2117186cbacfb73d24ce7745a51a2c3ddef4b251d19f0296ded4c6e98a423f63

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2117186cbacfb73d24ce7745a51a2c3ddef4b251d19f0296ded4c6e98a423f63.exe
Size

2.1MB
MD5

f7c33c817116c1e1036fde75792f5efa
SHA1

a179aa1c97314d44861a7dd261aa0c1d8db7aa04
SHA256

2117186cbacfb73d24ce7745a51a2c3ddef4b251d19f0296ded4c6e98a423f63
SHA512

9ba7bba27dfff82d436dfc865f33ea1360c184c0fcef2238375db4b13f78e8768366ab7c9a7f544772b274734d5a04b6574c78c5a9131d35fa8163d298fe9277
SSDEEP

24576:h1OYdaOETwLleYkTVug2PiL0jHM8WK5z6Sh19BUfOD4XRt1otyBNvJvMXzGK5Ih1:h1Os/LARTQ9PimJWtShQnvQsruq

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1468	tykD4NA6k74w8Xt.exe

Loads dropped DLL 3 IoCs

pid	Process
1468	tykD4NA6k74w8Xt.exe
4288	regsvr32.exe
5028	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\infcjjgafjlpfbgpmeochocichkopofi\2.0\manifest.json	tykD4NA6k74w8Xt.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\infcjjgafjlpfbgpmeochocichkopofi\2.0\manifest.json	tykD4NA6k74w8Xt.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\infcjjgafjlpfbgpmeochocichkopofi\2.0\manifest.json	tykD4NA6k74w8Xt.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\infcjjgafjlpfbgpmeochocichkopofi\2.0\manifest.json	tykD4NA6k74w8Xt.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\infcjjgafjlpfbgpmeochocichkopofi\2.0\manifest.json	tykD4NA6k74w8Xt.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	tykD4NA6k74w8Xt.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	tykD4NA6k74w8Xt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	tykD4NA6k74w8Xt.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	tykD4NA6k74w8Xt.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoSave\coYy3RYBbhP8OS.dll	tykD4NA6k74w8Xt.exe
File opened for modification	C:\Program Files (x86)\GoSave\coYy3RYBbhP8OS.dll	tykD4NA6k74w8Xt.exe
File created	C:\Program Files (x86)\GoSave\coYy3RYBbhP8OS.tlb	tykD4NA6k74w8Xt.exe
File opened for modification	C:\Program Files (x86)\GoSave\coYy3RYBbhP8OS.tlb	tykD4NA6k74w8Xt.exe
File created	C:\Program Files (x86)\GoSave\coYy3RYBbhP8OS.dat	tykD4NA6k74w8Xt.exe
File opened for modification	C:\Program Files (x86)\GoSave\coYy3RYBbhP8OS.dat	tykD4NA6k74w8Xt.exe
File created	C:\Program Files (x86)\GoSave\coYy3RYBbhP8OS.x64.dll	tykD4NA6k74w8Xt.exe
File opened for modification	C:\Program Files (x86)\GoSave\coYy3RYBbhP8OS.x64.dll	tykD4NA6k74w8Xt.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1468	tykD4NA6k74w8Xt.exe
1468	tykD4NA6k74w8Xt.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 1468	4736	2117186cbacfb73d24ce7745a51a2c3ddef4b251d19f0296ded4c6e98a423f63.exe	80
PID 4736 wrote to memory of 1468	4736	2117186cbacfb73d24ce7745a51a2c3ddef4b251d19f0296ded4c6e98a423f63.exe	80
PID 4736 wrote to memory of 1468	4736	2117186cbacfb73d24ce7745a51a2c3ddef4b251d19f0296ded4c6e98a423f63.exe	80
PID 1468 wrote to memory of 4288	1468	tykD4NA6k74w8Xt.exe	82
PID 1468 wrote to memory of 4288	1468	tykD4NA6k74w8Xt.exe	82
PID 1468 wrote to memory of 4288	1468	tykD4NA6k74w8Xt.exe	82
PID 4288 wrote to memory of 5028	4288	regsvr32.exe	84
PID 4288 wrote to memory of 5028	4288	regsvr32.exe	84

