63459b1f6f75e7cd2f9a1b482315bbe1d718e9f599531c7c8441c2ae342d9033

Analysis

max time kernel
46s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63459b1f6f75e7cd2f9a1b482315bbe1d718e9f599531c7c8441c2ae342d9033.exe
Size

2.1MB
MD5

3a49e14cdf808ecb35f228f077262fc0
SHA1

f33aa251cadacd7ece419296328528e7cd63c9fd
SHA256

63459b1f6f75e7cd2f9a1b482315bbe1d718e9f599531c7c8441c2ae342d9033
SHA512

b406387ff9ff528a2068a086711408cf09a5df9be9f1d5696567f8d95ebbf49fe56466e863109f54105f6210f45f92e0083777d2951f1c2d4510fb7674038767
SSDEEP

49152:h1OsGyuyoY0IKAVWQrQSM5eeHY1h2PlSUQ8Pciq:h1ObgoP9oM5LFC

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
768	DDYlFA7tyISo4k2.exe

Loads dropped DLL 4 IoCs

pid	Process
1752	63459b1f6f75e7cd2f9a1b482315bbe1d718e9f599531c7c8441c2ae342d9033.exe
768	DDYlFA7tyISo4k2.exe
1272	regsvr32.exe
2000	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\koipaoaaifbanigjngkldcmmhnecjphd\2.0\manifest.json	DDYlFA7tyISo4k2.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\koipaoaaifbanigjngkldcmmhnecjphd\2.0\manifest.json	DDYlFA7tyISo4k2.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\koipaoaaifbanigjngkldcmmhnecjphd\2.0\manifest.json	DDYlFA7tyISo4k2.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	DDYlFA7tyISo4k2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	DDYlFA7tyISo4k2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	DDYlFA7tyISo4k2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	DDYlFA7tyISo4k2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	DDYlFA7tyISo4k2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GGoSaVea\uf1aeghPlQTAan.x64.dll	DDYlFA7tyISo4k2.exe
File created	C:\Program Files (x86)\GGoSaVea\uf1aeghPlQTAan.dll	DDYlFA7tyISo4k2.exe
File opened for modification	C:\Program Files (x86)\GGoSaVea\uf1aeghPlQTAan.dll	DDYlFA7tyISo4k2.exe
File created	C:\Program Files (x86)\GGoSaVea\uf1aeghPlQTAan.tlb	DDYlFA7tyISo4k2.exe
File opened for modification	C:\Program Files (x86)\GGoSaVea\uf1aeghPlQTAan.tlb	DDYlFA7tyISo4k2.exe
File created	C:\Program Files (x86)\GGoSaVea\uf1aeghPlQTAan.dat	DDYlFA7tyISo4k2.exe
File opened for modification	C:\Program Files (x86)\GGoSaVea\uf1aeghPlQTAan.dat	DDYlFA7tyISo4k2.exe
File created	C:\Program Files (x86)\GGoSaVea\uf1aeghPlQTAan.x64.dll	DDYlFA7tyISo4k2.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 768	1752	63459b1f6f75e7cd2f9a1b482315bbe1d718e9f599531c7c8441c2ae342d9033.exe	28
PID 1752 wrote to memory of 768	1752	63459b1f6f75e7cd2f9a1b482315bbe1d718e9f599531c7c8441c2ae342d9033.exe	28
PID 1752 wrote to memory of 768	1752	63459b1f6f75e7cd2f9a1b482315bbe1d718e9f599531c7c8441c2ae342d9033.exe	28
PID 1752 wrote to memory of 768	1752	63459b1f6f75e7cd2f9a1b482315bbe1d718e9f599531c7c8441c2ae342d9033.exe	28
PID 768 wrote to memory of 1272	768	DDYlFA7tyISo4k2.exe	29
PID 768 wrote to memory of 1272	768	DDYlFA7tyISo4k2.exe	29
PID 768 wrote to memory of 1272	768	DDYlFA7tyISo4k2.exe	29
PID 768 wrote to memory of 1272	768	DDYlFA7tyISo4k2.exe	29
PID 768 wrote to memory of 1272	768	DDYlFA7tyISo4k2.exe	29
PID 768 wrote to memory of 1272	768	DDYlFA7tyISo4k2.exe	29
PID 768 wrote to memory of 1272	768	DDYlFA7tyISo4k2.exe	29
PID 1272 wrote to memory of 2000	1272	regsvr32.exe	30
PID 1272 wrote to memory of 2000	1272	regsvr32.exe	30
PID 1272 wrote to memory of 2000	1272	regsvr32.exe	30
PID 1272 wrote to memory of 2000	1272	regsvr32.exe	30
PID 1272 wrote to memory of 2000	1272	regsvr32.exe	30
PID 1272 wrote to memory of 2000	1272	regsvr32.exe	30
PID 1272 wrote to memory of 2000	1272	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\63459b1f6f75e7cd2f9a1b482315bbe1d718e9f599531c7c8441c2ae342d9033.exe
"C:\Users\Admin\AppData\Local\Temp\63459b1f6f75e7cd2f9a1b482315bbe1d718e9f599531c7c8441c2ae342d9033.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\DDYlFA7tyISo4k2.exe
  .\DDYlFA7tyISo4k2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GGoSaVea\uf1aeghPlQTAan.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GGoSaVea\uf1aeghPlQTAan.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GGoSaVea\uf1aeghPlQTAan.dat

