fc5717a5981313030677bb2cc0b6e8e4bb35cdf89d6b5bb37e8534c9957027b6

Analysis

max time kernel
141s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc5717a5981313030677bb2cc0b6e8e4bb35cdf89d6b5bb37e8534c9957027b6.exe
Size

2.5MB
MD5

a7bf83d42b445adaf0bd51f8dd8ba19f
SHA1

31b74718bb5f9df5af843eab94c670a34a1fcca6
SHA256

fc5717a5981313030677bb2cc0b6e8e4bb35cdf89d6b5bb37e8534c9957027b6
SHA512

e3dc438ee23953a32274c04ff99d80ae4cb1248fe12a3552ff60b0e1b3712c50fd2bb53a2224178753321b10c1368d1465db0100178105b6f98df77af8ef4650
SSDEEP

49152:h1Os1kyT7S7xhSCUXDejvUwpRZVSVkLhfoEenMc4zppeIifw0hZ:h1OIBJvXDvwpRZVSVIwTn

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

XXmLmSE1ZqPsz4t.exe

pid process

1572 XXmLmSE1ZqPsz4t.exe
Loads dropped DLL 3 IoCs

Processes:

XXmLmSE1ZqPsz4t.exeregsvr32.exeregsvr32.exe

pid process

1572 XXmLmSE1ZqPsz4t.exe
4412 regsvr32.exe
4644 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1572	XXmLmSE1ZqPsz4t.exe

pid	process
1572	XXmLmSE1ZqPsz4t.exe
4412	regsvr32.exe
4644	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

XXmLmSE1ZqPsz4t.exe

description	ioc	process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\heejgnkokfefalgdojpaafofmbdahhjg\2.0\manifest.json	XXmLmSE1ZqPsz4t.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\heejgnkokfefalgdojpaafofmbdahhjg\2.0\manifest.json	XXmLmSE1ZqPsz4t.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\heejgnkokfefalgdojpaafofmbdahhjg\2.0\manifest.json	XXmLmSE1ZqPsz4t.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\heejgnkokfefalgdojpaafofmbdahhjg\2.0\manifest.json	XXmLmSE1ZqPsz4t.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\heejgnkokfefalgdojpaafofmbdahhjg\2.0\manifest.json	XXmLmSE1ZqPsz4t.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

XXmLmSE1ZqPsz4t.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	XXmLmSE1ZqPsz4t.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	XXmLmSE1ZqPsz4t.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	XXmLmSE1ZqPsz4t.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	XXmLmSE1ZqPsz4t.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

XXmLmSE1ZqPsz4t.exe

description	ioc	process
File created	C:\Program Files (x86)\GoSave\E4c6zGjGUJIeP6.dll	XXmLmSE1ZqPsz4t.exe
File opened for modification	C:\Program Files (x86)\GoSave\E4c6zGjGUJIeP6.dll	XXmLmSE1ZqPsz4t.exe
File created	C:\Program Files (x86)\GoSave\E4c6zGjGUJIeP6.tlb	XXmLmSE1ZqPsz4t.exe
File opened for modification	C:\Program Files (x86)\GoSave\E4c6zGjGUJIeP6.tlb	XXmLmSE1ZqPsz4t.exe
File created	C:\Program Files (x86)\GoSave\E4c6zGjGUJIeP6.dat	XXmLmSE1ZqPsz4t.exe
File opened for modification	C:\Program Files (x86)\GoSave\E4c6zGjGUJIeP6.dat	XXmLmSE1ZqPsz4t.exe
File created	C:\Program Files (x86)\GoSave\E4c6zGjGUJIeP6.x64.dll	XXmLmSE1ZqPsz4t.exe
File opened for modification	C:\Program Files (x86)\GoSave\E4c6zGjGUJIeP6.x64.dll	XXmLmSE1ZqPsz4t.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

