4854f159f2ab452a589051e1be97770a0c48587538d42c97715b4c333fbfc60c

Analysis

max time kernel
31s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4854f159f2ab452a589051e1be97770a0c48587538d42c97715b4c333fbfc60c.exe
Size

2.5MB
MD5

ca1e0a1029ff9ca67e32ddf93661aa93
SHA1

f1ccea6b2e1c224a8d1e2cadd9242b6dc713c7d9
SHA256

4854f159f2ab452a589051e1be97770a0c48587538d42c97715b4c333fbfc60c
SHA512

775c521ef49675dc6cdf288d6e97dcd50e44f32ac2ca9b0233aa25e70ab0283dc77ecb7833d25e784067485d02c12936031293c2b6a2768c65997c4ca2613efd
SSDEEP

49152:h1OsF+QK3xQpjajXKioFMpYphqd3ArqvFUmEaDxEAxh4UR9TET:h1OTQCjbKioVg3ArKh40k

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

nDErn5LXsvZF0yy.exe

pid process

992 nDErn5LXsvZF0yy.exe
Loads dropped DLL 4 IoCs

Processes:

4854f159f2ab452a589051e1be97770a0c48587538d42c97715b4c333fbfc60c.exenDErn5LXsvZF0yy.exeregsvr32.exeregsvr32.exe

pid process

1912 4854f159f2ab452a589051e1be97770a0c48587538d42c97715b4c333fbfc60c.exe
992 nDErn5LXsvZF0yy.exe
1552 regsvr32.exe
1448 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
992	nDErn5LXsvZF0yy.exe

pid	process
1912	4854f159f2ab452a589051e1be97770a0c48587538d42c97715b4c333fbfc60c.exe
992	nDErn5LXsvZF0yy.exe
1552	regsvr32.exe
1448	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exenDErn5LXsvZF0yy.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	nDErn5LXsvZF0yy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	nDErn5LXsvZF0yy.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	nDErn5LXsvZF0yy.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	nDErn5LXsvZF0yy.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	nDErn5LXsvZF0yy.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

nDErn5LXsvZF0yy.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GoSave\yEHVhHcKDeMio7.tlb	nDErn5LXsvZF0yy.exe
File created	C:\Program Files (x86)\GoSave\yEHVhHcKDeMio7.dat	nDErn5LXsvZF0yy.exe
File opened for modification	C:\Program Files (x86)\GoSave\yEHVhHcKDeMio7.dat	nDErn5LXsvZF0yy.exe
File created	C:\Program Files (x86)\GoSave\yEHVhHcKDeMio7.x64.dll	nDErn5LXsvZF0yy.exe
File opened for modification	C:\Program Files (x86)\GoSave\yEHVhHcKDeMio7.x64.dll	nDErn5LXsvZF0yy.exe
File created	C:\Program Files (x86)\GoSave\yEHVhHcKDeMio7.dll	nDErn5LXsvZF0yy.exe
File opened for modification	C:\Program Files (x86)\GoSave\yEHVhHcKDeMio7.dll	nDErn5LXsvZF0yy.exe
File created	C:\Program Files (x86)\GoSave\yEHVhHcKDeMio7.tlb	nDErn5LXsvZF0yy.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

nDErn5LXsvZF0yy.exe

pid process

992 nDErn5LXsvZF0yy.exe

pid	process
992	nDErn5LXsvZF0yy.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

4854f159f2ab452a589051e1be97770a0c48587538d42c97715b4c333fbfc60c.exenDErn5LXsvZF0yy.exeregsvr32.exe

