06e35b48f10b5c1c7c50f748e54dae9f106d0c00ef44539e67b39411b5f8f265

Analysis

max time kernel
115s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06e35b48f10b5c1c7c50f748e54dae9f106d0c00ef44539e67b39411b5f8f265.exe
Size

2.1MB
MD5

3181c2a2505748efc89bffcbc1f33417
SHA1

297277330ff74f347786009ad1f4ec05d4df4934
SHA256

06e35b48f10b5c1c7c50f748e54dae9f106d0c00ef44539e67b39411b5f8f265
SHA512

4e9d73a8ed395acbd0ba0b5913ced9bf43f251514172046ad503066e60c7d0d1320d7023473c8ea9dc6ecefc549fe9f0e133a6cf5d773ab8d9bf6c6dd7ec5a73
SSDEEP

24576:h1OYdaOJ+C5fz+YRUwXV3Lbu4DR6YV5cSIbmJM9AuigHa3rU+jsvHGv7K3vrOOV+:h1OsD+kjXVXDR6Yl/Erzw7PWMIlG

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1712	J6RDuTEzah4oemA.exe

Loads dropped DLL 4 IoCs

pid	Process
1456	06e35b48f10b5c1c7c50f748e54dae9f106d0c00ef44539e67b39411b5f8f265.exe
1712	J6RDuTEzah4oemA.exe
584	regsvr32.exe
1784	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhombfmoaalafaekdpjecbagnnckfpjd\2.0\manifest.json	J6RDuTEzah4oemA.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhombfmoaalafaekdpjecbagnnckfpjd\2.0\manifest.json	J6RDuTEzah4oemA.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhombfmoaalafaekdpjecbagnnckfpjd\2.0\manifest.json	J6RDuTEzah4oemA.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	J6RDuTEzah4oemA.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	J6RDuTEzah4oemA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	J6RDuTEzah4oemA.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	J6RDuTEzah4oemA.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	J6RDuTEzah4oemA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoSavei\jQi77nCaGH6Xrl.x64.dll	J6RDuTEzah4oemA.exe
File opened for modification	C:\Program Files (x86)\GoSavei\jQi77nCaGH6Xrl.x64.dll	J6RDuTEzah4oemA.exe
File created	C:\Program Files (x86)\GoSavei\jQi77nCaGH6Xrl.dll	J6RDuTEzah4oemA.exe
File opened for modification	C:\Program Files (x86)\GoSavei\jQi77nCaGH6Xrl.dll	J6RDuTEzah4oemA.exe
File created	C:\Program Files (x86)\GoSavei\jQi77nCaGH6Xrl.tlb	J6RDuTEzah4oemA.exe
File opened for modification	C:\Program Files (x86)\GoSavei\jQi77nCaGH6Xrl.tlb	J6RDuTEzah4oemA.exe
File created	C:\Program Files (x86)\GoSavei\jQi77nCaGH6Xrl.dat	J6RDuTEzah4oemA.exe
File opened for modification	C:\Program Files (x86)\GoSavei\jQi77nCaGH6Xrl.dat	J6RDuTEzah4oemA.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1712	1456	06e35b48f10b5c1c7c50f748e54dae9f106d0c00ef44539e67b39411b5f8f265.exe	28
PID 1456 wrote to memory of 1712	1456	06e35b48f10b5c1c7c50f748e54dae9f106d0c00ef44539e67b39411b5f8f265.exe	28
PID 1456 wrote to memory of 1712	1456	06e35b48f10b5c1c7c50f748e54dae9f106d0c00ef44539e67b39411b5f8f265.exe	28
PID 1456 wrote to memory of 1712	1456	06e35b48f10b5c1c7c50f748e54dae9f106d0c00ef44539e67b39411b5f8f265.exe	28
PID 1712 wrote to memory of 584	1712	J6RDuTEzah4oemA.exe	29
PID 1712 wrote to memory of 584	1712	J6RDuTEzah4oemA.exe	29
PID 1712 wrote to memory of 584	1712	J6RDuTEzah4oemA.exe	29
PID 1712 wrote to memory of 584	1712	J6RDuTEzah4oemA.exe	29
PID 1712 wrote to memory of 584	1712	J6RDuTEzah4oemA.exe	29
PID 1712 wrote to memory of 584	1712	J6RDuTEzah4oemA.exe	29
PID 1712 wrote to memory of 584	1712	J6RDuTEzah4oemA.exe	29
PID 584 wrote to memory of 1784	584	regsvr32.exe	30
PID 584 wrote to memory of 1784	584	regsvr32.exe	30
PID 584 wrote to memory of 1784	584	regsvr32.exe	30
PID 584 wrote to memory of 1784	584	regsvr32.exe	30
PID 584 wrote to memory of 1784	584	regsvr32.exe	30
PID 584 wrote to memory of 1784	584	regsvr32.exe	30
PID 584 wrote to memory of 1784	584	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\06e35b48f10b5c1c7c50f748e54dae9f106d0c00ef44539e67b39411b5f8f265.exe
"C:\Users\Admin\AppData\Local\Temp\06e35b48f10b5c1c7c50f748e54dae9f106d0c00ef44539e67b39411b5f8f265.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\7zSF2C8.tmp\J6RDuTEzah4oemA.exe
  .\J6RDuTEzah4oemA.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSavei\jQi77nCaGH6Xrl.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSavei\jQi77nCaGH6Xrl.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSavei\jQi77nCaGH6Xrl.dat

