316bcf487801020bb06d6b614fa6e9d6743594ded6561dfd4f68193cd0c14f82

Analysis

max time kernel
139s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

316bcf487801020bb06d6b614fa6e9d6743594ded6561dfd4f68193cd0c14f82.exe
Size

2.1MB
MD5

36c068f0a2ff259379a733674ce44d20
SHA1

ee3db6ea394061dcded17b679c412b9d5582a27d
SHA256

316bcf487801020bb06d6b614fa6e9d6743594ded6561dfd4f68193cd0c14f82
SHA512

5c7312b0d6091a887822b36c16997a2d99f5f42eb2bafc9bf65476f1ada885bb8aad40a1fdb5506f79922dd959bb11d8148208bed045ab66de7ed3a88714c57c
SSDEEP

24576:h1OYdaOVGiAEAd/KjjBKyu73i8mxcmMMV6zs+G/pC2d1RJoTJnQqphTuS2MD3Gvw:h1OsKMAd/OxfV6zZGYg1RJQnFrTc2S2

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2724	e9qyPfHuKuF3vSH.exe

Loads dropped DLL 3 IoCs

pid	Process
2724	e9qyPfHuKuF3vSH.exe
4904	regsvr32.exe
4872	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgknhmapaopmnbciceebpgkhjlaokgne\2.0\manifest.json	e9qyPfHuKuF3vSH.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgknhmapaopmnbciceebpgkhjlaokgne\2.0\manifest.json	e9qyPfHuKuF3vSH.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgknhmapaopmnbciceebpgkhjlaokgne\2.0\manifest.json	e9qyPfHuKuF3vSH.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgknhmapaopmnbciceebpgkhjlaokgne\2.0\manifest.json	e9qyPfHuKuF3vSH.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgknhmapaopmnbciceebpgkhjlaokgne\2.0\manifest.json	e9qyPfHuKuF3vSH.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	e9qyPfHuKuF3vSH.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	e9qyPfHuKuF3vSH.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	e9qyPfHuKuF3vSH.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	e9qyPfHuKuF3vSH.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GoSaveo\Bk7xfjTutYd1fy.dat	e9qyPfHuKuF3vSH.exe
File created	C:\Program Files (x86)\GoSaveo\Bk7xfjTutYd1fy.x64.dll	e9qyPfHuKuF3vSH.exe
File opened for modification	C:\Program Files (x86)\GoSaveo\Bk7xfjTutYd1fy.x64.dll	e9qyPfHuKuF3vSH.exe
File created	C:\Program Files (x86)\GoSaveo\Bk7xfjTutYd1fy.dll	e9qyPfHuKuF3vSH.exe
File opened for modification	C:\Program Files (x86)\GoSaveo\Bk7xfjTutYd1fy.dll	e9qyPfHuKuF3vSH.exe
File created	C:\Program Files (x86)\GoSaveo\Bk7xfjTutYd1fy.tlb	e9qyPfHuKuF3vSH.exe
File opened for modification	C:\Program Files (x86)\GoSaveo\Bk7xfjTutYd1fy.tlb	e9qyPfHuKuF3vSH.exe
File created	C:\Program Files (x86)\GoSaveo\Bk7xfjTutYd1fy.dat	e9qyPfHuKuF3vSH.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 2724	5000	316bcf487801020bb06d6b614fa6e9d6743594ded6561dfd4f68193cd0c14f82.exe	80
PID 5000 wrote to memory of 2724	5000	316bcf487801020bb06d6b614fa6e9d6743594ded6561dfd4f68193cd0c14f82.exe	80
PID 5000 wrote to memory of 2724	5000	316bcf487801020bb06d6b614fa6e9d6743594ded6561dfd4f68193cd0c14f82.exe	80
PID 2724 wrote to memory of 4904	2724	e9qyPfHuKuF3vSH.exe	81
PID 2724 wrote to memory of 4904	2724	e9qyPfHuKuF3vSH.exe	81
PID 2724 wrote to memory of 4904	2724	e9qyPfHuKuF3vSH.exe	81
PID 4904 wrote to memory of 4872	4904	regsvr32.exe	82
PID 4904 wrote to memory of 4872	4904	regsvr32.exe	82

C:\Users\Admin\AppData\Local\Temp\316bcf487801020bb06d6b614fa6e9d6743594ded6561dfd4f68193cd0c14f82.exe
"C:\Users\Admin\AppData\Local\Temp\316bcf487801020bb06d6b614fa6e9d6743594ded6561dfd4f68193cd0c14f82.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\e9qyPfHuKuF3vSH.exe
  .\e9qyPfHuKuF3vSH.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSaveo\Bk7xfjTutYd1fy.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSaveo\Bk7xfjTutYd1fy.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:4872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSaveo\Bk7xfjTutYd1fy.dat