description	pid	process	target process
PID 1912 wrote to memory of 992	1912	4854f159f2ab452a589051e1be97770a0c48587538d42c97715b4c333fbfc60c.exe	nDErn5LXsvZF0yy.exe
PID 1912 wrote to memory of 992	1912	4854f159f2ab452a589051e1be97770a0c48587538d42c97715b4c333fbfc60c.exe	nDErn5LXsvZF0yy.exe
PID 1912 wrote to memory of 992	1912	4854f159f2ab452a589051e1be97770a0c48587538d42c97715b4c333fbfc60c.exe	nDErn5LXsvZF0yy.exe
PID 1912 wrote to memory of 992	1912	4854f159f2ab452a589051e1be97770a0c48587538d42c97715b4c333fbfc60c.exe	nDErn5LXsvZF0yy.exe
PID 992 wrote to memory of 1552	992	nDErn5LXsvZF0yy.exe	regsvr32.exe
PID 992 wrote to memory of 1552	992	nDErn5LXsvZF0yy.exe	regsvr32.exe
PID 992 wrote to memory of 1552	992	nDErn5LXsvZF0yy.exe	regsvr32.exe
PID 992 wrote to memory of 1552	992	nDErn5LXsvZF0yy.exe	regsvr32.exe
PID 992 wrote to memory of 1552	992	nDErn5LXsvZF0yy.exe	regsvr32.exe
PID 992 wrote to memory of 1552	992	nDErn5LXsvZF0yy.exe	regsvr32.exe
PID 992 wrote to memory of 1552	992	nDErn5LXsvZF0yy.exe	regsvr32.exe
PID 1552 wrote to memory of 1448	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1448	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1448	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1448	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1448	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1448	1552	regsvr32.exe	regsvr32.exe
PID 1552 wrote to memory of 1448	1552	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\4854f159f2ab452a589051e1be97770a0c48587538d42c97715b4c333fbfc60c.exe
"C:\Users\Admin\AppData\Local\Temp\4854f159f2ab452a589051e1be97770a0c48587538d42c97715b4c333fbfc60c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\7zS2888.tmp\nDErn5LXsvZF0yy.exe
.\nDErn5LXsvZF0yy.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSave\yEHVhHcKDeMio7.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSave\yEHVhHcKDeMio7.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\yEHVhHcKDeMio7.dat

Filesize
6KB

MD5
83b66460a177985dada0d984e467db4e

SHA1
81725edd8cb6e2269b64b32930611fea03902df1

SHA256
2477946b03ab389beca1e87a549bae330dd4e1f4213a925f2c13696ef1e14aaf

SHA512
481b6bb5b3794d55dc5bb5018fbc03d1098fcb5f297e13c8a7f257b45b5daea2c6ab75d2401dcdebaf4392530ca0722cda32a4ce3e5a919a1c2f10a8b6bfdde2

Download Submit
C:\Program Files (x86)\GoSave\yEHVhHcKDeMio7.x64.dll

Filesize
887KB

MD5
fe714aa952e86e33b2cc1652e0f7f6cb

SHA1
25927512b7bef5f0586f7edab4d4804ec43409aa

SHA256
c4fc97da6b3393137f1711238c3ac18d36f903d256a9205fd40e71b4c99ce579

SHA512
fe5ac276c14bf2f5e59a1c4acccb98404cbbbe0bceed92a69e5860445682c44d8575ef6926706b9d750bcbf8dca539503547c4f693a8b28cb2e3463760c2c5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2888.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2888.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
a6e47e2335e83edb5df6d6eae92c0572

SHA1
62b8a6cb9519d27337f5ed1563910b4997068ff1

SHA256
b6b3153fb2c93698616c257947f137fdb5cf4276f2c100d6652ebb06cb265720

SHA512
ad79c89940cb51d611f3e67e52482cac30c22e163c383e92a023c72194cbf3aab9b05bfb33c0ba2178b25eaa14c1b98180c7ca80407dde542994b478472e232f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2888.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
fa7844ab4e950b3b114ec0025e4da77b

SHA1
a91c876da090a52f2274d32daec4f0baa89498d5

SHA256
a71c3d1321cf11d0b1f5cae5271a5a2f91ae98dff8efc227b4764b7330350357

SHA512
7bc08526d93896a41b89914da09edb6b87cd5abcc110c8d244382fef5761af6cc0476a272d59131bb7b58560165d2d8b83ec4d881f3e90bd6c78fc01ffcc2def

