Analysis
max time kernel: 145s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 21:13
Static task: static1
Behavioral task: behavioral1
Sample: a644fe7ba3ee3ea2f06baa70edfddfa4aafbfcfb8f3cb6e78de2fc3ae4e3941b.exe
Resource: win7-20221111-en
General
Target: a644fe7ba3ee3ea2f06baa70edfddfa4aafbfcfb8f3cb6e78de2fc3ae4e3941b.exe
Size: 2.5MB
MD5: edfeb80cb389acc06f3bcb2ee09c05ee
SHA1: 5b522c8cf45873bf6173d42eebe04d7dc7a31595
SHA256: a644fe7ba3ee3ea2f06baa70edfddfa4aafbfcfb8f3cb6e78de2fc3ae4e3941b
SHA512: 13ae44d04c4bb64d1859b019a4b87cb1cd068719c2df483a975f3d97b4d915940ec4d505d969206ed961a4527c58499d98fe36880e4ca169fcb102e98d31d280
SSDEEP: 49152:h1Osu5COLX7G7GRWdmohosycWMhHnOaAxNqZ0qhgU9B:h1OlJyGRBoyL2
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - 7poPxIwuoHH4kZE.exe (PID 4016)
- Loads dropped DLL (3 IoCs)
  Processes:
  - 7poPxIwuoHH4kZE.exe (PID 4016)
  - regsvr32.exe (PID 3724)
  - regsvr32.exe (PID 4808)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension (5 IoCs)
  Files created by 7poPxIwuoHH4kZE.exe:
  - C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\efadhojnjaegpnpjggdmhgcicpofplgd\2.0\manifest.json
  - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\efadhojnjaegpnpjggdmhgcicpofplgd\2.0\manifest.json
  - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\efadhojnjaegpnpjggdmhgcicpofplgd\2.0\manifest.json
  - C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\efadhojnjaegpnpjggdmhgcicpofplgd\2.0\manifest.json
  - C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\efadhojnjaegpnpjggdmhgcicpofplgd\2.0\manifest.json
- Installs/modifies Browser Helper Object (2 TTPs, 9 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Registry operations (description, key, process):
  - Key deleted: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (regsvr32.exe)
  - Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} (7poPxIwuoHH4kZE.exe)
  - Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} (7poPxIwuoHH4kZE.exe)
  - Key deleted: \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} (regsvr32.exe)
  - Key deleted: \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (regsvr32.exe)
  - Key deleted: \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9} (regsvr32.exe)
  - Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (7poPxIwuoHH4kZE.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ (7poPxIwuoHH4kZE.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ (regsvr32.exe)
- Drops file in Program Files directory (8 IoCs)
  File operations by 7poPxIwuoHH4kZE.exe:
  - File created: C:\Program Files (x86)\GoSave\46PU2IUfCvzFM4.tlb
  - File opened for modification: C:\Program Files (x86)\GoSave\46PU2IUfCvzFM4.tlb
  - File created: C:\Program Files (x86)\GoSave\46PU2IUfCvzFM4.dat
  - File opened for modification: C:\Program Files (x86)\GoSave\46PU2IUfCvzFM4.dat
  - File created: C:\Program Files (x86)\GoSave\46PU2IUfCvzFM4.x64.dll
  - File opened for modification: C:\Program Files (x86)\GoSave\46PU2IUfCvzFM4.x64.dll
  - File created: C:\Program Files (x86)\GoSave\46PU2IUfCvzFM4.dll
  - File opened for modification: C:\Program Files (x86)\GoSave\46PU2IUfCvzFM4.dll
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - 7poPxIwuoHH4kZE.exe (PID 4016)
  - 7poPxIwuoHH4kZE.exe (PID 4016)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Cross-process writes (source PID -> target PID, source process -> target process):
  - PID 384 wrote to memory of 4016 (a644fe7ba3ee3ea2f06baa70edfddfa4aafbfcfb8f3cb6e78de2fc3ae4e3941b.exe -> 7poPxIwuoHH4kZE.exe)
  - PID 384 wrote to memory of 4016 (a644fe7ba3ee3ea2f06baa70edfddfa4aafbfcfb8f3cb6e78de2fc3ae4e3941b.exe -> 7poPxIwuoHH4kZE.exe)
  - PID 384 wrote to memory of 4016 (a644fe7ba3ee3ea2f06baa70edfddfa4aafbfcfb8f3cb6e78de2fc3ae4e3941b.exe -> 7poPxIwuoHH4kZE.exe)
  - PID 4016 wrote to memory of 3724 (7poPxIwuoHH4kZE.exe -> regsvr32.exe)
  - PID 4016 wrote to memory of 3724 (7poPxIwuoHH4kZE.exe -> regsvr32.exe)
  - PID 4016 wrote to memory of 3724 (7poPxIwuoHH4kZE.exe -> regsvr32.exe)
  - PID 3724 wrote to memory of 4808 (regsvr32.exe -> regsvr32.exe)
  - PID 3724 wrote to memory of 4808 (regsvr32.exe -> regsvr32.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\a644fe7ba3ee3ea2f06baa70edfddfa4aafbfcfb8f3cb6e78de2fc3ae4e3941b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a644fe7ba3ee3ea2f06baa70edfddfa4aafbfcfb8f3cb6e78de2fc3ae4e3941b.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7zSC180.tmp\7poPxIwuoHH4kZE.exe
      Command line: .\7poPxIwuoHH4kZE.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops Chrome extension
      - Installs/modifies Browser Helper Object
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\regsvr32.exe
         Command line: regsvr32.exe /s "C:\Program Files (x86)\GoSave\46PU2IUfCvzFM4.x64.dll"
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\regsvr32.exe
            Command line: /s "C:\Program Files (x86)\GoSave\46PU2IUfCvzFM4.x64.dll"
            - Loads dropped DLL
            - Installs/modifies Browser Helper Object

Note on the tree: the sample is a self-extracting archive (7zSC180.tmp) that runs the dropped 7poPxIwuoHH4kZE.exe, which silently registers the dropped DLL with regsvr32 /s. The 32-bit regsvr32.exe in SysWOW64 hands off to the 64-bit regsvr32.exe in system32 to register the x64 DLL, and it is that 64-bit instance (PID 4808) on which the Browser Helper Object registration is recorded.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads