bf4cfe2ded300e81f9db859d2d3127051c619cf2040ec5a78e390b40cd1886d3

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 13:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bf4cfe2ded300e81f9db859d2d3127051c619cf2040ec5a78e390b40cd1886d3.exe
Size

2.0MB
MD5

eb4521dbebd150987fecaeaef8a323ab
SHA1

39bbd73449a8f8b9b4d762d2495e989d816731ad
SHA256

bf4cfe2ded300e81f9db859d2d3127051c619cf2040ec5a78e390b40cd1886d3
SHA512

55a5140476faec089d89bc35ea239ca06ffd3ae77fff61d67dfeeb6ce679d43eb629e1beb7d123543095f404f38ccfaa5187e89eb3ebdbad74b29a70a5f97dfe
SSDEEP

49152:h1Os7Upag+Qk/+ouXBVm/KLp0f5fR6Tu3PHYwxzILQJsa7H:h1OaUpAWouXBVm/KLp0+Tu3jH

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1556	5zdekedJS3KMAvc.exe

Loads dropped DLL 3 IoCs

pid	Process
1556	5zdekedJS3KMAvc.exe
1628	regsvr32.exe
1820	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\manapgobjglobilhkpihgbcljckcgmkk\2.0\manifest.json	5zdekedJS3KMAvc.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\manapgobjglobilhkpihgbcljckcgmkk\2.0\manifest.json	5zdekedJS3KMAvc.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\manapgobjglobilhkpihgbcljckcgmkk\2.0\manifest.json	5zdekedJS3KMAvc.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\manapgobjglobilhkpihgbcljckcgmkk\2.0\manifest.json	5zdekedJS3KMAvc.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\manapgobjglobilhkpihgbcljckcgmkk\2.0\manifest.json	5zdekedJS3KMAvc.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	5zdekedJS3KMAvc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	5zdekedJS3KMAvc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	5zdekedJS3KMAvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	5zdekedJS3KMAvc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GGoSave\E4lq3tucmPbvqk.tlb	5zdekedJS3KMAvc.exe
File opened for modification	C:\Program Files (x86)\GGoSave\E4lq3tucmPbvqk.tlb	5zdekedJS3KMAvc.exe
File created	C:\Program Files (x86)\GGoSave\E4lq3tucmPbvqk.dat	5zdekedJS3KMAvc.exe
File opened for modification	C:\Program Files (x86)\GGoSave\E4lq3tucmPbvqk.dat	5zdekedJS3KMAvc.exe
File created	C:\Program Files (x86)\GGoSave\E4lq3tucmPbvqk.x64.dll	5zdekedJS3KMAvc.exe
File opened for modification	C:\Program Files (x86)\GGoSave\E4lq3tucmPbvqk.x64.dll	5zdekedJS3KMAvc.exe
File created	C:\Program Files (x86)\GGoSave\E4lq3tucmPbvqk.dll	5zdekedJS3KMAvc.exe
File opened for modification	C:\Program Files (x86)\GGoSave\E4lq3tucmPbvqk.dll	5zdekedJS3KMAvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1556	1336	bf4cfe2ded300e81f9db859d2d3127051c619cf2040ec5a78e390b40cd1886d3.exe	80
PID 1336 wrote to memory of 1556	1336	bf4cfe2ded300e81f9db859d2d3127051c619cf2040ec5a78e390b40cd1886d3.exe	80
PID 1336 wrote to memory of 1556	1336	bf4cfe2ded300e81f9db859d2d3127051c619cf2040ec5a78e390b40cd1886d3.exe	80
PID 1556 wrote to memory of 1628	1556	5zdekedJS3KMAvc.exe	81
PID 1556 wrote to memory of 1628	1556	5zdekedJS3KMAvc.exe	81
PID 1556 wrote to memory of 1628	1556	5zdekedJS3KMAvc.exe	81
PID 1628 wrote to memory of 1820	1628	regsvr32.exe	82
PID 1628 wrote to memory of 1820	1628	regsvr32.exe	82

