ca5dc82bbb7b6173ae36224eb3e083dd5b06afbefd99e5ca65945462ce0d96e2

Analysis

max time kernel
125s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca5dc82bbb7b6173ae36224eb3e083dd5b06afbefd99e5ca65945462ce0d96e2.exe
Size

2.1MB
MD5

c047b68159e1f29e494a7f5baf7b0dca
SHA1

08506b0c1a7e1c7043b8d45275027b5cb86796cc
SHA256

ca5dc82bbb7b6173ae36224eb3e083dd5b06afbefd99e5ca65945462ce0d96e2
SHA512

65f4299c5de27184c312b94e7305593de019a2e7b07aee26c0a78f7a78bc6203fc73971429301b85adf82afdda95cf705dcd0e1d537c3277303696e9384c206f
SSDEEP

49152:h1OsO86V+vVy495Sb1F1z7odZ9T+BwStr:h1OFxU81F1zsVcr

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

2F7JxpvISf9HxRX.exe

pid process

2236 2F7JxpvISf9HxRX.exe
Loads dropped DLL 3 IoCs

Processes:

2F7JxpvISf9HxRX.exeregsvr32.exeregsvr32.exe

pid process

2236 2F7JxpvISf9HxRX.exe
2636 regsvr32.exe
2684 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2236	2F7JxpvISf9HxRX.exe

pid	process
2236	2F7JxpvISf9HxRX.exe
2636	regsvr32.exe
2684	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

2F7JxpvISf9HxRX.exe

description	ioc	process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\adlpghmnemihaeddfhojdfbabnmfmpbb\2.0\manifest.json	2F7JxpvISf9HxRX.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\adlpghmnemihaeddfhojdfbabnmfmpbb\2.0\manifest.json	2F7JxpvISf9HxRX.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\adlpghmnemihaeddfhojdfbabnmfmpbb\2.0\manifest.json	2F7JxpvISf9HxRX.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\adlpghmnemihaeddfhojdfbabnmfmpbb\2.0\manifest.json	2F7JxpvISf9HxRX.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\adlpghmnemihaeddfhojdfbabnmfmpbb\2.0\manifest.json	2F7JxpvISf9HxRX.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe2F7JxpvISf9HxRX.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	2F7JxpvISf9HxRX.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	2F7JxpvISf9HxRX.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	2F7JxpvISf9HxRX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	2F7JxpvISf9HxRX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in System32 directory 4 IoCs

Processes:

2F7JxpvISf9HxRX.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	2F7JxpvISf9HxRX.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	2F7JxpvISf9HxRX.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	2F7JxpvISf9HxRX.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	2F7JxpvISf9HxRX.exe

Drops file in Program Files directory 8 IoCs

Processes:

2F7JxpvISf9HxRX.exe

description	ioc	process
File created	C:\Program Files (x86)\GoSSavee\fy1HtvdsVlkrCy.x64.dll	2F7JxpvISf9HxRX.exe
File opened for modification	C:\Program Files (x86)\GoSSavee\fy1HtvdsVlkrCy.x64.dll	2F7JxpvISf9HxRX.exe
File created	C:\Program Files (x86)\GoSSavee\fy1HtvdsVlkrCy.dll	2F7JxpvISf9HxRX.exe
File opened for modification	C:\Program Files (x86)\GoSSavee\fy1HtvdsVlkrCy.dll	2F7JxpvISf9HxRX.exe
File created	C:\Program Files (x86)\GoSSavee\fy1HtvdsVlkrCy.tlb	2F7JxpvISf9HxRX.exe
File opened for modification	C:\Program Files (x86)\GoSSavee\fy1HtvdsVlkrCy.tlb	2F7JxpvISf9HxRX.exe
File created	C:\Program Files (x86)\GoSSavee\fy1HtvdsVlkrCy.dat	2F7JxpvISf9HxRX.exe
File opened for modification	C:\Program Files (x86)\GoSSavee\fy1HtvdsVlkrCy.dat	2F7JxpvISf9HxRX.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

