d85db683140d3fa74a23da617b1b93f34ef84eb0036451784153e8fc78be2980

Analysis

max time kernel
156s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 13:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d85db683140d3fa74a23da617b1b93f34ef84eb0036451784153e8fc78be2980.exe
Size

2.1MB
MD5

d6b7ed16675d1a13817c2a1ae2e5bbb5
SHA1

e3f109e1f1ef0c605999b88699c7327f79203ea9
SHA256

d85db683140d3fa74a23da617b1b93f34ef84eb0036451784153e8fc78be2980
SHA512

7b7f59626b168cedeaa128ca1f4fc7c7e4905e0ae4a340f2959fc5dae94c8167913b2ac43324faef607517849d54eb9ac36bc7b37fbebe531b4199221b61ac33
SSDEEP

49152:h1OsgyuyoY0IKAVWQrQSM5eeHY1h2PlSUQ8Pcih:h1OdgoP9oM5LFZ

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2348	9GMfOPSiVuvG2GX.exe

Loads dropped DLL 3 IoCs

pid	Process
2348	9GMfOPSiVuvG2GX.exe
3144	regsvr32.exe
4300	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hanmghaldmenambhehhcecllcgbocica\3.0\manifest.json	9GMfOPSiVuvG2GX.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\hanmghaldmenambhehhcecllcgbocica\3.0\manifest.json	9GMfOPSiVuvG2GX.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hanmghaldmenambhehhcecllcgbocica\3.0\manifest.json	9GMfOPSiVuvG2GX.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\hanmghaldmenambhehhcecllcgbocica\3.0\manifest.json	9GMfOPSiVuvG2GX.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hanmghaldmenambhehhcecllcgbocica\3.0\manifest.json	9GMfOPSiVuvG2GX.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	9GMfOPSiVuvG2GX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	9GMfOPSiVuvG2GX.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	9GMfOPSiVuvG2GX.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	9GMfOPSiVuvG2GX.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GoSSave\JmKeZjqbYy28V9.tlb	9GMfOPSiVuvG2GX.exe
File created	C:\Program Files (x86)\GoSSave\JmKeZjqbYy28V9.dat	9GMfOPSiVuvG2GX.exe
File opened for modification	C:\Program Files (x86)\GoSSave\JmKeZjqbYy28V9.dat	9GMfOPSiVuvG2GX.exe
File created	C:\Program Files (x86)\GoSSave\JmKeZjqbYy28V9.x64.dll	9GMfOPSiVuvG2GX.exe
File opened for modification	C:\Program Files (x86)\GoSSave\JmKeZjqbYy28V9.x64.dll	9GMfOPSiVuvG2GX.exe
File created	C:\Program Files (x86)\GoSSave\JmKeZjqbYy28V9.dll	9GMfOPSiVuvG2GX.exe
File opened for modification	C:\Program Files (x86)\GoSSave\JmKeZjqbYy28V9.dll	9GMfOPSiVuvG2GX.exe
File created	C:\Program Files (x86)\GoSSave\JmKeZjqbYy28V9.tlb	9GMfOPSiVuvG2GX.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2348	2688	d85db683140d3fa74a23da617b1b93f34ef84eb0036451784153e8fc78be2980.exe	82
PID 2688 wrote to memory of 2348	2688	d85db683140d3fa74a23da617b1b93f34ef84eb0036451784153e8fc78be2980.exe	82
PID 2688 wrote to memory of 2348	2688	d85db683140d3fa74a23da617b1b93f34ef84eb0036451784153e8fc78be2980.exe	82
PID 2348 wrote to memory of 3144	2348	9GMfOPSiVuvG2GX.exe	84
PID 2348 wrote to memory of 3144	2348	9GMfOPSiVuvG2GX.exe	84
PID 2348 wrote to memory of 3144	2348	9GMfOPSiVuvG2GX.exe	84
PID 3144 wrote to memory of 4300	3144	regsvr32.exe	85
PID 3144 wrote to memory of 4300	3144	regsvr32.exe	85