Filesize
6KB

MD5
b03a4cd408a075a4715907462cec4db8

SHA1
60469d806b25f5f5029bec2a6fc49c49794e7e0d

SHA256
fee1e6f9c193fdea4e8ba0373cb3ccf6333cfadf99d8a449f247c936694746f8

SHA512
7a03c8140529a06ab8c6bd80f5d49164042566a1c7911c4205af887df2ee1ed9ee8b5bdaa8b1dde3c3a87193d068e096d8cc911f4b56a863f5628e15cc9a15c0

Download Submit
C:\Program Files (x86)\GoSavei\jQi77nCaGH6Xrl.x64.dll

Filesize
700KB

MD5
5bdec27c100693ecb0b61cc2555e8505

SHA1
771242d417269c2f9150d649f06e6ec8e8bd8cb7

SHA256
ca873de4e82bcaefde87f524b1284723ee61e70767bcb9f45f78a2e52547b326

SHA512
1b4067351a9912bdd4ad0285470396273563336bad6029c2d05e48fb1fd9971c69115cca1ec46dc7ce37274c7c48a2364498cb180563f7871cd838aebbd8c6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF2C8.tmp\J6RDuTEzah4oemA.dat

Filesize
6KB

MD5
b03a4cd408a075a4715907462cec4db8

SHA1
60469d806b25f5f5029bec2a6fc49c49794e7e0d

SHA256
fee1e6f9c193fdea4e8ba0373cb3ccf6333cfadf99d8a449f247c936694746f8

SHA512
7a03c8140529a06ab8c6bd80f5d49164042566a1c7911c4205af887df2ee1ed9ee8b5bdaa8b1dde3c3a87193d068e096d8cc911f4b56a863f5628e15cc9a15c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF2C8.tmp\J6RDuTEzah4oemA.exe

Filesize
623KB

MD5
3b3e9f85b1e1d1defb4813cb1676b553

SHA1
17a064e28b670d6d4e579ac078a81e7334704b58

SHA256
26fc2e717907241142895bb38734755ebb1ca82f1d23f48e09ec0d75cd4ad381

SHA512
0f7d3df630b73820490a0d767707c69f5cbb94265b67a202c6f652e601ba970d1257583cf6082aa9fea97b10e7c0a40d0ac3947599602964b14a492c7452da36

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF2C8.tmp\J6RDuTEzah4oemA.exe

