a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202

Analysis

max time kernel
133s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202.exe
Size

2.5MB
MD5

2c71957fc6b05cd2d03930266bce51ef
SHA1

5132a354211a3a36469d597abc4558c3b875a0a2
SHA256

a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202
SHA512

95d19587ed68a07bc525a89a9825c8cade6aa9a34ec9f1b598607cfae3b758294f2c58958ab6524f4028adacf71e082631e0d3d1e3114dd4152f52ca10a8bed7
SSDEEP

49152:h1Os+IPtchP5IawtcvlV3COH8qA0OOMC1gqEaejGfrT3:h1OnIPtrkvlBCOHgBCX

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

yAIoqWIm7dmPV6x.exe

pid process

2036 yAIoqWIm7dmPV6x.exe
Loads dropped DLL 3 IoCs

Processes:

yAIoqWIm7dmPV6x.exeregsvr32.exeregsvr32.exe

pid process

2036 yAIoqWIm7dmPV6x.exe
4876 regsvr32.exe
1388 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2036	yAIoqWIm7dmPV6x.exe

pid	process
2036	yAIoqWIm7dmPV6x.exe
4876	regsvr32.exe
1388	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

yAIoqWIm7dmPV6x.exe

description	ioc	process
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\opniknllhhkjihlgbmckndbkkfiadnkm\2.0\manifest.json	yAIoqWIm7dmPV6x.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\opniknllhhkjihlgbmckndbkkfiadnkm\2.0\manifest.json	yAIoqWIm7dmPV6x.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\opniknllhhkjihlgbmckndbkkfiadnkm\2.0\manifest.json	yAIoqWIm7dmPV6x.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\opniknllhhkjihlgbmckndbkkfiadnkm\2.0\manifest.json	yAIoqWIm7dmPV6x.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\opniknllhhkjihlgbmckndbkkfiadnkm\2.0\manifest.json	yAIoqWIm7dmPV6x.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exeyAIoqWIm7dmPV6x.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	yAIoqWIm7dmPV6x.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	yAIoqWIm7dmPV6x.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	yAIoqWIm7dmPV6x.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	yAIoqWIm7dmPV6x.exe

Drops file in Program Files directory 8 IoCs

Processes:

yAIoqWIm7dmPV6x.exe

description	ioc	process
File created	C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.dat	yAIoqWIm7dmPV6x.exe
File opened for modification	C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.dat	yAIoqWIm7dmPV6x.exe
File created	C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.x64.dll	yAIoqWIm7dmPV6x.exe
File opened for modification	C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.x64.dll	yAIoqWIm7dmPV6x.exe
File created	C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.dll	yAIoqWIm7dmPV6x.exe
File opened for modification	C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.dll	yAIoqWIm7dmPV6x.exe
File created	C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.tlb	yAIoqWIm7dmPV6x.exe
File opened for modification	C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.tlb	yAIoqWIm7dmPV6x.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

yAIoqWIm7dmPV6x.exe

pid process

2036 yAIoqWIm7dmPV6x.exe
2036 yAIoqWIm7dmPV6x.exe

pid	process
2036	yAIoqWIm7dmPV6x.exe
2036	yAIoqWIm7dmPV6x.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202.exeyAIoqWIm7dmPV6x.exeregsvr32.exe

description	pid	process	target process
PID 5004 wrote to memory of 2036	5004	a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202.exe	yAIoqWIm7dmPV6x.exe
PID 5004 wrote to memory of 2036	5004	a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202.exe	yAIoqWIm7dmPV6x.exe
PID 5004 wrote to memory of 2036	5004	a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202.exe	yAIoqWIm7dmPV6x.exe
PID 2036 wrote to memory of 4876	2036	yAIoqWIm7dmPV6x.exe	regsvr32.exe
PID 2036 wrote to memory of 4876	2036	yAIoqWIm7dmPV6x.exe	regsvr32.exe
PID 2036 wrote to memory of 4876	2036	yAIoqWIm7dmPV6x.exe	regsvr32.exe
PID 4876 wrote to memory of 1388	4876	regsvr32.exe	regsvr32.exe
PID 4876 wrote to memory of 1388	4876	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202.exe
"C:\Users\Admin\AppData\Local\Temp\a8a2030db36d852ddb209434ef5491d3419a8d6e7cd7e459b8db4b6175430202.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Users\Admin\AppData\Local\Temp\7zS689D.tmp\yAIoqWIm7dmPV6x.exe
.\yAIoqWIm7dmPV6x.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:1388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.dat
Filesize
6KB

