9094f8e18f5e248b3fc2221af1f99eba1c32e5951a7c413e8dc4c1be5f5b00d4

Analysis

max time kernel
42s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9094f8e18f5e248b3fc2221af1f99eba1c32e5951a7c413e8dc4c1be5f5b00d4.exe
Size

2.1MB
MD5

d65241da727659af26d7b7ceb3ed8d9b
SHA1

3c3cdadf4a19973cf20c951373e8d98c51100e70
SHA256

9094f8e18f5e248b3fc2221af1f99eba1c32e5951a7c413e8dc4c1be5f5b00d4
SHA512

f728f7cbdb00b9e6f0ab3a7cca67a9f37bfb2fc1f7b2b36be02a626fc3692189cab37cdd964fbcc5fef4d34aa7e4ed3813d7b16cd60d842e80a5a8d82812f18a
SSDEEP

49152:h1OshM1Yt+xHzi4+FWFR6Yya1w6pFiPgXytcg:h1OwM0Gi4hR6YyECr

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2004	Uoy9fGavWGsnMwf.exe

Loads dropped DLL 4 IoCs

pid	Process
316	9094f8e18f5e248b3fc2221af1f99eba1c32e5951a7c413e8dc4c1be5f5b00d4.exe
2004	Uoy9fGavWGsnMwf.exe
976	regsvr32.exe
892	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lindbakbgibdafjofkflklkacfgepgbd\2.0\manifest.json	Uoy9fGavWGsnMwf.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lindbakbgibdafjofkflklkacfgepgbd\2.0\manifest.json	Uoy9fGavWGsnMwf.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lindbakbgibdafjofkflklkacfgepgbd\2.0\manifest.json	Uoy9fGavWGsnMwf.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	Uoy9fGavWGsnMwf.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	Uoy9fGavWGsnMwf.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	Uoy9fGavWGsnMwf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	Uoy9fGavWGsnMwf.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	Uoy9fGavWGsnMwf.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoSaeve\eglh0maKVCuk8h.x64.dll	Uoy9fGavWGsnMwf.exe
File opened for modification	C:\Program Files (x86)\GoSaeve\eglh0maKVCuk8h.x64.dll	Uoy9fGavWGsnMwf.exe
File created	C:\Program Files (x86)\GoSaeve\eglh0maKVCuk8h.dll	Uoy9fGavWGsnMwf.exe
File opened for modification	C:\Program Files (x86)\GoSaeve\eglh0maKVCuk8h.dll	Uoy9fGavWGsnMwf.exe
File created	C:\Program Files (x86)\GoSaeve\eglh0maKVCuk8h.tlb	Uoy9fGavWGsnMwf.exe
File opened for modification	C:\Program Files (x86)\GoSaeve\eglh0maKVCuk8h.tlb	Uoy9fGavWGsnMwf.exe
File created	C:\Program Files (x86)\GoSaeve\eglh0maKVCuk8h.dat	Uoy9fGavWGsnMwf.exe
File opened for modification	C:\Program Files (x86)\GoSaeve\eglh0maKVCuk8h.dat	Uoy9fGavWGsnMwf.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 2004	316	9094f8e18f5e248b3fc2221af1f99eba1c32e5951a7c413e8dc4c1be5f5b00d4.exe	27
PID 316 wrote to memory of 2004	316	9094f8e18f5e248b3fc2221af1f99eba1c32e5951a7c413e8dc4c1be5f5b00d4.exe	27
PID 316 wrote to memory of 2004	316	9094f8e18f5e248b3fc2221af1f99eba1c32e5951a7c413e8dc4c1be5f5b00d4.exe	27
PID 316 wrote to memory of 2004	316	9094f8e18f5e248b3fc2221af1f99eba1c32e5951a7c413e8dc4c1be5f5b00d4.exe	27
PID 2004 wrote to memory of 976	2004	Uoy9fGavWGsnMwf.exe	28
PID 2004 wrote to memory of 976	2004	Uoy9fGavWGsnMwf.exe	28
PID 2004 wrote to memory of 976	2004	Uoy9fGavWGsnMwf.exe	28
PID 2004 wrote to memory of 976	2004	Uoy9fGavWGsnMwf.exe	28
PID 2004 wrote to memory of 976	2004	Uoy9fGavWGsnMwf.exe	28
PID 2004 wrote to memory of 976	2004	Uoy9fGavWGsnMwf.exe	28
PID 2004 wrote to memory of 976	2004	Uoy9fGavWGsnMwf.exe	28
PID 976 wrote to memory of 892	976	regsvr32.exe	29
PID 976 wrote to memory of 892	976	regsvr32.exe	29
PID 976 wrote to memory of 892	976	regsvr32.exe	29
PID 976 wrote to memory of 892	976	regsvr32.exe	29
PID 976 wrote to memory of 892	976	regsvr32.exe	29
PID 976 wrote to memory of 892	976	regsvr32.exe	29
PID 976 wrote to memory of 892	976	regsvr32.exe	29