C:\Users\Admin\AppData\Local\Temp\2117186cbacfb73d24ce7745a51a2c3ddef4b251d19f0296ded4c6e98a423f63.exe
"C:\Users\Admin\AppData\Local\Temp\2117186cbacfb73d24ce7745a51a2c3ddef4b251d19f0296ded4c6e98a423f63.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\Temp\7zS7CC6.tmp\tykD4NA6k74w8Xt.exe
  .\tykD4NA6k74w8Xt.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSave\coYy3RYBbhP8OS.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSave\coYy3RYBbhP8OS.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:5028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\coYy3RYBbhP8OS.dat

Filesize
5KB

MD5
b8f2618cff394f01b6f06f8fe431da04

SHA1
ccf556cba275c9c53632a7d05bf631b058288658

SHA256
e71dfc9f213865eb4cabb965f33f6a9f471a95f1c124a2f1e8db24733b4e7a83

SHA512
7ce5cf6cdee2db36aa2706390b0de44083960e58160251fea21eeeb65515ffffd42914a589e1455cb4314588efcff9d38ffde9d3166f76fdd28d2c7595afc33f

Download Submit
C:\Program Files (x86)\GoSave\coYy3RYBbhP8OS.dll

Filesize
611KB

MD5
123fde8f1a45be2f971b36a8ae5457ef

SHA1
78f77c976bec0b388407f986e7866818512eec97

SHA256
12869f73fb78fcbb8876e10772d081890b19fd1e228dd83ca012416cf26e931e

SHA512
4ae3708e45e15a49e7ba1d338a9186ed47f41abe57727d57833a33be887043dcb950d02bc52f79ee414df0df56c3e87f213995fa222a6f0e1c659393860231d9

Download Submit
C:\Program Files (x86)\GoSave\coYy3RYBbhP8OS.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
C:\Program Files (x86)\GoSave\coYy3RYBbhP8OS.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
C:\Program Files (x86)\GoSave\coYy3RYBbhP8OS.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CC6.tmp\coYy3RYBbhP8OS.dll

Filesize
611KB

MD5
123fde8f1a45be2f971b36a8ae5457ef

SHA1
78f77c976bec0b388407f986e7866818512eec97

SHA256
12869f73fb78fcbb8876e10772d081890b19fd1e228dd83ca012416cf26e931e

SHA512
4ae3708e45e15a49e7ba1d338a9186ed47f41abe57727d57833a33be887043dcb950d02bc52f79ee414df0df56c3e87f213995fa222a6f0e1c659393860231d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CC6.tmp\coYy3RYBbhP8OS.tlb

Filesize
3KB

MD5
d5c4233a6c3de331b459f5f6a35ae3dd

SHA1
b5f1bf145f4e0896d7ae500abecbfaca715c18ab

SHA256
f3fca93b2a2848af13dcd30cad6305d20319d0a96f622f96753c1aebb91c885c

SHA512
4af48daa80dcd76cf45018d7edef74f35c5917457dd598f5a2071bba8875d75280326e41f3f5885d5301a596c22a3833cb062e2f4c97e0d83a01ad2644056e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CC6.tmp\coYy3RYBbhP8OS.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CC6.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CC6.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
e2dc0fd10ba8a66ce3218aebc5243a10

SHA1
fc6475f39a839abd13c73937b146cb0e3199e3d4

SHA256
49074203cefb795dde4ef20b417ce472a900b6daae4261ddde6be63ba32a1d15

SHA512
87667135af54bf6642d4696cf199bfcf2199235f3d68b20871aebe4e1ee4d5b26c568ef9b2adcd6a38bfa92c9aea28e30fe23d58d965a9259206ec94bb58b3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CC6.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
f6ec9084aeb7189dd72f64075b2452cd

SHA1
b64852a7cdd5bdf0fe2b03b55ad7dc4b251aecfc

SHA256
db792aecc21e8d74726c210004f21e009a450e3ff834ac56003578c9165be461

SHA512
83cf129c26257f84ac288970e040d8e1f3be1ded94c480292f5f9367579884bca0cf923a74585beea002047d8a8ae462e7db91f53bc5f8c0a27d8b0af368efdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CC6.tmp\[email protected]\install.rdf

