7e7839fb3e990a6897212b794aa8722ebf68b97af05c114e30f81aeced48eac4

Analysis

max time kernel
179s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e7839fb3e990a6897212b794aa8722ebf68b97af05c114e30f81aeced48eac4.exe
Size

2.1MB
MD5

be8a68335905b89c8db2df87d3bf3fa7
SHA1

6b577edc80a3120bca840594d12603e8d0adb8e5
SHA256

7e7839fb3e990a6897212b794aa8722ebf68b97af05c114e30f81aeced48eac4
SHA512

5f423a689f65ff6b3c9c63a339029493745d85a47d4857f928945ab20fba7c61742bb3821b33af54920952bba9fdfe13360678962a4fbc2850b6b2380ff8229d
SSDEEP

24576:h1OYdaO5TwLleYkTVug2PiL0jHM8WK5z6Sh19BUfOD4XRt1otyBNvJvMXzGK5Iht:h1Os4LARTQ9PimJWtShQnvQsru2

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

7s7WHbpsKzLTJbZ.exe

pid process

4088 7s7WHbpsKzLTJbZ.exe
Loads dropped DLL 3 IoCs

Processes:

7s7WHbpsKzLTJbZ.exeregsvr32.exeregsvr32.exe

pid process

4088 7s7WHbpsKzLTJbZ.exe
4592 regsvr32.exe
3428 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4088	7s7WHbpsKzLTJbZ.exe

pid	process
4088	7s7WHbpsKzLTJbZ.exe
4592	regsvr32.exe
3428	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

7s7WHbpsKzLTJbZ.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkmddoelhahpnngnaghpjmdgkdianonl\2.0\manifest.json	7s7WHbpsKzLTJbZ.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkmddoelhahpnngnaghpjmdgkdianonl\2.0\manifest.json	7s7WHbpsKzLTJbZ.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkmddoelhahpnngnaghpjmdgkdianonl\2.0\manifest.json	7s7WHbpsKzLTJbZ.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkmddoelhahpnngnaghpjmdgkdianonl\2.0\manifest.json	7s7WHbpsKzLTJbZ.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkmddoelhahpnngnaghpjmdgkdianonl\2.0\manifest.json	7s7WHbpsKzLTJbZ.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

7s7WHbpsKzLTJbZ.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	7s7WHbpsKzLTJbZ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	7s7WHbpsKzLTJbZ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	7s7WHbpsKzLTJbZ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	7s7WHbpsKzLTJbZ.exe

Drops file in Program Files directory 8 IoCs

Processes:

7s7WHbpsKzLTJbZ.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GoSave\M6K9bD4wLM1rVH.tlb	7s7WHbpsKzLTJbZ.exe
File created	C:\Program Files (x86)\GoSave\M6K9bD4wLM1rVH.dat	7s7WHbpsKzLTJbZ.exe
File opened for modification	C:\Program Files (x86)\GoSave\M6K9bD4wLM1rVH.dat	7s7WHbpsKzLTJbZ.exe
File created	C:\Program Files (x86)\GoSave\M6K9bD4wLM1rVH.x64.dll	7s7WHbpsKzLTJbZ.exe
File opened for modification	C:\Program Files (x86)\GoSave\M6K9bD4wLM1rVH.x64.dll	7s7WHbpsKzLTJbZ.exe
File created	C:\Program Files (x86)\GoSave\M6K9bD4wLM1rVH.dll	7s7WHbpsKzLTJbZ.exe
File opened for modification	C:\Program Files (x86)\GoSave\M6K9bD4wLM1rVH.dll	7s7WHbpsKzLTJbZ.exe
File created	C:\Program Files (x86)\GoSave\M6K9bD4wLM1rVH.tlb	7s7WHbpsKzLTJbZ.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7s7WHbpsKzLTJbZ.exe

pid process

4088 7s7WHbpsKzLTJbZ.exe
4088 7s7WHbpsKzLTJbZ.exe

pid	process
4088	7s7WHbpsKzLTJbZ.exe
4088	7s7WHbpsKzLTJbZ.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