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2888.tmp\[email protected]\install.rdf

Filesize
592B

MD5
573313b898398d1b342734c594999075

SHA1
a94b6e97cae23d2f9138020c8f1b3ef4c3f86fba

SHA256
ed4307b3b8c198f6cfd85ddaf9f875952d796bf995b5611565fe5dc6872879ed

SHA512
63c247768d154668dce68b7a604514f0bfe05b025c1aa0dec1b1c4f06422e577316c05ab80ae69baea06c68cf97bd11462c945a856a0ec4622973ff087804f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2888.tmp\nDErn5LXsvZF0yy.dat

Filesize
6KB

MD5
83b66460a177985dada0d984e467db4e

SHA1
81725edd8cb6e2269b64b32930611fea03902df1

SHA256
2477946b03ab389beca1e87a549bae330dd4e1f4213a925f2c13696ef1e14aaf

SHA512
481b6bb5b3794d55dc5bb5018fbc03d1098fcb5f297e13c8a7f257b45b5daea2c6ab75d2401dcdebaf4392530ca0722cda32a4ce3e5a919a1c2f10a8b6bfdde2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2888.tmp\nDErn5LXsvZF0yy.exe

Filesize
765KB

MD5
102dfa10cc29d7f1ded876dfd7274280

SHA1
f26e57d916bf7c5c3a4b49a2edaf30e945b0b44e

SHA256
67d9ee9e36b29e081ff2084dc488b0b6c4120e791a5c33ce6027cf89718e4bb3

SHA512
c3b7bb463873420f1582880308acca440c24fefaf45c9ad75319665e07c0f4548bd6fe07fabec48edd138a495a2607297773b16400e351e68a7462b45fb2c0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2888.tmp\nDErn5LXsvZF0yy.exe

Filesize
765KB

MD5
102dfa10cc29d7f1ded876dfd7274280

SHA1
f26e57d916bf7c5c3a4b49a2edaf30e945b0b44e

SHA256
67d9ee9e36b29e081ff2084dc488b0b6c4120e791a5c33ce6027cf89718e4bb3

SHA512
c3b7bb463873420f1582880308acca440c24fefaf45c9ad75319665e07c0f4548bd6fe07fabec48edd138a495a2607297773b16400e351e68a7462b45fb2c0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2888.tmp\null\S3rze3.js

Filesize
5KB

MD5
f164b1055362c2c2efa99189e42b9380

SHA1
9d313fc4589aa4ce918e780bf4cfe131bf3393b2

SHA256
e055c964078173966e0ba6f83b87cbe61c7e78a00800d688930403aa2091388e

SHA512
10817539cdc235998e7b5e75a5b431ecbd90dd3f47f8acec28d609b5dbb5042465f5614cabd15da2f69506843c60950e8add53ae44925cb4621a7f6170845d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2888.tmp\null\background.html

Filesize
143B

MD5
a7576e6640e1e9a9b0ea3fb046d7475a

SHA1
9633b7ceeb84b00fa3f8590a3ad1c19ac04cfc36

SHA256
faadd09cef0a6c3289357156e426dd1a9b3cbdd2ba6eb7f75ef05126ed4e3fe7

SHA512
75137c46754643a982655d49553ac4b906a680dcb3448c4fd3e7280e61d88bd404632c50ef0831984df14c64cbd0d138300f45aae1d50f283754c816aab58751

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2888.tmp\null\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2888.tmp\null\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2888.tmp\null\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2888.tmp\yEHVhHcKDeMio7.dll

Filesize
748KB

MD5
c4836ef373cdfa7eac3738c59ae9fb83

SHA1
2f019c1b3357e3be378ac804acfc98ec4f80b576

SHA256
5c7ba1a9e0bf346f3b4baa8e6965981b0ff412eabc879ecc531e98f268c34e3e

SHA512
e459aeba63802639c8e7245afc139d86e75a805e14b90318b926ff00fe384d14ac209dc76fb88319218c89fe1562c737ed4c5847cd92e698d529ba6737c2fb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2888.tmp\yEHVhHcKDeMio7.tlb