C:\Users\Admin\AppData\Local\Temp\bf4cfe2ded300e81f9db859d2d3127051c619cf2040ec5a78e390b40cd1886d3.exe
"C:\Users\Admin\AppData\Local\Temp\bf4cfe2ded300e81f9db859d2d3127051c619cf2040ec5a78e390b40cd1886d3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Local\Temp\7zS81A8.tmp\5zdekedJS3KMAvc.exe
  .\5zdekedJS3KMAvc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GGoSave\E4lq3tucmPbvqk.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GGoSave\E4lq3tucmPbvqk.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GGoSave\E4lq3tucmPbvqk.dat

Filesize
6KB

MD5
1cb3bc1101161406e9664514e73c843a

SHA1
1fdd03546f7a1f284cb5235aad2f00b5d6a80cc8

SHA256
775535fbfee3773500380ec67395098ffae754534169e3581c21a5c1ba1d7fd4

SHA512
ae797ef25bdd23facc3540ed40823655caf3ce3971ac0e79864c2de25881ff41489eb0f3ec27dc4d6d74d5a4235edf62b1701a60697d57232dfeb8c226e76798

Download Submit
C:\Program Files (x86)\GGoSave\E4lq3tucmPbvqk.dll

Filesize
611KB

MD5
63adb99739052e3d6c04c799f7d43edc

SHA1
f58f054cd6598ed22b70e4623312c2e8f1eba1d3

SHA256
8cda707d508ffb1c1ce6e6066e2b7b782702f8935c7a6a4219f97d2b340efd53

SHA512
232a9cd07a12918901fbea1b7e237cb6105b7c53dd00f0e7418cbc3dfbc462210b6f034db4e68eefbe671de62c43303c37ad67b802c8ad7a5ac2195ce527e673

Download Submit
C:\Program Files (x86)\GGoSave\E4lq3tucmPbvqk.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
C:\Program Files (x86)\GGoSave\E4lq3tucmPbvqk.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
C:\Program Files (x86)\GGoSave\E4lq3tucmPbvqk.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81A8.tmp\5zdekedJS3KMAvc.dat

Filesize
6KB

MD5
1cb3bc1101161406e9664514e73c843a

SHA1
1fdd03546f7a1f284cb5235aad2f00b5d6a80cc8

SHA256
775535fbfee3773500380ec67395098ffae754534169e3581c21a5c1ba1d7fd4

SHA512
ae797ef25bdd23facc3540ed40823655caf3ce3971ac0e79864c2de25881ff41489eb0f3ec27dc4d6d74d5a4235edf62b1701a60697d57232dfeb8c226e76798

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81A8.tmp\5zdekedJS3KMAvc.exe

Filesize
627KB

MD5
cd2adf3ef46ba68dacaddef767a60926

SHA1
2936664364c94dbe44343dd0aa7de243c82582b0

SHA256
7d37cc35dc3ae28943f203a0f8d62d0ffd838e9f63f667dc465fa0534fbc4cb1

SHA512
3b7785f0b8346d179bce0eb8253a54975e41c99089719d1bc95e1bcf501ab13813ef6392fc2392d4af7225245f9836ba652abfc9eeea4cd3e678e9b1850ed222

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81A8.tmp\5zdekedJS3KMAvc.exe

Filesize
627KB

MD5
cd2adf3ef46ba68dacaddef767a60926

SHA1
2936664364c94dbe44343dd0aa7de243c82582b0

SHA256
7d37cc35dc3ae28943f203a0f8d62d0ffd838e9f63f667dc465fa0534fbc4cb1

SHA512
3b7785f0b8346d179bce0eb8253a54975e41c99089719d1bc95e1bcf501ab13813ef6392fc2392d4af7225245f9836ba652abfc9eeea4cd3e678e9b1850ed222

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81A8.tmp\E4lq3tucmPbvqk.dll

Filesize
611KB

MD5
63adb99739052e3d6c04c799f7d43edc

SHA1
f58f054cd6598ed22b70e4623312c2e8f1eba1d3

SHA256
8cda707d508ffb1c1ce6e6066e2b7b782702f8935c7a6a4219f97d2b340efd53

SHA512
232a9cd07a12918901fbea1b7e237cb6105b7c53dd00f0e7418cbc3dfbc462210b6f034db4e68eefbe671de62c43303c37ad67b802c8ad7a5ac2195ce527e673