7e7839fb3e990a6897212b794aa8722ebf68b97af05c114e30f81aeced48eac4.exe7s7WHbpsKzLTJbZ.exeregsvr32.exe

description	pid	process	target process
PID 444 wrote to memory of 4088	444	7e7839fb3e990a6897212b794aa8722ebf68b97af05c114e30f81aeced48eac4.exe	7s7WHbpsKzLTJbZ.exe
PID 444 wrote to memory of 4088	444	7e7839fb3e990a6897212b794aa8722ebf68b97af05c114e30f81aeced48eac4.exe	7s7WHbpsKzLTJbZ.exe
PID 444 wrote to memory of 4088	444	7e7839fb3e990a6897212b794aa8722ebf68b97af05c114e30f81aeced48eac4.exe	7s7WHbpsKzLTJbZ.exe
PID 4088 wrote to memory of 4592	4088	7s7WHbpsKzLTJbZ.exe	regsvr32.exe
PID 4088 wrote to memory of 4592	4088	7s7WHbpsKzLTJbZ.exe	regsvr32.exe
PID 4088 wrote to memory of 4592	4088	7s7WHbpsKzLTJbZ.exe	regsvr32.exe
PID 4592 wrote to memory of 3428	4592	regsvr32.exe	regsvr32.exe
PID 4592 wrote to memory of 3428	4592	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\7e7839fb3e990a6897212b794aa8722ebf68b97af05c114e30f81aeced48eac4.exe
"C:\Users\Admin\AppData\Local\Temp\7e7839fb3e990a6897212b794aa8722ebf68b97af05c114e30f81aeced48eac4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:444

C:\Users\Admin\AppData\Local\Temp\7zSA8F.tmp\7s7WHbpsKzLTJbZ.exe
.\7s7WHbpsKzLTJbZ.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSave\M6K9bD4wLM1rVH.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSave\M6K9bD4wLM1rVH.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:3428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\M6K9bD4wLM1rVH.dat

Filesize
5KB

MD5
2f47c562f92637ee58af503eef6e34d1

SHA1
aeaee5a80e718c1c237ab10a2120ebbb328e9215

SHA256
e21cb1ea7856d921fda7c0f6fcfdf675c8bd59c1cd6de4ad90d367f9a48b5fb8

SHA512
dfd2c9dffd1cec8cc586ae478d315b56fb69f95523931fdc3cc4d87ad14a71ae6eb1a6499d1640495e908d211b846be5364a75731f20d8cc0c354d7df4ddf09d

Download Submit
C:\Program Files (x86)\GoSave\M6K9bD4wLM1rVH.dll

Filesize
611KB

MD5
123fde8f1a45be2f971b36a8ae5457ef

SHA1
78f77c976bec0b388407f986e7866818512eec97

SHA256
12869f73fb78fcbb8876e10772d081890b19fd1e228dd83ca012416cf26e931e

SHA512
4ae3708e45e15a49e7ba1d338a9186ed47f41abe57727d57833a33be887043dcb950d02bc52f79ee414df0df56c3e87f213995fa222a6f0e1c659393860231d9

Download Submit
C:\Program Files (x86)\GoSave\M6K9bD4wLM1rVH.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
C:\Program Files (x86)\GoSave\M6K9bD4wLM1rVH.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
C:\Program Files (x86)\GoSave\M6K9bD4wLM1rVH.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8F.tmp\7s7WHbpsKzLTJbZ.dat

Filesize
5KB

MD5
2f47c562f92637ee58af503eef6e34d1

SHA1
aeaee5a80e718c1c237ab10a2120ebbb328e9215

SHA256
e21cb1ea7856d921fda7c0f6fcfdf675c8bd59c1cd6de4ad90d367f9a48b5fb8

SHA512
dfd2c9dffd1cec8cc586ae478d315b56fb69f95523931fdc3cc4d87ad14a71ae6eb1a6499d1640495e908d211b846be5364a75731f20d8cc0c354d7df4ddf09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8F.tmp\7s7WHbpsKzLTJbZ.exe

Filesize
634KB

MD5
8b3b2e0c8e5f6fdefb32e82daf230175

SHA1
4ddeb5ed636661376b8e1ef41e5162387724ed44

SHA256
e7be2ab45ff78525377a8da7205bbc29f871c907ddf30879d29aa0c219f65e99

SHA512
8aeb49852cb6a1335df799e8e30b34d83303a225c1a7b2e029368246d81463d653109a4454a3f9196fa050c2a5e9ba4dc8372900c55ce989c821c954cb850038

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8F.tmp\7s7WHbpsKzLTJbZ.exe

Filesize
634KB

MD5
8b3b2e0c8e5f6fdefb32e82daf230175

SHA1
4ddeb5ed636661376b8e1ef41e5162387724ed44

SHA256
e7be2ab45ff78525377a8da7205bbc29f871c907ddf30879d29aa0c219f65e99

SHA512
8aeb49852cb6a1335df799e8e30b34d83303a225c1a7b2e029368246d81463d653109a4454a3f9196fa050c2a5e9ba4dc8372900c55ce989c821c954cb850038

