c45c0fe5319bddca5f59b397a618feb1dedad21d6199c0e915e7ec5f44001722

Analysis

max time kernel
193s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 04:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c45c0fe5319bddca5f59b397a618feb1dedad21d6199c0e915e7ec5f44001722.exe
Size

2.0MB
MD5

0cc14b85b435295e5a78afbf906114ac
SHA1

09a591e0c2936744381464181ce18d0b48f442a8
SHA256

c45c0fe5319bddca5f59b397a618feb1dedad21d6199c0e915e7ec5f44001722
SHA512

70b3c479bd01972d592005b0666684695bc395973cea737a4e8b8ae98a98cdd6b46e967b00a3d780ef69517e248a79c56a5c02733232f2eac93f4b0b247aa945
SSDEEP

24576:h1OYdaO/aacvu7gXAfwlUlZov8Hk7IelYNJbMBhTlmWCv9oU+pHi00CScsPzMZp1:h1Os0qZBJgvzCg50qNLaW

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2516	N4sqjf2vvHK8dcj.exe

Loads dropped DLL 3 IoCs

pid	Process
2516	N4sqjf2vvHK8dcj.exe
2848	regsvr32.exe
2520	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\npbefaijlakpgadkhafjnmolhikgbpfh\2.0\manifest.json	N4sqjf2vvHK8dcj.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\npbefaijlakpgadkhafjnmolhikgbpfh\2.0\manifest.json	N4sqjf2vvHK8dcj.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\npbefaijlakpgadkhafjnmolhikgbpfh\2.0\manifest.json	N4sqjf2vvHK8dcj.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\npbefaijlakpgadkhafjnmolhikgbpfh\2.0\manifest.json	N4sqjf2vvHK8dcj.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\npbefaijlakpgadkhafjnmolhikgbpfh\2.0\manifest.json	N4sqjf2vvHK8dcj.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	N4sqjf2vvHK8dcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	N4sqjf2vvHK8dcj.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	N4sqjf2vvHK8dcj.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	N4sqjf2vvHK8dcj.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GouSave\xzfXc5Cr0MX5Qm.dll	N4sqjf2vvHK8dcj.exe
File opened for modification	C:\Program Files (x86)\GouSave\xzfXc5Cr0MX5Qm.dll	N4sqjf2vvHK8dcj.exe
File created	C:\Program Files (x86)\GouSave\xzfXc5Cr0MX5Qm.tlb	N4sqjf2vvHK8dcj.exe
File opened for modification	C:\Program Files (x86)\GouSave\xzfXc5Cr0MX5Qm.tlb	N4sqjf2vvHK8dcj.exe
File created	C:\Program Files (x86)\GouSave\xzfXc5Cr0MX5Qm.dat	N4sqjf2vvHK8dcj.exe
File opened for modification	C:\Program Files (x86)\GouSave\xzfXc5Cr0MX5Qm.dat	N4sqjf2vvHK8dcj.exe
File created	C:\Program Files (x86)\GouSave\xzfXc5Cr0MX5Qm.x64.dll	N4sqjf2vvHK8dcj.exe
File opened for modification	C:\Program Files (x86)\GouSave\xzfXc5Cr0MX5Qm.x64.dll	N4sqjf2vvHK8dcj.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2516	2608	c45c0fe5319bddca5f59b397a618feb1dedad21d6199c0e915e7ec5f44001722.exe	82
PID 2608 wrote to memory of 2516	2608	c45c0fe5319bddca5f59b397a618feb1dedad21d6199c0e915e7ec5f44001722.exe	82
PID 2608 wrote to memory of 2516	2608	c45c0fe5319bddca5f59b397a618feb1dedad21d6199c0e915e7ec5f44001722.exe	82
PID 2516 wrote to memory of 2848	2516	N4sqjf2vvHK8dcj.exe	83
PID 2516 wrote to memory of 2848	2516	N4sqjf2vvHK8dcj.exe	83
PID 2516 wrote to memory of 2848	2516	N4sqjf2vvHK8dcj.exe	83
PID 2848 wrote to memory of 2520	2848	regsvr32.exe	84
PID 2848 wrote to memory of 2520	2848	regsvr32.exe	84

C:\Users\Admin\AppData\Local\Temp\c45c0fe5319bddca5f59b397a618feb1dedad21d6199c0e915e7ec5f44001722.exe
"C:\Users\Admin\AppData\Local\Temp\c45c0fe5319bddca5f59b397a618feb1dedad21d6199c0e915e7ec5f44001722.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Local\Temp\7zS5AF1.tmp\N4sqjf2vvHK8dcj.exe
  .\N4sqjf2vvHK8dcj.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GouSave\xzfXc5Cr0MX5Qm.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GouSave\xzfXc5Cr0MX5Qm.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:2520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GouSave\xzfXc5Cr0MX5Qm.dat