2F7JxpvISf9HxRX.exe

pid process

2236 2F7JxpvISf9HxRX.exe
2236 2F7JxpvISf9HxRX.exe
2236 2F7JxpvISf9HxRX.exe
2236 2F7JxpvISf9HxRX.exe

pid	process
2236	2F7JxpvISf9HxRX.exe
2236	2F7JxpvISf9HxRX.exe
2236	2F7JxpvISf9HxRX.exe
2236	2F7JxpvISf9HxRX.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ca5dc82bbb7b6173ae36224eb3e083dd5b06afbefd99e5ca65945462ce0d96e2.exe2F7JxpvISf9HxRX.exeregsvr32.exe

description	pid	process	target process
PID 4972 wrote to memory of 2236	4972	ca5dc82bbb7b6173ae36224eb3e083dd5b06afbefd99e5ca65945462ce0d96e2.exe	2F7JxpvISf9HxRX.exe
PID 4972 wrote to memory of 2236	4972	ca5dc82bbb7b6173ae36224eb3e083dd5b06afbefd99e5ca65945462ce0d96e2.exe	2F7JxpvISf9HxRX.exe
PID 4972 wrote to memory of 2236	4972	ca5dc82bbb7b6173ae36224eb3e083dd5b06afbefd99e5ca65945462ce0d96e2.exe	2F7JxpvISf9HxRX.exe
PID 2236 wrote to memory of 2636	2236	2F7JxpvISf9HxRX.exe	regsvr32.exe
PID 2236 wrote to memory of 2636	2236	2F7JxpvISf9HxRX.exe	regsvr32.exe
PID 2236 wrote to memory of 2636	2236	2F7JxpvISf9HxRX.exe	regsvr32.exe
PID 2636 wrote to memory of 2684	2636	regsvr32.exe	regsvr32.exe
PID 2636 wrote to memory of 2684	2636	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\ca5dc82bbb7b6173ae36224eb3e083dd5b06afbefd99e5ca65945462ce0d96e2.exe
"C:\Users\Admin\AppData\Local\Temp\ca5dc82bbb7b6173ae36224eb3e083dd5b06afbefd99e5ca65945462ce0d96e2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\2F7JxpvISf9HxRX.exe
.\2F7JxpvISf9HxRX.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSSavee\fy1HtvdsVlkrCy.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSSavee\fy1HtvdsVlkrCy.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSSavee\fy1HtvdsVlkrCy.dat
Filesize
7KB

MD5
02082452c422e5f372173160995829ec

SHA1
b808ba17c4a737d575d914fa5f83a2ef91485e73

SHA256
7e6497ef033b2cbf30bbfa8b35b1101f693d856398f66ebdf2503f79382f07df

SHA512
e3919605f6d78fd051f1cb5874fabe622219bd72852fd3dd8d43354e48605b9e034da2d89d2c4e5138a54e7bf5de1b7d83363f227b6b8dad9166c26039807491

Download Submit
C:\Program Files (x86)\GoSSavee\fy1HtvdsVlkrCy.dll
Filesize
615KB

MD5
8aa164929f9ee667618bc3654b62c2e2

SHA1
d916f23bb705c4b11a8ba321afde8f95336022f1

SHA256
a7b1a1ed551f9f6589eb37b1b6eb478e58f59caad9763eb01d8884347fed177e

SHA512
7c0c32ceb50e649629dcdc4077982b9c7a10898b693c240c5e92941e206e745561d60b9df12670376837ac762e04b7653ec5dfe7df3118acd38a99729a014c8c

Download Submit
C:\Program Files (x86)\GoSSavee\fy1HtvdsVlkrCy.x64.dll
Filesize
697KB

MD5
f104f402e22003705f93d77807b46ee2

SHA1
7ddf2aa31fa817c0138f3f4689752bf81d4e456d

SHA256
f853bf3140935d241a3e07791af9520a7cef2e8a4f5c51a1737923759539d2fb

SHA512
d968285b7566e97ff6a9d837040345e614c92c329de4334fb011e92d4d6ba5c207c09ce7267084f3de27fa3a7757416d0a1c96707f083be538ec29f2d82b423c