Filesize
623KB

MD5
3b3e9f85b1e1d1defb4813cb1676b553

SHA1
17a064e28b670d6d4e579ac078a81e7334704b58

SHA256
26fc2e717907241142895bb38734755ebb1ca82f1d23f48e09ec0d75cd4ad381

SHA512
0f7d3df630b73820490a0d767707c69f5cbb94265b67a202c6f652e601ba970d1257583cf6082aa9fea97b10e7c0a40d0ac3947599602964b14a492c7452da36

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF2C8.tmp\bhombfmoaalafaekdpjecbagnnckfpjd\E6aZqc.js

Filesize
5KB

MD5
5abad3944102638c91d1c815de4af7d7

SHA1
010bced00e24b8462672910f240b97fbdc93c754

SHA256
e0c81f801b074e4dbf2f89a7737ef3853ecdf0cc8f7ccf49068f71297196b9e2

SHA512
47e03a2119312ea046b0ea9a8e4df79e6f91cc461408470b3dd055e3bd6a7437247635c1ec01dfb9a7e6709b5f654e9af0e141027272149f5ca4878be43a173a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF2C8.tmp\bhombfmoaalafaekdpjecbagnnckfpjd\background.html

Filesize
143B

MD5
076647ae8b7dcbb61904b7cbe33451f6

SHA1
393c43da87ccb546ff24b6af1ace9d2dd8895185

SHA256
07cd6537357c709da0ecb38d89ba9439d51409caf0dd765fb9dc965db13fec86

SHA512
61658cfbc6aadced91d15e5fa7bb14d5ef8fe22786d84e38d5a1d3c27d8eff3776be0a4d86e4e69f92833ac4794dd3f5d97efdd190b4c37068f10c58035a96cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF2C8.tmp\bhombfmoaalafaekdpjecbagnnckfpjd\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF2C8.tmp\bhombfmoaalafaekdpjecbagnnckfpjd\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF2C8.tmp\bhombfmoaalafaekdpjecbagnnckfpjd\manifest.json

Filesize
499B

MD5
81732fcf03982b85ad4fa116944568a7

SHA1
0f43d8f9a86504a0bd26f90f6e8f632ecbca61e1

SHA256
7a433a9a0826d4235f2707241374d1688ea2378e92133579bb8b3e5f8b201a86

SHA512
4974432aad0ed8bfd3512b80307bbfe85239bfbafef80815be19f38cfe155060ed9013dc10a5c5ed7eee590a09f426cd335264f964ceed8c35ae2674188a922a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF2C8.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF2C8.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
f5d862a267572296cb95de16b8c33121

SHA1
f6b673e5af4db9701f1e1a37749d55b93c5643a5

SHA256
e9b5a6259ef245b48e79863f64988618591ec4b4eb27caf2c9f5d3b13dca4e0b

SHA512
496652720423bf397e031150ad72fc6795b3994d8cce828ddd1c45cc1f29f59179ef7360c172fcb64ac705eab1ed9bf0bb7ff4f533fc07343c2d95c125e1a706

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF2C8.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
6c21ebda88b797ad08cb7b6a6cb06a02

SHA1
b3c703c39fa2dbc89ecd65378af528ff9a92cf34

SHA256
0297b2bfc17d96f230b19af26c5a17d0cddffc2e84ba9bcbadc5917a469ef0d0

SHA512
bb609d8cd2f6e309bd7238012aa3d17a244e615593fdfbb069b4bf22f45d400374354a6c864a247e5d0eeb92d70139e43189945f22086379ed5eebeca0739a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF2C8.tmp\[email protected]\install.rdf

Filesize
593B

MD5
d1ae2d8bb42a55a5bc6c11d9dc8b53c6

SHA1
277a46fb110ef67db209333fb505e84ea0e08d59

SHA256
1384d235dddc8c364eaae4d7f41cb2901ae890881658a6723dbe2c473f14b0d8

SHA512
14c3d2484019d1977ea12550c0943c1401c7cce15bee14bdf8fcf443166792cbfdbe40915a083b9a98e7d6fd129478e947142bd5085797963e1da421309690f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF2C8.tmp\jQi77nCaGH6Xrl.dll