Filesize
6KB

MD5
3420077fb172d3f3d6e3d81959d6328e

SHA1
49c34cf96aa344831915d93ca11d02e69ea284a0

SHA256
742bdb0e3c7e1189dedc37c115f8c0aa1123cfc46896f718b80f60782e6e9ceb

SHA512
9b818c16d857b5e6b24f2d8b1ca4ddd63f19c067b77ccb3129839efc98eb6eb823178c9092fdbede0dd169609d377375fb197824bd232b6bb3e29732c53a870a

Download Submit
C:\Program Files (x86)\GGoSaVea\uf1aeghPlQTAan.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\DDYlFA7tyISo4k2.dat

Filesize
6KB

MD5
3420077fb172d3f3d6e3d81959d6328e

SHA1
49c34cf96aa344831915d93ca11d02e69ea284a0

SHA256
742bdb0e3c7e1189dedc37c115f8c0aa1123cfc46896f718b80f60782e6e9ceb

SHA512
9b818c16d857b5e6b24f2d8b1ca4ddd63f19c067b77ccb3129839efc98eb6eb823178c9092fdbede0dd169609d377375fb197824bd232b6bb3e29732c53a870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\DDYlFA7tyISo4k2.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\DDYlFA7tyISo4k2.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\koipaoaaifbanigjngkldcmmhnecjphd\L1Pyr.js

Filesize
5KB

MD5
d84d7067b1f962b309fd2594ef212f19

SHA1
9328879a7d22169e01fd85aedca8ba8ee1fcbf7e

SHA256
ba0a4e83f1b37bbec542f8c3f42f3eb2ee247a01f437f80861d463f379c00785

SHA512
f3385227445d874d841e29fc0d921421aa2095dd0ac5ac7537cf961d3c3893901a9b46471cfc452a116e549f409b7dd1bb5aeb4326da02979bc518c54047b6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\koipaoaaifbanigjngkldcmmhnecjphd\background.html

Filesize
142B

MD5
eb0cdfca42e9883d4754d55bc4e22d98

SHA1
7667cc33d69b3e44591f1983903f3006fd3d506f

SHA256
0714a6895bff02b92674679c2450caf34f014b9680db6027c416d9ad73b9b123

SHA512
b58dfd641848ea2102b818cd622b0635069a24aad06d5fa81d0561b7ac2074f1f9d379f10ad03cafe244930303ba5dac3309768fd4d81dda1f2eedd7eb25b771

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\koipaoaaifbanigjngkldcmmhnecjphd\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\koipaoaaifbanigjngkldcmmhnecjphd\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\koipaoaaifbanigjngkldcmmhnecjphd\manifest.json

