fb7d97c7117f675c1a8616f379c6d6c920610e1ffa859c1a97bf675d701b9428

Analysis

max time kernel
93s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb7d97c7117f675c1a8616f379c6d6c920610e1ffa859c1a97bf675d701b9428.exe
Size

2.5MB
MD5

5d83c09a94148f92602317b6cf5c4e6c
SHA1

2a0debc411eb92d6fd4b32b25a821290d4198c9b
SHA256

fb7d97c7117f675c1a8616f379c6d6c920610e1ffa859c1a97bf675d701b9428
SHA512

3561ccbabc168b48bac6d866fe95c2649865adafbe2e5461d8b1e226321516dc9ea771171ff25eea19fcaf2d857604a723c7b2957ce2690b89e99807c4bc1169
SSDEEP

49152:h1Os05COLX7G7GRWdmohosycWMhHnOaAxNqZ0qhgU9r:h1O5JyGRBoyLY

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

PXWokDNkntnFneX.exe

pid process

1792 PXWokDNkntnFneX.exe
Loads dropped DLL 3 IoCs

Processes:

PXWokDNkntnFneX.exeregsvr32.exeregsvr32.exe

pid process

1792 PXWokDNkntnFneX.exe
384 regsvr32.exe
2912 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1792	PXWokDNkntnFneX.exe

pid	process
1792	PXWokDNkntnFneX.exe
384	regsvr32.exe
2912	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

PXWokDNkntnFneX.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lajekbdjaphbaphfjjmglglpogdoekam\2.0\manifest.json	PXWokDNkntnFneX.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lajekbdjaphbaphfjjmglglpogdoekam\2.0\manifest.json	PXWokDNkntnFneX.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\lajekbdjaphbaphfjjmglglpogdoekam\2.0\manifest.json	PXWokDNkntnFneX.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lajekbdjaphbaphfjjmglglpogdoekam\2.0\manifest.json	PXWokDNkntnFneX.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\lajekbdjaphbaphfjjmglglpogdoekam\2.0\manifest.json	PXWokDNkntnFneX.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

PXWokDNkntnFneX.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	PXWokDNkntnFneX.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	PXWokDNkntnFneX.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	PXWokDNkntnFneX.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	PXWokDNkntnFneX.exe

Drops file in Program Files directory 8 IoCs

Processes:

PXWokDNkntnFneX.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GoSave\njftwU4GzYQYu4.x64.dll	PXWokDNkntnFneX.exe
File created	C:\Program Files (x86)\GoSave\njftwU4GzYQYu4.dll	PXWokDNkntnFneX.exe
File opened for modification	C:\Program Files (x86)\GoSave\njftwU4GzYQYu4.dll	PXWokDNkntnFneX.exe
File created	C:\Program Files (x86)\GoSave\njftwU4GzYQYu4.tlb	PXWokDNkntnFneX.exe
File opened for modification	C:\Program Files (x86)\GoSave\njftwU4GzYQYu4.tlb	PXWokDNkntnFneX.exe
File created	C:\Program Files (x86)\GoSave\njftwU4GzYQYu4.dat	PXWokDNkntnFneX.exe
File opened for modification	C:\Program Files (x86)\GoSave\njftwU4GzYQYu4.dat	PXWokDNkntnFneX.exe
File created	C:\Program Files (x86)\GoSave\njftwU4GzYQYu4.x64.dll	PXWokDNkntnFneX.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

PXWokDNkntnFneX.exe

pid process

1792 PXWokDNkntnFneX.exe
1792 PXWokDNkntnFneX.exe

pid	process
1792	PXWokDNkntnFneX.exe
1792	PXWokDNkntnFneX.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fb7d97c7117f675c1a8616f379c6d6c920610e1ffa859c1a97bf675d701b9428.exePXWokDNkntnFneX.exeregsvr32.exe

description	pid	process	target process
PID 1144 wrote to memory of 1792	1144	fb7d97c7117f675c1a8616f379c6d6c920610e1ffa859c1a97bf675d701b9428.exe	PXWokDNkntnFneX.exe
PID 1144 wrote to memory of 1792	1144	fb7d97c7117f675c1a8616f379c6d6c920610e1ffa859c1a97bf675d701b9428.exe	PXWokDNkntnFneX.exe
PID 1144 wrote to memory of 1792	1144	fb7d97c7117f675c1a8616f379c6d6c920610e1ffa859c1a97bf675d701b9428.exe	PXWokDNkntnFneX.exe
PID 1792 wrote to memory of 384	1792	PXWokDNkntnFneX.exe	regsvr32.exe
PID 1792 wrote to memory of 384	1792	PXWokDNkntnFneX.exe	regsvr32.exe
PID 1792 wrote to memory of 384	1792	PXWokDNkntnFneX.exe	regsvr32.exe
PID 384 wrote to memory of 2912	384	regsvr32.exe	regsvr32.exe
PID 384 wrote to memory of 2912	384	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\fb7d97c7117f675c1a8616f379c6d6c920610e1ffa859c1a97bf675d701b9428.exe
"C:\Users\Admin\AppData\Local\Temp\fb7d97c7117f675c1a8616f379c6d6c920610e1ffa859c1a97bf675d701b9428.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Local\Temp\7zSF1C7.tmp\PXWokDNkntnFneX.exe
.\PXWokDNkntnFneX.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSave\njftwU4GzYQYu4.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSave\njftwU4GzYQYu4.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:2912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\njftwU4GzYQYu4.dat

