c03d12ff33e5ba08b42e0d13c1c003375e5596d9f96ec81a94d322c5f959f88d

Analysis

max time kernel
201s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c03d12ff33e5ba08b42e0d13c1c003375e5596d9f96ec81a94d322c5f959f88d.exe
Size

2.0MB
MD5

5ffa78370b712c90baf99a472a5dc6e9
SHA1

8e00bd75b556d81a1e4391b47a21e2000a14f116
SHA256

c03d12ff33e5ba08b42e0d13c1c003375e5596d9f96ec81a94d322c5f959f88d
SHA512

69025a4146016c17d02717129e427300478b776b1636c02d35b5052f651b575b240e8f666f8f59de9c25bab6fad40b297252bd86b2a790536490e5799a95d5f1
SSDEEP

24576:h1OYdaOYjfen1Y6KIc8dPc3Mp6CzcJcB1TE1VyDGxQQYxMfyylmCHxxyJGb8tR:h1OsUZIdJc346K1TcAGb8tR

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1996	zVn6mfZxnhlduRe.exe

Loads dropped DLL 3 IoCs

pid	Process
1996	zVn6mfZxnhlduRe.exe
3640	regsvr32.exe
1472	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhllnbhdhcdkajohnfkinnekkkokijoi\2.0\manifest.json	zVn6mfZxnhlduRe.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhllnbhdhcdkajohnfkinnekkkokijoi\2.0\manifest.json	zVn6mfZxnhlduRe.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhllnbhdhcdkajohnfkinnekkkokijoi\2.0\manifest.json	zVn6mfZxnhlduRe.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhllnbhdhcdkajohnfkinnekkkokijoi\2.0\manifest.json	zVn6mfZxnhlduRe.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhllnbhdhcdkajohnfkinnekkkokijoi\2.0\manifest.json	zVn6mfZxnhlduRe.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	zVn6mfZxnhlduRe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	zVn6mfZxnhlduRe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	zVn6mfZxnhlduRe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	zVn6mfZxnhlduRe.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoSave\jOFEKg9JZDvBKN.x64.dll	zVn6mfZxnhlduRe.exe
File opened for modification	C:\Program Files (x86)\GoSave\jOFEKg9JZDvBKN.x64.dll	zVn6mfZxnhlduRe.exe
File created	C:\Program Files (x86)\GoSave\jOFEKg9JZDvBKN.dll	zVn6mfZxnhlduRe.exe
File opened for modification	C:\Program Files (x86)\GoSave\jOFEKg9JZDvBKN.dll	zVn6mfZxnhlduRe.exe
File created	C:\Program Files (x86)\GoSave\jOFEKg9JZDvBKN.tlb	zVn6mfZxnhlduRe.exe
File opened for modification	C:\Program Files (x86)\GoSave\jOFEKg9JZDvBKN.tlb	zVn6mfZxnhlduRe.exe
File created	C:\Program Files (x86)\GoSave\jOFEKg9JZDvBKN.dat	zVn6mfZxnhlduRe.exe
File opened for modification	C:\Program Files (x86)\GoSave\jOFEKg9JZDvBKN.dat	zVn6mfZxnhlduRe.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 1996	448	c03d12ff33e5ba08b42e0d13c1c003375e5596d9f96ec81a94d322c5f959f88d.exe	82
PID 448 wrote to memory of 1996	448	c03d12ff33e5ba08b42e0d13c1c003375e5596d9f96ec81a94d322c5f959f88d.exe	82
PID 448 wrote to memory of 1996	448	c03d12ff33e5ba08b42e0d13c1c003375e5596d9f96ec81a94d322c5f959f88d.exe	82
PID 1996 wrote to memory of 3640	1996	zVn6mfZxnhlduRe.exe	83
PID 1996 wrote to memory of 3640	1996	zVn6mfZxnhlduRe.exe	83
PID 1996 wrote to memory of 3640	1996	zVn6mfZxnhlduRe.exe	83
PID 3640 wrote to memory of 1472	3640	regsvr32.exe	84
PID 3640 wrote to memory of 1472	3640	regsvr32.exe	84