Filesize
500B

MD5
346f1ffc5ad82a7801f77c3bdaefe6b6

SHA1
0a0e7a27733e7166acc3b5916454f23e55edf643

SHA256
ee5abeb4ae77c300cd94b5978b91cf6a26020de8adc6add765592f00ba9fd671

SHA512
cab3cad6a04a0191ea8cbabf2f2ea56c0403e3b631c11bfae36af77d6aa11b4cbee7cb830e7b44d6290995b0ca8ee867176fc5a789992640f7f1f5337de732ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
49279f1a6ab12769ef5797905ff8d5bf

SHA1
5fc4383e0951c262691c3ca39ac820fbf0766dc5

SHA256
8444c853f23187ef2f0b7cf31651e90bab7b4eda7233868ef81d34adfa3e45cd

SHA512
ac03ee44180a8667deb08f17658675ba3b617f9e6a613b7e4e10cf6b228750d8a6709a2c4009853c921a419033946add1c34e3108f002dfd9466829bf72f1d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
d66c8db4e8a92b6c91960c0c811826f1

SHA1
b7d6d01da8ce9a9889eb3614a675e804670d9300

SHA256
d8a16319da2a76f167b129a53566340242e1140ec95c398dab825a736eb9a422

SHA512
9483a845551b54f6d08d166f6f58ad8aab4ec4ff5bd95c79a8c3b308fd35327947e8e97922d49b0be4ca5271a71759f0427c302cebebe8a49e0e4a67cc1d9fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\[email protected]\install.rdf

Filesize
593B

MD5
ec24bddf228b0008271bb30128c76d57

SHA1
ab24fdd261835b2659a0fa6d38e8c9e82f565875

SHA256
db30db55b62a5ca869f75870244ac15d9adc1e9bd210e5cb3689d71709dd3095

SHA512
a8c72a746d54d6e0f31bbbffa98cdde3d15a84aeb19b0fa6da017bb57ebc26618cd61aa2d38118dbcb7338a34da87ddb50caedbf1f9a96e087406a81916be106

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\uf1aeghPlQTAan.dll

Filesize
616KB

MD5
ac2bb9f430ee63577e2e658e576fbaa3

SHA1
661dad0abec24f1cd8400e09fd00881d9dd66b02

SHA256
59bb2ef1513927977be1a94a9e7687a92fd078ad343d481ba40edbfbe85e8812

SHA512
f0c2e9c780bcf67147a7c4803ffb292d6b2c4bf0a03f65273a86c6da85c0b5cd1d24d48726d95ed1e5c6b5662b7fcaba65b47bf1e7d906d97c263d2c92285769

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\uf1aeghPlQTAan.tlb

Filesize
3KB

MD5
52acf269931e562ad7445f7a803bd5e3

SHA1
ef86bb5f96b2bba4c85a73efef5df4a08ab99031

SHA256
bc29a9426767cb54f6f11ea9d457613f858aa0d0e33137ab8ad1f53ff601d8f2

SHA512
545cc433a340e0b6ef70c92ab7854058222bb76385fb4027f1cc174a0baececb48c8e04ea83e9387d2c664505d4dd3799d41512e06c3ec5b4e32d0bf4a84668b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\uf1aeghPlQTAan.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
\Program Files (x86)\GGoSaVea\uf1aeghPlQTAan.dll

Filesize
616KB

MD5
ac2bb9f430ee63577e2e658e576fbaa3

SHA1
661dad0abec24f1cd8400e09fd00881d9dd66b02

SHA256
59bb2ef1513927977be1a94a9e7687a92fd078ad343d481ba40edbfbe85e8812

SHA512
f0c2e9c780bcf67147a7c4803ffb292d6b2c4bf0a03f65273a86c6da85c0b5cd1d24d48726d95ed1e5c6b5662b7fcaba65b47bf1e7d906d97c263d2c92285769

Download Submit
\Program Files (x86)\GGoSaVea\uf1aeghPlQTAan.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
\Program Files (x86)\GGoSaVea\uf1aeghPlQTAan.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS90FA.tmp\DDYlFA7tyISo4k2.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
memory/768-56-0x0000000000000000-mapping.dmp

Download
memory/1272-73-0x0000000000000000-mapping.dmp

Download
memory/1752-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/2000-78-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

Filesize
8KB

Download
memory/2000-77-0x0000000000000000-mapping.dmp

Download