183d704151e5c9ebd3dc3b041ce3ace8c3590f7f55960119c4b0930f91d7cb98

Analysis

max time kernel
19s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

183d704151e5c9ebd3dc3b041ce3ace8c3590f7f55960119c4b0930f91d7cb98.exe
Size

2.1MB
MD5

da9816e9e16ed4bbcffd058f45404285
SHA1

08d4c3dfdb04575be2bc600164aa25153de79e54
SHA256

183d704151e5c9ebd3dc3b041ce3ace8c3590f7f55960119c4b0930f91d7cb98
SHA512

4e6740d18890823b88c06b2cf103bab6bbfc28fd49b357000a616c5e677805664b3669030c788f4603c8dd8bbfb59a6eca3742e45483a8155aaacd1c00bff61e
SSDEEP

24576:h1OYdaO4jfen1Y6KIc8dPc3Mp6CzcJcB1TE1VyDGxQQYxMfyylmCHxxyJGb8tf:h1OsoZIdJc346K1TcAGb8tf

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
836	yhV3z0B5Ft95R2J.exe

Loads dropped DLL 4 IoCs

pid	Process
1480	183d704151e5c9ebd3dc3b041ce3ace8c3590f7f55960119c4b0930f91d7cb98.exe
836	yhV3z0B5Ft95R2J.exe
1980	regsvr32.exe
1112	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jefboppgdpjfedkpfgbekcdhoddhckhb\3.0\manifest.json	yhV3z0B5Ft95R2J.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jefboppgdpjfedkpfgbekcdhoddhckhb\3.0\manifest.json	yhV3z0B5Ft95R2J.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\jefboppgdpjfedkpfgbekcdhoddhckhb\3.0\manifest.json	yhV3z0B5Ft95R2J.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	yhV3z0B5Ft95R2J.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	yhV3z0B5Ft95R2J.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	yhV3z0B5Ft95R2J.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	yhV3z0B5Ft95R2J.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	yhV3z0B5Ft95R2J.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoSave\ftAYTdixRggA7d.dll	yhV3z0B5Ft95R2J.exe
File opened for modification	C:\Program Files (x86)\GoSave\ftAYTdixRggA7d.dll	yhV3z0B5Ft95R2J.exe
File created	C:\Program Files (x86)\GoSave\ftAYTdixRggA7d.tlb	yhV3z0B5Ft95R2J.exe
File opened for modification	C:\Program Files (x86)\GoSave\ftAYTdixRggA7d.tlb	yhV3z0B5Ft95R2J.exe
File created	C:\Program Files (x86)\GoSave\ftAYTdixRggA7d.dat	yhV3z0B5Ft95R2J.exe
File opened for modification	C:\Program Files (x86)\GoSave\ftAYTdixRggA7d.dat	yhV3z0B5Ft95R2J.exe
File created	C:\Program Files (x86)\GoSave\ftAYTdixRggA7d.x64.dll	yhV3z0B5Ft95R2J.exe
File opened for modification	C:\Program Files (x86)\GoSave\ftAYTdixRggA7d.x64.dll	yhV3z0B5Ft95R2J.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 836	1480	183d704151e5c9ebd3dc3b041ce3ace8c3590f7f55960119c4b0930f91d7cb98.exe	27
PID 1480 wrote to memory of 836	1480	183d704151e5c9ebd3dc3b041ce3ace8c3590f7f55960119c4b0930f91d7cb98.exe	27
PID 1480 wrote to memory of 836	1480	183d704151e5c9ebd3dc3b041ce3ace8c3590f7f55960119c4b0930f91d7cb98.exe	27
PID 1480 wrote to memory of 836	1480	183d704151e5c9ebd3dc3b041ce3ace8c3590f7f55960119c4b0930f91d7cb98.exe	27
PID 836 wrote to memory of 1980	836	yhV3z0B5Ft95R2J.exe	28
PID 836 wrote to memory of 1980	836	yhV3z0B5Ft95R2J.exe	28
PID 836 wrote to memory of 1980	836	yhV3z0B5Ft95R2J.exe	28
PID 836 wrote to memory of 1980	836	yhV3z0B5Ft95R2J.exe	28
PID 836 wrote to memory of 1980	836	yhV3z0B5Ft95R2J.exe	28
PID 836 wrote to memory of 1980	836	yhV3z0B5Ft95R2J.exe	28
PID 836 wrote to memory of 1980	836	yhV3z0B5Ft95R2J.exe	28
PID 1980 wrote to memory of 1112	1980	regsvr32.exe	29
PID 1980 wrote to memory of 1112	1980	regsvr32.exe	29
PID 1980 wrote to memory of 1112	1980	regsvr32.exe	29
PID 1980 wrote to memory of 1112	1980	regsvr32.exe	29
PID 1980 wrote to memory of 1112	1980	regsvr32.exe	29
PID 1980 wrote to memory of 1112	1980	regsvr32.exe	29
PID 1980 wrote to memory of 1112	1980	regsvr32.exe	29

