cde644dae574499f6533fa29e2f2759b18584345a73729ab38e403339561744e

Analysis

max time kernel
151s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cde644dae574499f6533fa29e2f2759b18584345a73729ab38e403339561744e.exe
Size

2.1MB
MD5

30a819452bf4cf5d76a1a7892c13c091
SHA1

e46ea9bfa27919632b7faff5ef97c1eadd071bf3
SHA256

cde644dae574499f6533fa29e2f2759b18584345a73729ab38e403339561744e
SHA512

86984ece412835235c0f929cf711ed63c26bd0067f7ff00d3e6408cc6fd62c01df2accb16320a966188e6000665a0b81be7dc53a52e249a1d032514e6f74e79a
SSDEEP

49152:h1OsVl9RJLu6vcW6hGkaVR7QSiN/tObJmZcqYUuRTp:h1OGrVOhGRkSixtKDn

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

rSWZzYRP4JHJg4q.exe

pid process

2820 rSWZzYRP4JHJg4q.exe
Loads dropped DLL 3 IoCs

Processes:

rSWZzYRP4JHJg4q.exeregsvr32.exeregsvr32.exe

pid process

2820 rSWZzYRP4JHJg4q.exe
3640 regsvr32.exe
1328 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2820	rSWZzYRP4JHJg4q.exe

pid	process
2820	rSWZzYRP4JHJg4q.exe
3640	regsvr32.exe
1328	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

rSWZzYRP4JHJg4q.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgobnnalmiklagpnkobhfnfheaiepfoe\2.0\manifest.json	rSWZzYRP4JHJg4q.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgobnnalmiklagpnkobhfnfheaiepfoe\2.0\manifest.json	rSWZzYRP4JHJg4q.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgobnnalmiklagpnkobhfnfheaiepfoe\2.0\manifest.json	rSWZzYRP4JHJg4q.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgobnnalmiklagpnkobhfnfheaiepfoe\2.0\manifest.json	rSWZzYRP4JHJg4q.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgobnnalmiklagpnkobhfnfheaiepfoe\2.0\manifest.json	rSWZzYRP4JHJg4q.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exerSWZzYRP4JHJg4q.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	rSWZzYRP4JHJg4q.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	rSWZzYRP4JHJg4q.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	rSWZzYRP4JHJg4q.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	rSWZzYRP4JHJg4q.exe

Drops file in Program Files directory 8 IoCs

Processes:

rSWZzYRP4JHJg4q.exe

description	ioc	process
File created	C:\Program Files (x86)\GoSave\ptHVJ8ebl0zooG.x64.dll	rSWZzYRP4JHJg4q.exe
File opened for modification	C:\Program Files (x86)\GoSave\ptHVJ8ebl0zooG.x64.dll	rSWZzYRP4JHJg4q.exe
File created	C:\Program Files (x86)\GoSave\ptHVJ8ebl0zooG.dll	rSWZzYRP4JHJg4q.exe
File opened for modification	C:\Program Files (x86)\GoSave\ptHVJ8ebl0zooG.dll	rSWZzYRP4JHJg4q.exe
File created	C:\Program Files (x86)\GoSave\ptHVJ8ebl0zooG.tlb	rSWZzYRP4JHJg4q.exe
File opened for modification	C:\Program Files (x86)\GoSave\ptHVJ8ebl0zooG.tlb	rSWZzYRP4JHJg4q.exe
File created	C:\Program Files (x86)\GoSave\ptHVJ8ebl0zooG.dat	rSWZzYRP4JHJg4q.exe
File opened for modification	C:\Program Files (x86)\GoSave\ptHVJ8ebl0zooG.dat	rSWZzYRP4JHJg4q.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rSWZzYRP4JHJg4q.exe

pid process

2820 rSWZzYRP4JHJg4q.exe
2820 rSWZzYRP4JHJg4q.exe

pid	process
2820	rSWZzYRP4JHJg4q.exe
2820	rSWZzYRP4JHJg4q.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cde644dae574499f6533fa29e2f2759b18584345a73729ab38e403339561744e.exerSWZzYRP4JHJg4q.exeregsvr32.exe

