8141b2a3ebd69f4a4e6cf7ff4271f44049930eb73dcb17ac8155afc65bde0a79

Analysis

max time kernel
97s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8141b2a3ebd69f4a4e6cf7ff4271f44049930eb73dcb17ac8155afc65bde0a79.exe
Size

2.0MB
MD5

a183055f6773e079a93dc77e4298d7ac
SHA1

4d5eca8ad12b9fbe56adebac1e6803216391ca2e
SHA256

8141b2a3ebd69f4a4e6cf7ff4271f44049930eb73dcb17ac8155afc65bde0a79
SHA512

e3f645074fcc0195d2878d4652230340c58765c743780b04a4c33cfcf37455e3e58d6a25f8787fca039179e4a1150f212801b4515e4a9a7db39830ec37c2fe21
SSDEEP

24576:h1OYdaOCjfen1Y6KIc8dPc3Mp6CzcJcB1TE1VyDGxQQYxMfyylmCHxxyJGb8te:h1OsaZIdJc346K1TcAGb8te

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
672	9hBNk3olvbuPJ2L.exe

Loads dropped DLL 4 IoCs

pid	Process
528	8141b2a3ebd69f4a4e6cf7ff4271f44049930eb73dcb17ac8155afc65bde0a79.exe
672	9hBNk3olvbuPJ2L.exe
1972	regsvr32.exe
1932	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhmckejfidkplbpecgcaojafkeagcdlf\2.0\manifest.json	9hBNk3olvbuPJ2L.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhmckejfidkplbpecgcaojafkeagcdlf\2.0\manifest.json	9hBNk3olvbuPJ2L.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhmckejfidkplbpecgcaojafkeagcdlf\2.0\manifest.json	9hBNk3olvbuPJ2L.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	9hBNk3olvbuPJ2L.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	9hBNk3olvbuPJ2L.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	9hBNk3olvbuPJ2L.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	9hBNk3olvbuPJ2L.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	9hBNk3olvbuPJ2L.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GoSave\iuxfRVvNTUXFzd.dat	9hBNk3olvbuPJ2L.exe
File created	C:\Program Files (x86)\GoSave\iuxfRVvNTUXFzd.x64.dll	9hBNk3olvbuPJ2L.exe
File opened for modification	C:\Program Files (x86)\GoSave\iuxfRVvNTUXFzd.x64.dll	9hBNk3olvbuPJ2L.exe
File created	C:\Program Files (x86)\GoSave\iuxfRVvNTUXFzd.dll	9hBNk3olvbuPJ2L.exe
File opened for modification	C:\Program Files (x86)\GoSave\iuxfRVvNTUXFzd.dll	9hBNk3olvbuPJ2L.exe
File created	C:\Program Files (x86)\GoSave\iuxfRVvNTUXFzd.tlb	9hBNk3olvbuPJ2L.exe
File opened for modification	C:\Program Files (x86)\GoSave\iuxfRVvNTUXFzd.tlb	9hBNk3olvbuPJ2L.exe
File created	C:\Program Files (x86)\GoSave\iuxfRVvNTUXFzd.dat	9hBNk3olvbuPJ2L.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 672	528	8141b2a3ebd69f4a4e6cf7ff4271f44049930eb73dcb17ac8155afc65bde0a79.exe	27
PID 528 wrote to memory of 672	528	8141b2a3ebd69f4a4e6cf7ff4271f44049930eb73dcb17ac8155afc65bde0a79.exe	27
PID 528 wrote to memory of 672	528	8141b2a3ebd69f4a4e6cf7ff4271f44049930eb73dcb17ac8155afc65bde0a79.exe	27
PID 528 wrote to memory of 672	528	8141b2a3ebd69f4a4e6cf7ff4271f44049930eb73dcb17ac8155afc65bde0a79.exe	27
PID 672 wrote to memory of 1972	672	9hBNk3olvbuPJ2L.exe	28
PID 672 wrote to memory of 1972	672	9hBNk3olvbuPJ2L.exe	28
PID 672 wrote to memory of 1972	672	9hBNk3olvbuPJ2L.exe	28
PID 672 wrote to memory of 1972	672	9hBNk3olvbuPJ2L.exe	28
PID 672 wrote to memory of 1972	672	9hBNk3olvbuPJ2L.exe	28
PID 672 wrote to memory of 1972	672	9hBNk3olvbuPJ2L.exe	28
PID 672 wrote to memory of 1972	672	9hBNk3olvbuPJ2L.exe	28
PID 1972 wrote to memory of 1932	1972	regsvr32.exe	29
PID 1972 wrote to memory of 1932	1972	regsvr32.exe	29
PID 1972 wrote to memory of 1932	1972	regsvr32.exe	29
PID 1972 wrote to memory of 1932	1972	regsvr32.exe	29
PID 1972 wrote to memory of 1932	1972	regsvr32.exe	29
PID 1972 wrote to memory of 1932	1972	regsvr32.exe	29
PID 1972 wrote to memory of 1932	1972	regsvr32.exe	29

