39b2fbb0509e4a62013111d16358d7d6c3f06b2466b0c80354e0dfa54bc9569c

Analysis

max time kernel
67s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 15:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

39b2fbb0509e4a62013111d16358d7d6c3f06b2466b0c80354e0dfa54bc9569c.exe
Size

2.1MB
MD5

5529ad8afa5ffa173ab9c433772d7d8f
SHA1

0fe8a40b5a4b6c5d9f1d13cb6fd4aab72b00058c
SHA256

39b2fbb0509e4a62013111d16358d7d6c3f06b2466b0c80354e0dfa54bc9569c
SHA512

95792ddadb518951e8bca0529bcee0ce8ea8f7fe0de4e48559cd655eca2b0cd0df959d5ed5af08672359a14b66e3c319945ff764bf7843d8fa4081c8b46f1931
SSDEEP

24576:h1OYdaOxidvpcWU0nkjpTu1aiwB+JtP2ItjRwcOHx0pFz8rrqbk8250uj5rc6bJi:h1OsW5/nkFTZaPPRwTR0ptyI2q8jbJGL

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1400	uVDaE2Zf95JCe4j.exe

Loads dropped DLL 3 IoCs

pid	Process
1400	uVDaE2Zf95JCe4j.exe
1628	regsvr32.exe
2664	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbchekhppdkcbdfbpgmdcigijakjnlfb\2.0\manifest.json	uVDaE2Zf95JCe4j.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbchekhppdkcbdfbpgmdcigijakjnlfb\2.0\manifest.json	uVDaE2Zf95JCe4j.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbchekhppdkcbdfbpgmdcigijakjnlfb\2.0\manifest.json	uVDaE2Zf95JCe4j.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbchekhppdkcbdfbpgmdcigijakjnlfb\2.0\manifest.json	uVDaE2Zf95JCe4j.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbchekhppdkcbdfbpgmdcigijakjnlfb\2.0\manifest.json	uVDaE2Zf95JCe4j.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	uVDaE2Zf95JCe4j.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	uVDaE2Zf95JCe4j.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	uVDaE2Zf95JCe4j.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	uVDaE2Zf95JCe4j.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GoSAive\uPemNUMgpw96vi.x64.dll	uVDaE2Zf95JCe4j.exe
File created	C:\Program Files (x86)\GoSAive\uPemNUMgpw96vi.dll	uVDaE2Zf95JCe4j.exe
File opened for modification	C:\Program Files (x86)\GoSAive\uPemNUMgpw96vi.dll	uVDaE2Zf95JCe4j.exe
File created	C:\Program Files (x86)\GoSAive\uPemNUMgpw96vi.tlb	uVDaE2Zf95JCe4j.exe
File opened for modification	C:\Program Files (x86)\GoSAive\uPemNUMgpw96vi.tlb	uVDaE2Zf95JCe4j.exe
File created	C:\Program Files (x86)\GoSAive\uPemNUMgpw96vi.dat	uVDaE2Zf95JCe4j.exe
File opened for modification	C:\Program Files (x86)\GoSAive\uPemNUMgpw96vi.dat	uVDaE2Zf95JCe4j.exe
File created	C:\Program Files (x86)\GoSAive\uPemNUMgpw96vi.x64.dll	uVDaE2Zf95JCe4j.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 1400	3260	39b2fbb0509e4a62013111d16358d7d6c3f06b2466b0c80354e0dfa54bc9569c.exe	80
PID 3260 wrote to memory of 1400	3260	39b2fbb0509e4a62013111d16358d7d6c3f06b2466b0c80354e0dfa54bc9569c.exe	80
PID 3260 wrote to memory of 1400	3260	39b2fbb0509e4a62013111d16358d7d6c3f06b2466b0c80354e0dfa54bc9569c.exe	80
PID 1400 wrote to memory of 1628	1400	uVDaE2Zf95JCe4j.exe	81
PID 1400 wrote to memory of 1628	1400	uVDaE2Zf95JCe4j.exe	81
PID 1400 wrote to memory of 1628	1400	uVDaE2Zf95JCe4j.exe	81
PID 1628 wrote to memory of 2664	1628	regsvr32.exe	82
PID 1628 wrote to memory of 2664	1628	regsvr32.exe	82

C:\Users\Admin\AppData\Local\Temp\39b2fbb0509e4a62013111d16358d7d6c3f06b2466b0c80354e0dfa54bc9569c.exe
"C:\Users\Admin\AppData\Local\Temp\39b2fbb0509e4a62013111d16358d7d6c3f06b2466b0c80354e0dfa54bc9569c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Users\Admin\AppData\Local\Temp\7zSEE5C.tmp\uVDaE2Zf95JCe4j.exe
  .\uVDaE2Zf95JCe4j.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSAive\uPemNUMgpw96vi.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSAive\uPemNUMgpw96vi.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:2664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSAive\uPemNUMgpw96vi.dat