Filesize
6KB

MD5
cf9427538b34ce2848a83aa3c6b4920f

SHA1
1ddacb4dc786b8dfbfa4fdd76685bf871731c745

SHA256
a6f77e04b17cb43ce65951d11b8cf2cf804cfde4db759e832f367cebaf7e5aee

SHA512
c4999531bbb4cdf7e095959c95932521692e2f54be4debe7bd8baa516e715618c46c245fdc5992c9c967f4ff9e45bedda6bdcfdfb8156623dd7a65ab41ff8100

Download Submit
C:\Program Files (x86)\GoSave\njftwU4GzYQYu4.dll

Filesize
745KB

MD5
175f98785c3d6faa5b5b3e014ca0c6c4

SHA1
827e7ca85de729435c27b4dc5281ab74a8c74716

SHA256
d11cc3cd7c46548d4b5cb75e03ebc38055d625005fb76da2636d310d9c25ffb5

SHA512
8effb2b62cd5ecafcea5f25c45d9abdfaafb769b4e25a5cf8f745e0ff6c745d6334926b6ddfe37fa94623d4ec6c281bee54caffca9699521f5191baa2515aa56

Download Submit
C:\Program Files (x86)\GoSave\njftwU4GzYQYu4.x64.dll

Filesize
883KB

MD5
8af28aca297e5e06910c74a9528518c3

SHA1
fd5ca0d435d8e468c83c5c5e7cdf2d157c8a9ea9

SHA256
f1e461c5d1922dac609f585c918135c3b69075953ae4cfc78ae6a8d88ba38ce2

SHA512
4cfb013f4f3cdb7d1d1f4f604446c88606a7326a532a6297a15969ecacc40eaf434fa96f183e91a670021658f52519b2a64b227a0163a220b4c561a872d666b6

Download Submit
C:\Program Files (x86)\GoSave\njftwU4GzYQYu4.x64.dll

Filesize
883KB

MD5
8af28aca297e5e06910c74a9528518c3

SHA1
fd5ca0d435d8e468c83c5c5e7cdf2d157c8a9ea9

SHA256
f1e461c5d1922dac609f585c918135c3b69075953ae4cfc78ae6a8d88ba38ce2

SHA512
4cfb013f4f3cdb7d1d1f4f604446c88606a7326a532a6297a15969ecacc40eaf434fa96f183e91a670021658f52519b2a64b227a0163a220b4c561a872d666b6

Download Submit
C:\Program Files (x86)\GoSave\njftwU4GzYQYu4.x64.dll

Filesize
883KB

MD5
8af28aca297e5e06910c74a9528518c3

SHA1
fd5ca0d435d8e468c83c5c5e7cdf2d157c8a9ea9

SHA256
f1e461c5d1922dac609f585c918135c3b69075953ae4cfc78ae6a8d88ba38ce2

SHA512
4cfb013f4f3cdb7d1d1f4f604446c88606a7326a532a6297a15969ecacc40eaf434fa96f183e91a670021658f52519b2a64b227a0163a220b4c561a872d666b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF1C7.tmp\PXWokDNkntnFneX.dat

Filesize
6KB

MD5
cf9427538b34ce2848a83aa3c6b4920f

SHA1
1ddacb4dc786b8dfbfa4fdd76685bf871731c745

SHA256
a6f77e04b17cb43ce65951d11b8cf2cf804cfde4db759e832f367cebaf7e5aee

SHA512
c4999531bbb4cdf7e095959c95932521692e2f54be4debe7bd8baa516e715618c46c245fdc5992c9c967f4ff9e45bedda6bdcfdfb8156623dd7a65ab41ff8100

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF1C7.tmp\PXWokDNkntnFneX.exe

Filesize
770KB

MD5
acfc58daed4c2caa7fa430c1b7e427a0

SHA1
e4ddeeaa697b3ca2df9d8a02636a69d3dd8faac3

SHA256
aaf57b2088806da2c5aa507a6673aa1a4f445e25ee10ed8621dcf3821c935906

SHA512
e10efb743a4a7b3270a23ac0ec13c6b34c65d359f7998ffcbfa6c03186c49fc6f57b83e0f8fc31f9953b8fd3a924680a212833b75c2dd3b63a4f6be26a2a69e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF1C7.tmp\PXWokDNkntnFneX.exe

Filesize
770KB

MD5
acfc58daed4c2caa7fa430c1b7e427a0

SHA1
e4ddeeaa697b3ca2df9d8a02636a69d3dd8faac3

SHA256
aaf57b2088806da2c5aa507a6673aa1a4f445e25ee10ed8621dcf3821c935906

SHA512
e10efb743a4a7b3270a23ac0ec13c6b34c65d359f7998ffcbfa6c03186c49fc6f57b83e0f8fc31f9953b8fd3a924680a212833b75c2dd3b63a4f6be26a2a69e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF1C7.tmp\lajekbdjaphbaphfjjmglglpogdoekam\background.html

