c40c2c6cab9e303b00f5c453b56ae8079f769df819f2b6d4e386e44d155037fe

Analysis

max time kernel
179s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c40c2c6cab9e303b00f5c453b56ae8079f769df819f2b6d4e386e44d155037fe.exe
Size

2.5MB
MD5

876dd8f46ee1cba676ce60175c20c52b
SHA1

41a421251fbf5348b82b905dfde83ab9c741b5f7
SHA256

c40c2c6cab9e303b00f5c453b56ae8079f769df819f2b6d4e386e44d155037fe
SHA512

a47708aa3d936a1745594764a2a56b3a239eb45fb485c7f3258e97da41d6cfc993c66f7ec8f9d142159f033309367a9881681ad25172a1cb1782e5615fa047fc
SSDEEP

49152:h1OsFsNQH0eNGTTOxTnkSM1XN+QMz3p6bOkAk+YetEW6FOCMwEFhjzdUwe:h1OSH0eNGunkt3+1z3p6iVCl

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

uMMj6HEnxtWDDv8.exe

pid process

1164 uMMj6HEnxtWDDv8.exe
Loads dropped DLL 3 IoCs

Processes:

uMMj6HEnxtWDDv8.exeregsvr32.exeregsvr32.exe

pid process

1164 uMMj6HEnxtWDDv8.exe
2148 regsvr32.exe
2564 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1164	uMMj6HEnxtWDDv8.exe

pid	process
1164	uMMj6HEnxtWDDv8.exe
2148	regsvr32.exe
2564	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

uMMj6HEnxtWDDv8.exe

description	ioc	process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\dblinoemocgkdninkcbmjllfghhcfmid\2.0\manifest.json	uMMj6HEnxtWDDv8.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\dblinoemocgkdninkcbmjllfghhcfmid\2.0\manifest.json	uMMj6HEnxtWDDv8.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dblinoemocgkdninkcbmjllfghhcfmid\2.0\manifest.json	uMMj6HEnxtWDDv8.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\dblinoemocgkdninkcbmjllfghhcfmid\2.0\manifest.json	uMMj6HEnxtWDDv8.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\dblinoemocgkdninkcbmjllfghhcfmid\2.0\manifest.json	uMMj6HEnxtWDDv8.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

uMMj6HEnxtWDDv8.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	uMMj6HEnxtWDDv8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	uMMj6HEnxtWDDv8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	uMMj6HEnxtWDDv8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	uMMj6HEnxtWDDv8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

uMMj6HEnxtWDDv8.exe

description	ioc	process
File created	C:\Program Files (x86)\GoSave\nXbwbHrsWWkyMb.dat	uMMj6HEnxtWDDv8.exe
File opened for modification	C:\Program Files (x86)\GoSave\nXbwbHrsWWkyMb.dat	uMMj6HEnxtWDDv8.exe
File created	C:\Program Files (x86)\GoSave\nXbwbHrsWWkyMb.x64.dll	uMMj6HEnxtWDDv8.exe
File opened for modification	C:\Program Files (x86)\GoSave\nXbwbHrsWWkyMb.x64.dll	uMMj6HEnxtWDDv8.exe
File created	C:\Program Files (x86)\GoSave\nXbwbHrsWWkyMb.dll	uMMj6HEnxtWDDv8.exe
File opened for modification	C:\Program Files (x86)\GoSave\nXbwbHrsWWkyMb.dll	uMMj6HEnxtWDDv8.exe
File created	C:\Program Files (x86)\GoSave\nXbwbHrsWWkyMb.tlb	uMMj6HEnxtWDDv8.exe
File opened for modification	C:\Program Files (x86)\GoSave\nXbwbHrsWWkyMb.tlb	uMMj6HEnxtWDDv8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