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81A8.tmp\E4lq3tucmPbvqk.tlb

Filesize
3KB

MD5
08b4ac9069400749555355a5f1e6b8ad

SHA1
ec078fae45087bb2ab63497cd2b4b844c178ec3c

SHA256
f996571eef02335d08b6c073024cef3ea616bb39f9d9742ffa6783f4e22c3997

SHA512
5001f7ca20cca5e85f9c6c1d90ffc2f9a25606d877ee4e6d33a727b6f689989b0486dbea62c66d2d1097194a353566de9d8b6b2bff33613a7ab763c98ca1e1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81A8.tmp\E4lq3tucmPbvqk.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81A8.tmp\manapgobjglobilhkpihgbcljckcgmkk\background.html

Filesize
138B

MD5
7e04afb945ad240306eb4382e62174ee

SHA1
a899f8f4444f356e504b4558d81b6df9e892937a

SHA256
fea6cd40ada053115cdf38077dafee4e95840b3837d3c2796ee6f9fa0320ae73

SHA512
8f7577ccb548c2bca83285dde49b1b8fb1ae73c4b706c7df88c2936456c48ae2c2afb9ecb5b35ee8a77bbd35e651bad5b14e7e651e81e35b35a9ade3c5314363

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81A8.tmp\manapgobjglobilhkpihgbcljckcgmkk\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81A8.tmp\manapgobjglobilhkpihgbcljckcgmkk\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81A8.tmp\manapgobjglobilhkpihgbcljckcgmkk\manifest.json

Filesize
499B

MD5
f280c5b0e5962c3cc88886d712df31b0

SHA1
23a6e758c55cc173c0c01fe86b6f6f3998be4d79

SHA256
42181dce58104d2dfb1dae4dbbee0bcb8f996d34e051189e412077b46ba84c23

SHA512
bcb4bcb9b3aad8a5561b8572a7701eb9017cbb9911066d0088baf08715d70efca806c489c7f8083bddf9749c70e501004ddb60e3236735a136077da881a41bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81A8.tmp\manapgobjglobilhkpihgbcljckcgmkk\v.js

Filesize
5KB

MD5
ccff0d67b6938d4c936df2ec198e408e

SHA1
13779794a4715b545377c2b2b29090378d499fef

SHA256
40f66578917307867ec73cb613f59038da5eba18a8776da94dc0c79c2fe52053

SHA512
8f661c51c59ede1ec08d6660bbb445dde2d6f887fbdc17754baa0145d2dcd84d5fc0b9f7567430a84487c2ec13d0d8f816329475dfa8d1c81d194e795046407d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81A8.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81A8.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
e643273ba797d2d204abb1fff3aa4127

SHA1
402d6c68f2c0af0e9422bd1172900a1eec26e404

SHA256
caf1fd4f92a4bdd1eb6f012b88b21fe2d66a74aeaabefc4e52d035fc3c24018b

SHA512
46738fa666aa0bb386c2fc8991aea33b723bb22ff39a2039a9f469b9630dea75f8df09f72bf1818fda02360f757127cba17aaacf592b8e2ff2769beac1570d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81A8.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
581ff8a89e26ba1ce1231af711c09df2

SHA1
6a56bab99a789ad5021d92d2731c9f1c1b837998

SHA256
f916c2882a465f01d264f87ec6195ce0b44aa9139e1c461aa8a3802a74e1a76a

SHA512
4c1dc45ca589bcd2d9a41249a0d71a4344c008b1555a32447a8972d6583dcaafc5a422edbe5630e718b34d4042a7fb03b6f26636b10aad6cc443d26db5ddb903

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81A8.tmp\[email protected]\install.rdf

Filesize
593B

MD5
f9d7686b23367cdeb39ee3c159b73f5a

SHA1
6ad872e15bcae1d6305a050bc062ab030dcb77fe

SHA256
6443b539bc8f7eb3185ccf25cc113eadee45e1fc16bf20812049edcf8338d970

SHA512
5ef0e5e048b0d9a0589f2d0c79c9169dd122261c8a09e7f635762312844d6763fa3aa38c7e6029d24e20979c60304f81216bcd882be211426d0d0e87cb1f0965

Download Submit