C:\Users\Admin\AppData\Local\Temp\c03d12ff33e5ba08b42e0d13c1c003375e5596d9f96ec81a94d322c5f959f88d.exe
"C:\Users\Admin\AppData\Local\Temp\c03d12ff33e5ba08b42e0d13c1c003375e5596d9f96ec81a94d322c5f959f88d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\7zS5B01.tmp\zVn6mfZxnhlduRe.exe
  .\zVn6mfZxnhlduRe.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSave\jOFEKg9JZDvBKN.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSave\jOFEKg9JZDvBKN.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\jOFEKg9JZDvBKN.dat

Filesize
6KB

MD5
b2d4b045882a75bd171df214751704db

SHA1
30ef4e09d51812366268bb476c16f65f8909c838

SHA256
a60624c6e56d9f6140c41dfd49fb5d8fe674ef5532c3fe13a120af550e89dd02

SHA512
ac7442aab88bfe70a30274cb65f0b690117886808dbc86184259cb4f249968f0faa8f57631edff134be96354a829073c6695c6b0887e9e51b24eb31f5b87a34e

Download Submit
C:\Program Files (x86)\GoSave\jOFEKg9JZDvBKN.dll

Filesize
613KB

MD5
0df7c26b4abf65cd6ca180c2ddc7ae4b

SHA1
d43e0770e0a5778525a4828f46e1e4448cdc9aa8

SHA256
f133fed29f50b1cdc8af2043608b14f8f20ab5349a2cfe16536d089966eb120b

SHA512
29ca79a58784de2855975849a94f0f3e55b3a13ece1cf9ff25db98d397c1758d88df8ac4887dfb48b28a89564e60a3a0195140d154ce0d0b81569fd0931fc474

Download Submit
C:\Program Files (x86)\GoSave\jOFEKg9JZDvBKN.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
C:\Program Files (x86)\GoSave\jOFEKg9JZDvBKN.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
C:\Program Files (x86)\GoSave\jOFEKg9JZDvBKN.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B01.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B01.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
bea596ed82cfac1be5d1eaf9514dc669

SHA1
b8f6c4c8c9a0af5f7c786f5e3e96afde4ed3e931

SHA256
383de93c5a15a2ac9c4a307796b6284d56caab8ebc2e67f3941e86172a06686e

SHA512
92905893de3e455a38e459ee49859b26874e110e603762bb06fc817165aa1ef68dc8de845ea2b8d6aa510c1d7ff27754aa1c48766d6ef3a21e9f71f89318948a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B01.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
58d38666646f24443c3ab378375797c7

SHA1
d54fccaa51adef02c7f787fa7f6042766ef0617f

SHA256
5475a6bac68a480a2106b22a91310894350507d8b57cc55072c1b96dd53808fe

SHA512
04124d454cca01e4d447f19582e0025f58bb640155255f0b64498132fd1a1aae733acdbc2131f73783caa82806ac43fc623d1866ea3bebfbcbabc3958949aee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B01.tmp\[email protected]\install.rdf

Filesize
596B

MD5
8546588df2eb8f2c3c06eb7c9573c609

SHA1
30524a0d5cec8567765d3f87701860746efbefef

SHA256
afa6662fec7566ffe1c4ad1bea2db8dee77867ddf532a072ed6c6e4eb8619aa4

SHA512
1052dac8d50c0aea2b4fead1e4d07727a98eed100d0dfe2df0e6ee86b46a7c9b49d6372ba5978aed740217bb8ba7a18e710258d215d3412b28e6bb71d34be25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B01.tmp\hhllnbhdhcdkajohnfkinnekkkokijoi\background.html

Filesize
138B

MD5
04a22d6ac919517585027559c9ffdd00

SHA1
bc2031bccc41be72b6b199280c0a830941a38b4a

SHA256
9dc4abcb1bf0ddc23111382ffef0e3d022f1654eb357961342496471ab7c8030

SHA512
8bf8b2ce7c951168d48c902ead6889ab8f1eac9c63d1c5e6d729b6b9b4b5040d8c1eb2a319bd1b68a7b5b9bea3631925b79b3459f80b4db7a9890448f8dc0109