description	pid	process	target process
PID 2892 wrote to memory of 2820	2892	cde644dae574499f6533fa29e2f2759b18584345a73729ab38e403339561744e.exe	rSWZzYRP4JHJg4q.exe
PID 2892 wrote to memory of 2820	2892	cde644dae574499f6533fa29e2f2759b18584345a73729ab38e403339561744e.exe	rSWZzYRP4JHJg4q.exe
PID 2892 wrote to memory of 2820	2892	cde644dae574499f6533fa29e2f2759b18584345a73729ab38e403339561744e.exe	rSWZzYRP4JHJg4q.exe
PID 2820 wrote to memory of 3640	2820	rSWZzYRP4JHJg4q.exe	regsvr32.exe
PID 2820 wrote to memory of 3640	2820	rSWZzYRP4JHJg4q.exe	regsvr32.exe
PID 2820 wrote to memory of 3640	2820	rSWZzYRP4JHJg4q.exe	regsvr32.exe
PID 3640 wrote to memory of 1328	3640	regsvr32.exe	regsvr32.exe
PID 3640 wrote to memory of 1328	3640	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\cde644dae574499f6533fa29e2f2759b18584345a73729ab38e403339561744e.exe
"C:\Users\Admin\AppData\Local\Temp\cde644dae574499f6533fa29e2f2759b18584345a73729ab38e403339561744e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Local\Temp\7zSDE6E.tmp\rSWZzYRP4JHJg4q.exe
.\rSWZzYRP4JHJg4q.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSave\ptHVJ8ebl0zooG.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSave\ptHVJ8ebl0zooG.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\ptHVJ8ebl0zooG.dat

Filesize
6KB

MD5
511a40e6b64278699fb8bb48da9164ba

SHA1
d628b0e292d74e3f17ca489094c9de57dcedd5de

SHA256
093e91a7205704b3b5903b86d2d02bb6083a8303c0485b818da700467354c39e

SHA512
1126cecd84c7a157e6e6554ebccb217b557bfc54778c0c3829f1f96fc1fc6e66457d76ed982f82bac13a6fb10eab4f05a58edcb1527a0dbcc478c967aa90aff2

Download Submit
C:\Program Files (x86)\GoSave\ptHVJ8ebl0zooG.dll

Filesize
621KB

MD5
021d6ecac6ffca37cd098212eb99c22e

SHA1
e662d4f6bcee66df291ee638349bd75d5468e834

SHA256
f9f805536f4f45348b36aa4d60ed1b9869c5fe36acea58c25064dbcdb1a0ee50

SHA512
8fd459ead2ab976a17588f1e5e6c39ffab032d98a1903c1f70ae89dc273eca0a49662f582b6da9e394298ed4f11b7abad50bb51229f77ff2c95502672359572f

Download Submit
C:\Program Files (x86)\GoSave\ptHVJ8ebl0zooG.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
C:\Program Files (x86)\GoSave\ptHVJ8ebl0zooG.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
C:\Program Files (x86)\GoSave\ptHVJ8ebl0zooG.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDE6E.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDE6E.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
afc89905f122860a60327c824d15c232

SHA1
93223bbb67c6da8c89c8b77e58bb6fbcd21f8ca0

SHA256
dd12a8b0c579311d6d66be24d280d0bfb4d9c1de8363b3aa2c7463e152a6d5b8

SHA512
ffb9e01b2f5dc1eae1e95096ca7863f8987f56677791be4d740d2b44aa10e1b1f6d75c73588231717a97bb280a465f1e91943d7f281fb79205cf0a2876490a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDE6E.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
7c1b14986abcef1b93d67e4ec9fa730f

SHA1
4cad397791698a3b741b765418097b5bca85ca9f

SHA256
1ae171010241388dfe6d2bb6c77b679aeb596367f0ef18cc8889f6577d7d3a27

SHA512
7a812cf58d2859ea680d08ada55cce8b4feadb04d0d18d5ba3c5950d3566e0430906b364c8b8eab4692367c39b53f708c52533b6f90467505a409260dfc46d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDE6E.tmp\[email protected]\install.rdf

Filesize
590B

MD5
170c006745b8b64adf3ce9ece311ca45

SHA1
5f4e8e32cb294238154b8f2d2a1c84de8b64fc08

SHA256
9bae84806d8673f408000cb4731e27f0f5d862cd69764a059b275ca4d742c819

SHA512
a2941dc9ac2f0361413ef83cedd25665c8817f898ce14148921f83df50682eefff3e60ea66818896e1c7f5228adaf8c584d360a886dc2f9f54816cda2f268c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDE6E.tmp\kgobnnalmiklagpnkobhfnfheaiepfoe\IMzZ.js

