Analysis
max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
24-11-2022 21:05
Static task
static1
Behavioral task
behavioral1
Sample
a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202.exe
Resource
win7-20220812-en
General
Target
a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202.exe
Size
2.5MB
MD5
2c71957fc6b05cd2d03930266bce51ef
SHA1
5132a354211a3a36469d597abc4558c3b875a0a2
SHA256
a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202
SHA512
95d19587ed68a07bc525a89a9825c8cade6aa9a34ec9f1b598607cfae3b758294f2c58958ab6524f4028adacf71e082631e0d3d1e3114dd4152f52ca10a8bed7
SSDEEP
49152:h1Os+IPtchP5IawtcvlV3COH8qA0OOMC1gqEaejGfrT3:h1OnIPtrkvlBCOHgBCX
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  PID 1880  yAIoqWIm7dmPV6x.exe

Loads dropped DLL (4 IoCs)
Processes:
  PID 1884  a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202.exe
  PID 1880  yAIoqWIm7dmPV6x.exe
  PID 1640  regsvr32.exe
  PID 976   regsvr32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops Chrome extension (3 IoCs)
Processes: yAIoqWIm7dmPV6x.exe
  File created  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\opniknllhhkjihlgbmckndbkkfiadnkm\2.0\manifest.json  (yAIoqWIm7dmPV6x.exe)
  File created  C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\opniknllhhkjihlgbmckndbkkfiadnkm\2.0\manifest.json  (yAIoqWIm7dmPV6x.exe)
  File created  C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\opniknllhhkjihlgbmckndbkkfiadnkm\2.0\manifest.json  (yAIoqWIm7dmPV6x.exe)

Installs/modifies Browser Helper Object (2 TTPs, 11 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: regsvr32.exe, yAIoqWIm7dmPV6x.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\  (regsvr32.exe)
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}  (yAIoqWIm7dmPV6x.exe)
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}  (yAIoqWIm7dmPV6x.exe)
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}  (regsvr32.exe)
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}  (regsvr32.exe)
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects  (regsvr32.exe)
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}  (yAIoqWIm7dmPV6x.exe)
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects  (yAIoqWIm7dmPV6x.exe)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\  (yAIoqWIm7dmPV6x.exe)
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}  (regsvr32.exe)
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}  (regsvr32.exe)

Drops file in Program Files directory (8 IoCs)
Processes: yAIoqWIm7dmPV6x.exe
  File opened for modification  C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.dll  (yAIoqWIm7dmPV6x.exe)
  File created                  C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.tlb  (yAIoqWIm7dmPV6x.exe)
  File opened for modification  C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.tlb  (yAIoqWIm7dmPV6x.exe)
  File created                  C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.dat  (yAIoqWIm7dmPV6x.exe)
  File opened for modification  C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.dat  (yAIoqWIm7dmPV6x.exe)
  File created                  C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.x64.dll  (yAIoqWIm7dmPV6x.exe)
  File opened for modification  C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.x64.dll  (yAIoqWIm7dmPV6x.exe)
  File created                  C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.dll  (yAIoqWIm7dmPV6x.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  PID 1880  yAIoqWIm7dmPV6x.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes: a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202.exe, yAIoqWIm7dmPV6x.exe, regsvr32.exe
  PID 1884 (a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202.exe) wrote to memory of PID 1880 (yAIoqWIm7dmPV6x.exe): 4 events
  PID 1880 (yAIoqWIm7dmPV6x.exe) wrote to memory of PID 1640 (regsvr32.exe): 7 events
  PID 1640 (regsvr32.exe) wrote to memory of PID 976 (regsvr32.exe): 7 events
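The "Drops Chrome extension" signature above is notable for where the manifest lands: the same extension ID is written into the Admin, Administrator and Guest profiles, which Chrome itself never does (it installs per user). The Python below is an added example, not part of the sandbox report or the sample: it sweeps every profile under a users root for unpacked Chrome extensions and reports any ID present in more than one profile. The directory tree it scans is a constructed fixture mirroring the three drop paths in the report plus one clean profile, and the extension name inside the fixture's manifest.json is made up.

```python
"""Sweep per-user Chrome profiles for unpacked extensions and flag an
extension ID that appears in more than one profile.

Added example, not the sandbox's code. The scanned tree is a constructed
fixture: three profiles carrying the report's extension ID, one without.
"""
import json
import re
import tempfile
from pathlib import Path

EXT_ID = "opniknllhhkjihlgbmckndbkkfiadnkm"  # extension ID from the report
CHROME_EXT_SUBDIR = "AppData/Local/Google/Chrome/User Data/Default/Extensions"
# Chrome extension IDs are 32 characters from a-p (a hash mapped onto that
# alphabet); the pattern filters out stray files in the Extensions directory.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")


def chrome_extensions(users_root: Path):
    """Return (user, extension_id, version, manifest name) for every unpacked
    extension found under <user>/.../Default/Extensions/<id>/<version>/."""
    found = []
    for user_dir in sorted(p for p in users_root.iterdir() if p.is_dir()):
        ext_root = user_dir / CHROME_EXT_SUBDIR
        if not ext_root.is_dir():
            continue
        for ext_dir in sorted(ext_root.iterdir()):
            if not (ext_dir.is_dir() and EXT_ID_RE.match(ext_dir.name)):
                continue
            for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
                manifest = ver_dir / "manifest.json"
                if not manifest.is_file():
                    continue
                try:
                    name = json.loads(manifest.read_text(encoding="utf-8")).get("name", "")
                except ValueError:
                    name = "<unparseable manifest>"
                found.append((user_dir.name, ext_dir.name, ver_dir.name, name))
    return found


def extensions_in_multiple_profiles(found, min_profiles=2):
    """Map extension ID -> sorted users for IDs present in >= min_profiles.
    One installer writing the same ID into every profile (Guest included)
    is the pattern in the report; a user-installed extension stays in one."""
    users_by_ext = {}
    for user, ext_id, _version, _name in found:
        users_by_ext.setdefault(ext_id, set()).add(user)
    return {e: sorted(u) for e, u in users_by_ext.items() if len(u) >= min_profiles}


def build_constructed_profiles(users_root: Path):
    """Constructed fixture mirroring the report's three drop paths, plus an
    "Other" profile with an empty Extensions directory as a control."""
    manifest = json.dumps({"name": "constructed fixture extension", "version": "2.0"})
    for user in ("Admin", "Administrator", "Guest"):
        ver_dir = users_root / user / CHROME_EXT_SUBDIR / EXT_ID / "2.0"
        ver_dir.mkdir(parents=True)
        (ver_dir / "manifest.json").write_text(manifest, encoding="utf-8")
    (users_root / "Other" / CHROME_EXT_SUBDIR).mkdir(parents=True)
    return users_root


def run_demo():
    """Build the fixture in a temp dir, scan it, return (found, multi)."""
    with tempfile.TemporaryDirectory() as tmp:
        users_root = build_constructed_profiles(Path(tmp) / "Users")
        found = chrome_extensions(users_root)
        multi = extensions_in_multiple_profiles(found)
    return found, multi


if __name__ == "__main__":
    found, multi = run_demo()
    for row in found:
        print(*row)
    print("present in several profiles:", multi)
```

On a live host, point chrome_extensions() at C:\Users and compare the IDs against the organisation's allowlist; the multi-profile check is the cheap first filter because it needs no allowlist at all.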
Processes
1. C:\Users\Admin\AppData\Local\Temp\a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202.exe  (PID 1884)
   command line: "C:\Users\Admin\AppData\Local\Temp\a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\yAIoqWIm7dmPV6x.exe  (PID 1880)
      command line: .\yAIoqWIm7dmPV6x.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops Chrome extension
      - Installs/modifies Browser Helper Object
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\regsvr32.exe  (PID 1640)
         command line: regsvr32.exe /s "C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.x64.dll"
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\regsvr32.exe  (PID 976)
            command line: /s "C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.x64.dll"
            - Loads dropped DLL
            - Installs/modifies Browser Helper Object
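The process tree shows the 32-bit installer launching C:\Windows\SysWOW64\regsvr32.exe on eyZ3BFw7Q6FJA1.x64.dll, and that process launching C:\Windows\system32\regsvr32.exe with the same argument. regsvr32 re-executes the other bitness of itself when handed a DLL that does not match its own, which is why the native Browser Helper Objects key is created by the 64-bit child (PID 976) while the installer writes the Wow6432Node key itself (PID 1880). The Python below is an added example, not the sandbox's code and not from the sample: it correlates BHO key writes with the writing process and its ancestry and flags the two patterns seen here, regsvr32 registering a DLL from outside C:\Windows and a non-regsvr32 process writing BHO keys directly. The event records are constructed by hand from the report's process tree and registry IoCs; the field names (pid, ppid, image, cmdline, op, key) are an assumed normalised schema, not the sandbox's export format.

```python
"""Correlate Browser Helper Object registry writes with the process that made
them and, for regsvr32, with the DLL it was asked to register.

Added example for this report, not the sandbox's own code. Both event lists
are constructed from the process tree and BHO IoCs in the report; the schema
(pid, ppid, image, cmdline, op, key) is assumed.
"""
import re

# Constructed process-creation events modelled on the report's process tree
# (ppid 0 marks the submitted sample, whose parent the report does not show).
PROCESS_EVENTS = [
    {"pid": 1884, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202.exe"'},
    {"pid": 1880, "ppid": 1884,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\yAIoqWIm7dmPV6x.exe",
     "cmdline": r".\yAIoqWIm7dmPV6x.exe"},
    {"pid": 1640, "ppid": 1880, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.x64.dll"'},
    {"pid": 976, "ppid": 1640, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r'/s "C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.x64.dll"'},
]

# Constructed registry events: a subset of the report's BHO IoCs plus one
# unrelated key as a control (trailing backslashes omitted).
REGISTRY_EVENTS = [
    {"pid": 976, "op": "Key created",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"},
    {"pid": 976, "op": "Key deleted",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"},
    {"pid": 1880, "op": "Key created",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects"},
    {"pid": 1880, "op": "Key deleted",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}"},
    {"pid": 1884, "op": "Key created",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GoSave"},
]

BHO_KEY = re.compile(r"\\Browser Helper Objects(?:\\|$)", re.IGNORECASE)
# First quoted or bare argument ending in .dll on a regsvr32 command line.
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)


def regsvr32_dll(cmdline):
    m = DLL_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def is_regsvr32(image):
    return image.lower().endswith("\\regsvr32.exe")


def under_windows(path):
    return path.lower().startswith("c:\\windows\\")


def ancestors(pid, by_pid):
    """Yield the record for pid, then its parent, and so on up the tree."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid]["ppid"]


def find_bho_writes(process_events, registry_events):
    by_pid = {e["pid"]: e for e in process_events}
    alerts, reported = [], set()
    for rev in registry_events:
        if not BHO_KEY.search(rev["key"]):
            continue
        chain = list(ancestors(rev["pid"], by_pid))
        if not chain:
            continue
        writer = chain[0]
        if is_regsvr32(writer["image"]):
            dll = regsvr32_dll(writer["cmdline"])
            # In-box DLLs under C:\Windows registering themselves are routine;
            # a DLL from a freshly written vendor directory is what we hunt.
            if dll is None or under_windows(dll):
                continue
            rule = "bho-registered-by-regsvr32-from-untrusted-path"
        else:
            dll = None
            rule = "bho-key-written-by-non-regsvr32-process"
        fingerprint = (rule, writer["pid"], dll)
        if fingerprint in reported:
            continue
        reported.add(fingerprint)
        alerts.append({"rule": rule, "pid": writer["pid"], "dll": dll,
                       "key": rev["key"], "op": rev["op"],
                       # writer first, then each parent: exposes the
                       # SysWOW64 -> system32 regsvr32 relaunch
                       "chain": [e["image"] for e in chain]})
    return alerts


if __name__ == "__main__":
    for a in find_bho_writes(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(a["rule"], a["pid"], a["dll"])
        print("  chain:", " <- ".join(a["chain"]))
```

The ancestry walk matters more than it looks: a rule keyed only on "regsvr32 writes a BHO key" fires on the 64-bit child, whose own parent is another regsvr32, so without the chain the installer that started it all would not appear in the alert.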
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.dat
Filesize 6KB
MD5 bf6c2a259c6656638320efe71e71ab17
SHA1 ebec888d55d64db8694d4fdb5fde63cac715f2c2
SHA256 437c362ddc38b3eba6f299a42acb572b558c9a96e9b364274198f68110c471a8
SHA512 eb6aa8671a05eea3a07dff548b498e29c262d1e7f7daee75706db6229536167019a8f3bd5c548960dd8e60ab86aa3226cfbca2c0a97ecbbd2508651c9acec5ef
-
C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.x64.dll
Filesize 881KB
MD5 8cb4c5980306da615fd3a3c0b7124d95
SHA1 04c3ab5e547e3644e8627f9a548a56c112792499
SHA256 ce12f2e485306ea9a8bd019ffd6a62d846259bac4ba0ec71d81b43ab32470d43
SHA512 1852f4cf028c72869f215a8efff6c7244e2c67cde1230eb633a0d700fce957774dade7a50fcd7b760f395b3e242a5701ab88496e5551f778d208bcf182e0bedf
-
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\[email protected]\bootstrap.js
Filesize 2KB
MD5 df13f711e20e9c80171846d4f2f7ae06
SHA1 56d29cda58427efe0e21d3880d39eb1b0ef60bee
SHA256 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
SHA512 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e
-
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\[email protected]\chrome.manifest
Filesize 35B
MD5 4706b8eecf5ebf13aae2c383983ebcf2
SHA1 9b0aad6b2ad4777b92ccf58ceb24bd909ee7a611
SHA256 9e74f1ea8e80e6e9e94074d836c650bb05b98c7a4ab27154d8580e23e22d2b13
SHA512 27985da079ee10979de57500a3f08d309bc4d3378576ac3594b2273ab5000e5277559141fa0121fe4418c6bf0d12d0d098da8734a74497647960b452eacfe363
-
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\[email protected]\content\bg.js
Filesize 7KB
MD5 1e1bac133abfb4037df79e45a7b1b1aa
SHA1 cb5800bdb50a4d6231a466dd82e9e795855f20dc
SHA256 39adca7c83b09f0ca616dc9233ff1fc9afd094741875342015069e9849b80ff5
SHA512 dac00c311d9bb452467d8e49df3303b3f69c5701a64a754576bd97d93b0e076a741d1421bb1499bf6ce0e5e89467119f5d69c7760ca3bcc33c2d4b6ea95df3ff
-
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\[email protected]\install.rdf
Filesize 590B
MD5 bcb67fbb2e716a2c01c2bcd676e507b3
SHA1 3ddbca7281870a8f6914083206d50ea4922c5ab9
SHA256 1eb8d1e88a19f5c5e82673a0567ce804aae5c21f92dbac85aea3afc5b5922017
SHA512 f4b4c451b3445f26b738bca986bb9319cf94b6547ffa7561975437eee03d3b2a15669080c7d8ff8bd1612d53a1317385135120b7e71d40fdc41277456dddc7c7
-
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\eyZ3BFw7Q6FJA1.dll
Filesize 747KB
MD5 075a34d90e4395f320b3266b2a6cc2c0
SHA1 c04c7386f13b45f5cc8424109d369e1e2427e5ec
SHA256 82550996793875d5d60d0479968dd63ff127ac705aca610110bc3f6ca127e8dc
SHA512 2618fb83c62bfd2ea6925d15417a86144d0133c1db3d6020b93ff6bac19adf47c1d31a10fcc31010e0fd6c2bd6f0a4537763715c57b74ad094ce8d6aedbf896a
-
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\eyZ3BFw7Q6FJA1.tlb
Filesize 3KB
MD5 80b66ebf00d9d7c1904175c81cf3b1e1
SHA1 25edfc73c30f45e1254ddec9bdc5854d0f5c3c1b
SHA256 5691ef6a5460131e8fbebeed40d4f0fb81ff49e25a08d45df2178bb8d486672a
SHA512 396db976a5a56df11be3f46e16908341b33be7b374c92674550a563885012c056b7213ab873745e98bf4681bf12882632260363c578105decda25a2d249fdb9d
-
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\eyZ3BFw7Q6FJA1.x64.dll
Filesize 881KB
MD5 8cb4c5980306da615fd3a3c0b7124d95
SHA1 04c3ab5e547e3644e8627f9a548a56c112792499
SHA256 ce12f2e485306ea9a8bd019ffd6a62d846259bac4ba0ec71d81b43ab32470d43
SHA512 1852f4cf028c72869f215a8efff6c7244e2c67cde1230eb633a0d700fce957774dade7a50fcd7b760f395b3e242a5701ab88496e5551f778d208bcf182e0bedf
-
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\opniknllhhkjihlgbmckndbkkfiadnkm\Uzza.js
Filesize 5KB
MD5 8b425e7a35254fabce3559de95ea2eb8
SHA1 021a20dd8c03ddd8a393db6d393c5c222a7a086f
SHA256 5fe9e1e6b2af8e93a5b3f891563f9aa5417760dd41ff594790b045d90914163a
SHA512 485b15bbcf609840084b905add0c414e10e2a6add20aa899bc430be833f35ee29a9ead3a630743726b1d5c15d96cc3bdb00eaf449bbc38830be9938f5531831a
-
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\opniknllhhkjihlgbmckndbkkfiadnkm\background.html
Filesize 141B
MD5 a3494987df14c69b37798d38cd5e3c35
SHA1 0c9f06fdcf6e9f2e5f781916b61b40b52dab2057
SHA256 f8c1cdc292a1af53be5c963eab2806eecbc243516b2cb97787128a7a2be4edaa
SHA512 2b6642293d6c7c077e6da2189a2423337f5ddb1ea1503a2ba7d540ebfc4886fddfc106369a0be710b9e9d6937b4adce65ae4abe45986c87435bccd1a85ca7190
-
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\opniknllhhkjihlgbmckndbkkfiadnkm\content.js
Filesize 144B
MD5 fca19198fd8af21016a8b1dec7980002
SHA1 fd01a47d14004e17a625efe66cc46a06c786cf40
SHA256 332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
SHA512 60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47
-
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\opniknllhhkjihlgbmckndbkkfiadnkm\lsdb.js
Filesize 531B
MD5 36d98318ab2b3b2585a30984db328afb
SHA1 f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
SHA256 ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
SHA512 6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a
-
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\opniknllhhkjihlgbmckndbkkfiadnkm\manifest.json
Filesize 498B
MD5 640199ea4621e34510de919f6a54436f
SHA1 dc65dbfad02bd2688030bd56ca1cab85917a9937
SHA256 e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af
SHA512 d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a
-
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\yAIoqWIm7dmPV6x.dat
Filesize 6KB
MD5 bf6c2a259c6656638320efe71e71ab17
SHA1 ebec888d55d64db8694d4fdb5fde63cac715f2c2
SHA256 437c362ddc38b3eba6f299a42acb572b558c9a96e9b364274198f68110c471a8
SHA512 eb6aa8671a05eea3a07dff548b498e29c262d1e7f7daee75706db6229536167019a8f3bd5c548960dd8e60ab86aa3226cfbca2c0a97ecbbd2508651c9acec5ef
-
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\yAIoqWIm7dmPV6x.exe
Filesize 787KB
MD5 7b2176326be202922b35e876bab7ff83
SHA1 e7e8a0feb3fd78413b5c6d636a72bd28254bcea8
SHA256 292a3ad5628c78a7956e3ff9e30e484453ca674ced5a37894415eef1055051c4
SHA512 369d238f1118fe730bb49e44058999e0afca237d722ac68e3272c8e9ad27e97c368c8380f7d0c35a233ad44341e4f368fdb8a385f9b82789c1266a9b0024dd69
-
\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.dll
Filesize 747KB
MD5 075a34d90e4395f320b3266b2a6cc2c0
SHA1 c04c7386f13b45f5cc8424109d369e1e2427e5ec
SHA256 82550996793875d5d60d0479968dd63ff127ac705aca610110bc3f6ca127e8dc
SHA512 2618fb83c62bfd2ea6925d15417a86144d0133c1db3d6020b93ff6bac19adf47c1d31a10fcc31010e0fd6c2bd6f0a4537763715c57b74ad094ce8d6aedbf896a
-
\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.x64.dll
Filesize 881KB
MD5 8cb4c5980306da615fd3a3c0b7124d95
SHA1 04c3ab5e547e3644e8627f9a548a56c112792499
SHA256 ce12f2e485306ea9a8bd019ffd6a62d846259bac4ba0ec71d81b43ab32470d43
SHA512 1852f4cf028c72869f215a8efff6c7244e2c67cde1230eb633a0d700fce957774dade7a50fcd7b760f395b3e242a5701ab88496e5551f778d208bcf182e0bedf
-
\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\yAIoqWIm7dmPV6x.exe
Filesize 787KB
MD5 7b2176326be202922b35e876bab7ff83
SHA1 e7e8a0feb3fd78413b5c6d636a72bd28254bcea8
SHA256 292a3ad5628c78a7956e3ff9e30e484453ca674ced5a37894415eef1055051c4
SHA512 369d238f1118fe730bb49e44058999e0afca237d722ac68e3272c8e9ad27e97c368c8380f7d0c35a233ad44341e4f368fdb8a385f9b82789c1266a9b0024dd69
-
memory/976-78-0x000007FEFB5C1000-0x000007FEFB5C3000-memory.dmp
Filesize 8KB
-
memory/976-77-0x0000000000000000-mapping.dmp
-
memory/1640-73-0x0000000000000000-mapping.dmp
-
memory/1880-56-0x0000000000000000-mapping.dmp
-
memory/1884-54-0x0000000075571000-0x0000000075573000-memory.dmp
Filesize 8KB
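Two things in the Downloads listing are easy to miss when read by eye: several entries repeat (the same path and digests listed more than once), and the staging copies under Temp\7zSBB5.tmp (the directory a 7-Zip self-extractor unpacks into) carry the same SHA256 as the copies later written under C:\Program Files (x86)\GoSave, in one case under a different file name (yAIoqWIm7dmPV6x.dat becomes eyZ3BFw7Q6FJA1.dat). The Python below is an added example, not the sandbox's code: it parses a listing in this page's layout into records, rejects digests whose length does not match the algorithm (a sign of extraction truncation), collapses repeated listings by SHA256 and pairs each staged copy with its installed copy. SAMPLE_LISTING is a constructed four-entry excerpt of the listing above; one entry is written with spaces between label and value to show the parser accepts both the glued and the separated layout.

```python
"""Parse a sandbox "Downloads" listing, validate digest lengths, and link
staged copies (7-Zip SFX temp dir) to installed copies by SHA256.

Added example for this report, not the sandbox's own code. SAMPLE_LISTING is
a constructed excerpt of the listing above (values copied from it; the
spaced layout of the second entry is constructed).
"""
import re
from collections import defaultdict

SAMPLE_LISTING = r"""
C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.x64.dllFilesize
881KB
MD58cb4c5980306da615fd3a3c0b7124d95
SHA104c3ab5e547e3644e8627f9a548a56c112792499
SHA256ce12f2e485306ea9a8bd019ffd6a62d846259bac4ba0ec71d81b43ab32470d43
SHA5121852f4cf028c72869f215a8efff6c7244e2c67cde1230eb633a0d700fce957774dade7a50fcd7b760f395b3e242a5701ab88496e5551f778d208bcf182e0bedf
-
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\eyZ3BFw7Q6FJA1.x64.dll Filesize
881KB
MD5 8cb4c5980306da615fd3a3c0b7124d95
SHA1 04c3ab5e547e3644e8627f9a548a56c112792499
SHA256 ce12f2e485306ea9a8bd019ffd6a62d846259bac4ba0ec71d81b43ab32470d43
SHA512 1852f4cf028c72869f215a8efff6c7244e2c67cde1230eb633a0d700fce957774dade7a50fcd7b760f395b3e242a5701ab88496e5551f778d208bcf182e0bedf
-
C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.datFilesize
6KB
MD5bf6c2a259c6656638320efe71e71ab17
SHA1ebec888d55d64db8694d4fdb5fde63cac715f2c2
SHA256437c362ddc38b3eba6f299a42acb572b558c9a96e9b364274198f68110c471a8
SHA512eb6aa8671a05eea3a07dff548b498e29c262d1e7f7daee75706db6229536167019a8f3bd5c548960dd8e60ab86aa3226cfbca2c0a97ecbbd2508651c9acec5ef
-
C:\Users\Admin\AppData\Local\Temp\7zSBB5.tmp\yAIoqWIm7dmPV6x.datFilesize
6KB
MD5bf6c2a259c6656638320efe71e71ab17
SHA1ebec888d55d64db8694d4fdb5fde63cac715f2c2
SHA256437c362ddc38b3eba6f299a42acb572b558c9a96e9b364274198f68110c471a8
SHA512eb6aa8671a05eea3a07dff548b498e29c262d1e7f7daee75706db6229536167019a8f3bd5c548960dd8e60ab86aa3226cfbca2c0a97ecbbd2508651c9acec5ef
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^(?P<path>.+?)\s*Filesize$")
# Longest label first so "SHA256<hex>" is not read as SHA1 + "256<hex>".
DIGEST_RE = re.compile(r"^(?P<algo>SHA512|SHA256|SHA1|MD5)\s*(?P<hex>[0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^\d+(?:\.\d+)?\s*[KMG]?B$")
# 7-Zip self-extractors unpack into %TEMP%\7zS<hex>.tmp before running the payload.
STAGING_RE = re.compile(r"\\Temp\\7zS[0-9A-Fa-f]+\.tmp\\")


def parse_listing(text):
    """One dict per entry: path, size, md5, sha1, sha256, sha512."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PATH_RE.match(line)
        if m:
            cur = {"path": m.group("path")}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = DIGEST_RE.match(line)
        if m:
            algo, hexval = m.group("algo"), m.group("hex").lower()
            if len(hexval) != DIGEST_LEN[algo]:
                # Wrong length means the page truncated or garbled the digest.
                raise ValueError(f"{algo} for {cur['path']}: {len(hexval)} hex chars")
            cur[algo.lower()] = hexval
        elif SIZE_RE.match(line):
            cur["size"] = line
    return records


def group_by_sha256(records):
    """SHA256 -> sorted unique paths; repeated listings collapse here."""
    groups = defaultdict(set)
    for r in records:
        if r.get("sha256"):
            groups[r["sha256"]].add(r["path"])
    return {h: sorted(p) for h, p in groups.items()}


def staged_to_installed(groups):
    """(sha256, staged path, installed path) for every digest seen both inside
    a 7zS*.tmp staging directory and elsewhere, even under another name."""
    pairs = []
    for h, paths in groups.items():
        staged = [p for p in paths if STAGING_RE.search(p)]
        installed = [p for p in paths if not STAGING_RE.search(p)]
        pairs.extend((h, s, i) for s in staged for i in installed)
    return pairs


if __name__ == "__main__":
    for h, s, i in staged_to_installed(group_by_sha256(parse_listing(SAMPLE_LISTING))):
        print(h[:12], s, "->", i)
```

Feeding the full listing above through parse_listing() gives the complete staged-to-installed map for the installer, which is the list of hashes worth blocking: the Program Files copies are what persists, while the 7zSBB5.tmp directory is gone once the installer exits.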