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B01.tmp\hhllnbhdhcdkajohnfkinnekkkokijoi\c.js

Filesize
5KB

MD5
1e0359882911db1e5586ce1881af8b20

SHA1
a97f3b4e99f22074470b41bf73a79863c5073de5

SHA256
6c82e1f0320a0101a927bd8abcd7af36fe81ceaa0977640d7ac6c9b6fb34a355

SHA512
c20cc5a405ccb6d7c7eeee404db9a16e91439db0de1158d48a1afd2f6882cb14fea314cf628d01f7ac1f51197e982c2c1c36b1da7199d1c874decda773405c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B01.tmp\hhllnbhdhcdkajohnfkinnekkkokijoi\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B01.tmp\hhllnbhdhcdkajohnfkinnekkkokijoi\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B01.tmp\hhllnbhdhcdkajohnfkinnekkkokijoi\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B01.tmp\jOFEKg9JZDvBKN.dll

Filesize
613KB

MD5
0df7c26b4abf65cd6ca180c2ddc7ae4b

SHA1
d43e0770e0a5778525a4828f46e1e4448cdc9aa8

SHA256
f133fed29f50b1cdc8af2043608b14f8f20ab5349a2cfe16536d089966eb120b

SHA512
29ca79a58784de2855975849a94f0f3e55b3a13ece1cf9ff25db98d397c1758d88df8ac4887dfb48b28a89564e60a3a0195140d154ce0d0b81569fd0931fc474

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B01.tmp\jOFEKg9JZDvBKN.tlb

Filesize
3KB

MD5
ab50bfd160f5251c1c06947ba8523db0

SHA1
7940cc61ab4e0bb82afc03dd141eaf8bd963c091

SHA256
a23c9c376478404d8f90d1d984935f7b5e5f2e5674fd8a7642dc89f2b1b2c4a8

SHA512
506baa3f8ca880eeb4d26e9744babef326d2b5b1fb0971c712072c4aeeaaaff702847c045fe0270d45cc71a0b7fb53ba0af60aeaa34f5154f9617c85a06c3334

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B01.tmp\jOFEKg9JZDvBKN.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B01.tmp\zVn6mfZxnhlduRe.dat

Filesize
6KB

MD5
b2d4b045882a75bd171df214751704db

SHA1
30ef4e09d51812366268bb476c16f65f8909c838

SHA256
a60624c6e56d9f6140c41dfd49fb5d8fe674ef5532c3fe13a120af550e89dd02

SHA512
ac7442aab88bfe70a30274cb65f0b690117886808dbc86184259cb4f249968f0faa8f57631edff134be96354a829073c6695c6b0887e9e51b24eb31f5b87a34e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B01.tmp\zVn6mfZxnhlduRe.exe

Filesize
625KB

MD5
ca04c0f764aa0797cbe40913d3d8d17f

SHA1
7358d68ace7d7e6213726433c41dd7b781762d74

SHA256
a018bdb7e28a4e0dd07da454e8192045f5994c66f95c47defaa0ce40661fc90f

SHA512
fae69fd13b4b9308973ff713fe7c6ee10525b76e9c70106dbe08673d86b6ecc3ebf5d90f6c3a461d64352726de28fbb5903c89db28916423766810c62686f0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B01.tmp\zVn6mfZxnhlduRe.exe

Filesize
625KB

MD5
ca04c0f764aa0797cbe40913d3d8d17f

SHA1
7358d68ace7d7e6213726433c41dd7b781762d74

SHA256
a018bdb7e28a4e0dd07da454e8192045f5994c66f95c47defaa0ce40661fc90f

SHA512
fae69fd13b4b9308973ff713fe7c6ee10525b76e9c70106dbe08673d86b6ecc3ebf5d90f6c3a461d64352726de28fbb5903c89db28916423766810c62686f0c0

Download Submit
memory/1472-152-0x0000000000000000-mapping.dmp

Download
memory/1996-132-0x0000000000000000-mapping.dmp

Download
memory/3640-149-0x0000000000000000-mapping.dmp

Download