0b550368b7fd8121d1c6829ece3096b0a8226b9a79c8fc6bbf5fd7708df27eb1

Analysis

max time kernel
39s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 23:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0b550368b7fd8121d1c6829ece3096b0a8226b9a79c8fc6bbf5fd7708df27eb1.exe
Size

2.1MB
MD5

aa225e11000bdb7eea787385e8dd910e
SHA1

33fca97dd1956de40051205c22961f9aa6d324a4
SHA256

0b550368b7fd8121d1c6829ece3096b0a8226b9a79c8fc6bbf5fd7708df27eb1
SHA512

6f4b0c7ac33c44cce4ac04909c8ca59854fc9e8af3b828cc000ac52e8c8486c032a425f0be9123c7383f5ce81f06230ad6402aafc42c0baa95a7cc3d5c7f2e4e
SSDEEP

49152:h1OspyuyoY0IKAVWQrQSM5eeHY1h2PlSUQ8Pcib:h1OwgoP9oM5LFz

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2032	ALWNKqWi6sSHAMq.exe

Loads dropped DLL 4 IoCs

pid	Process
1088	0b550368b7fd8121d1c6829ece3096b0a8226b9a79c8fc6bbf5fd7708df27eb1.exe
2032	ALWNKqWi6sSHAMq.exe
1632	regsvr32.exe
1464	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jogjnehemojjfemgmjgjfgdgglicpidh\2.0\manifest.json	ALWNKqWi6sSHAMq.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\jogjnehemojjfemgmjgjfgdgglicpidh\2.0\manifest.json	ALWNKqWi6sSHAMq.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jogjnehemojjfemgmjgjfgdgglicpidh\2.0\manifest.json	ALWNKqWi6sSHAMq.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	ALWNKqWi6sSHAMq.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	ALWNKqWi6sSHAMq.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	ALWNKqWi6sSHAMq.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	ALWNKqWi6sSHAMq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	ALWNKqWi6sSHAMq.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GuoSavuE\gQM4VVcgVUhSgK.dat	ALWNKqWi6sSHAMq.exe
File opened for modification	C:\Program Files (x86)\GuoSavuE\gQM4VVcgVUhSgK.dat	ALWNKqWi6sSHAMq.exe
File created	C:\Program Files (x86)\GuoSavuE\gQM4VVcgVUhSgK.x64.dll	ALWNKqWi6sSHAMq.exe
File opened for modification	C:\Program Files (x86)\GuoSavuE\gQM4VVcgVUhSgK.x64.dll	ALWNKqWi6sSHAMq.exe
File created	C:\Program Files (x86)\GuoSavuE\gQM4VVcgVUhSgK.dll	ALWNKqWi6sSHAMq.exe
File opened for modification	C:\Program Files (x86)\GuoSavuE\gQM4VVcgVUhSgK.dll	ALWNKqWi6sSHAMq.exe
File created	C:\Program Files (x86)\GuoSavuE\gQM4VVcgVUhSgK.tlb	ALWNKqWi6sSHAMq.exe
File opened for modification	C:\Program Files (x86)\GuoSavuE\gQM4VVcgVUhSgK.tlb	ALWNKqWi6sSHAMq.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 2032	1088	0b550368b7fd8121d1c6829ece3096b0a8226b9a79c8fc6bbf5fd7708df27eb1.exe	26
PID 1088 wrote to memory of 2032	1088	0b550368b7fd8121d1c6829ece3096b0a8226b9a79c8fc6bbf5fd7708df27eb1.exe	26
PID 1088 wrote to memory of 2032	1088	0b550368b7fd8121d1c6829ece3096b0a8226b9a79c8fc6bbf5fd7708df27eb1.exe	26
PID 1088 wrote to memory of 2032	1088	0b550368b7fd8121d1c6829ece3096b0a8226b9a79c8fc6bbf5fd7708df27eb1.exe	26
PID 2032 wrote to memory of 1632	2032	ALWNKqWi6sSHAMq.exe	27
PID 2032 wrote to memory of 1632	2032	ALWNKqWi6sSHAMq.exe	27
PID 2032 wrote to memory of 1632	2032	ALWNKqWi6sSHAMq.exe	27
PID 2032 wrote to memory of 1632	2032	ALWNKqWi6sSHAMq.exe	27
PID 2032 wrote to memory of 1632	2032	ALWNKqWi6sSHAMq.exe	27
PID 2032 wrote to memory of 1632	2032	ALWNKqWi6sSHAMq.exe	27
PID 2032 wrote to memory of 1632	2032	ALWNKqWi6sSHAMq.exe	27
PID 1632 wrote to memory of 1464	1632	regsvr32.exe	28
PID 1632 wrote to memory of 1464	1632	regsvr32.exe	28
PID 1632 wrote to memory of 1464	1632	regsvr32.exe	28
PID 1632 wrote to memory of 1464	1632	regsvr32.exe	28
PID 1632 wrote to memory of 1464	1632	regsvr32.exe	28
PID 1632 wrote to memory of 1464	1632	regsvr32.exe	28
PID 1632 wrote to memory of 1464	1632	regsvr32.exe	28

