8d74e9e4f674da9bfad54dc475673dec35df31b57f1d8b5de08e9c252c8c3538

Analysis

max time kernel
45s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 14:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8d74e9e4f674da9bfad54dc475673dec35df31b57f1d8b5de08e9c252c8c3538.exe
Size

2.1MB
MD5

e59eb18afc40e5dfd9ea3d8b86d4b59a
SHA1

0aa2b60104c9efedcaebde15f732abf7030f84bf
SHA256

8d74e9e4f674da9bfad54dc475673dec35df31b57f1d8b5de08e9c252c8c3538
SHA512

af1f65495d7d0754582d30f5091d7724bd122423f91e102db5de24d0fa5369d008363956fd19d4dff5aaf161018c56c18e21e3b75c7986708aa28f7485655c63
SSDEEP

49152:h1Os5yuyoY0IKAVWQrQSM5eeHY1h2PlSUQ8Pcin:h1OsgoP9oM5LFv

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1712	UP7o8yDJjAueu2Y.exe

Loads dropped DLL 4 IoCs

pid	Process
1784	8d74e9e4f674da9bfad54dc475673dec35df31b57f1d8b5de08e9c252c8c3538.exe
1712	UP7o8yDJjAueu2Y.exe
1068	regsvr32.exe
1688	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckjjkfhkhfolilhmegcifdccoahanegm\2.0\manifest.json	UP7o8yDJjAueu2Y.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckjjkfhkhfolilhmegcifdccoahanegm\2.0\manifest.json	UP7o8yDJjAueu2Y.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckjjkfhkhfolilhmegcifdccoahanegm\2.0\manifest.json	UP7o8yDJjAueu2Y.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	UP7o8yDJjAueu2Y.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	UP7o8yDJjAueu2Y.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	UP7o8yDJjAueu2Y.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	UP7o8yDJjAueu2Y.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	UP7o8yDJjAueu2Y.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GeoSaave\e6Hh2RlmvNv2wA.x64.dll	UP7o8yDJjAueu2Y.exe
File opened for modification	C:\Program Files (x86)\GeoSaave\e6Hh2RlmvNv2wA.x64.dll	UP7o8yDJjAueu2Y.exe
File created	C:\Program Files (x86)\GeoSaave\e6Hh2RlmvNv2wA.dll	UP7o8yDJjAueu2Y.exe
File opened for modification	C:\Program Files (x86)\GeoSaave\e6Hh2RlmvNv2wA.dll	UP7o8yDJjAueu2Y.exe
File created	C:\Program Files (x86)\GeoSaave\e6Hh2RlmvNv2wA.tlb	UP7o8yDJjAueu2Y.exe
File opened for modification	C:\Program Files (x86)\GeoSaave\e6Hh2RlmvNv2wA.tlb	UP7o8yDJjAueu2Y.exe
File created	C:\Program Files (x86)\GeoSaave\e6Hh2RlmvNv2wA.dat	UP7o8yDJjAueu2Y.exe
File opened for modification	C:\Program Files (x86)\GeoSaave\e6Hh2RlmvNv2wA.dat	UP7o8yDJjAueu2Y.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 1712	1784	8d74e9e4f674da9bfad54dc475673dec35df31b57f1d8b5de08e9c252c8c3538.exe	28
PID 1784 wrote to memory of 1712	1784	8d74e9e4f674da9bfad54dc475673dec35df31b57f1d8b5de08e9c252c8c3538.exe	28
PID 1784 wrote to memory of 1712	1784	8d74e9e4f674da9bfad54dc475673dec35df31b57f1d8b5de08e9c252c8c3538.exe	28
PID 1784 wrote to memory of 1712	1784	8d74e9e4f674da9bfad54dc475673dec35df31b57f1d8b5de08e9c252c8c3538.exe	28
PID 1712 wrote to memory of 1068	1712	UP7o8yDJjAueu2Y.exe	29
PID 1712 wrote to memory of 1068	1712	UP7o8yDJjAueu2Y.exe	29
PID 1712 wrote to memory of 1068	1712	UP7o8yDJjAueu2Y.exe	29
PID 1712 wrote to memory of 1068	1712	UP7o8yDJjAueu2Y.exe	29
PID 1712 wrote to memory of 1068	1712	UP7o8yDJjAueu2Y.exe	29
PID 1712 wrote to memory of 1068	1712	UP7o8yDJjAueu2Y.exe	29
PID 1712 wrote to memory of 1068	1712	UP7o8yDJjAueu2Y.exe	29
PID 1068 wrote to memory of 1688	1068	regsvr32.exe	30
PID 1068 wrote to memory of 1688	1068	regsvr32.exe	30
PID 1068 wrote to memory of 1688	1068	regsvr32.exe	30
PID 1068 wrote to memory of 1688	1068	regsvr32.exe	30
PID 1068 wrote to memory of 1688	1068	regsvr32.exe	30
PID 1068 wrote to memory of 1688	1068	regsvr32.exe	30
PID 1068 wrote to memory of 1688	1068	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\8d74e9e4f674da9bfad54dc475673dec35df31b57f1d8b5de08e9c252c8c3538.exe
"C:\Users\Admin\AppData\Local\Temp\8d74e9e4f674da9bfad54dc475673dec35df31b57f1d8b5de08e9c252c8c3538.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\7zS427D.tmp\UP7o8yDJjAueu2Y.exe
  .\UP7o8yDJjAueu2Y.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GeoSaave\e6Hh2RlmvNv2wA.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GeoSaave\e6Hh2RlmvNv2wA.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GeoSaave\e6Hh2RlmvNv2wA.dat