Download Submit
C:\Program Files (x86)\GoSSavee\fy1HtvdsVlkrCy.x64.dll
Filesize
697KB

MD5
f104f402e22003705f93d77807b46ee2

SHA1
7ddf2aa31fa817c0138f3f4689752bf81d4e456d

SHA256
f853bf3140935d241a3e07791af9520a7cef2e8a4f5c51a1737923759539d2fb

SHA512
d968285b7566e97ff6a9d837040345e614c92c329de4334fb011e92d4d6ba5c207c09ce7267084f3de27fa3a7757416d0a1c96707f083be538ec29f2d82b423c

Download Submit
C:\Program Files (x86)\GoSSavee\fy1HtvdsVlkrCy.x64.dll
Filesize
697KB

MD5
f104f402e22003705f93d77807b46ee2

SHA1
7ddf2aa31fa817c0138f3f4689752bf81d4e456d

SHA256
f853bf3140935d241a3e07791af9520a7cef2e8a4f5c51a1737923759539d2fb

SHA512
d968285b7566e97ff6a9d837040345e614c92c329de4334fb011e92d4d6ba5c207c09ce7267084f3de27fa3a7757416d0a1c96707f083be538ec29f2d82b423c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\2F7JxpvISf9HxRX.dat
Filesize
7KB

MD5
02082452c422e5f372173160995829ec

SHA1
b808ba17c4a737d575d914fa5f83a2ef91485e73

SHA256
7e6497ef033b2cbf30bbfa8b35b1101f693d856398f66ebdf2503f79382f07df

SHA512
e3919605f6d78fd051f1cb5874fabe622219bd72852fd3dd8d43354e48605b9e034da2d89d2c4e5138a54e7bf5de1b7d83363f227b6b8dad9166c26039807491

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\2F7JxpvISf9HxRX.exe
Filesize
634KB

MD5
ea32e4aaace7cab38f05082028749e06

SHA1
a1fdb11ec3aba5ae792b1546a1045dbc5506695f

SHA256
61dd5bef6d96911c59420fea9a4324926309a208fb5632e44991930e41c223d0

SHA512
5e3612abd5da9da165bcd293f40d68aae5414e8f1f31580826d387bec3bbf736029430e2211bc4d6e7302fea2703a909edcc49421c45fee76f5261bcb055d870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\2F7JxpvISf9HxRX.exe
Filesize
634KB

MD5
ea32e4aaace7cab38f05082028749e06

SHA1
a1fdb11ec3aba5ae792b1546a1045dbc5506695f

SHA256
61dd5bef6d96911c59420fea9a4324926309a208fb5632e44991930e41c223d0

SHA512
5e3612abd5da9da165bcd293f40d68aae5414e8f1f31580826d387bec3bbf736029430e2211bc4d6e7302fea2703a909edcc49421c45fee76f5261bcb055d870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
06b40ad7777bdf7e80596f7cee38d575

SHA1
b5181d39c163d78cf99a72ef9a221880a84f69ad

SHA256
f4cf4ff266d269d31ca7a8b48f5a924a94f0a54029ab45167c8368408ea64513

SHA512
05fd4bc4af899e1ebcab4cf4a447b9d8543e27e8c8551447bd83f28de6da52e38f7f993d5e2564fe77b5c2b37a0af0afed0ec055320c3ff335a25bc6a6d4e04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\[email protected]\content\bg.js
Filesize
9KB

MD5
e6f00864d45f78d95309efc81565744f

SHA1
265b4f6673045368aeeaf4a5e55370f4c934bee7

SHA256
245d1dece4cc273864440d8c48cda9cf63c03012fb42ec9724402e54a75e50a6

SHA512
7f039271675cf349a8b61e81d725f4c75c9eed3bc4cd2b4ef2dbb1ab110dea07fcfac6c7079f8721e66d695cfafe666a59748148c8a1fb01090cd7ad077a9802

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\[email protected]\install.rdf
Filesize
596B