Filesize
6KB

MD5
aeaa2acfcfb5a7633d1dfa451d80b23f

SHA1
92acf3943ae71609787db48fdd7e4163e161dfee

SHA256
a299d15fa12542e50ac1d1bd0fd94310bb7ae678c1718894cc2f0d3ba51334b9

SHA512
f3a71fac983bd1ec5f1b78577e3c1c825a2565d430c6b038518a460c650bd7acf85eceb3b096b1ed41b6c2314919b07842e8eeab58020b45257decefc61e5f0b

Download Submit
C:\Program Files (x86)\GoSAive\uPemNUMgpw96vi.dll

Filesize
608KB

MD5
0a8d35bd724d803984bb64ae91deb8b5

SHA1
1d2a0e9db9278fde2d2aab979036671f2985c4be

SHA256
a44498519e643c24d57943cdf34d8ced80fce043a370c29def1a0f7388dde3a2

SHA512
9c3a21f75c5598976ef5896eca7e21a7f8d86f5948756e07f16f3528384c7dbe54cdaedd6d07bfdafb165d9a570d12db1ec3b20e74ca0d9cb944e1cfa85e5934

Download Submit
C:\Program Files (x86)\GoSAive\uPemNUMgpw96vi.x64.dll

Filesize
687KB

MD5
eb9b79bcb3041dad9754753cb8290dfa

SHA1
9ef9446b24e067c4ccf2b750f15adbdd5d748a55

SHA256
14338baeee3f7acff67d3aba587e71991022bac28da4f2763f5b9eda6f681bd6

SHA512
52fec043c6d2025268963790990fad7cec2ef384a778f4ad3e1cd75eaf75efef0a70b497f0e30b7c792d14903d5a4950fd4ab4f956301272641c65f2cd888f43

Download Submit
C:\Program Files (x86)\GoSAive\uPemNUMgpw96vi.x64.dll

Filesize
687KB

MD5
eb9b79bcb3041dad9754753cb8290dfa

SHA1
9ef9446b24e067c4ccf2b750f15adbdd5d748a55

SHA256
14338baeee3f7acff67d3aba587e71991022bac28da4f2763f5b9eda6f681bd6

SHA512
52fec043c6d2025268963790990fad7cec2ef384a778f4ad3e1cd75eaf75efef0a70b497f0e30b7c792d14903d5a4950fd4ab4f956301272641c65f2cd888f43

Download Submit
C:\Program Files (x86)\GoSAive\uPemNUMgpw96vi.x64.dll

Filesize
687KB

MD5
eb9b79bcb3041dad9754753cb8290dfa

SHA1
9ef9446b24e067c4ccf2b750f15adbdd5d748a55

SHA256
14338baeee3f7acff67d3aba587e71991022bac28da4f2763f5b9eda6f681bd6

SHA512
52fec043c6d2025268963790990fad7cec2ef384a778f4ad3e1cd75eaf75efef0a70b497f0e30b7c792d14903d5a4950fd4ab4f956301272641c65f2cd888f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEE5C.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEE5C.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
a83f965769c2ca3b6abffc8fc4a86935

SHA1
07fb00c2bf67e63ae2484eba72f378f11e74d1eb

SHA256
ce4dcbbcb7741fb9f186bcbea7cfd7eaf98172726ab8e1b36a43abf2001d8627

SHA512
cf92db075fbf5ae4d79d4931502f749f815b280ff106dd7563ffca4e7eceb7d0cc0a8128db0ffcf8b8390a95b6a3e4c4d5c6f4daa5544bf696163a4852bc866c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEE5C.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
b4174760b0dfd3b12c2fe6ab6015784c

SHA1
d7495624598f404e6d388d00fd1fb07ca74bbea0

SHA256
773def90704bf75b75ff7f9a88f46c824949ac60d1c91a033e8dba0a2c2c8196

SHA512
c4cb2cb419b3ad2944b588845328b5310a395fc631e27b086eceb7aa6c5cfcdb68f5bbf569ee889c2027ff4675339b10b211b5bd76e30eedb1ced3a71d2d23a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEE5C.tmp\[email protected]\install.rdf

Filesize
594B

MD5
8d21df8a76d6463422989c746e4464d7

SHA1
8ddb0d7bca83922ef4a126525109072923e85253

SHA256
abcd46f9fcd206639dc828052bff838fc81d3b1987ae7035868685ce6f010a6d

SHA512
f8c513766312a891d71a544952cc4adb848fffd64dd9268234633678a984c57f6cef7a170951261251bf037d1e35fcabde0b63b7be3f4ef4e531a1fbed4e81ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEE5C.tmp\hbchekhppdkcbdfbpgmdcigijakjnlfb\background.html

Filesize
146B

MD5
80f557edd25fe956c331e2d0987c79c3

SHA1
373bf3f1ff94cb5243a01653a4d4d66580cf2e7f

SHA256
3e16e796ed90c6ce30cb2ed9db92c96fde288782c11f94649ce7011364561867

SHA512
b39d091151dc57cea9c67fc09e53ddabe81e77a095b7ba23c16c1367677222a2971eee53d3dd810ec6170307ac0ddae17fb2ba7aadfd5c511757f4a79dddbc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEE5C.tmp\hbchekhppdkcbdfbpgmdcigijakjnlfb\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEE5C.tmp\hbchekhppdkcbdfbpgmdcigijakjnlfb\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEE5C.tmp\hbchekhppdkcbdfbpgmdcigijakjnlfb\manifest.json