Filesize
6KB

MD5
fa478ff0b1ba9e28e0416516e3bc5d6b

SHA1
dbf38ee479ef36af300954893b723ec9f18dd317

SHA256
ed510ae4c2e83b9309c387c1c44d60efa695b5d1b5463c0ebec8d0604a5fb805

SHA512
3264899611dc0c7c8b8e32b1fdb84c2236e4081b5c192d68f8b9b8a760161c1c26afcc5677abca9c3c8d6a03259512c958a274d380b0a14e676a04d0b14f36ac

Download Submit
C:\Program Files (x86)\GeoSaave\e6Hh2RlmvNv2wA.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS427D.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS427D.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
3db5b807739ac2bb8e973d40a4805a5c

SHA1
a1c8fe1141eec1c151075d7b304325a6147987fb

SHA256
90427a2e73f7b397bbe3dbfa5f1898c31119367ec7d7d9d06b47178fb86e01c1

SHA512
4492328246c9f21b23d1504b1399c8ea04a445fb0949e3dc2cefa583dd8641997000f45b88a903b68c4b1018cf5cac690733b6440cec87adb6afb909c1ef0d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS427D.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
b418120fff5e38894ad8a1491c79c021

SHA1
abdc9ed7dea5c08d9e483ec0f771abf6fe63f0ec

SHA256
13358fcd532874b821c5777e6867ac613a783ce48f2d0dbe3bf04e2038439836

SHA512
3ae015a3c85ac69297109f6ed5b5ada1ef3bb7fd36775d90314c7159aa7f114e7a055ab93b8c51154e3e4e3f26a016bfcedfd7e8e660bf4303359c7a75872e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS427D.tmp\[email protected]\install.rdf

Filesize
595B

MD5
3b35cb4c15badfa06bb8a95f698561d5

SHA1
68a8cb7860b871bf0613dd689c458c076f5ef77d

SHA256
a1b61055c5e7358fea0be9238fe641526b03d1b8a6f21203c10c57410ea26f3b

SHA512
d8dfaf31948c48b7d753ee0df084c14ed4528bffe68aa49b7b956ffb452c9a3785f13daab7c3dcecc829cabc263934618bbc02d12ef9aa9206f54fb4b3315ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS427D.tmp\UP7o8yDJjAueu2Y.dat

Filesize
6KB

MD5
fa478ff0b1ba9e28e0416516e3bc5d6b

SHA1
dbf38ee479ef36af300954893b723ec9f18dd317

SHA256
ed510ae4c2e83b9309c387c1c44d60efa695b5d1b5463c0ebec8d0604a5fb805

SHA512
3264899611dc0c7c8b8e32b1fdb84c2236e4081b5c192d68f8b9b8a760161c1c26afcc5677abca9c3c8d6a03259512c958a274d380b0a14e676a04d0b14f36ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS427D.tmp\UP7o8yDJjAueu2Y.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS427D.tmp\UP7o8yDJjAueu2Y.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS427D.tmp\ckjjkfhkhfolilhmegcifdccoahanegm\background.html