XXmLmSE1ZqPsz4t.exe

pid process

1572 XXmLmSE1ZqPsz4t.exe
1572 XXmLmSE1ZqPsz4t.exe

pid	process
1572	XXmLmSE1ZqPsz4t.exe
1572	XXmLmSE1ZqPsz4t.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fc5717a5981313030677bb2cc0b6e8e4bb35cdf89d6b5bb37e8534c9957027b6.exeXXmLmSE1ZqPsz4t.exeregsvr32.exe

description	pid	process	target process
PID 2456 wrote to memory of 1572	2456	fc5717a5981313030677bb2cc0b6e8e4bb35cdf89d6b5bb37e8534c9957027b6.exe	XXmLmSE1ZqPsz4t.exe
PID 2456 wrote to memory of 1572	2456	fc5717a5981313030677bb2cc0b6e8e4bb35cdf89d6b5bb37e8534c9957027b6.exe	XXmLmSE1ZqPsz4t.exe
PID 2456 wrote to memory of 1572	2456	fc5717a5981313030677bb2cc0b6e8e4bb35cdf89d6b5bb37e8534c9957027b6.exe	XXmLmSE1ZqPsz4t.exe
PID 1572 wrote to memory of 4412	1572	XXmLmSE1ZqPsz4t.exe	regsvr32.exe
PID 1572 wrote to memory of 4412	1572	XXmLmSE1ZqPsz4t.exe	regsvr32.exe
PID 1572 wrote to memory of 4412	1572	XXmLmSE1ZqPsz4t.exe	regsvr32.exe
PID 4412 wrote to memory of 4644	4412	regsvr32.exe	regsvr32.exe
PID 4412 wrote to memory of 4644	4412	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\fc5717a5981313030677bb2cc0b6e8e4bb35cdf89d6b5bb37e8534c9957027b6.exe
"C:\Users\Admin\AppData\Local\Temp\fc5717a5981313030677bb2cc0b6e8e4bb35cdf89d6b5bb37e8534c9957027b6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2456

C:\Users\Admin\AppData\Local\Temp\7zSCC3E.tmp\XXmLmSE1ZqPsz4t.exe
.\XXmLmSE1ZqPsz4t.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSave\E4c6zGjGUJIeP6.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSave\E4c6zGjGUJIeP6.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:4644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\E4c6zGjGUJIeP6.dat

Filesize
6KB

MD5
a60c1a1bfbdff469808651cc697acacf

SHA1
233d5f33d7f04f7f75eeacd26eb097192de3b5e1

SHA256
b15e103876846c5b077b343c63407e79c97ded3d83d130e1b2cb4930ead1007d

SHA512
ec0834959e3533952a44dd9f8f0253d59415e50c25a8437fa2fbff57234cc0f98159aa2f15d5021df2b4e0f29f253041a158e5fd730395e0187fd4b927cf5a9a

Download Submit
C:\Program Files (x86)\GoSave\E4c6zGjGUJIeP6.dll

Filesize
743KB

MD5
489266c672b2bab12b7c64132f367d18

SHA1
a25a0a4477595bc095184181da0d84269963702d

SHA256
4d9a9066c204f01bdfaa715fe5201152de5facb0c0d07a620ffac73c58ef4e12

SHA512
ffeb655dcb6f8d1cda90d77f28f2ee621eca5606b0b05fd9195ca5f80c0afe287acfde35653ac1a934a7da41d2f915bef5b5836831c93db82c3569cb10550006

Download Submit
C:\Program Files (x86)\GoSave\E4c6zGjGUJIeP6.x64.dll

Filesize
873KB

MD5
2168b00df6f310015e3e9d44b85513cf

SHA1
8ab47b98842329532b275aa772f1e27e611ef3e8

SHA256
c0ded994b241830db88c0ec45e210d52271ec2f72e346c8e4155ea4d14b56cc9

SHA512
41bf733eb08e4374113e2db8ac673cc2bb0a8cc7650333f410272439aac254d196a36c72afa2a42b44a9565caf0cc2c812853b30985b062a0a8840f47c3252ff