MD5
bf6c2a259c6656638320efe71e71ab17

SHA1
ebec888d55d64db8694d4fdb5fde63cac715f2c2

SHA256
437c362ddc38b3eba6f299a42acb572b558c9a96e9b364274198f68110c471a8

SHA512
eb6aa8671a05eea3a07dff548b498e29c262d1e7f7daee75706db6229536167019a8f3bd5c548960dd8e60ab86aa3226cfbca2c0a97ecbbd2508651c9acec5ef

Download Submit
C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.dll
Filesize
747KB

MD5
075a34d90e4395f320b3266b2a6cc2c0

SHA1
c04c7386f13b45f5cc8424109d369e1e2427e5ec

SHA256
82550996793875d5d60d0479968dd63ff127ac705aca610110bc3f6ca127e8dc

SHA512
2618fb83c62bfd2ea6925d15417a86144d0133c1db3d6020b93ff6bac19adf47c1d31a10fcc31010e0fd6c2bd6f0a4537763715c57b74ad094ce8d6aedbf896a

Download Submit
C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.x64.dll
Filesize
881KB

MD5
8cb4c5980306da615fd3a3c0b7124d95

SHA1
04c3ab5e547e3644e8627f9a548a56c112792499

SHA256
ce12f2e485306ea9a8bd019ffd6a62d846259bac4ba0ec71d81b43ab32470d43

SHA512
1852f4cf028c72869f215a8efff6c7244e2c67cde1230eb633a0d700fce957774dade7a50fcd7b760f395b3e242a5701ab88496e5551f778d208bcf182e0bedf

Download Submit
C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.x64.dll
Filesize
881KB

MD5
8cb4c5980306da615fd3a3c0b7124d95

SHA1
04c3ab5e547e3644e8627f9a548a56c112792499

SHA256
ce12f2e485306ea9a8bd019ffd6a62d846259bac4ba0ec71d81b43ab32470d43

SHA512
1852f4cf028c72869f215a8efff6c7244e2c67cde1230eb633a0d700fce957774dade7a50fcd7b760f395b3e242a5701ab88496e5551f778d208bcf182e0bedf

Download Submit
C:\Program Files (x86)\GoSave\eyZ3BFw7Q6FJA1.x64.dll
Filesize
881KB

MD5
8cb4c5980306da615fd3a3c0b7124d95

SHA1
04c3ab5e547e3644e8627f9a548a56c112792499

SHA256
ce12f2e485306ea9a8bd019ffd6a62d846259bac4ba0ec71d81b43ab32470d43

SHA512
1852f4cf028c72869f215a8efff6c7244e2c67cde1230eb633a0d700fce957774dade7a50fcd7b760f395b3e242a5701ab88496e5551f778d208bcf182e0bedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS689D.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS689D.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
4706b8eecf5ebf13aae2c383983ebcf2

SHA1
9b0aad6b2ad4777b92ccf58ceb24bd909ee7a611

SHA256
9e74f1ea8e80e6e9e94074d836c650bb05b98c7a4ab27154d8580e23e22d2b13

SHA512
27985da079ee10979de57500a3f08d309bc4d3378576ac3594b2273ab5000e5277559141fa0121fe4418c6bf0d12d0d098da8734a74497647960b452eacfe363

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS689D.tmp\[email protected]\content\bg.js
Filesize
7KB

MD5
1e1bac133abfb4037df79e45a7b1b1aa

SHA1
cb5800bdb50a4d6231a466dd82e9e795855f20dc

SHA256
39adca7c83b09f0ca616dc9233ff1fc9afd094741875342015069e9849b80ff5

SHA512
dac00c311d9bb452467d8e49df3303b3f69c5701a64a754576bd97d93b0e076a741d1421bb1499bf6ce0e5e89467119f5d69c7760ca3bcc33c2d4b6ea95df3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS689D.tmp\[email protected]\install.rdf
Filesize
590B

MD5
bcb67fbb2e716a2c01c2bcd676e507b3

SHA1
3ddbca7281870a8f6914083206d50ea4922c5ab9

SHA256
1eb8d1e88a19f5c5e82673a0567ce804aae5c21f92dbac85aea3afc5b5922017

SHA512
f4b4c451b3445f26b738bca986bb9319cf94b6547ffa7561975437eee03d3b2a15669080c7d8ff8bd1612d53a1317385135120b7e71d40fdc41277456dddc7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS689D.tmp\eyZ3BFw7Q6FJA1.dll
Filesize
747KB

MD5
075a34d90e4395f320b3266b2a6cc2c0

SHA1
c04c7386f13b45f5cc8424109d369e1e2427e5ec

SHA256
82550996793875d5d60d0479968dd63ff127ac705aca610110bc3f6ca127e8dc

SHA512
2618fb83c62bfd2ea6925d15417a86144d0133c1db3d6020b93ff6bac19adf47c1d31a10fcc31010e0fd6c2bd6f0a4537763715c57b74ad094ce8d6aedbf896a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS689D.tmp\eyZ3BFw7Q6FJA1.tlb
Filesize
3KB