C:\Users\Admin\AppData\Local\Temp\d85db683140d3fa74a23da617b1b93f34ef84eb0036451784153e8fc78be2980.exe
"C:\Users\Admin\AppData\Local\Temp\d85db683140d3fa74a23da617b1b93f34ef84eb0036451784153e8fc78be2980.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\7zSEB8D.tmp\9GMfOPSiVuvG2GX.exe
  .\9GMfOPSiVuvG2GX.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSSave\JmKeZjqbYy28V9.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSSave\JmKeZjqbYy28V9.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:4300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSSave\JmKeZjqbYy28V9.dat

Filesize
6KB

MD5
864db9a10555dcadd1c2907afdebdae2

SHA1
40eec0a343b652ebec9e4365cc7ba367789a5786

SHA256
daadbc64279f0d25fe7864b35d93ed1bdea6aa9ff0ae3a4dc7e3b2938a7882fa

SHA512
009bf05bf598582e0998bfcfac3e9ad7a99ca5688b7f7ec6c9a547b9f64f254f874facf81df2d12257be8901e8a86ad4b8d34f4b0bd9bd9fa7aa87633ea8dc86

Download Submit
C:\Program Files (x86)\GoSSave\JmKeZjqbYy28V9.dll

Filesize
616KB

MD5
ac2bb9f430ee63577e2e658e576fbaa3

SHA1
661dad0abec24f1cd8400e09fd00881d9dd66b02

SHA256
59bb2ef1513927977be1a94a9e7687a92fd078ad343d481ba40edbfbe85e8812

SHA512
f0c2e9c780bcf67147a7c4803ffb292d6b2c4bf0a03f65273a86c6da85c0b5cd1d24d48726d95ed1e5c6b5662b7fcaba65b47bf1e7d906d97c263d2c92285769

Download Submit
C:\Program Files (x86)\GoSSave\JmKeZjqbYy28V9.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
C:\Program Files (x86)\GoSSave\JmKeZjqbYy28V9.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
C:\Program Files (x86)\GoSSave\JmKeZjqbYy28V9.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB8D.tmp\9GMfOPSiVuvG2GX.dat

Filesize
6KB

MD5
864db9a10555dcadd1c2907afdebdae2

SHA1
40eec0a343b652ebec9e4365cc7ba367789a5786

SHA256
daadbc64279f0d25fe7864b35d93ed1bdea6aa9ff0ae3a4dc7e3b2938a7882fa

SHA512
009bf05bf598582e0998bfcfac3e9ad7a99ca5688b7f7ec6c9a547b9f64f254f874facf81df2d12257be8901e8a86ad4b8d34f4b0bd9bd9fa7aa87633ea8dc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB8D.tmp\9GMfOPSiVuvG2GX.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB8D.tmp\9GMfOPSiVuvG2GX.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB8D.tmp\JmKeZjqbYy28V9.dll

Filesize
616KB

MD5
ac2bb9f430ee63577e2e658e576fbaa3

SHA1
661dad0abec24f1cd8400e09fd00881d9dd66b02

SHA256
59bb2ef1513927977be1a94a9e7687a92fd078ad343d481ba40edbfbe85e8812

SHA512
f0c2e9c780bcf67147a7c4803ffb292d6b2c4bf0a03f65273a86c6da85c0b5cd1d24d48726d95ed1e5c6b5662b7fcaba65b47bf1e7d906d97c263d2c92285769

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB8D.tmp\JmKeZjqbYy28V9.tlb

Filesize
3KB

MD5
52acf269931e562ad7445f7a803bd5e3

SHA1
ef86bb5f96b2bba4c85a73efef5df4a08ab99031

SHA256
bc29a9426767cb54f6f11ea9d457613f858aa0d0e33137ab8ad1f53ff601d8f2

SHA512
545cc433a340e0b6ef70c92ab7854058222bb76385fb4027f1cc174a0baececb48c8e04ea83e9387d2c664505d4dd3799d41512e06c3ec5b4e32d0bf4a84668b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB8D.tmp\JmKeZjqbYy28V9.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB8D.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB8D.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
06d1187c1e5d766da6fc3e57a92e90ce