Filesize
3KB

MD5
f461159d95e1a49a534ad0320ff3984b

SHA1
e3363285437846f046b126adbcd8e4789aa1f486

SHA256
d6967480d6f6fd4b9d31fb7e38ee6f04c76c36edd2795f852ec3938d984993d6

SHA512
2a12587d4a69c967771d8b4ed43e857a81899e177d5ec8ddf8365eaa4e8752032fac8d25b5c3a89ae5efc82b4c6dfd4ba2d26e998b3ad95cc8fdc6ef0c7416ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2888.tmp\yEHVhHcKDeMio7.x64.dll

Filesize
887KB

MD5
fe714aa952e86e33b2cc1652e0f7f6cb

SHA1
25927512b7bef5f0586f7edab4d4804ec43409aa

SHA256
c4fc97da6b3393137f1711238c3ac18d36f903d256a9205fd40e71b4c99ce579

SHA512
fe5ac276c14bf2f5e59a1c4acccb98404cbbbe0bceed92a69e5860445682c44d8575ef6926706b9d750bcbf8dca539503547c4f693a8b28cb2e3463760c2c5a7

Download Submit
\Program Files (x86)\GoSave\yEHVhHcKDeMio7.dll

Filesize
748KB

MD5
c4836ef373cdfa7eac3738c59ae9fb83

SHA1
2f019c1b3357e3be378ac804acfc98ec4f80b576

SHA256
5c7ba1a9e0bf346f3b4baa8e6965981b0ff412eabc879ecc531e98f268c34e3e

SHA512
e459aeba63802639c8e7245afc139d86e75a805e14b90318b926ff00fe384d14ac209dc76fb88319218c89fe1562c737ed4c5847cd92e698d529ba6737c2fb4d

Download Submit
\Program Files (x86)\GoSave\yEHVhHcKDeMio7.x64.dll

Filesize
887KB

MD5
fe714aa952e86e33b2cc1652e0f7f6cb

SHA1
25927512b7bef5f0586f7edab4d4804ec43409aa

SHA256
c4fc97da6b3393137f1711238c3ac18d36f903d256a9205fd40e71b4c99ce579

SHA512
fe5ac276c14bf2f5e59a1c4acccb98404cbbbe0bceed92a69e5860445682c44d8575ef6926706b9d750bcbf8dca539503547c4f693a8b28cb2e3463760c2c5a7

Download Submit
\Program Files (x86)\GoSave\yEHVhHcKDeMio7.x64.dll

Filesize
887KB

MD5
fe714aa952e86e33b2cc1652e0f7f6cb

SHA1
25927512b7bef5f0586f7edab4d4804ec43409aa

SHA256
c4fc97da6b3393137f1711238c3ac18d36f903d256a9205fd40e71b4c99ce579

SHA512
fe5ac276c14bf2f5e59a1c4acccb98404cbbbe0bceed92a69e5860445682c44d8575ef6926706b9d750bcbf8dca539503547c4f693a8b28cb2e3463760c2c5a7

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2888.tmp\nDErn5LXsvZF0yy.exe

Filesize
765KB

MD5
102dfa10cc29d7f1ded876dfd7274280

SHA1
f26e57d916bf7c5c3a4b49a2edaf30e945b0b44e

SHA256
67d9ee9e36b29e081ff2084dc488b0b6c4120e791a5c33ce6027cf89718e4bb3

SHA512
c3b7bb463873420f1582880308acca440c24fefaf45c9ad75319665e07c0f4548bd6fe07fabec48edd138a495a2607297773b16400e351e68a7462b45fb2c0c2

Download Submit
memory/992-56-0x0000000000000000-mapping.dmp

Download
memory/1448-77-0x0000000000000000-mapping.dmp

Download
memory/1448-78-0x000007FEFBB81000-0x000007FEFBB83000-memory.dmp

Filesize
8KB

Download
memory/1552-73-0x0000000000000000-mapping.dmp

Download
memory/1912-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download