51f2838ebb4a87c0ec4ec0e7edda195302b4f11b051c41a594f9d86f5ca2b3c6

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51f2838ebb4a87c0ec4ec0e7edda195302b4f11b051c41a594f9d86f5ca2b3c6.exe
Size

2.1MB
MD5

e0f812f90181e7b9539c0e349e28a67a
SHA1

f2d0a40ef9a442c0eb4ff380102280eadf248c5b
SHA256

51f2838ebb4a87c0ec4ec0e7edda195302b4f11b051c41a594f9d86f5ca2b3c6
SHA512

4d2a98f248e5ad51d503a51c8bab5d6e37d1adea850b418a01c5406f09ff8e2d499c2e592d51595e1d8098a8f9726f3c214439e60a0ee9816000b13a437ba51a
SSDEEP

49152:h1OsjN1QvnsfWdgwLk8L8i3kcwzSZn3Yejao/NK:h1OimdUvzWY+s

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1852	AnuapjEr2Ic0q8R.exe

Loads dropped DLL 4 IoCs

pid	Process
800	51f2838ebb4a87c0ec4ec0e7edda195302b4f11b051c41a594f9d86f5ca2b3c6.exe
1852	AnuapjEr2Ic0q8R.exe
1468	regsvr32.exe
1692	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejnjponcefmbmjbcggfilhneonncopol\2.0\manifest.json	AnuapjEr2Ic0q8R.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejnjponcefmbmjbcggfilhneonncopol\2.0\manifest.json	AnuapjEr2Ic0q8R.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejnjponcefmbmjbcggfilhneonncopol\2.0\manifest.json	AnuapjEr2Ic0q8R.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	AnuapjEr2Ic0q8R.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	AnuapjEr2Ic0q8R.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	AnuapjEr2Ic0q8R.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	AnuapjEr2Ic0q8R.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	AnuapjEr2Ic0q8R.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GoSave\ssMu5o858jycJq.x64.dll	AnuapjEr2Ic0q8R.exe
File created	C:\Program Files (x86)\GoSave\ssMu5o858jycJq.dll	AnuapjEr2Ic0q8R.exe
File opened for modification	C:\Program Files (x86)\GoSave\ssMu5o858jycJq.dll	AnuapjEr2Ic0q8R.exe
File created	C:\Program Files (x86)\GoSave\ssMu5o858jycJq.tlb	AnuapjEr2Ic0q8R.exe
File opened for modification	C:\Program Files (x86)\GoSave\ssMu5o858jycJq.tlb	AnuapjEr2Ic0q8R.exe
File created	C:\Program Files (x86)\GoSave\ssMu5o858jycJq.dat	AnuapjEr2Ic0q8R.exe
File opened for modification	C:\Program Files (x86)\GoSave\ssMu5o858jycJq.dat	AnuapjEr2Ic0q8R.exe
File created	C:\Program Files (x86)\GoSave\ssMu5o858jycJq.x64.dll	AnuapjEr2Ic0q8R.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 1852	800	51f2838ebb4a87c0ec4ec0e7edda195302b4f11b051c41a594f9d86f5ca2b3c6.exe	28
PID 800 wrote to memory of 1852	800	51f2838ebb4a87c0ec4ec0e7edda195302b4f11b051c41a594f9d86f5ca2b3c6.exe	28
PID 800 wrote to memory of 1852	800	51f2838ebb4a87c0ec4ec0e7edda195302b4f11b051c41a594f9d86f5ca2b3c6.exe	28
PID 800 wrote to memory of 1852	800	51f2838ebb4a87c0ec4ec0e7edda195302b4f11b051c41a594f9d86f5ca2b3c6.exe	28
PID 1852 wrote to memory of 1468	1852	AnuapjEr2Ic0q8R.exe	29
PID 1852 wrote to memory of 1468	1852	AnuapjEr2Ic0q8R.exe	29
PID 1852 wrote to memory of 1468	1852	AnuapjEr2Ic0q8R.exe	29
PID 1852 wrote to memory of 1468	1852	AnuapjEr2Ic0q8R.exe	29
PID 1852 wrote to memory of 1468	1852	AnuapjEr2Ic0q8R.exe	29
PID 1852 wrote to memory of 1468	1852	AnuapjEr2Ic0q8R.exe	29
PID 1852 wrote to memory of 1468	1852	AnuapjEr2Ic0q8R.exe	29
PID 1468 wrote to memory of 1692	1468	regsvr32.exe	30
PID 1468 wrote to memory of 1692	1468	regsvr32.exe	30
PID 1468 wrote to memory of 1692	1468	regsvr32.exe	30
PID 1468 wrote to memory of 1692	1468	regsvr32.exe	30
PID 1468 wrote to memory of 1692	1468	regsvr32.exe	30
PID 1468 wrote to memory of 1692	1468	regsvr32.exe	30
PID 1468 wrote to memory of 1692	1468	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\51f2838ebb4a87c0ec4ec0e7edda195302b4f11b051c41a594f9d86f5ca2b3c6.exe
"C:\Users\Admin\AppData\Local\Temp\51f2838ebb4a87c0ec4ec0e7edda195302b4f11b051c41a594f9d86f5ca2b3c6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\AppData\Local\Temp\7zSEEB3.tmp\AnuapjEr2Ic0q8R.exe
  .\AnuapjEr2Ic0q8R.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSave\ssMu5o858jycJq.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSave\ssMu5o858jycJq.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\ssMu5o858jycJq.dat

