a526fa64ed23715f034803bd545dae804f7ed2d10d333c8f71269b4fe91e89cf

Analysis

max time kernel
112s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a526fa64ed23715f034803bd545dae804f7ed2d10d333c8f71269b4fe91e89cf.exe
Size

2.5MB
MD5

b71aece504ee8bcfc7695693c04d9bc8
SHA1

1857b73242e19b91e06f679f44dff92755a515f1
SHA256

a526fa64ed23715f034803bd545dae804f7ed2d10d333c8f71269b4fe91e89cf
SHA512

d8421a2495d24c4dd1dc64d22cf45c40fea2794bb4e98d1cb85f80f6daf57a00b53aaa784c71706ced2b782aba02b47d229da270937dbc466f4775a7978bebfd
SSDEEP

49152:h1OsZsbT5tEwd8c494ibL92Ff05SZ570tzKqZFsa:h1OWs35bBML92c

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

6vjNcJMU8xhH2A2.exe

pid process

4912 6vjNcJMU8xhH2A2.exe
Loads dropped DLL 3 IoCs

Processes:

6vjNcJMU8xhH2A2.exeregsvr32.exeregsvr32.exe

pid process

4912 6vjNcJMU8xhH2A2.exe
5036 regsvr32.exe
1584 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4912	6vjNcJMU8xhH2A2.exe

pid	process
4912	6vjNcJMU8xhH2A2.exe
5036	regsvr32.exe
1584	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

6vjNcJMU8xhH2A2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdfohhoocebhmhhgdjndoahdbpdkjahj\2.0\manifest.json	6vjNcJMU8xhH2A2.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdfohhoocebhmhhgdjndoahdbpdkjahj\2.0\manifest.json	6vjNcJMU8xhH2A2.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdfohhoocebhmhhgdjndoahdbpdkjahj\2.0\manifest.json	6vjNcJMU8xhH2A2.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdfohhoocebhmhhgdjndoahdbpdkjahj\2.0\manifest.json	6vjNcJMU8xhH2A2.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdfohhoocebhmhhgdjndoahdbpdkjahj\2.0\manifest.json	6vjNcJMU8xhH2A2.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe6vjNcJMU8xhH2A2.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	6vjNcJMU8xhH2A2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	6vjNcJMU8xhH2A2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	6vjNcJMU8xhH2A2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	6vjNcJMU8xhH2A2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

6vjNcJMU8xhH2A2.exe

description	ioc	process
File created	C:\Program Files (x86)\GoSave\xXCm4KBQhbuVBi.x64.dll	6vjNcJMU8xhH2A2.exe
File opened for modification	C:\Program Files (x86)\GoSave\xXCm4KBQhbuVBi.x64.dll	6vjNcJMU8xhH2A2.exe
File created	C:\Program Files (x86)\GoSave\xXCm4KBQhbuVBi.dll	6vjNcJMU8xhH2A2.exe
File opened for modification	C:\Program Files (x86)\GoSave\xXCm4KBQhbuVBi.dll	6vjNcJMU8xhH2A2.exe
File created	C:\Program Files (x86)\GoSave\xXCm4KBQhbuVBi.tlb	6vjNcJMU8xhH2A2.exe
File opened for modification	C:\Program Files (x86)\GoSave\xXCm4KBQhbuVBi.tlb	6vjNcJMU8xhH2A2.exe
File created	C:\Program Files (x86)\GoSave\xXCm4KBQhbuVBi.dat	6vjNcJMU8xhH2A2.exe
File opened for modification	C:\Program Files (x86)\GoSave\xXCm4KBQhbuVBi.dat	6vjNcJMU8xhH2A2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6vjNcJMU8xhH2A2.exe

pid process

4912 6vjNcJMU8xhH2A2.exe
4912 6vjNcJMU8xhH2A2.exe

pid	process
4912	6vjNcJMU8xhH2A2.exe
4912	6vjNcJMU8xhH2A2.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a526fa64ed23715f034803bd545dae804f7ed2d10d333c8f71269b4fe91e89cf.exe6vjNcJMU8xhH2A2.exeregsvr32.exe

description	pid	process	target process
PID 4284 wrote to memory of 4912	4284	a526fa64ed23715f034803bd545dae804f7ed2d10d333c8f71269b4fe91e89cf.exe	6vjNcJMU8xhH2A2.exe
PID 4284 wrote to memory of 4912	4284	a526fa64ed23715f034803bd545dae804f7ed2d10d333c8f71269b4fe91e89cf.exe	6vjNcJMU8xhH2A2.exe
PID 4284 wrote to memory of 4912	4284	a526fa64ed23715f034803bd545dae804f7ed2d10d333c8f71269b4fe91e89cf.exe	6vjNcJMU8xhH2A2.exe
PID 4912 wrote to memory of 5036	4912	6vjNcJMU8xhH2A2.exe	regsvr32.exe
PID 4912 wrote to memory of 5036	4912	6vjNcJMU8xhH2A2.exe	regsvr32.exe
PID 4912 wrote to memory of 5036	4912	6vjNcJMU8xhH2A2.exe	regsvr32.exe
PID 5036 wrote to memory of 1584	5036	regsvr32.exe	regsvr32.exe
PID 5036 wrote to memory of 1584	5036	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\a526fa64ed23715f034803bd545dae804f7ed2d10d333c8f71269b4fe91e89cf.exe
"C:\Users\Admin\AppData\Local\Temp\a526fa64ed23715f034803bd545dae804f7ed2d10d333c8f71269b4fe91e89cf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4284