uMMj6HEnxtWDDv8.exe

pid process

1164 uMMj6HEnxtWDDv8.exe
1164 uMMj6HEnxtWDDv8.exe

pid	process
1164	uMMj6HEnxtWDDv8.exe
1164	uMMj6HEnxtWDDv8.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c40c2c6cab9e303b00f5c453b56ae8079f769df819f2b6d4e386e44d155037fe.exeuMMj6HEnxtWDDv8.exeregsvr32.exe

description	pid	process	target process
PID 1408 wrote to memory of 1164	1408	c40c2c6cab9e303b00f5c453b56ae8079f769df819f2b6d4e386e44d155037fe.exe	uMMj6HEnxtWDDv8.exe
PID 1408 wrote to memory of 1164	1408	c40c2c6cab9e303b00f5c453b56ae8079f769df819f2b6d4e386e44d155037fe.exe	uMMj6HEnxtWDDv8.exe
PID 1408 wrote to memory of 1164	1408	c40c2c6cab9e303b00f5c453b56ae8079f769df819f2b6d4e386e44d155037fe.exe	uMMj6HEnxtWDDv8.exe
PID 1164 wrote to memory of 2148	1164	uMMj6HEnxtWDDv8.exe	regsvr32.exe
PID 1164 wrote to memory of 2148	1164	uMMj6HEnxtWDDv8.exe	regsvr32.exe
PID 1164 wrote to memory of 2148	1164	uMMj6HEnxtWDDv8.exe	regsvr32.exe
PID 2148 wrote to memory of 2564	2148	regsvr32.exe	regsvr32.exe
PID 2148 wrote to memory of 2564	2148	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\c40c2c6cab9e303b00f5c453b56ae8079f769df819f2b6d4e386e44d155037fe.exe
"C:\Users\Admin\AppData\Local\Temp\c40c2c6cab9e303b00f5c453b56ae8079f769df819f2b6d4e386e44d155037fe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\7zS2A3C.tmp\uMMj6HEnxtWDDv8.exe
  .\uMMj6HEnxtWDDv8.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSave\nXbwbHrsWWkyMb.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSave\nXbwbHrsWWkyMb.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:2564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\nXbwbHrsWWkyMb.dat

Filesize
6KB

MD5
c006e2b68d4185ae7d54b151246f58d4

SHA1
61fec617c84ed17e255d69584bba007a3f5d6973

SHA256
644d8fe5170c1a98e104cf8d128e7b0ebaa692c0bbfbf3b25acb4cc255c4f5de

SHA512
01f1a8f28a4826d95e5259cdba5b13b6a1ec12411e8a8fd45c52e972f84a487aba397d84a4d7b9c9681c49a8e1d5d7c42a81d2e1c7a6173a77eb8fa17bacceb3

Download Submit
C:\Program Files (x86)\GoSave\nXbwbHrsWWkyMb.dll

Filesize
754KB

MD5
0ea14ffbf9bc129f87d5a633ca028a12

SHA1
c91e00a9d6590556a4c13a46cb6c934f84cf2b2b

SHA256
9206058e3e04af4fb8d5c05ae8f088cf0a289ea0e4cd692c4f2d76439adb0d47

SHA512
0cfd075335346690ead8c5aef2340b56ce07c59d6243ad102fee0053d64f1a7847e56ba27f5bbcac4048f2c1cf70038e7cdffafe1cc28994603fdd65d2bf7bb2

Download Submit
C:\Program Files (x86)\GoSave\nXbwbHrsWWkyMb.x64.dll

Filesize
891KB

MD5
bef492ffc032769cde00802f48a17fab

SHA1
a91e733c1269eb785f8e23dc475acac7432f0563

SHA256
473507950695ec743b98e5ef4b8970b2c7e6936556903c94f7fa88917265255d

SHA512
4f61d5f3a45d20cd00ed7ee6b874bf2dcbf248b8f65dfd8580c7148d6c71c316cace409be675a2ea919e8a12caf8690fafaf14c0f5479df55689401d2432afa0