C:\Users\Admin\AppData\Local\Temp\9094f8e18f5e248b3fc2221af1f99eba1c32e5951a7c413e8dc4c1be5f5b00d4.exe
"C:\Users\Admin\AppData\Local\Temp\9094f8e18f5e248b3fc2221af1f99eba1c32e5951a7c413e8dc4c1be5f5b00d4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\7zSB55C.tmp\Uoy9fGavWGsnMwf.exe
  .\Uoy9fGavWGsnMwf.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSaeve\eglh0maKVCuk8h.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSaeve\eglh0maKVCuk8h.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSaeve\eglh0maKVCuk8h.dat

Filesize
6KB

MD5
9cf0a31a17467d5523ecb04137b741e2

SHA1
d015b16760005224afa6b7dbb00ec51f387ccaff

SHA256
f6d55b3914565d421cb76b5763eee8342c0a24e1cff79dfcf8c9720129b0b9ec

SHA512
0640d6a8ce8c473a9b249e3933327f2abf3b223691ebaf18f581463c7f6f2bbccf7b68664f0073ac6cb303d2498ee4c3fb8d8378f9478d5a0cc7018edcbc510f

Download Submit
C:\Program Files (x86)\GoSaeve\eglh0maKVCuk8h.x64.dll

Filesize
700KB

MD5
bfe7bf1dd7ace967828fad8f352e9edb

SHA1
c4d6e3c40d3e644674a9899c36d3784e1b1f2ce2

SHA256
6854fe28d04356e7801d8b029555da29a7ec469bd0b7c76362aa1eb1343f620f

SHA512
1edcfbe8b5073f40b552f3a574c0850eeaff23ea002c062be654efd45da0ea304f4e604e15c45861aaf6ee27690203d97221a1b8f9bd804b3487809759735af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB55C.tmp\Uoy9fGavWGsnMwf.dat

Filesize
6KB

MD5
9cf0a31a17467d5523ecb04137b741e2

SHA1
d015b16760005224afa6b7dbb00ec51f387ccaff

SHA256
f6d55b3914565d421cb76b5763eee8342c0a24e1cff79dfcf8c9720129b0b9ec

SHA512
0640d6a8ce8c473a9b249e3933327f2abf3b223691ebaf18f581463c7f6f2bbccf7b68664f0073ac6cb303d2498ee4c3fb8d8378f9478d5a0cc7018edcbc510f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB55C.tmp\Uoy9fGavWGsnMwf.exe

Filesize
624KB

MD5
5caa15936df767f3ba4a54555410d11d

SHA1
83a51cb84d2aa60828bbe67a850f59eb1b693ee1

SHA256
7bc04a35230622c37608558212118e825b6fd48b6b06dc15ee741f968e038575

SHA512
9a49967358acfef10379f034c21bb6c1e867a941709ac9d5b06336dc45e983cd986ae212cdd1e954983d061e9f9f685e3be004d38b6d9698574f7b2d5a3ec36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB55C.tmp\Uoy9fGavWGsnMwf.exe