C:\Users\Admin\AppData\Local\Temp\8141b2a3ebd69f4a4e6cf7ff4271f44049930eb73dcb17ac8155afc65bde0a79.exe
"C:\Users\Admin\AppData\Local\Temp\8141b2a3ebd69f4a4e6cf7ff4271f44049930eb73dcb17ac8155afc65bde0a79.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:528
- C:\Users\Admin\AppData\Local\Temp\7zSC015.tmp\9hBNk3olvbuPJ2L.exe
  .\9hBNk3olvbuPJ2L.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSave\iuxfRVvNTUXFzd.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSave\iuxfRVvNTUXFzd.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\iuxfRVvNTUXFzd.dat

Filesize
6KB

MD5
05f6132667b47134bede28908c5fc1b2

SHA1
d8097505961b384405bd8a5fc3440de949009bf7

SHA256
65330c6755b512e6d13b21f2db1fdf718d9477862a69a4a372675726cb72895d

SHA512
56dc4259533cdff95ea6fd41d4dbae34ebbd2e37bcb83023e3b63adc7dca94b8855c1b36e1218a7498dc5795968289fde5c2d482b783689a91599bb0d5283eae

Download Submit
C:\Program Files (x86)\GoSave\iuxfRVvNTUXFzd.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC015.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC015.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
096f735e64b79e77fc2a923a41bc2451

SHA1
8c8b7a132daf4e11458bad413ef0ae1d0992ed15

SHA256
c8b10e2ec0259a3033f91e4f7058d4f2729139cc5397953650c442785ed93ec8

SHA512
9329c9382bd4ab380bed3c43c70db0b89602c85dca2f76555c0d2488ab22ea0631fe0075616946b985044e331c02319989a0aa1f92bcc8b9f0569601baea1b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC015.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
9ccfa969ad505d8ac0f58def26bbd850

SHA1
96a669dca712474d81796c38f7dee5819b831d64

SHA256
ac04ded2a0123442ad1be46547b4811ec68fe402c379a755bde03b87d7900233

SHA512
124e2bfd36c84b1a0a8ded9194a23a0971331622177dff814685f077ef917f11884d82ee83fb817f5a4d954e5ddc6ae5d8bee44697b715a70a32632d0f805665

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC015.tmp\[email protected]\install.rdf

Filesize
597B

MD5
e28203566e0cc6ead39391bba77b58c2

SHA1
9a29c59fecacd2bf6c7776ae725665c66ea51e8a

SHA256
f5175df238f2718c165da6fcbfb74536ef5ddffcbe462937c9ff59c658b70038

SHA512
545268328543e440ed0cbfcefb9f29cdbe2b80149526600182ee2f44bf3e81bb19c6187f21e08b94a0385464051c5d09f1b8308799550ff3d035378736552199

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC015.tmp\9hBNk3olvbuPJ2L.dat

Filesize
6KB

MD5
05f6132667b47134bede28908c5fc1b2

SHA1
d8097505961b384405bd8a5fc3440de949009bf7

SHA256
65330c6755b512e6d13b21f2db1fdf718d9477862a69a4a372675726cb72895d

SHA512
56dc4259533cdff95ea6fd41d4dbae34ebbd2e37bcb83023e3b63adc7dca94b8855c1b36e1218a7498dc5795968289fde5c2d482b783689a91599bb0d5283eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC015.tmp\9hBNk3olvbuPJ2L.exe

Filesize
625KB

MD5
ca04c0f764aa0797cbe40913d3d8d17f

SHA1
7358d68ace7d7e6213726433c41dd7b781762d74

SHA256
a018bdb7e28a4e0dd07da454e8192045f5994c66f95c47defaa0ce40661fc90f

SHA512
fae69fd13b4b9308973ff713fe7c6ee10525b76e9c70106dbe08673d86b6ecc3ebf5d90f6c3a461d64352726de28fbb5903c89db28916423766810c62686f0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC015.tmp\9hBNk3olvbuPJ2L.exe

Filesize
625KB

MD5
ca04c0f764aa0797cbe40913d3d8d17f

SHA1
7358d68ace7d7e6213726433c41dd7b781762d74

SHA256
a018bdb7e28a4e0dd07da454e8192045f5994c66f95c47defaa0ce40661fc90f

SHA512
fae69fd13b4b9308973ff713fe7c6ee10525b76e9c70106dbe08673d86b6ecc3ebf5d90f6c3a461d64352726de28fbb5903c89db28916423766810c62686f0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC015.tmp\iuxfRVvNTUXFzd.dll