Filesize
6KB

MD5
0d97c75e75102b37f749619936752578

SHA1
754fbca71b8c68e7c7137a1d36bdde5fcdd78bad

SHA256
b545f73e70f7bb97ef292679acd95679758348479b29ed4d9189a6141b7153df

SHA512
7a5e5548a33362f9c53ac74cf0515e7962ab735ba03d055d210f04eca74a3b5266918a7e2b3fc0d4ccb5349869509271d0aef5e4c5dd9c8633dc3ec7767df46a

Download Submit
C:\Program Files (x86)\GouSave\xzfXc5Cr0MX5Qm.dll

Filesize
611KB

MD5
b372e1c602e797f0db6018a7864f8f4f

SHA1
f0389347cb8a9d03d27187015b7ad4e463bd59fa

SHA256
1d8078aea6d3e3b6a42365a5c14143013f910b678534e2ab5c3ce1b1b9fad094

SHA512
8e0f5243e15e9a997d969b875795fe80c662676f951e56e48135805fb236f01f198203e94a22a8173e34f944cd9ff0ae2406f2a5689aba4999fc6eae595ad49b

Download Submit
C:\Program Files (x86)\GouSave\xzfXc5Cr0MX5Qm.x64.dll

Filesize
692KB

MD5
d1f95d8a9efdcd155c0af18e8e9a74ee

SHA1
89e37f04c70821d02152b1bc2243402cecb9471d

SHA256
d7017f74fd0b878c28d1f4c341d49bfdeae3436c3447cdf5057430180e86f558

SHA512
07488041eda04daa27f1e5204de6d4df535b63d97de82aaf4dbb4c8eee3e19405038edb5df39acc5aa890120b1225bd95d054e5d8a06fc2d5c723f5ca0563c41

Download Submit
C:\Program Files (x86)\GouSave\xzfXc5Cr0MX5Qm.x64.dll

Filesize
692KB

MD5
d1f95d8a9efdcd155c0af18e8e9a74ee

SHA1
89e37f04c70821d02152b1bc2243402cecb9471d

SHA256
d7017f74fd0b878c28d1f4c341d49bfdeae3436c3447cdf5057430180e86f558

SHA512
07488041eda04daa27f1e5204de6d4df535b63d97de82aaf4dbb4c8eee3e19405038edb5df39acc5aa890120b1225bd95d054e5d8a06fc2d5c723f5ca0563c41

Download Submit
C:\Program Files (x86)\GouSave\xzfXc5Cr0MX5Qm.x64.dll

Filesize
692KB

MD5
d1f95d8a9efdcd155c0af18e8e9a74ee

SHA1
89e37f04c70821d02152b1bc2243402cecb9471d

SHA256
d7017f74fd0b878c28d1f4c341d49bfdeae3436c3447cdf5057430180e86f558

SHA512
07488041eda04daa27f1e5204de6d4df535b63d97de82aaf4dbb4c8eee3e19405038edb5df39acc5aa890120b1225bd95d054e5d8a06fc2d5c723f5ca0563c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5AF1.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5AF1.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
079dda227695aa9594c7cd0c04de93d1

SHA1
8f3b3da2017aefb24cec096b9808d93d816e667d

SHA256
0f9bb14a50b447610059b55969925199d39135902f1bde848444ed08f439c30c

SHA512
1da7dd4985e38f7e1ae9f6ecbf772381757d63067efb573a574aa51f67db8a738f40239bc66ec5dff393281a8f7ddf0ab75a4470b8c20f573ad7a4dba86a5971

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5AF1.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
14dfacce2dec9b4864fc159624c0e759

SHA1
ca34d36ada0c338b607cef5a71fae2f4f82dcc97

SHA256
8f09b7d4bc48dde7d4c9232dbcb52917dff04851371fc941d26c2c746c2e3c38

SHA512
6ab6a9e4d59684196cf48ba2f105c12fac8e0cc7805e3ca3393f0492115287e68125c9c14c32ce0472bc4ee4cc39f5534a84530cfd8a69ea868dc7f015d48af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5AF1.tmp\[email protected]\install.rdf

Filesize
594B

MD5
1a7cb6baac384687ea872bfb6ff53e74

SHA1
9fd4ab44e8c32d3b89c0a60b59555cc97fda4579

SHA256
7cbf8e6f81788de1871112367a74341fd5db320438e98dc3bd832b2415113e45

SHA512
9ded7473dbcb092cbb3de339354ff42ffbeba60152cddcad5acec6ae1ac62bba7d485d6ebc6eadcba4234a25791569fee2c920811c6fb4dbfaee388786212ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5AF1.tmp\N4sqjf2vvHK8dcj.dat

Filesize
6KB

MD5
0d97c75e75102b37f749619936752578

SHA1
754fbca71b8c68e7c7137a1d36bdde5fcdd78bad

SHA256
b545f73e70f7bb97ef292679acd95679758348479b29ed4d9189a6141b7153df

SHA512
7a5e5548a33362f9c53ac74cf0515e7962ab735ba03d055d210f04eca74a3b5266918a7e2b3fc0d4ccb5349869509271d0aef5e4c5dd9c8633dc3ec7767df46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5AF1.tmp\N4sqjf2vvHK8dcj.exe