C:\Users\Admin\AppData\Local\Temp\183d704151e5c9ebd3dc3b041ce3ace8c3590f7f55960119c4b0930f91d7cb98.exe
"C:\Users\Admin\AppData\Local\Temp\183d704151e5c9ebd3dc3b041ce3ace8c3590f7f55960119c4b0930f91d7cb98.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\7zS562C.tmp\yhV3z0B5Ft95R2J.exe
  .\yhV3z0B5Ft95R2J.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSave\ftAYTdixRggA7d.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSave\ftAYTdixRggA7d.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\ftAYTdixRggA7d.dat

Filesize
6KB

MD5
be4ef388975c80553d5f1dc55c7bbfc4

SHA1
ed2f7ae0351fae5c201b83fddfc0d9a4bbbf5ea3

SHA256
4e1317468bd77706b9cb715452eb581c39e98c8b48152db89788376069d0e0c3

SHA512
6b9d9d202547ca69f15cf3006822525b62715ffa03792e3aa71d14fcaa3ad1f81a81f5044c48bd24bfd52620a067d2e08e94dba9169a03e420cff745383bff73

Download Submit
C:\Program Files (x86)\GoSave\ftAYTdixRggA7d.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS562C.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS562C.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
a5380cd7b03a85d547e53c09cc0c3367

SHA1
9e4d1844b22c236e3d2a3b3940e3d32ee83ba9a3

SHA256
06b969a97330b5a074de6bf1c1475fc88842e571702ba28bc899479a2b502f08

SHA512
71942d0a08e651e3fa55279ce1bb904834ed7a11c60fa4c923282e6aa5404468ee17a780ac677e106e8922f319b51f56568308cddf308fea770cac6abeba886b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS562C.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
2777bb08fb4188ffce3ae0e993b75e40

SHA1
9ac21f8f266a6bbd69d55edb23afd4cfca20e3db

SHA256
484d66dcac35bc2c414f2f3574251022944af80487f29edd6063ce4c2a08a071

SHA512
2addb142bf17c690a92d69805a3e0869d680c59b97e7ef81412b84b27ea7531e55139838cc328c56dc2c895560fdcbd64ba922f050336a9590d467d7399aa221

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS562C.tmp\[email protected]\install.rdf

Filesize
597B

MD5
76d78eab06d3cf6ffa71a6d3f060d905

SHA1
b4a288ad9125ebc99c0ee7fe0c8a09911ff6dcfe

SHA256
8514b4e5e3f445bdd6e6ac4de4d0ce9d82096ab7584d42795bc8e2de14b8acdd

SHA512
3df4186104a200f6ab3b19b59af50c675b94571f09c8e072c7512cb8371154cb413748a7a9a386c2cd57019f0069c40ec8bf5325f3af115de82fc2ae4403cb23

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS562C.tmp\ftAYTdixRggA7d.dll

Filesize
613KB

MD5
0df7c26b4abf65cd6ca180c2ddc7ae4b

SHA1
d43e0770e0a5778525a4828f46e1e4448cdc9aa8

SHA256
f133fed29f50b1cdc8af2043608b14f8f20ab5349a2cfe16536d089966eb120b

SHA512
29ca79a58784de2855975849a94f0f3e55b3a13ece1cf9ff25db98d397c1758d88df8ac4887dfb48b28a89564e60a3a0195140d154ce0d0b81569fd0931fc474

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS562C.tmp\ftAYTdixRggA7d.tlb

Filesize
3KB

MD5
ab50bfd160f5251c1c06947ba8523db0

SHA1
7940cc61ab4e0bb82afc03dd141eaf8bd963c091

SHA256
a23c9c376478404d8f90d1d984935f7b5e5f2e5674fd8a7642dc89f2b1b2c4a8

SHA512
506baa3f8ca880eeb4d26e9744babef326d2b5b1fb0971c712072c4aeeaaaff702847c045fe0270d45cc71a0b7fb53ba0af60aeaa34f5154f9617c85a06c3334

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS562C.tmp\ftAYTdixRggA7d.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS562C.tmp\jefboppgdpjfedkpfgbekcdhoddhckhb\RK6.js

Filesize
5KB

MD5
06fec961067724598248a9d8dd1620a1

SHA1
1d819b6f429032f5293fc9a8f1496be543f3478c

SHA256
68695705265f9f0fe1b08149b56204a956a4b9dafe591dd75341da4647229e77

SHA512
702a5d6fc40e245e000db265a0bcfefe7848cf1ed41eddb0a2615f94ea012782b53bb3c04d21ff98efd66cd7863c60ecae8c44b069d2e370149d22f40307c4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS562C.tmp\jefboppgdpjfedkpfgbekcdhoddhckhb\background.html