Filesize
138B

MD5
6633372fcb12aa40842ae38a64e5df9b

SHA1
fbca88520834d7c436bdae9f17cc787c58f8000f

SHA256
4c6f87330bdcf6b9a24e30b9483e617aec761a848905881f061483daabd951f3

SHA512
e507cee9cea3be5b325c1d6d9e81a9f89ddf0b86d6efc4a61d65a56b9f66e68a033cec3361f04bf3b39aa6aee5cd57d7f04e4d7d3c54e67135ac8875e5155490

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS427D.tmp\ckjjkfhkhfolilhmegcifdccoahanegm\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS427D.tmp\ckjjkfhkhfolilhmegcifdccoahanegm\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS427D.tmp\ckjjkfhkhfolilhmegcifdccoahanegm\manifest.json

Filesize
500B

MD5
1164c644c1a91452c22139b15578bb79

SHA1
14fddd660a301dd2fc17847865a0b32afc192886

SHA256
74f33e862731afb5891e9545b96084dae64a6ba4e53a57802fe1276f1e13c320

SHA512
c88ba4ab6d04be6a8867890fe363f56c8fc61a2e707caa86e9db77ece4c66e015e86c45fdbeafe521da4856dc86d01d75b7c0aecb2380c5c9cb3d45755a83de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS427D.tmp\ckjjkfhkhfolilhmegcifdccoahanegm\z.js

Filesize
5KB

MD5
d0bfac29a5f294eb86663931e33e03de

SHA1
cdac7670a0247d3a93d2b09f3796281b2eef9c76

SHA256
8a49917fc7db55435f7f063041b897fb475540ece4419b9b880d2ac7f60ca3bb

SHA512
f2ccbb34eccf24b3ffca4b76f596cc88f97bfe669c71b95527a9b13a1384041a3a075c3b0baa28e34a2e3503bd3ef30e0abae7b3a32d5e3d4402d4c476b24ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS427D.tmp\e6Hh2RlmvNv2wA.dll

Filesize
616KB

MD5
ac2bb9f430ee63577e2e658e576fbaa3

SHA1
661dad0abec24f1cd8400e09fd00881d9dd66b02

SHA256
59bb2ef1513927977be1a94a9e7687a92fd078ad343d481ba40edbfbe85e8812

SHA512
f0c2e9c780bcf67147a7c4803ffb292d6b2c4bf0a03f65273a86c6da85c0b5cd1d24d48726d95ed1e5c6b5662b7fcaba65b47bf1e7d906d97c263d2c92285769

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS427D.tmp\e6Hh2RlmvNv2wA.tlb

Filesize
3KB

MD5
52acf269931e562ad7445f7a803bd5e3

SHA1
ef86bb5f96b2bba4c85a73efef5df4a08ab99031

SHA256
bc29a9426767cb54f6f11ea9d457613f858aa0d0e33137ab8ad1f53ff601d8f2

SHA512
545cc433a340e0b6ef70c92ab7854058222bb76385fb4027f1cc174a0baececb48c8e04ea83e9387d2c664505d4dd3799d41512e06c3ec5b4e32d0bf4a84668b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS427D.tmp\e6Hh2RlmvNv2wA.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
\Program Files (x86)\GeoSaave\e6Hh2RlmvNv2wA.dll

Filesize
616KB

MD5
ac2bb9f430ee63577e2e658e576fbaa3

SHA1
661dad0abec24f1cd8400e09fd00881d9dd66b02

SHA256
59bb2ef1513927977be1a94a9e7687a92fd078ad343d481ba40edbfbe85e8812

SHA512
f0c2e9c780bcf67147a7c4803ffb292d6b2c4bf0a03f65273a86c6da85c0b5cd1d24d48726d95ed1e5c6b5662b7fcaba65b47bf1e7d906d97c263d2c92285769

Download Submit
\Program Files (x86)\GeoSaave\e6Hh2RlmvNv2wA.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
\Program Files (x86)\GeoSaave\e6Hh2RlmvNv2wA.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS427D.tmp\UP7o8yDJjAueu2Y.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
memory/1688-78-0x000007FEFC631000-0x000007FEFC633000-memory.dmp

Filesize
8KB

Download
memory/1784-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download