SHA1
cee539099b711cf9a1df5e89df8a9fe672d63589

SHA256
0b3f9c22246685b9da8f295eac27b77273dbfa2048c495b6b1375ef11001a9e1

SHA512
49f29b2c7270bb7aeb78d0a6f32b21c75121e9dde36a1be4204ecc17ab0d707be9fb723f8f80fb53e043d1cc2c7a8b50c318c30ec8fbead217fa02a4b570cb4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB8D.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
59c48bd35d38f7286d127424031a8388

SHA1
7f0029def7ddd2f07664d3611c94174ea4f3a6b2

SHA256
699f07416a4c765b1d13e6199c0cf90e29325d87c6a6d0e77ed91c01b6709995

SHA512
752e386d0ecce2ce62ea60d7c72d6d1b1ce0114a7067affe862c20ea719a5a923e12d57a2c0cdc92820e3205235f51c396091fdcd18b9b003729cc7eba4b2431

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB8D.tmp\[email protected]\install.rdf

Filesize
592B

MD5
c9effb2126eecf24f394bb53e9d5bb51

SHA1
ba275d0e98ab9b0979e1ca7714fe1b8088c5cfc0

SHA256
08a030d542a484e55d7c3f3f0c0ced03472b5671d483c5d71ae3e50e55c8933b

SHA512
9ff01baab191ff601ef4365cb11ad6366c5a3640edad375c8fd9c0dadaa10ba678ba628be1dcda116ec5c1378972a44f96fc2734edd2ab49b8feb3091323c17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB8D.tmp\hanmghaldmenambhehhcecllcgbocica\background.html

Filesize
146B

MD5
86182d9f3761a1bb772c1ccdfe138585

SHA1
5c14c578cd3f498eaa69c8906f123662532ef317

SHA256
fe39a3431691748fd989f24d928e5870d2ec4f3ba57e7eb754f7226be2aa3cba

SHA512
6a084c84876bc7846b563314664da5d98fc0e62f81b4dc3a8a25f24941c52369e83753b0bd07c8cb9923a38b32834c64cac2e03fae5a637d4c732b2643cf4ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB8D.tmp\hanmghaldmenambhehhcecllcgbocica\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB8D.tmp\hanmghaldmenambhehhcecllcgbocica\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB8D.tmp\hanmghaldmenambhehhcecllcgbocica\manifest.json

Filesize
499B

MD5
abd02a6dbea76a51bff172917aec681c

SHA1
a8e8fe55c9acd794331f28bbad5576ec70ea1670

SHA256
551fb9df7da893fd5ce056aa4018c48b8876bbb77a2bb8c2f88d2438807468b5

SHA512
d57ee4db97d4479101cbf868a3d7d94ec898ddc2e0c2a50fa5cd6f31298ae0c71e285791912a42e3035e5706a8ff0f961824a702a015fc9f94aaa6bfc0f7127d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB8D.tmp\hanmghaldmenambhehhcecllcgbocica\vVDC3TY2T.js

Filesize
5KB

MD5
9251c247f93e20a5a28df2f23443d06e

SHA1
0aaeee44e4bb4ea64f5b21383a94e5a4de8fd587

SHA256
50a8ed3ab75fe7be5644d6f0866769cc35e3bc3e1bf7dc8e27e435c2b9f25dc6

SHA512
ccfbe6a33aa1c5fad3c12b95031c42cd8aff271271a6ca5bec22b4aabf1326ef1a61af763bc05b3f63850c75d2a6286e51175bc43a9d49f954c58c6a069d1da7

Download Submit