Filesize
622KB

MD5
4ecbc35005b5366fbc0ac6b28fc6ad0f

SHA1
d42ed8b1f39305dab856334a47428d1b52577c7c

SHA256
38ea513da8ddb1b65edd505eb24716802e4d33e59ad6050ceaed01b82e506563

SHA512
f45d7ccd8aae26623850a30f7ff52ad71771635745c72c0a929e4ecf5bf748f7badd424dd7f6955c0314a7fb04a6c0ef665664c4920b6476da8321f1dd167d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5AF1.tmp\N4sqjf2vvHK8dcj.exe

Filesize
622KB

MD5
4ecbc35005b5366fbc0ac6b28fc6ad0f

SHA1
d42ed8b1f39305dab856334a47428d1b52577c7c

SHA256
38ea513da8ddb1b65edd505eb24716802e4d33e59ad6050ceaed01b82e506563

SHA512
f45d7ccd8aae26623850a30f7ff52ad71771635745c72c0a929e4ecf5bf748f7badd424dd7f6955c0314a7fb04a6c0ef665664c4920b6476da8321f1dd167d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5AF1.tmp\npbefaijlakpgadkhafjnmolhikgbpfh\JrazBfjKi.js

Filesize
5KB

MD5
694a2ba0531a8fb41088777f4e68afe2

SHA1
113cc99367bd3c54371a999ef7bfa5f5e8517606

SHA256
ea775a1d53ced8fbfbdbf2d94f68c21b765434d28d318355683e1057378e3ca9

SHA512
ae6b2959476b4728af84765c2320b476078c2564f8f55e40dbc4156c183787ab679c6b34f30108345fd5d2f938e415718bc0dc583b008603fa4d50ff61949fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5AF1.tmp\npbefaijlakpgadkhafjnmolhikgbpfh\background.html

Filesize
146B

MD5
35adbe1825cd15449ea50bd395d9e963

SHA1
1970cae4ef0b24ba00c5f301b9c2e5a2ddc4b38c

SHA256
037af8e8a208f805362d7b1f7d26353015f06556ce67ee33ebac345dbd1ddc58

SHA512
095d35c35e81ad7d622c90b437d2925836809e6f50604af4d2fa0e97404a136cb840beb8b57910b1e7a5c54213a29c78033da91228bcbdf9f0e67d158ac86766

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5AF1.tmp\npbefaijlakpgadkhafjnmolhikgbpfh\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5AF1.tmp\npbefaijlakpgadkhafjnmolhikgbpfh\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5AF1.tmp\npbefaijlakpgadkhafjnmolhikgbpfh\manifest.json

Filesize
499B

MD5
8ff710e66ae41f8f188573d1f23fea43

SHA1
42a7d81a845ac640fb2737ef61310fb979009e4c

SHA256
ce71910ff2324d8823d6d04a40083f0114e3fd207731aa8e684b84576f4ea296

SHA512
543f856ef34d3086417c64da82b5560767144cd6e4db7bbaa26709713e7f8f1275ba0b048649cbb043e5dc885254ead23e85f3fe83a6d5d1dc57eecb7ba64713

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5AF1.tmp\xzfXc5Cr0MX5Qm.dll

Filesize
611KB

MD5
b372e1c602e797f0db6018a7864f8f4f

SHA1
f0389347cb8a9d03d27187015b7ad4e463bd59fa

SHA256
1d8078aea6d3e3b6a42365a5c14143013f910b678534e2ab5c3ce1b1b9fad094

SHA512
8e0f5243e15e9a997d969b875795fe80c662676f951e56e48135805fb236f01f198203e94a22a8173e34f944cd9ff0ae2406f2a5689aba4999fc6eae595ad49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5AF1.tmp\xzfXc5Cr0MX5Qm.tlb

Filesize
3KB

MD5
671b9e077657df17db9f3ed2da6bae37

SHA1
bfed6f97de94dc0b4377543c395a5a5453e3f699

SHA256
6ce2d1fb8f5d7bf1a4d4dfa06525484c538e18f5cff12c6b1cf68208313cb68c

SHA512
39973c90739c4c0dcdc70e70673a8dcfb7e9795daf8ad37a8264eb1206bd437aacbbf5c2ed8b3645fac317a6cc98be5413b738c5fe02f3f18272a4349c41676b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5AF1.tmp\xzfXc5Cr0MX5Qm.x64.dll

Filesize
692KB

MD5
d1f95d8a9efdcd155c0af18e8e9a74ee

SHA1
89e37f04c70821d02152b1bc2243402cecb9471d

SHA256
d7017f74fd0b878c28d1f4c341d49bfdeae3436c3447cdf5057430180e86f558

SHA512
07488041eda04daa27f1e5204de6d4df535b63d97de82aaf4dbb4c8eee3e19405038edb5df39acc5aa890120b1225bd95d054e5d8a06fc2d5c723f5ca0563c41

Download Submit