Filesize
624KB

MD5
5caa15936df767f3ba4a54555410d11d

SHA1
83a51cb84d2aa60828bbe67a850f59eb1b693ee1

SHA256
7bc04a35230622c37608558212118e825b6fd48b6b06dc15ee741f968e038575

SHA512
9a49967358acfef10379f034c21bb6c1e867a941709ac9d5b06336dc45e983cd986ae212cdd1e954983d061e9f9f685e3be004d38b6d9698574f7b2d5a3ec36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB55C.tmp\eglh0maKVCuk8h.dll

Filesize
619KB

MD5
08f3c211645ea5de102b68fbf7fb5121

SHA1
0a7c2296ec7ff7e96f210bed841a82a57680773c

SHA256
2d04a368b2f165270b48eecbec70d3e5bb87a8ccd48637fe98f1a045ab128044

SHA512
2ebd09a2c7e10e89afcc338da82a2f2b2d037cc19b48704e21a35f066890bebe29f2e6fa75b73680d0d4ab5bdb6ac74d5f284f404a70b19291905aab05d3742e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB55C.tmp\eglh0maKVCuk8h.tlb

Filesize
3KB

MD5
0355691345e60ea18830cfe16d2ddfa9

SHA1
0c04a6b84cb89253c51c59114667cb96e57af939

SHA256
4e2e03506ef3ab3d2e87b80a39a051ba0971daa68663fb890059dc7b04f70cc6

SHA512
7ac9cfbd9f3b9c53ffa0e1a18fc9607167f22ec2e0fe74d03e0d1f53d181d708435c2229b64d4383060d71dabb589ac864a68d3f222089d16d0105a8efb4909c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB55C.tmp\eglh0maKVCuk8h.x64.dll

Filesize
700KB

MD5
bfe7bf1dd7ace967828fad8f352e9edb

SHA1
c4d6e3c40d3e644674a9899c36d3784e1b1f2ce2

SHA256
6854fe28d04356e7801d8b029555da29a7ec469bd0b7c76362aa1eb1343f620f

SHA512
1edcfbe8b5073f40b552f3a574c0850eeaff23ea002c062be654efd45da0ea304f4e604e15c45861aaf6ee27690203d97221a1b8f9bd804b3487809759735af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB55C.tmp\lindbakbgibdafjofkflklkacfgepgbd\CFUrpHBS9Q.js

Filesize
5KB

MD5
0cfc3249dcc2e74ab01ae5bdcb382720

SHA1
9e251c02fdd5dfdb6c60ef9b72dd8fd3237904a0

SHA256
f8da35808c235ecbb910f9191876b3424b90983dcdee3e9702af4f262153ca83

SHA512
8a52034f9fd39a4c8d9d033e417b9131d802b1d127c6e15b8da661975791dcaf8690ea34dc532cada16bcf9814b651312b55f67f0d897427717b9591d947b41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB55C.tmp\lindbakbgibdafjofkflklkacfgepgbd\background.html

Filesize
147B

MD5
bdb7ab36bb8da6587c262000a74c3257

SHA1
a50412d093ba852674bcef4c644757cbab2d807a

SHA256
7505b7aee6d2d32f8bdcdab8433bb61c2de73198ada893fddc6b72e7037ed988

SHA512
1b051eb4250eae75b46f78708d2fe15327ea5b0b33307a5cfb3889e8d78b78b7b4227b3ad88b3a1a7f50074873786258b574a169ab66a92aaf2cb438ac1aead4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB55C.tmp\lindbakbgibdafjofkflklkacfgepgbd\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB55C.tmp\lindbakbgibdafjofkflklkacfgepgbd\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB55C.tmp\lindbakbgibdafjofkflklkacfgepgbd\manifest.json

Filesize
499B

MD5
e2f60f27c8e77e5333144ee8f1c2391f

SHA1
8842255ea8fef0482f3d96ff8f74ca0cd5703faf

SHA256
c97e2855932cd5175fbba70e891d4d34bc9664aaf2d1d215119f48bc532f4ded

SHA512
4fd78c2395ed234f0530bb236cf194891d0bd974efeaea2171c6ef04640d7c819302d9d2a738855472adc5bb9e15f8195e723ff2a2ef048bc354fe1433756d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB55C.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB55C.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
3dfce8491634543857b1d7993bf1e036