Filesize
138B

MD5
2643a603cad6cfdb7ebea9e3d6a3acd1

SHA1
609cfc18a6e8dae074fb63d9a823d2ef70f3c504

SHA256
9e35d464502aaa3709c4927afff45850b32ac8dbec80408b277776c1852e2248

SHA512
11221727792a766d9ac3f960c552e52706462ff7a0b0e737f3c7d4f0626e3eee5f4b70be848ed16747b38ba0189e691578a93d6644dedf5729dc510b9ffe9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF1C7.tmp\lajekbdjaphbaphfjjmglglpogdoekam\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF1C7.tmp\lajekbdjaphbaphfjjmglglpogdoekam\j.js

Filesize
5KB

MD5
8bd1863b48e0932411c917af73ef6346

SHA1
33191409e99d9b998043585e31f6edfb38ff17d2

SHA256
676c30766b103f8234f2f9b9bdbc1bdde9f82beba1bfa07ab442e1a39391171c

SHA512
c0dc5cce937744d45a7796754a733e0332171f06b66aacac7286b56e5f1f8d6f60d30f1572adce73cbb198b8243a87503923db10ad187184d64c0e76080ee3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF1C7.tmp\lajekbdjaphbaphfjjmglglpogdoekam\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF1C7.tmp\lajekbdjaphbaphfjjmglglpogdoekam\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF1C7.tmp\njftwU4GzYQYu4.dll

Filesize
745KB

MD5
175f98785c3d6faa5b5b3e014ca0c6c4

SHA1
827e7ca85de729435c27b4dc5281ab74a8c74716

SHA256
d11cc3cd7c46548d4b5cb75e03ebc38055d625005fb76da2636d310d9c25ffb5

SHA512
8effb2b62cd5ecafcea5f25c45d9abdfaafb769b4e25a5cf8f745e0ff6c745d6334926b6ddfe37fa94623d4ec6c281bee54caffca9699521f5191baa2515aa56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF1C7.tmp\njftwU4GzYQYu4.tlb

Filesize
3KB

MD5
aa1b86f094611e50009eac733d790223

SHA1
c80cfc36e2cf4cc4f916b2e5b51c2e393e036ec3

SHA256
1d549089596b20ee3aafa5b5b5b560577da81ded6e96d1cbb115fecb2006b95a

SHA512
eaaeca4c9e1d245e1c4ee6b1541f8663cc09896ae44a2167bb3c7389bce246ea2905af0a80ba4cb25d9cafaeb4b1edabb048e9075d1603367b2bc0e9475faa8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF1C7.tmp\njftwU4GzYQYu4.x64.dll

Filesize
883KB

MD5
8af28aca297e5e06910c74a9528518c3

SHA1
fd5ca0d435d8e468c83c5c5e7cdf2d157c8a9ea9

SHA256
f1e461c5d1922dac609f585c918135c3b69075953ae4cfc78ae6a8d88ba38ce2

SHA512
4cfb013f4f3cdb7d1d1f4f604446c88606a7326a532a6297a15969ecacc40eaf434fa96f183e91a670021658f52519b2a64b227a0163a220b4c561a872d666b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF1C7.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF1C7.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
b6c80422b4e8d3a3997fdf42d9ca1ca2

SHA1
f27872e387d94fdfed362528c2d24d5b3ea61ad1

SHA256
ffd61d16ab67e4a77d84601f533e665c456b662143f5c202a81df8e7872981e7

SHA512
dfd73f97ee9dc10965e5774cfee5bd8cbfb1e67d47353df35c84e2b1d9063a5875df9a0b2a1b79550358c99b3f01232b25af27b6cb262da04dc80456e6c3dc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF1C7.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
fbe5c917e1331ad4109654f273388f4b

SHA1
6630b48de7073108ebd6870acd90882dbdfba66e

SHA256
e24f1dcf782dd174b9d8504a043aef435526129bc028433235b0cfbb45cb4551

SHA512
a27d2fd835dc8b674d2783c2b8d94f2a6b583ee55957479987bb94587e9960ab69aef94ac5e14eec6b717e64632ead63037a0d42c1ee9e18fecf32a8e0a402f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF1C7.tmp\[email protected]\install.rdf

Filesize
593B

MD5
2d0d3e1a84f27b2d4c9b6acddb5e162b

SHA1
2cef41d257676cfe96a90e0a1fc19e9ede8fef34

SHA256
93f343553f28a74b24bacbc5b6d02278bc686bbd9825eb4a42951fc299043fe9

SHA512
76f7214ad31f2539f37d19dbf26fd2835ab46c11e40ecde111f09e50530d497886de89d0e75cd5c69dc83f770e395724875592b1686e93786c6944da0432cb9b

Download Submit
memory/384-149-0x0000000000000000-mapping.dmp

Download
memory/1792-132-0x0000000000000000-mapping.dmp

Download
memory/2912-152-0x0000000000000000-mapping.dmp

Download