a4f3039ef5463c550205f9a2e51a2f6f6fc093aef2d724397c0faf41bd3be106

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4f3039ef5463c550205f9a2e51a2f6f6fc093aef2d724397c0faf41bd3be106.exe
Size

2.5MB
MD5

82a73ff03e7dd1c459fe009bbfe18931
SHA1

f1afd50424c8dfe7695062cdf07fd0c98ccae43b
SHA256

a4f3039ef5463c550205f9a2e51a2f6f6fc093aef2d724397c0faf41bd3be106
SHA512

6652a7b6044391963b249d5671de2bab577e268ca973eec0974937d4e8958aac3697df9de35274f76352188a081ed07bbad32f274615780d631e9bcbe2207ca9
SSDEEP

49152:h1OsvPHVmVhYwiLtKkKyW4nFU0I+NP/f7I3lMOaYjdxvL0Hk:h1OGHVl71RnFXINxvp

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

WecZ1onH1q09Wgb.exe

pid process

3372 WecZ1onH1q09Wgb.exe
Loads dropped DLL 3 IoCs

Processes:

WecZ1onH1q09Wgb.exeregsvr32.exeregsvr32.exe

pid process

3372 WecZ1onH1q09Wgb.exe
4860 regsvr32.exe
1500 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3372	WecZ1onH1q09Wgb.exe

pid	process
3372	WecZ1onH1q09Wgb.exe
4860	regsvr32.exe
1500	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

WecZ1onH1q09Wgb.exe

description	ioc	process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcokhglemmkidhecgkbogaanlfdmmkgg\2.0\manifest.json	WecZ1onH1q09Wgb.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcokhglemmkidhecgkbogaanlfdmmkgg\2.0\manifest.json	WecZ1onH1q09Wgb.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcokhglemmkidhecgkbogaanlfdmmkgg\2.0\manifest.json	WecZ1onH1q09Wgb.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcokhglemmkidhecgkbogaanlfdmmkgg\2.0\manifest.json	WecZ1onH1q09Wgb.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcokhglemmkidhecgkbogaanlfdmmkgg\2.0\manifest.json	WecZ1onH1q09Wgb.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exeWecZ1onH1q09Wgb.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	WecZ1onH1q09Wgb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	WecZ1onH1q09Wgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	WecZ1onH1q09Wgb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	WecZ1onH1q09Wgb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

WecZ1onH1q09Wgb.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GoSave\3CaWN2st81yBmL.dat	WecZ1onH1q09Wgb.exe
File created	C:\Program Files (x86)\GoSave\3CaWN2st81yBmL.x64.dll	WecZ1onH1q09Wgb.exe
File opened for modification	C:\Program Files (x86)\GoSave\3CaWN2st81yBmL.x64.dll	WecZ1onH1q09Wgb.exe
File created	C:\Program Files (x86)\GoSave\3CaWN2st81yBmL.dll	WecZ1onH1q09Wgb.exe
File opened for modification	C:\Program Files (x86)\GoSave\3CaWN2st81yBmL.dll	WecZ1onH1q09Wgb.exe
File created	C:\Program Files (x86)\GoSave\3CaWN2st81yBmL.tlb	WecZ1onH1q09Wgb.exe
File opened for modification	C:\Program Files (x86)\GoSave\3CaWN2st81yBmL.tlb	WecZ1onH1q09Wgb.exe
File created	C:\Program Files (x86)\GoSave\3CaWN2st81yBmL.dat	WecZ1onH1q09Wgb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

WecZ1onH1q09Wgb.exe

pid process

3372 WecZ1onH1q09Wgb.exe
3372 WecZ1onH1q09Wgb.exe

pid	process
3372	WecZ1onH1q09Wgb.exe
3372	WecZ1onH1q09Wgb.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a4f3039ef5463c550205f9a2e51a2f6f6fc093aef2d724397c0faf41bd3be106.exeWecZ1onH1q09Wgb.exeregsvr32.exe

description	pid	process	target process
PID 4556 wrote to memory of 3372	4556	a4f3039ef5463c550205f9a2e51a2f6f6fc093aef2d724397c0faf41bd3be106.exe	WecZ1onH1q09Wgb.exe
PID 4556 wrote to memory of 3372	4556	a4f3039ef5463c550205f9a2e51a2f6f6fc093aef2d724397c0faf41bd3be106.exe	WecZ1onH1q09Wgb.exe
PID 4556 wrote to memory of 3372	4556	a4f3039ef5463c550205f9a2e51a2f6f6fc093aef2d724397c0faf41bd3be106.exe	WecZ1onH1q09Wgb.exe
PID 3372 wrote to memory of 4860	3372	WecZ1onH1q09Wgb.exe	regsvr32.exe
PID 3372 wrote to memory of 4860	3372	WecZ1onH1q09Wgb.exe	regsvr32.exe
PID 3372 wrote to memory of 4860	3372	WecZ1onH1q09Wgb.exe	regsvr32.exe
PID 4860 wrote to memory of 1500	4860	regsvr32.exe	regsvr32.exe
PID 4860 wrote to memory of 1500	4860	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\a4f3039ef5463c550205f9a2e51a2f6f6fc093aef2d724397c0faf41bd3be106.exe
"C:\Users\Admin\AppData\Local\Temp\a4f3039ef5463c550205f9a2e51a2f6f6fc093aef2d724397c0faf41bd3be106.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4556