Filesize
597B

MD5
499dfdfbfa57489319f7d39fd80ef4fa

SHA1
a1ebf3821d477f271456ddbc56dba3cad0120e90

SHA256
e44bd593c22e881eff039460a6310fd39fd18a75bf3c6a235494f34b2b1252bd

SHA512
cb336e83d526766d7ff506678330cbc3bdc59be16352f13e51297c24e7cc40197f2566d17264292db2f95a1193b4b2e5cb99cea185bc18fbcfb0725a671a5a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CC6.tmp\infcjjgafjlpfbgpmeochocichkopofi\AHVqfqtH.js

Filesize
5KB

MD5
0288956a6ebeb5ea97cd45273e3541e1

SHA1
ba6a1a6c1a3c8249560076568ac3db4a7f41145b

SHA256
fdf66a83e7908b5d5e4e3f489eb4e0809d83e04af6612f509a40844240038281

SHA512
f00b8401d26c8f679611284db48afeb10cfc457bb9595987bc10a664339fa9746c4ba5c0ca33eb6be32ed799c6002dab201b55c82796bacfa9043836d3463550

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CC6.tmp\infcjjgafjlpfbgpmeochocichkopofi\background.html

Filesize
145B

MD5
896b9606273537c3c2f0b1d4962b4acc

SHA1
09c246157096207594daede8fc36096cc1a29d56

SHA256
349419d64a8783af6553e0005d645518aa0480ca6903644ab36061a9f676c4ff

SHA512
691f0617e9ee57a368c75a8140b626a79be8250f1e7f890b6cc5c8777f489283c61c7a32ae94e6d000b64efd1aa7bfee59b3105573a929c750245deae1ed7dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CC6.tmp\infcjjgafjlpfbgpmeochocichkopofi\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CC6.tmp\infcjjgafjlpfbgpmeochocichkopofi\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CC6.tmp\infcjjgafjlpfbgpmeochocichkopofi\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CC6.tmp\tykD4NA6k74w8Xt.dat

Filesize
5KB

MD5
b8f2618cff394f01b6f06f8fe431da04

SHA1
ccf556cba275c9c53632a7d05bf631b058288658

SHA256
e71dfc9f213865eb4cabb965f33f6a9f471a95f1c124a2f1e8db24733b4e7a83

SHA512
7ce5cf6cdee2db36aa2706390b0de44083960e58160251fea21eeeb65515ffffd42914a589e1455cb4314588efcff9d38ffde9d3166f76fdd28d2c7595afc33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CC6.tmp\tykD4NA6k74w8Xt.exe

Filesize
634KB

MD5
8b3b2e0c8e5f6fdefb32e82daf230175

SHA1
4ddeb5ed636661376b8e1ef41e5162387724ed44

SHA256
e7be2ab45ff78525377a8da7205bbc29f871c907ddf30879d29aa0c219f65e99

SHA512
8aeb49852cb6a1335df799e8e30b34d83303a225c1a7b2e029368246d81463d653109a4454a3f9196fa050c2a5e9ba4dc8372900c55ce989c821c954cb850038

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CC6.tmp\tykD4NA6k74w8Xt.exe

Filesize
634KB

MD5
8b3b2e0c8e5f6fdefb32e82daf230175

SHA1
4ddeb5ed636661376b8e1ef41e5162387724ed44

SHA256
e7be2ab45ff78525377a8da7205bbc29f871c907ddf30879d29aa0c219f65e99

SHA512
8aeb49852cb6a1335df799e8e30b34d83303a225c1a7b2e029368246d81463d653109a4454a3f9196fa050c2a5e9ba4dc8372900c55ce989c821c954cb850038

Download Submit
memory/1468-132-0x0000000000000000-mapping.dmp

Download
memory/4288-149-0x0000000000000000-mapping.dmp

Download
memory/5028-152-0x0000000000000000-mapping.dmp

Download