c3287e89f2fac66bccb1741550e738a4f1136f1f1f211cf5714a56565676d071

Analysis

max time kernel
171s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3287e89f2fac66bccb1741550e738a4f1136f1f1f211cf5714a56565676d071.exe
Size

2.5MB
MD5

7a6d4935894dc45400a9d598979d1307
SHA1

5b3b9abe71394580fde49ae483350957ac6e8fec
SHA256

c3287e89f2fac66bccb1741550e738a4f1136f1f1f211cf5714a56565676d071
SHA512

1420442bc16fad7e46d7ce26fb5806e781784bac9a511c6bdc2db0f5bf29efb8c319fecde8b710e53bd8aaf1de053ab082c46ed5e442ea7aec7420d249d41b45
SSDEEP

49152:h1OsN+QK3xQpjajXKioFMpYphqd3ArqvFUmEaDxEAxh4UR9TEy:h1ONQCjbKioVg3ArKh40x

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

a7BRa4Fg9CE6AzX.exe

pid process

4508 a7BRa4Fg9CE6AzX.exe
Loads dropped DLL 3 IoCs

Processes:

a7BRa4Fg9CE6AzX.exeregsvr32.exeregsvr32.exe

pid process

4508 a7BRa4Fg9CE6AzX.exe
4128 regsvr32.exe
2152 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4508	a7BRa4Fg9CE6AzX.exe

pid	process
4508	a7BRa4Fg9CE6AzX.exe
4128	regsvr32.exe
2152	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

a7BRa4Fg9CE6AzX.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	a7BRa4Fg9CE6AzX.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	a7BRa4Fg9CE6AzX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	a7BRa4Fg9CE6AzX.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	a7BRa4Fg9CE6AzX.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

a7BRa4Fg9CE6AzX.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GoSave\ddYc62S2b49Ysd.dat	a7BRa4Fg9CE6AzX.exe
File created	C:\Program Files (x86)\GoSave\ddYc62S2b49Ysd.x64.dll	a7BRa4Fg9CE6AzX.exe
File opened for modification	C:\Program Files (x86)\GoSave\ddYc62S2b49Ysd.x64.dll	a7BRa4Fg9CE6AzX.exe
File created	C:\Program Files (x86)\GoSave\ddYc62S2b49Ysd.dll	a7BRa4Fg9CE6AzX.exe
File opened for modification	C:\Program Files (x86)\GoSave\ddYc62S2b49Ysd.dll	a7BRa4Fg9CE6AzX.exe
File created	C:\Program Files (x86)\GoSave\ddYc62S2b49Ysd.tlb	a7BRa4Fg9CE6AzX.exe
File opened for modification	C:\Program Files (x86)\GoSave\ddYc62S2b49Ysd.tlb	a7BRa4Fg9CE6AzX.exe
File created	C:\Program Files (x86)\GoSave\ddYc62S2b49Ysd.dat	a7BRa4Fg9CE6AzX.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a7BRa4Fg9CE6AzX.exe

pid process

4508 a7BRa4Fg9CE6AzX.exe
4508 a7BRa4Fg9CE6AzX.exe

pid	process
4508	a7BRa4Fg9CE6AzX.exe
4508	a7BRa4Fg9CE6AzX.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c3287e89f2fac66bccb1741550e738a4f1136f1f1f211cf5714a56565676d071.exea7BRa4Fg9CE6AzX.exeregsvr32.exe

description	pid	process	target process
PID 3468 wrote to memory of 4508	3468	c3287e89f2fac66bccb1741550e738a4f1136f1f1f211cf5714a56565676d071.exe	a7BRa4Fg9CE6AzX.exe
PID 3468 wrote to memory of 4508	3468	c3287e89f2fac66bccb1741550e738a4f1136f1f1f211cf5714a56565676d071.exe	a7BRa4Fg9CE6AzX.exe
PID 3468 wrote to memory of 4508	3468	c3287e89f2fac66bccb1741550e738a4f1136f1f1f211cf5714a56565676d071.exe	a7BRa4Fg9CE6AzX.exe
PID 4508 wrote to memory of 4128	4508	a7BRa4Fg9CE6AzX.exe	regsvr32.exe
PID 4508 wrote to memory of 4128	4508	a7BRa4Fg9CE6AzX.exe	regsvr32.exe
PID 4508 wrote to memory of 4128	4508	a7BRa4Fg9CE6AzX.exe	regsvr32.exe
PID 4128 wrote to memory of 2152	4128	regsvr32.exe	regsvr32.exe
PID 4128 wrote to memory of 2152	4128	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\c3287e89f2fac66bccb1741550e738a4f1136f1f1f211cf5714a56565676d071.exe
"C:\Users\Admin\AppData\Local\Temp\c3287e89f2fac66bccb1741550e738a4f1136f1f1f211cf5714a56565676d071.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Local\Temp\7zS30D.tmp\a7BRa4Fg9CE6AzX.exe
.\a7BRa4Fg9CE6AzX.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSave\ddYc62S2b49Ysd.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSave\ddYc62S2b49Ysd.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:2152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\ddYc62S2b49Ysd.dat
Filesize
6KB