Filesize
6KB

MD5
264a2401a1f286fb0843277c8ffc2dbe

SHA1
8d393d6e4cbe51f4609d8126b1524fe0b4846df4

SHA256
3f3c60581547e8f1c0fa909a6d3f06db59557ff621cb87d2c3ffe429f796af1b

SHA512
f268c390d9765e749a572f3e1866cd47a16d516893f0afef4f7e7cb9c140256231576a3d245de1111a20f7bf434c210ed1cda467d5f419caf1ab85fd33303b25

Download Submit
C:\Program Files (x86)\GoSaveo\Bk7xfjTutYd1fy.dll

Filesize
619KB

MD5
4f328f4e17a2c81830aac4c8c3d67141

SHA1
063c8e33d6a263dd604d072ffd143305f6c3d4a8

SHA256
303917029755e7a44a6e7392c5e751e4fbcb66feaa8a5f09142efaf5a91ad2fc

SHA512
d387cf9ee95426717be8bac7a6cd422b8ddc2aa925723a9b25a169d9b4a0f5cb5607e2f2b8161cadb0e4333d1fda4ba24ecb838dbb49571d55a6799efce404c0

Download Submit
C:\Program Files (x86)\GoSaveo\Bk7xfjTutYd1fy.x64.dll

Filesize
702KB

MD5
1287246338d36f26f77735bd58d74e70

SHA1
aabda37cd307e50f2444c73bd656eaf2b78fc291

SHA256
4d1d5893df770fc7c94b33c90f87f8cc8b9d7669f4f914df9139ddb22042acc1

SHA512
ee4177dbd58c1327ea0334e43499e99cea642d458844b589116d147d72a6f71e063fe5dadbe262a7bca7cf0ba7ec48708e64827b513abc3e46144bcfcc6f46f1

Download Submit
C:\Program Files (x86)\GoSaveo\Bk7xfjTutYd1fy.x64.dll

Filesize
702KB

MD5
1287246338d36f26f77735bd58d74e70

SHA1
aabda37cd307e50f2444c73bd656eaf2b78fc291

SHA256
4d1d5893df770fc7c94b33c90f87f8cc8b9d7669f4f914df9139ddb22042acc1

SHA512
ee4177dbd58c1327ea0334e43499e99cea642d458844b589116d147d72a6f71e063fe5dadbe262a7bca7cf0ba7ec48708e64827b513abc3e46144bcfcc6f46f1

Download Submit
C:\Program Files (x86)\GoSaveo\Bk7xfjTutYd1fy.x64.dll

Filesize
702KB

MD5
1287246338d36f26f77735bd58d74e70

SHA1
aabda37cd307e50f2444c73bd656eaf2b78fc291

SHA256
4d1d5893df770fc7c94b33c90f87f8cc8b9d7669f4f914df9139ddb22042acc1

SHA512
ee4177dbd58c1327ea0334e43499e99cea642d458844b589116d147d72a6f71e063fe5dadbe262a7bca7cf0ba7ec48708e64827b513abc3e46144bcfcc6f46f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\Bk7xfjTutYd1fy.dll

Filesize
619KB

MD5
4f328f4e17a2c81830aac4c8c3d67141

SHA1
063c8e33d6a263dd604d072ffd143305f6c3d4a8

SHA256
303917029755e7a44a6e7392c5e751e4fbcb66feaa8a5f09142efaf5a91ad2fc

SHA512
d387cf9ee95426717be8bac7a6cd422b8ddc2aa925723a9b25a169d9b4a0f5cb5607e2f2b8161cadb0e4333d1fda4ba24ecb838dbb49571d55a6799efce404c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\Bk7xfjTutYd1fy.tlb

Filesize
3KB

MD5
62cb4133d9d3a46f4f1c6c0fb3688619

SHA1
feaaef6e2b8c41be2575d0763cc8de3e8c19478e

SHA256
3ddcfb4b206fc4856f5bb5c06bcc3761dde53882eea20b5dc5ddf4ee8864bea5

SHA512
cb30dc73d52eb502f745fe32b4055b53306f62f0847cae1275d0856608949ea62c30f40d7f252ad450909a4bd425cf0e50012400175cc42a4096cf1451d90123

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\Bk7xfjTutYd1fy.x64.dll

Filesize
702KB

MD5
1287246338d36f26f77735bd58d74e70

SHA1
aabda37cd307e50f2444c73bd656eaf2b78fc291

SHA256
4d1d5893df770fc7c94b33c90f87f8cc8b9d7669f4f914df9139ddb22042acc1

SHA512
ee4177dbd58c1327ea0334e43499e99cea642d458844b589116d147d72a6f71e063fe5dadbe262a7bca7cf0ba7ec48708e64827b513abc3e46144bcfcc6f46f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\bgknhmapaopmnbciceebpgkhjlaokgne\background.html

