372f05ee076b8c19c6ec36a

SHA1
30e4c2b995667b5818d52fe956b8bd4d604ae03d

SHA256
18421382c4e7f7277915731880a9006e447b75f1559c046eb1d4deb6eb8e1bdd

SHA512
552c915571fda32a00389fd1e77812b7c7e0418d81bfe97c422784320dd250875f31c5c9d5332382773c2528136ab6b4fccceb1af952098cd32aed66dbae034b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE786.tmp\akimloofboklodfnhicdfnllpkgkkcnd\background.html

Filesize
143B

MD5
74e6ac163d30d570b49f6fa1f8d42460

SHA1
a616d572ced143cbc46a4e13c13bc3e96e977a36

SHA256
cf302fd1aee41a9b355c1927e2df3756a1e5e98219bc2205c02fda4e14c5ffbd

SHA512
1d5c70c8013f4ad151ed0bdffe47df8dcb298d081811d13832404e2c882a8672464c4cd04e6b757e4f7f94536c15a9c783e6e89b4b4f5715e2ba0fb85da42c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE786.tmp\akimloofboklodfnhicdfnllpkgkkcnd\cX60bn.js

Filesize
5KB

MD5
d41d25bd4dfde8d1403c6310a782383a

SHA1
3963d1537cc9ac0c51f2f0700a1412d9037666bb

SHA256
47cf77c0f8f137ab7dc63a34ecbb75830781060066cc17e28913f276fbb11057

SHA512
96d37cbbcf7e1238af4e4c7ef6de54a3f6562d82015f62e4f134e701c9696df04025adee1bc9f54e1361e9fad57fbff5057dbf14130286b228f118180d627858

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE786.tmp\akimloofboklodfnhicdfnllpkgkkcnd\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE786.tmp\akimloofboklodfnhicdfnllpkgkkcnd\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE786.tmp\akimloofboklodfnhicdfnllpkgkkcnd\manifest.json

Filesize
499B

MD5
f280c5b0e5962c3cc88886d712df31b0

SHA1
23a6e758c55cc173c0c01fe86b6f6f3998be4d79

SHA256
42181dce58104d2dfb1dae4dbbee0bcb8f996d34e051189e412077b46ba84c23

SHA512
bcb4bcb9b3aad8a5561b8572a7701eb9017cbb9911066d0088baf08715d70efca806c489c7f8083bddf9749c70e501004ddb60e3236735a136077da881a41bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE786.tmp\zZjoxY46tLpZ9g.dll

Filesize
625KB

MD5
ab367f215107cbb61b8f1648b5b6f7ed

SHA1
86f770a443f7a271f31b3c630e4eb0f738f666e7

SHA256
54788dc2fd9d66bfe8f875b357871087f7e771fd53653b451a4ca26294ead451

SHA512
1f17e942fd7be2e143a6c2247af1c73dd555203d5fe4adbd3cd17216313476ecf498ff55c345c9d09ae551d321b3f52b1f802bafe71e1b76d3aff539a38f7a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE786.tmp\zZjoxY46tLpZ9g.tlb

Filesize
3KB

MD5
a536a00d723aaa8ac36e128c0d280fbc

SHA1
c1613d21e2c3618db804bf768893d518136611f0

SHA256
21112e01fc5d21b7b4de5a0fa8ed5a1132c82461ec13cc716930ad9cd444c792

SHA512
5a68401bcaaf5b6c668ad567621f6373cc1261b93733fc6943ee7a85c86cd9ea4d1abef79816e7afd77701a76c3958ef21910409a8fdc1693c772983d4f4f9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE786.tmp\zZjoxY46tLpZ9g.x64.dll

Filesize
703KB

MD5
0d6061b4f5aa8ee53f87ca691107c0fd

SHA1
e587fe688c093ce19232fc778cfb1bd52a648025

SHA256
cc427f459e87d67fcc8a57a30e98864567bf000118e88a4365731d3b529df083

SHA512
4730cc581ef45b0f551483b7b78b4f08b45001acad275c4e7bb847a4e0e7b670e812c99f19a451daf52c76a84d693a2beedffcfccd0896e76d36f7ed6ea250aa

Download Submit