MD5
d40071c29419550e9f3e47843890018f

SHA1
177c29131621dcaa8194f7753c69dce88ded4692

SHA256
2d09362153bfa603d1c0e98c8278e8db1635a1b27f5d5cd5d7cae2e44cfeeef3

SHA512
c5798c1c95c367b5d9d6538f8012f9dd8d749761e48f2940369f3f2c0cabb5576894a9d839a1d0f69583f0b84440dc25f3508b3af7295f7917d89351ea86dca4

Download Submit
C:\Program Files (x86)\GoSave\ddYc62S2b49Ysd.dll
Filesize
748KB

MD5
c4836ef373cdfa7eac3738c59ae9fb83

SHA1
2f019c1b3357e3be378ac804acfc98ec4f80b576

SHA256
5c7ba1a9e0bf346f3b4baa8e6965981b0ff412eabc879ecc531e98f268c34e3e

SHA512
e459aeba63802639c8e7245afc139d86e75a805e14b90318b926ff00fe384d14ac209dc76fb88319218c89fe1562c737ed4c5847cd92e698d529ba6737c2fb4d

Download Submit
C:\Program Files (x86)\GoSave\ddYc62S2b49Ysd.x64.dll
Filesize
887KB

MD5
fe714aa952e86e33b2cc1652e0f7f6cb

SHA1
25927512b7bef5f0586f7edab4d4804ec43409aa

SHA256
c4fc97da6b3393137f1711238c3ac18d36f903d256a9205fd40e71b4c99ce579

SHA512
fe5ac276c14bf2f5e59a1c4acccb98404cbbbe0bceed92a69e5860445682c44d8575ef6926706b9d750bcbf8dca539503547c4f693a8b28cb2e3463760c2c5a7

Download Submit
C:\Program Files (x86)\GoSave\ddYc62S2b49Ysd.x64.dll
Filesize
887KB

MD5
fe714aa952e86e33b2cc1652e0f7f6cb

SHA1
25927512b7bef5f0586f7edab4d4804ec43409aa

SHA256
c4fc97da6b3393137f1711238c3ac18d36f903d256a9205fd40e71b4c99ce579

SHA512
fe5ac276c14bf2f5e59a1c4acccb98404cbbbe0bceed92a69e5860445682c44d8575ef6926706b9d750bcbf8dca539503547c4f693a8b28cb2e3463760c2c5a7

Download Submit
C:\Program Files (x86)\GoSave\ddYc62S2b49Ysd.x64.dll
Filesize
887KB

MD5
fe714aa952e86e33b2cc1652e0f7f6cb

SHA1
25927512b7bef5f0586f7edab4d4804ec43409aa

SHA256
c4fc97da6b3393137f1711238c3ac18d36f903d256a9205fd40e71b4c99ce579

SHA512
fe5ac276c14bf2f5e59a1c4acccb98404cbbbe0bceed92a69e5860445682c44d8575ef6926706b9d750bcbf8dca539503547c4f693a8b28cb2e3463760c2c5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS30D.tmp\ZWYUvi@L1GA.com\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS30D.tmp\ZWYUvi@L1GA.com\chrome.manifest
Filesize
35B

MD5
34d14f6d7e4582a578642c1e95d25521

SHA1
191718aa2d473e459c5948026a433f193166992e

SHA256
b2f29cff0e594ded3cb521000938b0cc52e5ea66ee2139fd2af46c8c8f610a72

SHA512
dbdb2bde74c6caae5d512bf2c21259bed8b97242a56ddb49bdf981bd0856790a3bdd2ae822e21e6cb5032a3d7a9f5a4bcb37236a3a3ea1730168488a95017f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS30D.tmp\ZWYUvi@L1GA.com\content\bg.js
Filesize
7KB

MD5
532d5a3c1b4eebb4770fd6b42b30af99

SHA1
a350b33dac35f314793ccd006be5ecdee448b5cf

SHA256
015c2cd213588e2ff850d00dc8dd3c993e2d72869d1a4935cab3086f85016f93

SHA512
3330ff16d68103d0090ff1081f9572509a70623d22f598a0864492779778fa8a74aed3a9ead7c4fc00be1e9d53893614fd6ec7884b648434272701695530a16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS30D.tmp\ZWYUvi@L1GA.com\install.rdf
Filesize
597B

MD5
2d275c3cac646359d00f6f70c01e6fbe

SHA1
68f110072a295871855be454851b4b7c147db0f1

SHA256
3bbb6f97f9e4538765f494858f0b0c55edf4c0e5b59d7e29b93c8202d8f15d4b

SHA512
e7c749d1b8016a357b06977398728e117594b5ef8b670301f7bca923fe712a7e0507b86863a1471c6ee993cb235b1cd01230ce61615e8ad7b3d285b785e4eed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS30D.tmp\a7BRa4Fg9CE6AzX.dat
Filesize
6KB