Filesize
143B

MD5
78b9e6d405f6d52e947d7333d590065e

SHA1
6f3895f46baa31df7da076fa406f0cda66d92109

SHA256
2eeff8ef8fa8f4d9d4c8c374cebf540331bf0027024fe7b7918e2e4d47bd0031

SHA512
fd5e753224a016eb4c59cd8bfbb9835a35997ad23742a529e11aacf691906b549ac6f63eb6a79b8b6d3b8dd185bc7e5b3a1a43e9abbf44fe5ab6c75071b0a19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\bgknhmapaopmnbciceebpgkhjlaokgne\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\bgknhmapaopmnbciceebpgkhjlaokgne\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\bgknhmapaopmnbciceebpgkhjlaokgne\manifest.json

Filesize
499B

MD5
eced7dd24fd286d55bcb7b575ddf2cc4

SHA1
88af159df49206cda41b163cde7feccbb99511b4

SHA256
36599ee12940b8790cab4e4fe7a532068d4f035b3eb007b9ee30dfee4a14e424

SHA512
96a7f329ffdf6e9141f3659a77b691c72d820a5f2152b2b7d064aacef1172b54eeccef3ad4bac28ed4061a66fe7b98ebb8c3b156ba231d0c325137cad0325d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\bgknhmapaopmnbciceebpgkhjlaokgne\oxdz7U.js

Filesize
5KB

MD5
f96d4bc747a6692ae815f2abfbf475e2

SHA1
451bd8654064b53e9f5710ace43fb3634a7c3565

SHA256
427a72536e7b969e89f840c0da9138bc9f4d597943d9f682edf1f1312c58cb16

SHA512
b964d410416ca088d2fdc8e049679379407acf87268c1722593220c8bab81ca5b877cb173bbc774e8b023fb75ecb2a0f77f00f1c1a61ddd5d53ab5994c8951a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\e9qyPfHuKuF3vSH.dat

Filesize
6KB

MD5
264a2401a1f286fb0843277c8ffc2dbe

SHA1
8d393d6e4cbe51f4609d8126b1524fe0b4846df4

SHA256
3f3c60581547e8f1c0fa909a6d3f06db59557ff621cb87d2c3ffe429f796af1b

SHA512
f268c390d9765e749a572f3e1866cd47a16d516893f0afef4f7e7cb9c140256231576a3d245de1111a20f7bf434c210ed1cda467d5f419caf1ab85fd33303b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\e9qyPfHuKuF3vSH.exe

Filesize
623KB

MD5
cd6bf363f5af45a16926343310023db4

SHA1
e5bcbe9735e5a8d6243af1c2a4593784e8e63aa6

SHA256
bfa98e4e677c8bcb7348aed64d51915e3bacb05925d0234e646e2bb7cc3cdd06

SHA512
3ccb2c4ea143ac58d4df43751bf1c8781795b2321f3acb5d85a0249e4b43c1bf3f93c41c0c59cc2933b923069340a3f7425e9ddce1d7355e60eec843d9158ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\e9qyPfHuKuF3vSH.exe

Filesize
623KB

MD5
cd6bf363f5af45a16926343310023db4

SHA1
e5bcbe9735e5a8d6243af1c2a4593784e8e63aa6

SHA256
bfa98e4e677c8bcb7348aed64d51915e3bacb05925d0234e646e2bb7cc3cdd06

SHA512
3ccb2c4ea143ac58d4df43751bf1c8781795b2321f3acb5d85a0249e4b43c1bf3f93c41c0c59cc2933b923069340a3f7425e9ddce1d7355e60eec843d9158ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
c8c96dc1d1111299a8e31d3b81799f8d

SHA1
e53a88af6e8f9088856e205d5f3ea07f02d62fc3

SHA256
751f4bc0be848393795a5fabe70a55a9c924e0dbe9db394258835009bef2ca70

SHA512
53dc6053f447306400755a97f18b8031bc05b6e5e391d2a694ab0a4e19ff26e40b95c631c58856da58348ef6eb446258a527910179db0d037a6a2fdd24fe964d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
f1a340b43b66fb3edbc1eec30f046c93

SHA1
d34962a8ecc9a055cfe2d969af6c17d9030d69ab

SHA256
735b56dccb6c1b14d110a425acf188b30219a1b559e66a81555474d556dbe19f

SHA512
14f41fe668e8fc976669c6edc787d312a4765a75df156a1b534f501e81e68112068d8d3b363c0b6ee750d239cfc0f185fdc2129ffc7f822606eaa4b17a47aee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF68A.tmp\[email protected]\install.rdf

Filesize
596B

MD5
5664ff6d489771ecc3034fb7c8fff71c

SHA1
e7d8db9e9929d59a590b16bc26812a52b405eeac

SHA256
834cbf64c773560fe9398bb46bee5699ebc12a9cdaabc92147bdc9e84718d76e

SHA512
5d9a7b2aa8711841503c595c74ca080975c4a834570b009bae3b75bcccda1d42da17bffb4bf07d6a4ec75b692284f3e34d4f220ea4df9b88df3e94185d71c517

Download Submit