Filesize
6KB

MD5
a645514a622ffddeb586a8aba71ffaf3

SHA1
37fbef52ff0a0ca0398acf26e09bb59edeb3868d

SHA256
1a3d5877547f9416e4f5a5d7b86940c91e896d62238de635e0c78a6b61ebaddf

SHA512
1d22db61164d9e6b51f056509367a36fe27318813633e846cede7144d35d9d048b8526c00fba6b48710b504c140bb456cad218c4089ec35c65b74790c566d24a

Download Submit
C:\Program Files (x86)\GoSave\ssMu5o858jycJq.x64.dll

Filesize
700KB

MD5
b35c2a7e6779afd13fcad69a3f57b9ad

SHA1
e09c5388a4fd7de279d056f5370066c04daf9848

SHA256
069ab79f3da8642ffdb36f00d583f884bd3468d70cc831e1d2c00249a56bd0bd

SHA512
2223aec77363dfb708553259c78f934067e5fd9e890008018ba9ebad6e0a066ffe7142797c540a63476ec11f63f5c539ff2d88ae81e91a5f4a41e1f3d81ced06

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEEB3.tmp\AnuapjEr2Ic0q8R.dat

Filesize
6KB

MD5
a645514a622ffddeb586a8aba71ffaf3

SHA1
37fbef52ff0a0ca0398acf26e09bb59edeb3868d

SHA256
1a3d5877547f9416e4f5a5d7b86940c91e896d62238de635e0c78a6b61ebaddf

SHA512
1d22db61164d9e6b51f056509367a36fe27318813633e846cede7144d35d9d048b8526c00fba6b48710b504c140bb456cad218c4089ec35c65b74790c566d24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEEB3.tmp\AnuapjEr2Ic0q8R.exe

Filesize
634KB

MD5
f6a2b12337ba1c43c7c14bc853a8ef2e

SHA1
1a9bdf038523f1a5e1f8457f718d3759bd58bc91

SHA256
f4466dd466a71b75b0bcbb132ebebe0f26ace0be227fd79950eab4482259b58c

SHA512
499665d4ec2cbb785fec7de9232a87bbdbe764d05687b9da88e31b0b3f0b151d6c0b1de199281b497c8bcdaf81d47465166e18b0d2321af4c65491e0af6a2c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEEB3.tmp\AnuapjEr2Ic0q8R.exe