MD5
80b66ebf00d9d7c1904175c81cf3b1e1

SHA1
25edfc73c30f45e1254ddec9bdc5854d0f5c3c1b

SHA256
5691ef6a5460131e8fbebeed40d4f0fb81ff49e25a08d45df2178bb8d486672a

SHA512
396db976a5a56df11be3f46e16908341b33be7b374c92674550a563885012c056b7213ab873745e98bf4681bf12882632260363c578105decda25a2d249fdb9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS689D.tmp\eyZ3BFw7Q6FJA1.x64.dll
Filesize
881KB

MD5
8cb4c5980306da615fd3a3c0b7124d95

SHA1
04c3ab5e547e3644e8627f9a548a56c112792499

SHA256
ce12f2e485306ea9a8bd019ffd6a62d846259bac4ba0ec71d81b43ab32470d43

SHA512
1852f4cf028c72869f215a8efff6c7244e2c67cde1230eb633a0d700fce957774dade7a50fcd7b760f395b3e242a5701ab88496e5551f778d208bcf182e0bedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS689D.tmp\opniknllhhkjihlgbmckndbkkfiadnkm\Uzza.js
Filesize
5KB

MD5
8b425e7a35254fabce3559de95ea2eb8

SHA1
021a20dd8c03ddd8a393db6d393c5c222a7a086f

SHA256
5fe9e1e6b2af8e93a5b3f891563f9aa5417760dd41ff594790b045d90914163a

SHA512
485b15bbcf609840084b905add0c414e10e2a6add20aa899bc430be833f35ee29a9ead3a630743726b1d5c15d96cc3bdb00eaf449bbc38830be9938f5531831a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS689D.tmp\opniknllhhkjihlgbmckndbkkfiadnkm\background.html
Filesize
141B

MD5
a3494987df14c69b37798d38cd5e3c35

SHA1
0c9f06fdcf6e9f2e5f781916b61b40b52dab2057

SHA256
f8c1cdc292a1af53be5c963eab2806eecbc243516b2cb97787128a7a2be4edaa

SHA512
2b6642293d6c7c077e6da2189a2423337f5ddb1ea1503a2ba7d540ebfc4886fddfc106369a0be710b9e9d6937b4adce65ae4abe45986c87435bccd1a85ca7190

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS689D.tmp\opniknllhhkjihlgbmckndbkkfiadnkm\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS689D.tmp\opniknllhhkjihlgbmckndbkkfiadnkm\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS689D.tmp\opniknllhhkjihlgbmckndbkkfiadnkm\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS689D.tmp\yAIoqWIm7dmPV6x.dat
Filesize
6KB

MD5
bf6c2a259c6656638320efe71e71ab17

SHA1
ebec888d55d64db8694d4fdb5fde63cac715f2c2

SHA256
437c362ddc38b3eba6f299a42acb572b558c9a96e9b364274198f68110c471a8

SHA512
eb6aa8671a05eea3a07dff548b498e29c262d1e7f7daee75706db6229536167019a8f3bd5c548960dd8e60ab86aa3226cfbca2c0a97ecbbd2508651c9acec5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS689D.tmp\yAIoqWIm7dmPV6x.exe
Filesize
787KB

MD5
7b2176326be202922b35e876bab7ff83

SHA1
e7e8a0feb3fd78413b5c6d636a72bd28254bcea8

SHA256
292a3ad5628c78a7956e3ff9e30e484453ca674ced5a37894415eef1055051c4

SHA512
369d238f1118fe730bb49e44058999e0afca237d722ac68e3272c8e9ad27e97c368c8380f7d0c35a233ad44341e4f368fdb8a385f9b82789c1266a9b0024dd69

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS689D.tmp\yAIoqWIm7dmPV6x.exe
Filesize
787KB

MD5
7b2176326be202922b35e876bab7ff83

SHA1
e7e8a0feb3fd78413b5c6d636a72bd28254bcea8

SHA256
292a3ad5628c78a7956e3ff9e30e484453ca674ced5a37894415eef1055051c4

SHA512
369d238f1118fe730bb49e44058999e0afca237d722ac68e3272c8e9ad27e97c368c8380f7d0c35a233ad44341e4f368fdb8a385f9b82789c1266a9b0024dd69

Download Submit
memory/1388-152-0x0000000000000000-mapping.dmp

Download
memory/2036-132-0x0000000000000000-mapping.dmp

Download
memory/4876-149-0x0000000000000000-mapping.dmp

Download