C:\Users\Admin\AppData\Local\Temp\0b550368b7fd8121d1c6829ece3096b0a8226b9a79c8fc6bbf5fd7708df27eb1.exe
"C:\Users\Admin\AppData\Local\Temp\0b550368b7fd8121d1c6829ece3096b0a8226b9a79c8fc6bbf5fd7708df27eb1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Users\Admin\AppData\Local\Temp\7zS48D4.tmp\ALWNKqWi6sSHAMq.exe
  .\ALWNKqWi6sSHAMq.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GuoSavuE\gQM4VVcgVUhSgK.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GuoSavuE\gQM4VVcgVUhSgK.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GuoSavuE\gQM4VVcgVUhSgK.dat

Filesize
6KB

MD5
796e9adbde4df5981d85e73e62ab41ad

SHA1
498f9144bb57e4c9977b3bad762c26a7c53b2d58

SHA256
44bcb14ef4be8058908b3d6bca00a8868acee593988dd37a567d8f595e290266

SHA512
b15de15cc9fe55dad56ca6278fb2c61276da6e8ec098f2c1038c3e4a5aa8250f30084f6dc774e5ceece48cc43b2f3ecc8816fbd283e223777d23780c28e0d283

Download Submit
C:\Program Files (x86)\GuoSavuE\gQM4VVcgVUhSgK.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS48D4.tmp\ALWNKqWi6sSHAMq.dat

Filesize
6KB

MD5
796e9adbde4df5981d85e73e62ab41ad

SHA1
498f9144bb57e4c9977b3bad762c26a7c53b2d58

SHA256
44bcb14ef4be8058908b3d6bca00a8868acee593988dd37a567d8f595e290266

SHA512
b15de15cc9fe55dad56ca6278fb2c61276da6e8ec098f2c1038c3e4a5aa8250f30084f6dc774e5ceece48cc43b2f3ecc8816fbd283e223777d23780c28e0d283

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS48D4.tmp\ALWNKqWi6sSHAMq.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS48D4.tmp\ALWNKqWi6sSHAMq.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS48D4.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS48D4.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
413cf1138e2ef51f230f217dbda4f5bc

SHA1
2b9a37c6196b2b8b0e228e79661e0f8cedbe2028

SHA256
63c197d0e220f186c431cfdc749cf471b8388a5365547927881b37af92d99570

SHA512
2d426366f746d27d1770b0ba79c8135aa11e7ae32d806cce981a35bb60764e5b04b2161ad9555ab07f8e64d474e776f336788f19056f42fee3c463c5572c966a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS48D4.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
6322dd09fe0d9bbbf7656c3d8a44edda

SHA1
2721db47db2b637e9e335d99c2b4a134af700aa1

SHA256
aae88a9970f34abdff0921a3eb1485af5cc883ec11ec1512009fa0305d103d81

SHA512
da0cf5d156b70660d7ac7ebf34a7a743a2a1aed6259cc7a0b29bad92885d0766cfe396768b247db422508a91698d4785acd660b7c71187c76ae28ff39c401dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS48D4.tmp\[email protected]\install.rdf

Filesize
592B

MD5
58f689fa3f585a406ef0e777683ea7a8

SHA1
fee0562cb6900758220c051c1135adfb07644e2d

SHA256
d982b8c36ab7960968e0734767dcab964ba359084aeb2c2120abce92391472ff

SHA512
294910ba81777de29eec2c69d435d069bace46fd64c55388c85a9ba01fbead276c82c7007e667f45b76410d8d7c1c4d5cf8489bb508c030d5240fe270cc83747