Filesize
634KB

MD5
f6a2b12337ba1c43c7c14bc853a8ef2e

SHA1
1a9bdf038523f1a5e1f8457f718d3759bd58bc91

SHA256
f4466dd466a71b75b0bcbb132ebebe0f26ace0be227fd79950eab4482259b58c

SHA512
499665d4ec2cbb785fec7de9232a87bbdbe764d05687b9da88e31b0b3f0b151d6c0b1de199281b497c8bcdaf81d47465166e18b0d2321af4c65491e0af6a2c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEEB3.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEEB3.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
6c918adeed1f53d9d754762cf0ce5e01

SHA1
fb8037b460622bf84f66df037c6a6039c781211c

SHA256
b3857016bbf76426f60fa8483d8bc7d59d3ca5effcb0c3a7493e8c8732741c68

SHA512
0c8ca8590e3fd9d86771d9d08428497b099e92eb66e0ac9a39b8b1ecc58478cfdeafc5c931cfbbb3a12cd1a48b96aed6ea9da39f22daee54bc8508dba436c01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEEB3.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
7878a9d6666339370da58dd2526dd1d6

SHA1
67aefbce5e77d510466dd0f32e8c5ec02c0a6365

SHA256
e5326cf366cb132c7c2612214ad4ff7872a29a94bfd80ebb0e056b38d16d54c4

SHA512
4e357c27c890de5081bb5e3ff03406ae5dee0db92dbc4de795798de9a13c836ac294fc82f288f69519fec6ff53498014e3a652f06881d9567ab437d8ad267b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEEB3.tmp\[email protected]\install.rdf

Filesize
590B

MD5
50df3717a4409ee9e1749fce04426daf

SHA1
6f0d6378e62c1d1ca08e700f0fd743261b496286

SHA256
434fbb72094e2e7636d52d47fcde11349db1d3c30e1cacf67fa6579998532ed1

SHA512
65a4e469c71a48a43e35a9d970ecc7a44d2eab11881aeeca1b6870ea31e0489fe74b53ffdfef239e2c49d2503ec912e3624bafe1a95cec7e7131de36db402a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEEB3.tmp\ejnjponcefmbmjbcggfilhneonncopol\TB9z5ylNm.js

Filesize
5KB

MD5
41d6348fd3469523fd8b311f41a827ab

SHA1
0e5213bd4779760e89d516a79cf24318f62ec387

SHA256
0813d2c32f9d952c660f79f5c14be523544d5176da51db140bdf64b5f919dc40

SHA512
f15c3050d642450afc225e708009d3ec688f422593d758a1ce9adb4dd3660958d58d072343841323c5f6bdd794dae5c232dfc5196c9ed67cf7a56e19de1cf8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEEB3.tmp\ejnjponcefmbmjbcggfilhneonncopol\background.html

Filesize
146B

MD5
88c99260eaf4aad1c0a5a53b574e9e08

SHA1
99e2ad3123173e87744c52aa6681b8229ca1cef4

SHA256
be9f81d24611b10ab97c58392949bffb550749cb3d3130d57f0399ed7dd22c61

SHA512
11983cefa19f74283a39e2941beebb49e88e9504ac9cd858e6cf9bff26a94903c672034013d069da6c913ffc210360d39ffeb6a2f3f76998adda9d8050da0088

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEEB3.tmp\ejnjponcefmbmjbcggfilhneonncopol\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEEB3.tmp\ejnjponcefmbmjbcggfilhneonncopol\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEEB3.tmp\ejnjponcefmbmjbcggfilhneonncopol\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEEB3.tmp\ssMu5o858jycJq.dll

Filesize
622KB

MD5
2dfff2c4ff19c44abf2bd235a75a4605

SHA1
e3d8eecb4acf261b70bb0ff231cccadeb18fba5b

SHA256
6626b98a94ef2ebbac3d6627dd05699fdba4c5840ba101ca2954e17581f3444d

SHA512
91c99b421953d7ba7e9d7c4bfa21fcc2440dbb5f00f27b709a0de3d7c4a60d2d6e3f94cb6462fd2ecc9596c06c933d6f54e7b7f64128e95282c4db9e325b45f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEEB3.tmp\ssMu5o858jycJq.tlb