C:\Users\Admin\AppData\Local\Temp\7zSA54D.tmp\WecZ1onH1q09Wgb.exe
.\WecZ1onH1q09Wgb.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSave\3CaWN2st81yBmL.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSave\3CaWN2st81yBmL.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\3CaWN2st81yBmL.dat

Filesize
6KB

MD5
685b81bbc41bc27a8e87fd99a1c80373

SHA1
0e4e8aecb668b88da25b2437ebc0cef4716bc3d1

SHA256
9d6509f1df00157f2b2261eb17aae8e8a6db36dbb03138114682ca4cee293ebf

SHA512
c780f8a445ed6fcb25e027042991431d3c59dbc015fc60c2599c45050235697d49d84f2343eb81f72e332be8dc42f07570dd0e2f9eae91e15716262b9710f10c

Download Submit
C:\Program Files (x86)\GoSave\3CaWN2st81yBmL.dll

Filesize
747KB

MD5
d949da968ea04ac3a7ddf0e300bb32be

SHA1
581d7d799c538b8e9e578cf57c420fb802d5a201

SHA256
5c4756451acf8622efa75639f9131ca8215c165e2ef21cc1ab7f8fee77db462b

SHA512
fd00e332af52646425f0d4032bb1bbfc85a44ff274bcf212f1264a29be546db4c1ceab7da32c70248a6baa2c55d2dff47dcb2ac441c783a1d9d1260c4685eb7e

Download Submit
C:\Program Files (x86)\GoSave\3CaWN2st81yBmL.x64.dll

Filesize
885KB

MD5
1a6b1013f17c1cdc6e98f82cd2568ea8

SHA1
c96e7bdba616743a5c05b08a342d89ed102376b0

SHA256
fa9dd2bd7850053b251c9b5f27f1ac43ad04abf85de61b1928b7c2d562d3290a

SHA512
10596f46c52ca3f50d6b3c7c894fff8b41f4fe920c6e5e0138cf7e95e85bfe1db8d5f1a63939832cd48cf29f571dd36de40ebb931fb9b14a106518ae4fc17ef9

Download Submit
C:\Program Files (x86)\GoSave\3CaWN2st81yBmL.x64.dll

Filesize
885KB

MD5
1a6b1013f17c1cdc6e98f82cd2568ea8

SHA1
c96e7bdba616743a5c05b08a342d89ed102376b0

SHA256
fa9dd2bd7850053b251c9b5f27f1ac43ad04abf85de61b1928b7c2d562d3290a

SHA512
10596f46c52ca3f50d6b3c7c894fff8b41f4fe920c6e5e0138cf7e95e85bfe1db8d5f1a63939832cd48cf29f571dd36de40ebb931fb9b14a106518ae4fc17ef9

Download Submit
C:\Program Files (x86)\GoSave\3CaWN2st81yBmL.x64.dll

Filesize
885KB

MD5
1a6b1013f17c1cdc6e98f82cd2568ea8

SHA1
c96e7bdba616743a5c05b08a342d89ed102376b0

SHA256
fa9dd2bd7850053b251c9b5f27f1ac43ad04abf85de61b1928b7c2d562d3290a

SHA512
10596f46c52ca3f50d6b3c7c894fff8b41f4fe920c6e5e0138cf7e95e85bfe1db8d5f1a63939832cd48cf29f571dd36de40ebb931fb9b14a106518ae4fc17ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA54D.tmp\3CaWN2st81yBmL.dll

Filesize
747KB

MD5
d949da968ea04ac3a7ddf0e300bb32be

SHA1
581d7d799c538b8e9e578cf57c420fb802d5a201

SHA256
5c4756451acf8622efa75639f9131ca8215c165e2ef21cc1ab7f8fee77db462b

SHA512
fd00e332af52646425f0d4032bb1bbfc85a44ff274bcf212f1264a29be546db4c1ceab7da32c70248a6baa2c55d2dff47dcb2ac441c783a1d9d1260c4685eb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA54D.tmp\3CaWN2st81yBmL.tlb

Filesize
3KB

MD5
5b503f1b4056c3d4fbf2d03f88e1adfe

SHA1
c8d659ea27bf0ca0bbfd46865d5796589bf9ef68

SHA256
231ef0fef77ab6c7fea053f64a9ce7f9e21646b868bfe391962262fc15c9bb6c

SHA512
229207201368d9674258389df19132070390f913aa5cc21b7567c515be5f5e0f07cdaa460d497ae355f27f00f7fc75538783d8890f6c9c0e861a7ecb8f520bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA54D.tmp\3CaWN2st81yBmL.x64.dll