Filesize
499B

MD5
2ff885cba81736703bc47f59c12c0af1

SHA1
3b27c6534b5509ac4f638964af434f6498ea82da

SHA256
a23436ba46db6c0c108177a3f7a6ee5bc1544f146a9f7ad00731debacb7fd790

SHA512
f8ec92b60f506c424d18fdf901984e193649095152bed85aa529d5920105d7e3df2730b4677f24f8ecd1b7bc01e1ed4fa8cfd5e31a315d11e5a1b69e7035c27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEE5C.tmp\hbchekhppdkcbdfbpgmdcigijakjnlfb\y7goO6dZd.js

Filesize
5KB

MD5
b38c7d25c92a2bddf851224d643ca7df

SHA1
b243da637467851802a7d46cee49e37eacab71ff

SHA256
cd7d277789e8cedee945740027511076c59a1f36c6cd339d15529450c3b52c39

SHA512
9f8c77f90db301d6cebe99a4b65c10c9de1183c3242133ff6bc6d0d3d879b77cf7cf7cdb43c88e6cecf07d8b663da9793227a9ac72bc877467cffb8f03505280

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEE5C.tmp\uPemNUMgpw96vi.dll

Filesize
608KB

MD5
0a8d35bd724d803984bb64ae91deb8b5

SHA1
1d2a0e9db9278fde2d2aab979036671f2985c4be

SHA256
a44498519e643c24d57943cdf34d8ced80fce043a370c29def1a0f7388dde3a2

SHA512
9c3a21f75c5598976ef5896eca7e21a7f8d86f5948756e07f16f3528384c7dbe54cdaedd6d07bfdafb165d9a570d12db1ec3b20e74ca0d9cb944e1cfa85e5934

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEE5C.tmp\uPemNUMgpw96vi.tlb

Filesize
3KB

MD5
825074f7df4e6542c682e2529c7c2bc8

SHA1
0c11e0abe3bd3bfd0edaa4a9e79c65cf165ca7ed

SHA256
cf76185e63bf7b048aaccabe85522f4bbf987cd159e93dc7e8ee3f13312e101e

SHA512
d249ba8d1f5940dcdd745f13e9ead69469cf8c547561a06bcc443c20b1a62fce799e59dc59fc5d07d312836bbeed1c85a9abc943210d328c7605b502a520d44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEE5C.tmp\uPemNUMgpw96vi.x64.dll

Filesize
687KB

MD5
eb9b79bcb3041dad9754753cb8290dfa

SHA1
9ef9446b24e067c4ccf2b750f15adbdd5d748a55

SHA256
14338baeee3f7acff67d3aba587e71991022bac28da4f2763f5b9eda6f681bd6

SHA512
52fec043c6d2025268963790990fad7cec2ef384a778f4ad3e1cd75eaf75efef0a70b497f0e30b7c792d14903d5a4950fd4ab4f956301272641c65f2cd888f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEE5C.tmp\uVDaE2Zf95JCe4j.dat

Filesize
6KB

MD5
aeaa2acfcfb5a7633d1dfa451d80b23f

SHA1
92acf3943ae71609787db48fdd7e4163e161dfee

SHA256
a299d15fa12542e50ac1d1bd0fd94310bb7ae678c1718894cc2f0d3ba51334b9

SHA512
f3a71fac983bd1ec5f1b78577e3c1c825a2565d430c6b038518a460c650bd7acf85eceb3b096b1ed41b6c2314919b07842e8eeab58020b45257decefc61e5f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEE5C.tmp\uVDaE2Zf95JCe4j.exe

Filesize
643KB

MD5
239a80538887713f0d8471057f55e170

SHA1
4df6ef79bd07d962cc09c1279248af034fd22d03

SHA256
0ced38390b12b12a9aaec52a2ad8664e603c825abb318e5b743aed8a09afab78

SHA512
7b8c6f8270e2d7a2501e9eb11af4905d299c5e5dc3bd3b5bf8073cb22fd5677401ed2dd748d6ae0560be988bce257ca92ec19aa7b78740aa5ec53d98cf4936aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEE5C.tmp\uVDaE2Zf95JCe4j.exe

Filesize
643KB

MD5
239a80538887713f0d8471057f55e170

SHA1
4df6ef79bd07d962cc09c1279248af034fd22d03

SHA256
0ced38390b12b12a9aaec52a2ad8664e603c825abb318e5b743aed8a09afab78

SHA512
7b8c6f8270e2d7a2501e9eb11af4905d299c5e5dc3bd3b5bf8073cb22fd5677401ed2dd748d6ae0560be988bce257ca92ec19aa7b78740aa5ec53d98cf4936aa

Download Submit