Filesize
140B

MD5
1aed8bd85bac9ff24cc2ccef7df7b14e

SHA1
0a5596f18a3086eb7af33fe62008313f9ba3dec0

SHA256
f932867aefc254345781fad7be8d4bf06906d359a978bc8088f772eea35e9e5e

SHA512
9b5faeaa86f76a9f2861c7c45a97bfe669818f628ca79ecf72f972c1b1b4ce892879293af4e3e4b9bf958cbcf448026460c630044fb291bfd8c88a23a4de830a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS562C.tmp\jefboppgdpjfedkpfgbekcdhoddhckhb\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS562C.tmp\jefboppgdpjfedkpfgbekcdhoddhckhb\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS562C.tmp\jefboppgdpjfedkpfgbekcdhoddhckhb\manifest.json

Filesize
498B

MD5
aa80281ecb114f92d35d0d456e6e9343

SHA1
e03eca389fdfec414d4e05ff35002efe4f59bcdc

SHA256
e612909db2b2b2b3fafca7d957cbeb063ec86d535c7bb2cf87b41bc03f622f93

SHA512
e5063963a344c7fa680e793be774b1a352ca57f784bebfc1d4c028e87a6b54b0551853977d3c091a5f584f13bc7991ca9229fc6438dd56568aec7cc45d16a6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS562C.tmp\yhV3z0B5Ft95R2J.dat

Filesize
6KB

MD5
be4ef388975c80553d5f1dc55c7bbfc4

SHA1
ed2f7ae0351fae5c201b83fddfc0d9a4bbbf5ea3

SHA256
4e1317468bd77706b9cb715452eb581c39e98c8b48152db89788376069d0e0c3

SHA512
6b9d9d202547ca69f15cf3006822525b62715ffa03792e3aa71d14fcaa3ad1f81a81f5044c48bd24bfd52620a067d2e08e94dba9169a03e420cff745383bff73

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS562C.tmp\yhV3z0B5Ft95R2J.exe

Filesize
625KB

MD5
ca04c0f764aa0797cbe40913d3d8d17f

SHA1
7358d68ace7d7e6213726433c41dd7b781762d74

SHA256
a018bdb7e28a4e0dd07da454e8192045f5994c66f95c47defaa0ce40661fc90f

SHA512
fae69fd13b4b9308973ff713fe7c6ee10525b76e9c70106dbe08673d86b6ecc3ebf5d90f6c3a461d64352726de28fbb5903c89db28916423766810c62686f0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS562C.tmp\yhV3z0B5Ft95R2J.exe

Filesize
625KB

MD5
ca04c0f764aa0797cbe40913d3d8d17f

SHA1
7358d68ace7d7e6213726433c41dd7b781762d74

SHA256
a018bdb7e28a4e0dd07da454e8192045f5994c66f95c47defaa0ce40661fc90f

SHA512
fae69fd13b4b9308973ff713fe7c6ee10525b76e9c70106dbe08673d86b6ecc3ebf5d90f6c3a461d64352726de28fbb5903c89db28916423766810c62686f0c0

Download Submit
\Program Files (x86)\GoSave\ftAYTdixRggA7d.dll

Filesize
613KB

MD5
0df7c26b4abf65cd6ca180c2ddc7ae4b

SHA1
d43e0770e0a5778525a4828f46e1e4448cdc9aa8

SHA256
f133fed29f50b1cdc8af2043608b14f8f20ab5349a2cfe16536d089966eb120b

SHA512
29ca79a58784de2855975849a94f0f3e55b3a13ece1cf9ff25db98d397c1758d88df8ac4887dfb48b28a89564e60a3a0195140d154ce0d0b81569fd0931fc474

Download Submit
\Program Files (x86)\GoSave\ftAYTdixRggA7d.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
\Program Files (x86)\GoSave\ftAYTdixRggA7d.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
\Users\Admin\AppData\Local\Temp\7zS562C.tmp\yhV3z0B5Ft95R2J.exe

Filesize
625KB

MD5
ca04c0f764aa0797cbe40913d3d8d17f

SHA1
7358d68ace7d7e6213726433c41dd7b781762d74

SHA256
a018bdb7e28a4e0dd07da454e8192045f5994c66f95c47defaa0ce40661fc90f

SHA512
fae69fd13b4b9308973ff713fe7c6ee10525b76e9c70106dbe08673d86b6ecc3ebf5d90f6c3a461d64352726de28fbb5903c89db28916423766810c62686f0c0

Download Submit
memory/1112-78-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/1480-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download