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS48D4.tmp\gQM4VVcgVUhSgK.dll

Filesize
616KB

MD5
ac2bb9f430ee63577e2e658e576fbaa3

SHA1
661dad0abec24f1cd8400e09fd00881d9dd66b02

SHA256
59bb2ef1513927977be1a94a9e7687a92fd078ad343d481ba40edbfbe85e8812

SHA512
f0c2e9c780bcf67147a7c4803ffb292d6b2c4bf0a03f65273a86c6da85c0b5cd1d24d48726d95ed1e5c6b5662b7fcaba65b47bf1e7d906d97c263d2c92285769

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS48D4.tmp\gQM4VVcgVUhSgK.tlb

Filesize
3KB

MD5
52acf269931e562ad7445f7a803bd5e3

SHA1
ef86bb5f96b2bba4c85a73efef5df4a08ab99031

SHA256
bc29a9426767cb54f6f11ea9d457613f858aa0d0e33137ab8ad1f53ff601d8f2

SHA512
545cc433a340e0b6ef70c92ab7854058222bb76385fb4027f1cc174a0baececb48c8e04ea83e9387d2c664505d4dd3799d41512e06c3ec5b4e32d0bf4a84668b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS48D4.tmp\gQM4VVcgVUhSgK.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS48D4.tmp\jogjnehemojjfemgmjgjfgdgglicpidh\X.js

Filesize
5KB

MD5
eff9533e02f3d7e0df68e964ff005a5f

SHA1
9fae7b25c6ae4e412ff464ac6ded90c57e141c4c

SHA256
3e55f251bf9ba74402cc1554d319fdd9428ea965d4db0c09769593d39792c5d3

SHA512
d84432b7738af5d502c59c34fbd3f168c90fb08076716ad65d6e8e7349043c791eb7b87ddae34368fb5e2e672adcb587cf2b32a0dc0b874a40507c1fc8fb2c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS48D4.tmp\jogjnehemojjfemgmjgjfgdgglicpidh\background.html

Filesize
138B

MD5
08c8ecc93ba403be4e220af0cc151954

SHA1
d3bc8b9e622a570a7dc61b7f1ee8d4fee13043bc

SHA256
bcc4f98bd20be32bab22d5e40f43e5ff2395a1e60646bbbdbff85ebd23dbe101

SHA512
84cd597329f507a5018464f4b85a49166345415b0cc1264d17c7fc113bf72cdc3c85bedba3f0c8dd5c57051208bc534ab722404931c740db7600ae44c91faa0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS48D4.tmp\jogjnehemojjfemgmjgjfgdgglicpidh\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS48D4.tmp\jogjnehemojjfemgmjgjfgdgglicpidh\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS48D4.tmp\jogjnehemojjfemgmjgjfgdgglicpidh\manifest.json

Filesize
500B

MD5
cc7d326ef95ded5417e0f0e05a53f04a

SHA1
5111679ea9e4d22fa21d95c17de5e49c32eeff00

SHA256
bcaf25d1e6ad025fc9e8d21a740b4500abe02780c9fe9175ae5a0cfe2167461d

SHA512
cea589993cf6bf6a2ba02024ed94e5f244e0362c356df151c47767ac2e257d9de7cef14da3a76b44fc85b3ed2e142505e44bf73848f881baa5e3f9e9b79e5cd8

Download Submit
\Program Files (x86)\GuoSavuE\gQM4VVcgVUhSgK.dll

Filesize
616KB

MD5
ac2bb9f430ee63577e2e658e576fbaa3

SHA1
661dad0abec24f1cd8400e09fd00881d9dd66b02

SHA256
59bb2ef1513927977be1a94a9e7687a92fd078ad343d481ba40edbfbe85e8812

SHA512
f0c2e9c780bcf67147a7c4803ffb292d6b2c4bf0a03f65273a86c6da85c0b5cd1d24d48726d95ed1e5c6b5662b7fcaba65b47bf1e7d906d97c263d2c92285769

Download Submit
\Program Files (x86)\GuoSavuE\gQM4VVcgVUhSgK.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
\Program Files (x86)\GuoSavuE\gQM4VVcgVUhSgK.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS48D4.tmp\ALWNKqWi6sSHAMq.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
memory/1088-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1464-78-0x000007FEFC431000-0x000007FEFC433000-memory.dmp

Filesize
8KB

Download