C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\6vjNcJMU8xhH2A2.exe
.\6vjNcJMU8xhH2A2.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSave\xXCm4KBQhbuVBi.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSave\xXCm4KBQhbuVBi.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\xXCm4KBQhbuVBi.dat

Filesize
6KB

MD5
f414a1d934121bf7868f1a6f2ca87fee

SHA1
0abfede709952743968e6ad8be9390a9b11f5380

SHA256
32792110e9938068df092e1e7f2c321b27d83d6269b46451109a89d83aefd8c9

SHA512
7aa8b5fded71608ee790200c70c30004acc7eb765c21cd0b07442ac8fea670f74a7cc1bef4855bb81e30339d7d6c0715b0590bc77d17bb995b6d4b179ebcd36c

Download Submit
C:\Program Files (x86)\GoSave\xXCm4KBQhbuVBi.dll

Filesize
743KB

MD5
02484efe83390bb710807e8b7028d2b3

SHA1
8f906751d964ea6191b21bdfd81db48459bfaad7

SHA256
3956462a1cf2ecce98b616534f46d56e82d4f142abd824b0950d24ef65d81849

SHA512
6075c1999bd7526111ffb376cd9c27deb5d93fb97ad875071885527aad5014aa4814adb4cee4b7a2eae40246e158634ff2088e5656d1d012f5bd721b718ed51d

Download Submit
C:\Program Files (x86)\GoSave\xXCm4KBQhbuVBi.x64.dll

Filesize
879KB

MD5
7617ae2a075b7089066f39da7d956229

SHA1
6855e92b1b46060e223719a77710d1021a433af5

SHA256
154587a45da03da5a40eb57a6523896a6b1d705c73aff46ba00d16350472caa1

SHA512
20f0a4f72eed0ca2450a5bb2ec2be932239be24309b601565cc25be675b9db3f40fed7fb534f6f673a41ef70a8c5331f66fdfd450c179f8efa36e6938ba11cfb

Download Submit
C:\Program Files (x86)\GoSave\xXCm4KBQhbuVBi.x64.dll

Filesize
879KB

MD5
7617ae2a075b7089066f39da7d956229

SHA1
6855e92b1b46060e223719a77710d1021a433af5

SHA256
154587a45da03da5a40eb57a6523896a6b1d705c73aff46ba00d16350472caa1

SHA512
20f0a4f72eed0ca2450a5bb2ec2be932239be24309b601565cc25be675b9db3f40fed7fb534f6f673a41ef70a8c5331f66fdfd450c179f8efa36e6938ba11cfb

Download Submit
C:\Program Files (x86)\GoSave\xXCm4KBQhbuVBi.x64.dll

Filesize
879KB

MD5
7617ae2a075b7089066f39da7d956229

SHA1
6855e92b1b46060e223719a77710d1021a433af5

SHA256
154587a45da03da5a40eb57a6523896a6b1d705c73aff46ba00d16350472caa1

SHA512
20f0a4f72eed0ca2450a5bb2ec2be932239be24309b601565cc25be675b9db3f40fed7fb534f6f673a41ef70a8c5331f66fdfd450c179f8efa36e6938ba11cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\6vjNcJMU8xhH2A2.dat

Filesize
6KB

MD5
f414a1d934121bf7868f1a6f2ca87fee

SHA1
0abfede709952743968e6ad8be9390a9b11f5380

SHA256
32792110e9938068df092e1e7f2c321b27d83d6269b46451109a89d83aefd8c9

SHA512
7aa8b5fded71608ee790200c70c30004acc7eb765c21cd0b07442ac8fea670f74a7cc1bef4855bb81e30339d7d6c0715b0590bc77d17bb995b6d4b179ebcd36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\6vjNcJMU8xhH2A2.exe

Filesize
770KB

MD5
dcf33f8e0a56a634cb9d4db6fc143571

SHA1
ee56510bfcb8e933aa1cd25601e812aeb5f80db7

SHA256
a5cdba2198411ca2227ba589b17041aad9a08a06bea9b05befdec3423e9e8fe3

SHA512
cb8a9197b0d0632b617ab879d4366c372cbbe5e861fe33d01daf80c99d9943d349f2092ca602ef7bb913b3fd1f7bb709f03f2ef6bbf40055b713d3f1afd35841

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\6vjNcJMU8xhH2A2.exe

Filesize
770KB

MD5
dcf33f8e0a56a634cb9d4db6fc143571

SHA1
ee56510bfcb8e933aa1cd25601e812aeb5f80db7

SHA256
a5cdba2198411ca2227ba589b17041aad9a08a06bea9b05befdec3423e9e8fe3

SHA512
cb8a9197b0d0632b617ab879d4366c372cbbe5e861fe33d01daf80c99d9943d349f2092ca602ef7bb913b3fd1f7bb709f03f2ef6bbf40055b713d3f1afd35841