Filesize
885KB

MD5
1a6b1013f17c1cdc6e98f82cd2568ea8

SHA1
c96e7bdba616743a5c05b08a342d89ed102376b0

SHA256
fa9dd2bd7850053b251c9b5f27f1ac43ad04abf85de61b1928b7c2d562d3290a

SHA512
10596f46c52ca3f50d6b3c7c894fff8b41f4fe920c6e5e0138cf7e95e85bfe1db8d5f1a63939832cd48cf29f571dd36de40ebb931fb9b14a106518ae4fc17ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA54D.tmp\WecZ1onH1q09Wgb.dat

Filesize
6KB

MD5
685b81bbc41bc27a8e87fd99a1c80373

SHA1
0e4e8aecb668b88da25b2437ebc0cef4716bc3d1

SHA256
9d6509f1df00157f2b2261eb17aae8e8a6db36dbb03138114682ca4cee293ebf

SHA512
c780f8a445ed6fcb25e027042991431d3c59dbc015fc60c2599c45050235697d49d84f2343eb81f72e332be8dc42f07570dd0e2f9eae91e15716262b9710f10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA54D.tmp\WecZ1onH1q09Wgb.exe

Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA54D.tmp\WecZ1onH1q09Wgb.exe

Filesize
760KB

MD5
dcd148f6f3af3e3b0935c4fcc9f41811

SHA1
ee9bdbc7c568c7832d90b85921ab20030b6734cd

SHA256
f8689641199c6fc430121797965485d95abfbc430753e0e668817ab3b511a1e4

SHA512
34be8e60dc2decf8287a71516f359e80bb858ce52218dde1b01c821c9b95be38821f068b79b0da8dbe90865560e7ddab77b25e3971dda9be667fb3ae8f174886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA54D.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA54D.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
607e19963435adea5c3e38c0e3cb8cfa

SHA1
29b0819b7e1a157f0698a91ddb3930b0e7782bea

SHA256
82a64366a516538e793b4c0d23d1943e385ddf0a0e2110e8c55aa549499a1330

SHA512
205037a419e5cf9307038f90ff193153b8493815fc0fe3afb223784f3d6e3fdbc38dfa6187ee4141fe20d89937d245b3226b1da53fb38c714ef6d3e79da4efba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA54D.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
372b25fbc051db07e14adbe61d15a222

SHA1
d3ec4bd4a47a2e1b314986b05d8e75112bd8978e

SHA256
73540c8add997d1b66a78031dde1fadeea5de82a3dd997393257ee7fda4c8927

SHA512
f3799f8045aaa69995f5f9d7e09892835ae82677ded84e4195f17b07852981c49e4fd409158704d769b5d7fe7b5b0e2a3ab3437bb5d4c3d0f5cf938c43bbdb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA54D.tmp\[email protected]\install.rdf

Filesize
597B

MD5
2fcb9dd5794cfe4df0c51de9a7075f88

SHA1
bc94e87f521056518d8bbfba90c3fffef2ee0a5f

SHA256
e81fd8370cad11827e6c927918a0ba25895534b2ef11ed973c50ab66f9e62b4b

SHA512
8b42276517af51674e2f9afb9d21b4c4ce6f70ba14ca9288ae6a0ad0174bb87346ed6b107ba8ad38564df8c13511606ae1b656d8253d514f319e6aa9ce267a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA54D.tmp\bcokhglemmkidhecgkbogaanlfdmmkgg\background.html

Filesize
142B

MD5
de0f771bf87bf4ec13ef9c706c4e90c1

SHA1
2cca8871bf7e80390ea1cd245b012e6f8d2b1054

SHA256
33f99ac8e07d3bc967cbd6e5e96377f2f77ab32cbad0302870b7c26040955495

SHA512
1ffa426db61ec4def2c647926044f9f0b166e8e241577f8f7887bb031aa0d624aad9f2fd564f37e2c9a84ea3ae18ac8e907e5b890286150b11685c04af8ea2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA54D.tmp\bcokhglemmkidhecgkbogaanlfdmmkgg\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA54D.tmp\bcokhglemmkidhecgkbogaanlfdmmkgg\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA54D.tmp\bcokhglemmkidhecgkbogaanlfdmmkgg\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA54D.tmp\bcokhglemmkidhecgkbogaanlfdmmkgg\wwfDQ.js

Filesize
5KB

MD5
2c63c821e4d7187f979db20fe4908fba

SHA1
a5ad58f5e6049d1ef298d48a44c6c3021332f6a2

SHA256
fd59617036d03f5c7355fb9d5862a477c632c71c28d276f743bc189a8c3e6c1f

SHA512
0dad14e3ccad9ab09c2f23444be4560b0d70ac3daeee59b527895360d178cff05438396e208115e4e69e7f29e767a70371149192dc3691f7cb116b94cb7c67d8

Download Submit
memory/1500-152-0x0000000000000000-mapping.dmp

Download
memory/3372-132-0x0000000000000000-mapping.dmp

Download
memory/4860-149-0x0000000000000000-mapping.dmp

Download