Download Submit
C:\Program Files (x86)\GoSave\nXbwbHrsWWkyMb.x64.dll

Filesize
891KB

MD5
bef492ffc032769cde00802f48a17fab

SHA1
a91e733c1269eb785f8e23dc475acac7432f0563

SHA256
473507950695ec743b98e5ef4b8970b2c7e6936556903c94f7fa88917265255d

SHA512
4f61d5f3a45d20cd00ed7ee6b874bf2dcbf248b8f65dfd8580c7148d6c71c316cace409be675a2ea919e8a12caf8690fafaf14c0f5479df55689401d2432afa0

Download Submit
C:\Program Files (x86)\GoSave\nXbwbHrsWWkyMb.x64.dll

Filesize
891KB

MD5
bef492ffc032769cde00802f48a17fab

SHA1
a91e733c1269eb785f8e23dc475acac7432f0563

SHA256
473507950695ec743b98e5ef4b8970b2c7e6936556903c94f7fa88917265255d

SHA512
4f61d5f3a45d20cd00ed7ee6b874bf2dcbf248b8f65dfd8580c7148d6c71c316cace409be675a2ea919e8a12caf8690fafaf14c0f5479df55689401d2432afa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2A3C.tmp\dblinoemocgkdninkcbmjllfghhcfmid\EQAdq.js

Filesize
5KB

MD5
8b6c47d491912f49ad20ead521c01181

SHA1
64e6a8a3372978af682f2e47c5729d147ddfdbc6

SHA256
615be935561801b78238fbb558f6b79a2fd2fe6b5966d5beb93910bf5b21699d

SHA512
1fe909d1e0061d6b11eccc4a7171f134f2fdc2260fa7b8b6fb78dc5e9df18fbdbaba3539be78d348fa527167f458e9d6e85ce39f23cec8e5cb31988c2f78fa05

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2A3C.tmp\dblinoemocgkdninkcbmjllfghhcfmid\background.html

Filesize
142B

MD5
039ffd12ce57a9b8a2d9d2bec9518327

SHA1
2b49beaacf54c9850942742a320c48cbc699f4db

SHA256
ce668a43e7c2545c9915c80794f1c9b9757d0565dd90441146c7616943867edb

SHA512
d05a624e1eecb762b45476e28f58d4728abd72db11e44245249af3de694dd5e197c6642ad94a1e5cb588debf1987d58071c101a5f872c9f33e2d56ee418888a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2A3C.tmp\dblinoemocgkdninkcbmjllfghhcfmid\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2A3C.tmp\dblinoemocgkdninkcbmjllfghhcfmid\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2A3C.tmp\dblinoemocgkdninkcbmjllfghhcfmid\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2A3C.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2A3C.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
53b8a7d575773567fe10f00dd2851be5

SHA1
f82c15d0fd4275e974cc40a1ca892d855152434e

SHA256
6043fc073d094cd11b662265ac4ae570c490f13b2af529b1fba8bfb6ebd4ccc8

SHA512
ed44ec8e66744241c44d8865b6cbcc517814618c6b2a0893cae652b31d57222653309919c6beda8516874c21049aa1e2f195a8bb56a1df323589b93c819ea1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2A3C.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
63c9021274e20710f98706b60cd5f068

SHA1
adf38a8bb0391fa7d3194ae3ce24116b81aabc1d

SHA256
2fc4ef4c1b7cb864401d1989b9bdffb6a09c83aa710ea83a2e985676154cfddb

SHA512
92fec6c369221a65a2722b3fb5b61aa5e48b5687f116f2d61480c176fa4a728a3e78e3682df7096fa1b5c3aa17e5b9dc217ad92097e8f5a254e104b7c33035b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2A3C.tmp\[email protected]\install.rdf

Filesize
595B

MD5
69e3e21e1ae09b8d4dd5f839bd370bb5

SHA1
220bd77e257a387fde084271168acbb51b97b496

SHA256
16bcecfeb65bd5486abe73646996fc5cc7d0237c883822eb711aad3bcc989155

SHA512
e5c9f5d7174aad66a607eb6625736258db9ccaa7b1cccb2bb2022ab57526f5d50d6f3ee56210e4fdab851fd80660fbc857698531f4743c38ec28638270bc192e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2A3C.tmp\nXbwbHrsWWkyMb.dll