Filesize
3KB

MD5
779b5c810c1a2b89eb45c75ff12c0e21

SHA1
00d185a97296c2545c6361edf6ace23bf38a096e

SHA256
0ce1c0a5d7ffbcb82406d20ea42989311ff9bcd993527270d983b533cd66765a

SHA512
0e33c14061c6a2ef3ac75c19283b4caecfc9dfaa5bf57da285ea7610988a14f194807df5d799a86a777caf87b9a3c9714b4528afb32b15cce914f672bb143441

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEEB3.tmp\ssMu5o858jycJq.x64.dll

Filesize
700KB

MD5
b35c2a7e6779afd13fcad69a3f57b9ad

SHA1
e09c5388a4fd7de279d056f5370066c04daf9848

SHA256
069ab79f3da8642ffdb36f00d583f884bd3468d70cc831e1d2c00249a56bd0bd

SHA512
2223aec77363dfb708553259c78f934067e5fd9e890008018ba9ebad6e0a066ffe7142797c540a63476ec11f63f5c539ff2d88ae81e91a5f4a41e1f3d81ced06

Download Submit
\Program Files (x86)\GoSave\ssMu5o858jycJq.dll

Filesize
622KB

MD5
2dfff2c4ff19c44abf2bd235a75a4605

SHA1
e3d8eecb4acf261b70bb0ff231cccadeb18fba5b

SHA256
6626b98a94ef2ebbac3d6627dd05699fdba4c5840ba101ca2954e17581f3444d

SHA512
91c99b421953d7ba7e9d7c4bfa21fcc2440dbb5f00f27b709a0de3d7c4a60d2d6e3f94cb6462fd2ecc9596c06c933d6f54e7b7f64128e95282c4db9e325b45f1

Download Submit
\Program Files (x86)\GoSave\ssMu5o858jycJq.x64.dll

Filesize
700KB

MD5
b35c2a7e6779afd13fcad69a3f57b9ad

SHA1
e09c5388a4fd7de279d056f5370066c04daf9848

SHA256
069ab79f3da8642ffdb36f00d583f884bd3468d70cc831e1d2c00249a56bd0bd

SHA512
2223aec77363dfb708553259c78f934067e5fd9e890008018ba9ebad6e0a066ffe7142797c540a63476ec11f63f5c539ff2d88ae81e91a5f4a41e1f3d81ced06

Download Submit
\Program Files (x86)\GoSave\ssMu5o858jycJq.x64.dll

Filesize
700KB

MD5
b35c2a7e6779afd13fcad69a3f57b9ad

SHA1
e09c5388a4fd7de279d056f5370066c04daf9848

SHA256
069ab79f3da8642ffdb36f00d583f884bd3468d70cc831e1d2c00249a56bd0bd

SHA512
2223aec77363dfb708553259c78f934067e5fd9e890008018ba9ebad6e0a066ffe7142797c540a63476ec11f63f5c539ff2d88ae81e91a5f4a41e1f3d81ced06

Download Submit
\Users\Admin\AppData\Local\Temp\7zSEEB3.tmp\AnuapjEr2Ic0q8R.exe

Filesize
634KB

MD5
f6a2b12337ba1c43c7c14bc853a8ef2e

SHA1
1a9bdf038523f1a5e1f8457f718d3759bd58bc91

SHA256
f4466dd466a71b75b0bcbb132ebebe0f26ace0be227fd79950eab4482259b58c

SHA512
499665d4ec2cbb785fec7de9232a87bbdbe764d05687b9da88e31b0b3f0b151d6c0b1de199281b497c8bcdaf81d47465166e18b0d2321af4c65491e0af6a2c1f

Download Submit
memory/800-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/1468-73-0x0000000000000000-mapping.dmp

Download
memory/1692-78-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp

Filesize
8KB

Download
memory/1692-77-0x0000000000000000-mapping.dmp

Download
memory/1852-56-0x0000000000000000-mapping.dmp

Download