SHA1
8de24841cff5df88ef56284ac860f49a168373bf

SHA256
206f8283d68280a0fa678a11bc7747be827673af15d366123ae5028cc9834127

SHA512
d238d9b6189e5972cec64079f3a0b0ef4fbcc62561e35f8e463bdbc29d2fec33a4aa1052887e297457ece70709afb9946b8d37f5b42ad51b2939d5d111e08e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB55C.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
4bd037c9358359fb58b23f0816d7b7cf

SHA1
ecc3a940ee032941bfb918cdcc7ca6198cb8b3a5

SHA256
1528861abe009956f93d63051c31b5c8a138f72bcc5e167812f7156b8c027742

SHA512
6df580f8954fd7989ed461e139f9bcaa9a5d2164652b882d329f4b9d7faae5b3ca687664003967d766a0d2851da168d3a07cdc8dad0dc225d97ec611e8db222f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB55C.tmp\[email protected]\install.rdf

Filesize
595B

MD5
98b4335befa95c93c25e51ddec5489d9

SHA1
06cf1ae8c555d4bb9f9bb2dd2b608a43e138379b

SHA256
8c27ec57e433df985f9c57531ea298c0eb5331f4b3de84eeec893c670429960a

SHA512
f261bd272cef05e2efb0acc99c707c4ced94db3d4dd554e6ca00e6dd59ab483ed08a3fa3dba36e2dc605d125674c7140f29c05d118be49a595c313a9d4125e97

Download Submit
\Program Files (x86)\GoSaeve\eglh0maKVCuk8h.dll

Filesize
619KB

MD5
08f3c211645ea5de102b68fbf7fb5121

SHA1
0a7c2296ec7ff7e96f210bed841a82a57680773c

SHA256
2d04a368b2f165270b48eecbec70d3e5bb87a8ccd48637fe98f1a045ab128044

SHA512
2ebd09a2c7e10e89afcc338da82a2f2b2d037cc19b48704e21a35f066890bebe29f2e6fa75b73680d0d4ab5bdb6ac74d5f284f404a70b19291905aab05d3742e

Download Submit
\Program Files (x86)\GoSaeve\eglh0maKVCuk8h.x64.dll

Filesize
700KB

MD5
bfe7bf1dd7ace967828fad8f352e9edb

SHA1
c4d6e3c40d3e644674a9899c36d3784e1b1f2ce2

SHA256
6854fe28d04356e7801d8b029555da29a7ec469bd0b7c76362aa1eb1343f620f

SHA512
1edcfbe8b5073f40b552f3a574c0850eeaff23ea002c062be654efd45da0ea304f4e604e15c45861aaf6ee27690203d97221a1b8f9bd804b3487809759735af2

Download Submit
\Program Files (x86)\GoSaeve\eglh0maKVCuk8h.x64.dll

Filesize
700KB

MD5
bfe7bf1dd7ace967828fad8f352e9edb

SHA1
c4d6e3c40d3e644674a9899c36d3784e1b1f2ce2

SHA256
6854fe28d04356e7801d8b029555da29a7ec469bd0b7c76362aa1eb1343f620f

SHA512
1edcfbe8b5073f40b552f3a574c0850eeaff23ea002c062be654efd45da0ea304f4e604e15c45861aaf6ee27690203d97221a1b8f9bd804b3487809759735af2

Download Submit
\Users\Admin\AppData\Local\Temp\7zSB55C.tmp\Uoy9fGavWGsnMwf.exe

Filesize
624KB

MD5
5caa15936df767f3ba4a54555410d11d

SHA1
83a51cb84d2aa60828bbe67a850f59eb1b693ee1

SHA256
7bc04a35230622c37608558212118e825b6fd48b6b06dc15ee741f968e038575

SHA512
9a49967358acfef10379f034c21bb6c1e867a941709ac9d5b06336dc45e983cd986ae212cdd1e954983d061e9f9f685e3be004d38b6d9698574f7b2d5a3ec36e

Download Submit
memory/316-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/892-78-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download