Filesize
754KB

MD5
0ea14ffbf9bc129f87d5a633ca028a12

SHA1
c91e00a9d6590556a4c13a46cb6c934f84cf2b2b

SHA256
9206058e3e04af4fb8d5c05ae8f088cf0a289ea0e4cd692c4f2d76439adb0d47

SHA512
0cfd075335346690ead8c5aef2340b56ce07c59d6243ad102fee0053d64f1a7847e56ba27f5bbcac4048f2c1cf70038e7cdffafe1cc28994603fdd65d2bf7bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2A3C.tmp\nXbwbHrsWWkyMb.tlb

Filesize
3KB

MD5
4ab2bba691d66beca01f76ac65546fe8

SHA1
16f05ce91f3e2fe4b43452e24d56836fc65615af

SHA256
12816936003f13a1711de73328e38f311926a4cc9d1a836f46c9ccc02b6fb06f

SHA512
f034390bfd57618bbfd218c3df9e465dda8f4fa51fc0445c74e246472a4cde2bc0bfe4607cbc8cb31ac0edff62a84e954179fadddc2b644b8726cfa3e01694a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2A3C.tmp\nXbwbHrsWWkyMb.x64.dll

Filesize
891KB

MD5
bef492ffc032769cde00802f48a17fab

SHA1
a91e733c1269eb785f8e23dc475acac7432f0563

SHA256
473507950695ec743b98e5ef4b8970b2c7e6936556903c94f7fa88917265255d

SHA512
4f61d5f3a45d20cd00ed7ee6b874bf2dcbf248b8f65dfd8580c7148d6c71c316cace409be675a2ea919e8a12caf8690fafaf14c0f5479df55689401d2432afa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2A3C.tmp\uMMj6HEnxtWDDv8.dat

Filesize
6KB

MD5
c006e2b68d4185ae7d54b151246f58d4

SHA1
61fec617c84ed17e255d69584bba007a3f5d6973

SHA256
644d8fe5170c1a98e104cf8d128e7b0ebaa692c0bbfbf3b25acb4cc255c4f5de

SHA512
01f1a8f28a4826d95e5259cdba5b13b6a1ec12411e8a8fd45c52e972f84a487aba397d84a4d7b9c9681c49a8e1d5d7c42a81d2e1c7a6173a77eb8fa17bacceb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2A3C.tmp\uMMj6HEnxtWDDv8.exe

Filesize
774KB

MD5
fac681323e2e0ea322ef16fa551cf1e8

SHA1
744f89e591a6ced737cfe9214ce09c263de50211

SHA256
537f2df71a2f21f943a39d1c6d093a442e7ee975ed3e29b733b8bc5bf646793c

SHA512
22626bd0e79edac062b61d64234f563e3a8218703276a19a0b01749e2cad8387c8bd39bfe13810b787fb9e4c7f1669ea542e36bbf63c7c243fc68bb6fdf5c7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2A3C.tmp\uMMj6HEnxtWDDv8.exe

Filesize
774KB

MD5
fac681323e2e0ea322ef16fa551cf1e8

SHA1
744f89e591a6ced737cfe9214ce09c263de50211

SHA256
537f2df71a2f21f943a39d1c6d093a442e7ee975ed3e29b733b8bc5bf646793c

SHA512
22626bd0e79edac062b61d64234f563e3a8218703276a19a0b01749e2cad8387c8bd39bfe13810b787fb9e4c7f1669ea542e36bbf63c7c243fc68bb6fdf5c7b2

Download Submit
memory/1164-132-0x0000000000000000-mapping.dmp

Download
memory/2148-149-0x0000000000000000-mapping.dmp

Download
memory/2564-152-0x0000000000000000-mapping.dmp

Download