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
79ca9d6c0b3b43f7495e1a6971919f96

SHA1
823be8fef66fdbfb63df7377bbd88fe9cf39037b

SHA256
b9b3a2524c33c7e9003fcde9e9cabc39981f249d710c925710a4550e94c1d515

SHA512
a375f1187a29bac16e0a2a4f1a0dad81a3fe651528451fbee99bb43cc345dbb580b7d6af64451c15aeb40180ccc2116d681295c9faa5905b8fb5f697e6188260

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
e27a9a52c4969e2b94ae6144f535fc99

SHA1
ed9a0a694220625e6ca762c88a734fc84e261d2c

SHA256
b1cf29fef7a54a9dd442860d3e7d5595f8858adcdc3e1607336f38be0f266ca6

SHA512
a800d9a71b87885b89a8dd30adfd1e731784a880ae2450e698e04df289f6eac5c083fe0b1fa8b2794e74011eaaa94ac164187bc8da2871c340e849a02e450b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\[email protected]\install.rdf

Filesize
597B

MD5
4f0376b02315b3ad0df3a9ebfdb54fb6

SHA1
c8d305b428dc00f13bbe52033bfd285e8358ca3c

SHA256
cd4d9ca926fb64a9bcbd4fa4efff59c8cedc7239b55b9ffa92999e016a2af486

SHA512
21fcad206ac56fd8c695b4da191848c724716d542e1cac9484cdba1c85eb1b768feeade9f8a06687aac2bf594c14a80a611e731867efe790fd056c324e27f424

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\mdfohhoocebhmhhgdjndoahdbpdkjahj\Ei.js

Filesize
5KB

MD5
955d6b8a6a2507eb861cde80ea94b160

SHA1
bc9942ec2a4f316f86f140f9f984cacb86b7e760

SHA256
180f34ed74d4d37289e2d549b06a956e276e59c0510d55601b011849e7642b84

SHA512
fcfe10e2aae7d682326592a7381dfff515c81394a074cf601a5bbb6ed5175b14aaf08e06163f3d38730b5cbe0c77a0cd658deda4086e5dcc7d800b1c757b82d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\mdfohhoocebhmhhgdjndoahdbpdkjahj\background.html

Filesize
139B

MD5
4cdd5872f39f579a131c496650eb2e90

SHA1
2ee2bdf699f4e43383f3d1569793c5137b1aef55

SHA256
a7cce06cc84ffc00553ec1514614d42b5fe66c42891785a4bacd23a0bee5f31d

SHA512
478bbea88deb1f0353b16f521fb1b0c44560840cdadb2442fd295258fa2c5a0b73df3a9df37738190e4e9475e5f8af56117f5fd19cff084fe8eda808f9d09e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\mdfohhoocebhmhhgdjndoahdbpdkjahj\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\mdfohhoocebhmhhgdjndoahdbpdkjahj\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\mdfohhoocebhmhhgdjndoahdbpdkjahj\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\xXCm4KBQhbuVBi.dll

Filesize
743KB

MD5
02484efe83390bb710807e8b7028d2b3

SHA1
8f906751d964ea6191b21bdfd81db48459bfaad7

SHA256
3956462a1cf2ecce98b616534f46d56e82d4f142abd824b0950d24ef65d81849

SHA512
6075c1999bd7526111ffb376cd9c27deb5d93fb97ad875071885527aad5014aa4814adb4cee4b7a2eae40246e158634ff2088e5656d1d012f5bd721b718ed51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\xXCm4KBQhbuVBi.tlb

Filesize
3KB

MD5
cfff5983771bbd5152621b2713813c95

SHA1
008d3011244235d20bffa06043a2dcb4b469061d

SHA256
fab4ae91b4502d972a69f95ed66866b2f17a8d61bed89d20aec2cf659e7c50f8

SHA512
e9b8f0047626795e194c87cd13fdcb8d3fe5e8ac20d7b0cdc8b88c6d147f98cbd212469315ca8cc8aa018c9b9d1662ab422f4fb4dcfd4a15f18ad3cba6be0964

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF707.tmp\xXCm4KBQhbuVBi.x64.dll

Filesize
879KB

MD5
7617ae2a075b7089066f39da7d956229

SHA1
6855e92b1b46060e223719a77710d1021a433af5

SHA256
154587a45da03da5a40eb57a6523896a6b1d705c73aff46ba00d16350472caa1

SHA512
20f0a4f72eed0ca2450a5bb2ec2be932239be24309b601565cc25be675b9db3f40fed7fb534f6f673a41ef70a8c5331f66fdfd450c179f8efa36e6938ba11cfb

Download Submit
memory/1584-152-0x0000000000000000-mapping.dmp

Download
memory/4912-132-0x0000000000000000-mapping.dmp

Download
memory/5036-149-0x0000000000000000-mapping.dmp

Download