MD5
d40071c29419550e9f3e47843890018f

SHA1
177c29131621dcaa8194f7753c69dce88ded4692

SHA256
2d09362153bfa603d1c0e98c8278e8db1635a1b27f5d5cd5d7cae2e44cfeeef3

SHA512
c5798c1c95c367b5d9d6538f8012f9dd8d749761e48f2940369f3f2c0cabb5576894a9d839a1d0f69583f0b84440dc25f3508b3af7295f7917d89351ea86dca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS30D.tmp\a7BRa4Fg9CE6AzX.exe
Filesize
765KB

MD5
102dfa10cc29d7f1ded876dfd7274280

SHA1
f26e57d916bf7c5c3a4b49a2edaf30e945b0b44e

SHA256
67d9ee9e36b29e081ff2084dc488b0b6c4120e791a5c33ce6027cf89718e4bb3

SHA512
c3b7bb463873420f1582880308acca440c24fefaf45c9ad75319665e07c0f4548bd6fe07fabec48edd138a495a2607297773b16400e351e68a7462b45fb2c0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS30D.tmp\a7BRa4Fg9CE6AzX.exe
Filesize
765KB

MD5
102dfa10cc29d7f1ded876dfd7274280

SHA1
f26e57d916bf7c5c3a4b49a2edaf30e945b0b44e

SHA256
67d9ee9e36b29e081ff2084dc488b0b6c4120e791a5c33ce6027cf89718e4bb3

SHA512
c3b7bb463873420f1582880308acca440c24fefaf45c9ad75319665e07c0f4548bd6fe07fabec48edd138a495a2607297773b16400e351e68a7462b45fb2c0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS30D.tmp\ddYc62S2b49Ysd.dll
Filesize
748KB

MD5
c4836ef373cdfa7eac3738c59ae9fb83

SHA1
2f019c1b3357e3be378ac804acfc98ec4f80b576

SHA256
5c7ba1a9e0bf346f3b4baa8e6965981b0ff412eabc879ecc531e98f268c34e3e

SHA512
e459aeba63802639c8e7245afc139d86e75a805e14b90318b926ff00fe384d14ac209dc76fb88319218c89fe1562c737ed4c5847cd92e698d529ba6737c2fb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS30D.tmp\ddYc62S2b49Ysd.tlb
Filesize
3KB

MD5
f461159d95e1a49a534ad0320ff3984b

SHA1
e3363285437846f046b126adbcd8e4789aa1f486

SHA256
d6967480d6f6fd4b9d31fb7e38ee6f04c76c36edd2795f852ec3938d984993d6

SHA512
2a12587d4a69c967771d8b4ed43e857a81899e177d5ec8ddf8365eaa4e8752032fac8d25b5c3a89ae5efc82b4c6dfd4ba2d26e998b3ad95cc8fdc6ef0c7416ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS30D.tmp\ddYc62S2b49Ysd.x64.dll
Filesize
887KB

MD5
fe714aa952e86e33b2cc1652e0f7f6cb

SHA1
25927512b7bef5f0586f7edab4d4804ec43409aa

SHA256
c4fc97da6b3393137f1711238c3ac18d36f903d256a9205fd40e71b4c99ce579

SHA512
fe5ac276c14bf2f5e59a1c4acccb98404cbbbe0bceed92a69e5860445682c44d8575ef6926706b9d750bcbf8dca539503547c4f693a8b28cb2e3463760c2c5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS30D.tmp\null\Z.js
Filesize
5KB

MD5
c5ea9ffab1b044328c7fb6fc3f126aca

SHA1
7f09b304bfc2b4461ed53707cca5f29b21b64d9a

SHA256
d3cbab1087e8f85bef5db1c3331654f5ca8e6efb444f3e49f5e3b6f053a47860

SHA512
42fdb758d876120921d717068726e571d944f03959253b12bd7d0c0b429e90442e96eb94f680fe3ac04184341dc1f9849bc42f54ce0c76401b1c3c4e2e1edcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS30D.tmp\null\background.html
Filesize
138B

MD5
5b20647745785bcb1751ef5b08974d41

SHA1
06496283131d57474a01c5ff94016ed138a8acbe

SHA256
a7e45527765321b5943d2a3da8a9412965391e29d5615b51335cee9cb6b4dec5

SHA512
e43de57075993e79f6667b0d8cd29387337b02a11ed95434dbcc8e84f07153f588b0c4eec0072e4cb81e9be8613746b4d1e878055cc2afcb5a1f1c988637259b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS30D.tmp\null\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS30D.tmp\null\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS30D.tmp\null\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/2152-152-0x0000000000000000-mapping.dmp

Download
memory/4128-149-0x0000000000000000-mapping.dmp

Download
memory/4508-132-0x0000000000000000-mapping.dmp

Download