Filesize
613KB

MD5
0df7c26b4abf65cd6ca180c2ddc7ae4b

SHA1
d43e0770e0a5778525a4828f46e1e4448cdc9aa8

SHA256
f133fed29f50b1cdc8af2043608b14f8f20ab5349a2cfe16536d089966eb120b

SHA512
29ca79a58784de2855975849a94f0f3e55b3a13ece1cf9ff25db98d397c1758d88df8ac4887dfb48b28a89564e60a3a0195140d154ce0d0b81569fd0931fc474

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC015.tmp\iuxfRVvNTUXFzd.tlb

Filesize
3KB

MD5
ab50bfd160f5251c1c06947ba8523db0

SHA1
7940cc61ab4e0bb82afc03dd141eaf8bd963c091

SHA256
a23c9c376478404d8f90d1d984935f7b5e5f2e5674fd8a7642dc89f2b1b2c4a8

SHA512
506baa3f8ca880eeb4d26e9744babef326d2b5b1fb0971c712072c4aeeaaaff702847c045fe0270d45cc71a0b7fb53ba0af60aeaa34f5154f9617c85a06c3334

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC015.tmp\iuxfRVvNTUXFzd.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC015.tmp\jhmckejfidkplbpecgcaojafkeagcdlf\EtO.js

Filesize
5KB

MD5
9b499ed46ca9069fd5f52dab97ad434f

SHA1
cbe50b263ea132ddb56b4f8311b6a1c22ceb0b55

SHA256
89f3114deb2f5a334fbe0665048639ad4d5398ffefdb800e7a81cbbbae4082e3

SHA512
54b0c6b13a13b17c8adae635e478564601a8b45a34e04472b4ff8ed28789d5dd229cba62ef37d44c14b05631d7a7c604772ea5e262b78abadd5021df597a486d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC015.tmp\jhmckejfidkplbpecgcaojafkeagcdlf\background.html

Filesize
140B

MD5
6a51f828ed92f1ca59cf48a20ad4f594

SHA1
a7763bd5892c9eadac6db69402289b7c53dba902

SHA256
b83c435db8743c030811a5e2afbfb99ec9df6eb305e67aab5230ee52a4439ce9

SHA512
3c1802e101048a28943a7eaed61c8bf69fe23abad03a364ad8039feec203a76212d013fe4e103818f5157fc7c3c48af25977edb0a8f38ac2ec30adf6dec86303

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC015.tmp\jhmckejfidkplbpecgcaojafkeagcdlf\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC015.tmp\jhmckejfidkplbpecgcaojafkeagcdlf\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC015.tmp\jhmckejfidkplbpecgcaojafkeagcdlf\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
\Program Files (x86)\GoSave\iuxfRVvNTUXFzd.dll

Filesize
613KB

MD5
0df7c26b4abf65cd6ca180c2ddc7ae4b

SHA1
d43e0770e0a5778525a4828f46e1e4448cdc9aa8

SHA256
f133fed29f50b1cdc8af2043608b14f8f20ab5349a2cfe16536d089966eb120b

SHA512
29ca79a58784de2855975849a94f0f3e55b3a13ece1cf9ff25db98d397c1758d88df8ac4887dfb48b28a89564e60a3a0195140d154ce0d0b81569fd0931fc474

Download Submit
\Program Files (x86)\GoSave\iuxfRVvNTUXFzd.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
\Program Files (x86)\GoSave\iuxfRVvNTUXFzd.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC015.tmp\9hBNk3olvbuPJ2L.exe

Filesize
625KB

MD5
ca04c0f764aa0797cbe40913d3d8d17f

SHA1
7358d68ace7d7e6213726433c41dd7b781762d74

SHA256
a018bdb7e28a4e0dd07da454e8192045f5994c66f95c47defaa0ce40661fc90f

SHA512
fae69fd13b4b9308973ff713fe7c6ee10525b76e9c70106dbe08673d86b6ecc3ebf5d90f6c3a461d64352726de28fbb5903c89db28916423766810c62686f0c0

Download Submit
memory/528-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/672-56-0x0000000000000000-mapping.dmp

Download
memory/1932-78-0x0000000000000000-mapping.dmp

Download
memory/1932-79-0x000007FEFC201000-0x000007FEFC203000-memory.dmp

Filesize
8KB

Download
memory/1972-73-0x0000000000000000-mapping.dmp

Download