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8F.tmp\M6K9bD4wLM1rVH.dll

Filesize
611KB

MD5
123fde8f1a45be2f971b36a8ae5457ef

SHA1
78f77c976bec0b388407f986e7866818512eec97

SHA256
12869f73fb78fcbb8876e10772d081890b19fd1e228dd83ca012416cf26e931e

SHA512
4ae3708e45e15a49e7ba1d338a9186ed47f41abe57727d57833a33be887043dcb950d02bc52f79ee414df0df56c3e87f213995fa222a6f0e1c659393860231d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8F.tmp\M6K9bD4wLM1rVH.tlb

Filesize
3KB

MD5
d5c4233a6c3de331b459f5f6a35ae3dd

SHA1
b5f1bf145f4e0896d7ae500abecbfaca715c18ab

SHA256
f3fca93b2a2848af13dcd30cad6305d20319d0a96f622f96753c1aebb91c885c

SHA512
4af48daa80dcd76cf45018d7edef74f35c5917457dd598f5a2071bba8875d75280326e41f3f5885d5301a596c22a3833cb062e2f4c97e0d83a01ad2644056e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8F.tmp\M6K9bD4wLM1rVH.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8F.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8F.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
70dc05ce85f111ce10c37b990fa352a6

SHA1
5a8e4ab9776081c506b9e24087bd5762fdab5846

SHA256
73b659a986217e40a6e5dd2934117300e140f20b788d1dda9c1bce524da9d88d

SHA512
54a501d4f43a255209d766642ef7ebb81969828bc2acf5ab0560820e340b90d62733ded03d8c618dd5cd59004b8e6fcce517036a56a2bdd30911402b8d56cd4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8F.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
4e5b3fc893471e004241aed235287ac1

SHA1
8f6fa79f8120d8a7a57d72b813dbf71d4556316f

SHA256
1ce1ddbcbb90ca2bda5bd579b97db7ffb019018959626a889b2086d2f7dc2094

SHA512
f1e2b5a589d101b5e077ad38bef10cfbde3669945060ec6b7bb6f914473b468d3e2cc4128e924506d94ac13ce235185311db9e7f594f58eb93fe315dea96d120

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8F.tmp\[email protected]\install.rdf

Filesize
590B

MD5
83e6b01bc1d228d704f35d79a6353386

SHA1
925682e6651ae8b22c0d1f0cfa8958d4df1ee7d3

SHA256
8182fca633d6e50d0a87bea3baab769207f547f03c8e303a683806f1c8a471b7

SHA512
b88060b8f0fcdb523917bdd142d0cb4204df8878c8e03a40ec471d834592a0a412fd2ff6392f316ba546a2a31083ab5f8a80485efcf83dfa8565454d59c83650

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8F.tmp\fkmddoelhahpnngnaghpjmdgkdianonl\QyjqcG.js

Filesize
5KB

MD5
9bdee10bd3cec43854e2179deace7df3

SHA1
0c6b9fa76838520b0e0ea29b0db494109c3e5f6c

SHA256
8551cd2ddca6cf1fb524f3eb9ee98f7bb11657fe4673b0d2bb25487052643f8b

SHA512
a422394985b0a85ca6b8bab1cf4049910275834c2ba5a94d0ac27a55b95a2a3c1cd0d7e0fcb82e88d2fe92281a39bbf21568fb490712c2b7bd1c29379d982a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8F.tmp\fkmddoelhahpnngnaghpjmdgkdianonl\background.html

Filesize
143B

MD5
74d8dab82fb20134fc218a48c2cc8b41

SHA1
80c24622ca3e99d8fd867ab1d6122a209fbd6f70

SHA256
507dd8afaca62ecdfa794ade7701bb1620e5ab0582f3fca56082e29d4ec0ba69

SHA512
6f8340fb7cb9c9e056228370868755e79187975fac80ff31e5d89baa210d92d84c884a271ce9ed71e4dc80f4d3a1184e5d4664f2d76216447a6716824eb1568e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8F.tmp\fkmddoelhahpnngnaghpjmdgkdianonl\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8F.tmp\fkmddoelhahpnngnaghpjmdgkdianonl\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8F.tmp\fkmddoelhahpnngnaghpjmdgkdianonl\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/3428-152-0x0000000000000000-mapping.dmp

Download
memory/4088-132-0x0000000000000000-mapping.dmp

Download
memory/4592-149-0x0000000000000000-mapping.dmp

Download