MD5
7fdc11f42f72022fa7d3b3d4b6cf053c

SHA1
39b8ec0e85b6366b029f17157f19b68a9efcff77

SHA256
e6f41c53a3d45d804dad16fdf5d58a1336ae0acac544ed72cf636a579e340a36

SHA512
d7ac49e077b29c34cafbe23672293ff389fae1d33712d786c1c51ac4ed0d648daa5990220749c6ea32e22e347313d41bef51dbe70af2e45e46eda365353379ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\adlpghmnemihaeddfhojdfbabnmfmpbb\APexDD.js
Filesize
7KB

MD5
a77a622a15fee42f778ae384077cb08f

SHA1
9b97a0d36b2dc5012beaa920af70290e42f796d1

SHA256
0db58e1b99f8644dc0919ccb6e041c3ec2d3acf212fee9d5bd8f48670c56b364

SHA512
3b5ecc75ab4c65c6c846a97187789d5886bdbc5d074322fa2ed50c840790b14ed0709ad81477cee749073d07c61babe92b214237d8c7ac3db6e6557f7a036963

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\adlpghmnemihaeddfhojdfbabnmfmpbb\background.html
Filesize
143B

MD5
e8a68a29282a1908474bdb99e8d23048

SHA1
39c8800612687960f7f34c48d85e145e575aacf2

SHA256
e5e1dcc65c34fa7d060d199458a2d03c6a45ecf1260f09c107ecc045a8cf09ca

SHA512
93de8454c1105e47f0c9d386e78de88cc02f0566f6f6dd738472e19c3acb8dfafc67c420f4327bb86c729fcccbabba56abe14f2fe433bac9b094a1dba2168bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\adlpghmnemihaeddfhojdfbabnmfmpbb\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\adlpghmnemihaeddfhojdfbabnmfmpbb\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\adlpghmnemihaeddfhojdfbabnmfmpbb\manifest.json
Filesize
500B

MD5
3b28436f4741a047c8d9b243ec11a121

SHA1
86d9f4b57fdef6457688b254e3b45f1634cd40b0

SHA256
ba2a048c3039ffef1faa8f7e2229f79cd7d6eceb7a6bcc3341433b0b9e835925

SHA512
47a6c6fdc99d72edcc491b48aad0d8e5151379b6c6a151c36ac29551ed21e7f9de49191bb46f470591d88272e6891b3efefddc74a6393b82485b8ccd4140adaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\fy1HtvdsVlkrCy.dll
Filesize
615KB

MD5
8aa164929f9ee667618bc3654b62c2e2

SHA1
d916f23bb705c4b11a8ba321afde8f95336022f1

SHA256
a7b1a1ed551f9f6589eb37b1b6eb478e58f59caad9763eb01d8884347fed177e

SHA512
7c0c32ceb50e649629dcdc4077982b9c7a10898b693c240c5e92941e206e745561d60b9df12670376837ac762e04b7653ec5dfe7df3118acd38a99729a014c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\fy1HtvdsVlkrCy.tlb
Filesize
3KB

MD5
49ba76d28269851f640db7943effdc70

SHA1
8237f32c61d14b20faaedc108b9d41cf4bc29a7d

SHA256
5a92036f4cd7aebad562c64393891568c96ee3d7fe6f978aa73768146c0257f5

SHA512
750f1635dc81ba0a855d492a217d73fe4bc110dd885363c020ed7591c95a477f47a4c51db6645c8dd0d0418d46c387eda2508cdd65c9bc6c1194a3e2492b99fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC289.tmp\fy1HtvdsVlkrCy.x64.dll
Filesize
697KB

MD5
f104f402e22003705f93d77807b46ee2

SHA1
7ddf2aa31fa817c0138f3f4689752bf81d4e456d

SHA256
f853bf3140935d241a3e07791af9520a7cef2e8a4f5c51a1737923759539d2fb

SHA512
d968285b7566e97ff6a9d837040345e614c92c329de4334fb011e92d4d6ba5c207c09ce7267084f3de27fa3a7757416d0a1c96707f083be538ec29f2d82b423c

Download Submit
memory/2236-132-0x0000000000000000-mapping.dmp

Download
memory/2636-149-0x0000000000000000-mapping.dmp

Download
memory/2684-152-0x0000000000000000-mapping.dmp

Download