Download Submit
C:\Program Files (x86)\GoSave\E4c6zGjGUJIeP6.x64.dll

Filesize
873KB

MD5
2168b00df6f310015e3e9d44b85513cf

SHA1
8ab47b98842329532b275aa772f1e27e611ef3e8

SHA256
c0ded994b241830db88c0ec45e210d52271ec2f72e346c8e4155ea4d14b56cc9

SHA512
41bf733eb08e4374113e2db8ac673cc2bb0a8cc7650333f410272439aac254d196a36c72afa2a42b44a9565caf0cc2c812853b30985b062a0a8840f47c3252ff

Download Submit
C:\Program Files (x86)\GoSave\E4c6zGjGUJIeP6.x64.dll

Filesize
873KB

MD5
2168b00df6f310015e3e9d44b85513cf

SHA1
8ab47b98842329532b275aa772f1e27e611ef3e8

SHA256
c0ded994b241830db88c0ec45e210d52271ec2f72e346c8e4155ea4d14b56cc9

SHA512
41bf733eb08e4374113e2db8ac673cc2bb0a8cc7650333f410272439aac254d196a36c72afa2a42b44a9565caf0cc2c812853b30985b062a0a8840f47c3252ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC3E.tmp\E4c6zGjGUJIeP6.dll

Filesize
743KB

MD5
489266c672b2bab12b7c64132f367d18

SHA1
a25a0a4477595bc095184181da0d84269963702d

SHA256
4d9a9066c204f01bdfaa715fe5201152de5facb0c0d07a620ffac73c58ef4e12

SHA512
ffeb655dcb6f8d1cda90d77f28f2ee621eca5606b0b05fd9195ca5f80c0afe287acfde35653ac1a934a7da41d2f915bef5b5836831c93db82c3569cb10550006

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC3E.tmp\E4c6zGjGUJIeP6.tlb

Filesize
3KB

MD5
2d90f92c915e5cdfa043dedb29d0f2f0

SHA1
de481e671e326383b34d316d18ebd7664fe749bb

SHA256
cd4334b44270b267f9d909cb514a5b7dd4439a362491b817c5a87b262d06b52c

SHA512
ea6f84a95c4bffaacd4ddc5505bd4b7a065de33b85259aa59755d43d59b0b47a49ff24d8e8beaa4d708bdcce1d2eef0ea27fdea15f81c0cc6fb5220ce7b70ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC3E.tmp\E4c6zGjGUJIeP6.x64.dll

Filesize
873KB

MD5
2168b00df6f310015e3e9d44b85513cf

SHA1
8ab47b98842329532b275aa772f1e27e611ef3e8

SHA256
c0ded994b241830db88c0ec45e210d52271ec2f72e346c8e4155ea4d14b56cc9

SHA512
41bf733eb08e4374113e2db8ac673cc2bb0a8cc7650333f410272439aac254d196a36c72afa2a42b44a9565caf0cc2c812853b30985b062a0a8840f47c3252ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC3E.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC3E.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
a633e652169b8ce07eb8828f6ef69d91

SHA1
8817f1fd69d478da0f177f621c896735c8067e42

SHA256
93a982d552cae1e543d390e8ef80736f4062d3f572a9e7e3a88d35a987c6628e

SHA512
a9cfeaf24db6bd748cbfd18d433e7c4c6d4045532f157fc58779cd42f0cff572a4fae698baaa696fabe0b8a1f203c32b6c1cac192787647b0fe32442392b262b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC3E.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
24ddc4219b18790aff2ee9f29f700a31

SHA1
3b2b4c4dfe80ad9a8e9f7daa288acf21fe3dd6c2

SHA256
819fecb68a73f1ff1f4a0dd50a28b14a59c790ddec67d04149b6f3d8b27d5229

SHA512
71ebbeab4a57e8dda221f82b336831ab91b7a0c7adfa16df364f3cd27950856e0fb1d976e50f73ba34b1ba62f09e32fcfd625cfc65873fabb92b2bb6a2cdc737