Filesize
5KB

MD5
972a588863c98668a3e3b6a70f9cd700

SHA1
58638fc3bde15f3827f37eb5e2bdd156eca4abd1

SHA256
39d850390c10c831c622bf7481f38eaeed31815dca506829e0111bb0707532a0

SHA512
0f7d107558007f9cd46123f16fa50782fe4a337699e4768c598cf1a112f06a231faa2b489189f2d3d56391ac94d598957eaeb8ad5b2b8472e128b512807d69c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDE6E.tmp\kgobnnalmiklagpnkobhfnfheaiepfoe\background.html

Filesize
141B

MD5
874c7e1529a2a3870734f6cc989674f3

SHA1
d304def335d744bcf5b783d7d92c84f15b4671e8

SHA256
55f162aca2f796d3e23a7af81591d2ad2c87aaf7c041926957d3568daaf4bd77

SHA512
4493b2b9beb1989e1472a41967a0387623e6f261c0dc1bbb409aa290a0a1e7d3155c7465f36c36d0407eea0eca771160fc18f798c9fe41ba0e184b172a877465

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDE6E.tmp\kgobnnalmiklagpnkobhfnfheaiepfoe\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDE6E.tmp\kgobnnalmiklagpnkobhfnfheaiepfoe\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDE6E.tmp\kgobnnalmiklagpnkobhfnfheaiepfoe\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDE6E.tmp\ptHVJ8ebl0zooG.dll

Filesize
621KB

MD5
021d6ecac6ffca37cd098212eb99c22e

SHA1
e662d4f6bcee66df291ee638349bd75d5468e834

SHA256
f9f805536f4f45348b36aa4d60ed1b9869c5fe36acea58c25064dbcdb1a0ee50

SHA512
8fd459ead2ab976a17588f1e5e6c39ffab032d98a1903c1f70ae89dc273eca0a49662f582b6da9e394298ed4f11b7abad50bb51229f77ff2c95502672359572f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDE6E.tmp\ptHVJ8ebl0zooG.tlb

Filesize
3KB

MD5
38dcedc06ce882652b73038799f369c1

SHA1
09985c74e62920963791808be0765222d2a517d3

SHA256
37996a9f383f824002a73026332578b823bacad0a736f2f4c25401f6e2da307c

SHA512
78b7ab8fc102a0f874d24bb40e7b399befe3eb8788c08b059487770dd83a390daf0011c34d6cd29dd78e3436bfd6587fff2f50bde0c3bed49e6ffe27ef0b4c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDE6E.tmp\ptHVJ8ebl0zooG.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDE6E.tmp\rSWZzYRP4JHJg4q.dat

Filesize
6KB

MD5
511a40e6b64278699fb8bb48da9164ba

SHA1
d628b0e292d74e3f17ca489094c9de57dcedd5de

SHA256
093e91a7205704b3b5903b86d2d02bb6083a8303c0485b818da700467354c39e

SHA512
1126cecd84c7a157e6e6554ebccb217b557bfc54778c0c3829f1f96fc1fc6e66457d76ed982f82bac13a6fb10eab4f05a58edcb1527a0dbcc478c967aa90aff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDE6E.tmp\rSWZzYRP4JHJg4q.exe

Filesize
622KB

MD5
80fb7c6cb182b769448bd45c28fcc963

SHA1
454ad8e9ee2267c72222e7f8a902b2c19cfab01d

SHA256
9abc0a4bba0b42851bed08efb7c1643105b9f256e8ac53ae21d8d7269f9948b3

SHA512
224e8954fcb850ab2570005aa9ba82e643a65e0efaba70ac29b045ec9aba9d11414a211c7e87a8ba96eba1bd872d7541bc0d32890a87b20c814d573cfcfb0f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDE6E.tmp\rSWZzYRP4JHJg4q.exe

Filesize
622KB

MD5
80fb7c6cb182b769448bd45c28fcc963

SHA1
454ad8e9ee2267c72222e7f8a902b2c19cfab01d

SHA256
9abc0a4bba0b42851bed08efb7c1643105b9f256e8ac53ae21d8d7269f9948b3

SHA512
224e8954fcb850ab2570005aa9ba82e643a65e0efaba70ac29b045ec9aba9d11414a211c7e87a8ba96eba1bd872d7541bc0d32890a87b20c814d573cfcfb0f14

Download Submit
memory/1328-152-0x0000000000000000-mapping.dmp

Download
memory/2820-132-0x0000000000000000-mapping.dmp

Download
memory/3640-149-0x0000000000000000-mapping.dmp

Download