Filesize
617KB

MD5
5b02fe261c5832aba1e2b35228934c17

SHA1
b30aef32bfc7fb93add291dd7699d209fc3a60c1

SHA256
af2632d8ad1a0b0e706f260de79b687cf94855d911bf5fc9d4b7007e256e7a6c

SHA512
936b81acb1219be1c18b958f4fc3bd7c5c1ab617fa20e76db165f6ffdb2f674c602c18522980527d84cad7a93dcc79cb222e5e4a8b301298ec141a8b6eb26e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF2C8.tmp\jQi77nCaGH6Xrl.tlb

Filesize
3KB

MD5
934268ece04f6de7c76bfed3478cf1d4

SHA1
a4e0ca22b9db6bfcf061d76e8101ef7559813954

SHA256
ab54518451a446e00679b2dbecd9285d8a96841ad27df558a2e0b6ce55252b8c

SHA512
043fa5fd301b7bbdb6f9ee7766c46dfe5da897b7f7dd164372326416fdb1b7cb3c3809f1293b987077ded2664daf123f9bb217cb12c7d9bf923b1df6a2afccea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF2C8.tmp\jQi77nCaGH6Xrl.x64.dll

Filesize
700KB

MD5
5bdec27c100693ecb0b61cc2555e8505

SHA1
771242d417269c2f9150d649f06e6ec8e8bd8cb7

SHA256
ca873de4e82bcaefde87f524b1284723ee61e70767bcb9f45f78a2e52547b326

SHA512
1b4067351a9912bdd4ad0285470396273563336bad6029c2d05e48fb1fd9971c69115cca1ec46dc7ce37274c7c48a2364498cb180563f7871cd838aebbd8c6b4

Download Submit
\Program Files (x86)\GoSavei\jQi77nCaGH6Xrl.dll

Filesize
617KB

MD5
5b02fe261c5832aba1e2b35228934c17

SHA1
b30aef32bfc7fb93add291dd7699d209fc3a60c1

SHA256
af2632d8ad1a0b0e706f260de79b687cf94855d911bf5fc9d4b7007e256e7a6c

SHA512
936b81acb1219be1c18b958f4fc3bd7c5c1ab617fa20e76db165f6ffdb2f674c602c18522980527d84cad7a93dcc79cb222e5e4a8b301298ec141a8b6eb26e72

Download Submit
\Program Files (x86)\GoSavei\jQi77nCaGH6Xrl.x64.dll

Filesize
700KB

MD5
5bdec27c100693ecb0b61cc2555e8505

SHA1
771242d417269c2f9150d649f06e6ec8e8bd8cb7

SHA256
ca873de4e82bcaefde87f524b1284723ee61e70767bcb9f45f78a2e52547b326

SHA512
1b4067351a9912bdd4ad0285470396273563336bad6029c2d05e48fb1fd9971c69115cca1ec46dc7ce37274c7c48a2364498cb180563f7871cd838aebbd8c6b4

Download Submit
\Program Files (x86)\GoSavei\jQi77nCaGH6Xrl.x64.dll

Filesize
700KB

MD5
5bdec27c100693ecb0b61cc2555e8505

SHA1
771242d417269c2f9150d649f06e6ec8e8bd8cb7

SHA256
ca873de4e82bcaefde87f524b1284723ee61e70767bcb9f45f78a2e52547b326

SHA512
1b4067351a9912bdd4ad0285470396273563336bad6029c2d05e48fb1fd9971c69115cca1ec46dc7ce37274c7c48a2364498cb180563f7871cd838aebbd8c6b4

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF2C8.tmp\J6RDuTEzah4oemA.exe

Filesize
623KB

MD5
3b3e9f85b1e1d1defb4813cb1676b553

SHA1
17a064e28b670d6d4e579ac078a81e7334704b58

SHA256
26fc2e717907241142895bb38734755ebb1ca82f1d23f48e09ec0d75cd4ad381

SHA512
0f7d3df630b73820490a0d767707c69f5cbb94265b67a202c6f652e601ba970d1257583cf6082aa9fea97b10e7c0a40d0ac3947599602964b14a492c7452da36

Download Submit
memory/1456-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1784-79-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download