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC3E.tmp\[email protected]\install.rdf

Filesize
595B

MD5
9546d6fa3bb46c758ee9f50d69a56aa0

SHA1
d18d5bdd09a85daa7f2dd04ca3af8b74cabaaf80

SHA256
68442ef3878cfc21b0760349bccc2a6ce2b8cda514e6e5fc690c149e893aff44

SHA512
a0cc361a5c543e83c158e8583944abe63b10f1015b340b95eb76414e9d23f1ee02546478056613b5ca6939533148daabac43853127fa71d1bf78d8e2ecce0839

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC3E.tmp\XXmLmSE1ZqPsz4t.dat

Filesize
6KB

MD5
a60c1a1bfbdff469808651cc697acacf

SHA1
233d5f33d7f04f7f75eeacd26eb097192de3b5e1

SHA256
b15e103876846c5b077b343c63407e79c97ded3d83d130e1b2cb4930ead1007d

SHA512
ec0834959e3533952a44dd9f8f0253d59415e50c25a8437fa2fbff57234cc0f98159aa2f15d5021df2b4e0f29f253041a158e5fd730395e0187fd4b927cf5a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC3E.tmp\XXmLmSE1ZqPsz4t.exe

Filesize
791KB

MD5
8e78cd4b1c05327f9ce03f037eb2bfd0

SHA1
381caf0ead67c72ed9cb5c72fcfbf94b54627c41

SHA256
91160eda6fbf13634821b1d73a99ed6348581b31f7d76e888c759139e066baac

SHA512
7eeb6945d6fbed1a598d4de34317fc955032382f52457eb9eb8681227a15e22c233d9a2d9d90ceea87535e2dc46d1851aaa0fb3cf69d39e76768e500ec81f249

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC3E.tmp\XXmLmSE1ZqPsz4t.exe

Filesize
791KB

MD5
8e78cd4b1c05327f9ce03f037eb2bfd0

SHA1
381caf0ead67c72ed9cb5c72fcfbf94b54627c41

SHA256
91160eda6fbf13634821b1d73a99ed6348581b31f7d76e888c759139e066baac

SHA512
7eeb6945d6fbed1a598d4de34317fc955032382f52457eb9eb8681227a15e22c233d9a2d9d90ceea87535e2dc46d1851aaa0fb3cf69d39e76768e500ec81f249

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC3E.tmp\heejgnkokfefalgdojpaafofmbdahhjg\BO.js

Filesize
5KB

MD5
13a458c4de69578b84716093512ece5b

SHA1
c50691a5e68ff3a22b49dd4cf60827eb612963f9

SHA256
8d81aae9f295eb6276bfe4e188b72f080a2bbacbaeb639166fa7c40d8b6ff659

SHA512
ec00af63c02f37bcc0462bf930376dd676a75db8c0ed125a3083912e77ec02b9592d90c9be7d01245e51df25b10775f8090648680599dfd82455738ed8cefab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC3E.tmp\heejgnkokfefalgdojpaafofmbdahhjg\background.html

Filesize
139B

MD5
766df10f1402e2e7a83a7c3513fa9de0

SHA1
04bb78604bf9668553aa7d6f0b1ab268275f33e3

SHA256
6aa79c298f7932ebe5c3fc65d98b156db4a2e599342d0741676255dd1a7df7a6

SHA512
f2653f854c1b1255df93e80e49ca58b4730e771766877b6546047fdb3237d4e6047b028f7917aba4251ffda2e1df079b985e582976b919897de447d99c029743

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC3E.tmp\heejgnkokfefalgdojpaafofmbdahhjg\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC3E.tmp\heejgnkokfefalgdojpaafofmbdahhjg\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCC3E.tmp\heejgnkokfefalgdojpaafofmbdahhjg\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/1572-132-0x0000000000000000-mapping.dmp

Download
memory/4412-149-0x0000000000000000-mapping.dmp

Download
memory/4644-152-0x0000000000000000-mapping.dmp

Download