07428f1d8c51e635bc5d8968c601a159431f02cfd4c3f47d06bfef7db01a0996

Analysis

max time kernel
39s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07428f1d8c51e635bc5d8968c601a159431f02cfd4c3f47d06bfef7db01a0996.exe
Size

2.1MB
MD5

04e1fe6413b5c1a92e98958284b3efe1
SHA1

522e834cdf39174c3b0273d9e3abeaabf5c7c7b4
SHA256

07428f1d8c51e635bc5d8968c601a159431f02cfd4c3f47d06bfef7db01a0996
SHA512

0da6b9eaaa8bc91006fc77fb6943a6fe6a89b70c23a13e6971d4f24a3bbbba214cea8ac15026c84bd8d2520f96df1a81372e432c730a66eec9d9662b610aff8b
SSDEEP

49152:h1OsHyuyoY0IKAVWQrQSM5eeHY1h2PlSUQ8PciK:h1OEgoP9oM5LFy

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1568	1zO2VlOH1POMPlr.exe

Loads dropped DLL 4 IoCs

pid	Process
1912	07428f1d8c51e635bc5d8968c601a159431f02cfd4c3f47d06bfef7db01a0996.exe
1568	1zO2VlOH1POMPlr.exe
1264	regsvr32.exe
956	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjecfeecemnejeofbkgbikbdfmllodch\2.0\manifest.json	1zO2VlOH1POMPlr.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjecfeecemnejeofbkgbikbdfmllodch\2.0\manifest.json	1zO2VlOH1POMPlr.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjecfeecemnejeofbkgbikbdfmllodch\2.0\manifest.json	1zO2VlOH1POMPlr.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	1zO2VlOH1POMPlr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	1zO2VlOH1POMPlr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	1zO2VlOH1POMPlr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	1zO2VlOH1POMPlr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	1zO2VlOH1POMPlr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GoSAve\xngKBhxeK8yzxT.x64.dll	1zO2VlOH1POMPlr.exe
File created	C:\Program Files (x86)\GoSAve\xngKBhxeK8yzxT.dll	1zO2VlOH1POMPlr.exe
File opened for modification	C:\Program Files (x86)\GoSAve\xngKBhxeK8yzxT.dll	1zO2VlOH1POMPlr.exe
File created	C:\Program Files (x86)\GoSAve\xngKBhxeK8yzxT.tlb	1zO2VlOH1POMPlr.exe
File opened for modification	C:\Program Files (x86)\GoSAve\xngKBhxeK8yzxT.tlb	1zO2VlOH1POMPlr.exe
File created	C:\Program Files (x86)\GoSAve\xngKBhxeK8yzxT.dat	1zO2VlOH1POMPlr.exe
File opened for modification	C:\Program Files (x86)\GoSAve\xngKBhxeK8yzxT.dat	1zO2VlOH1POMPlr.exe
File created	C:\Program Files (x86)\GoSAve\xngKBhxeK8yzxT.x64.dll	1zO2VlOH1POMPlr.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1568	1912	07428f1d8c51e635bc5d8968c601a159431f02cfd4c3f47d06bfef7db01a0996.exe	28
PID 1912 wrote to memory of 1568	1912	07428f1d8c51e635bc5d8968c601a159431f02cfd4c3f47d06bfef7db01a0996.exe	28
PID 1912 wrote to memory of 1568	1912	07428f1d8c51e635bc5d8968c601a159431f02cfd4c3f47d06bfef7db01a0996.exe	28
PID 1912 wrote to memory of 1568	1912	07428f1d8c51e635bc5d8968c601a159431f02cfd4c3f47d06bfef7db01a0996.exe	28
PID 1568 wrote to memory of 1264	1568	1zO2VlOH1POMPlr.exe	29
PID 1568 wrote to memory of 1264	1568	1zO2VlOH1POMPlr.exe	29
PID 1568 wrote to memory of 1264	1568	1zO2VlOH1POMPlr.exe	29
PID 1568 wrote to memory of 1264	1568	1zO2VlOH1POMPlr.exe	29
PID 1568 wrote to memory of 1264	1568	1zO2VlOH1POMPlr.exe	29
PID 1568 wrote to memory of 1264	1568	1zO2VlOH1POMPlr.exe	29
PID 1568 wrote to memory of 1264	1568	1zO2VlOH1POMPlr.exe	29
PID 1264 wrote to memory of 956	1264	regsvr32.exe	30
PID 1264 wrote to memory of 956	1264	regsvr32.exe	30
PID 1264 wrote to memory of 956	1264	regsvr32.exe	30
PID 1264 wrote to memory of 956	1264	regsvr32.exe	30
PID 1264 wrote to memory of 956	1264	regsvr32.exe	30
PID 1264 wrote to memory of 956	1264	regsvr32.exe	30
PID 1264 wrote to memory of 956	1264	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\07428f1d8c51e635bc5d8968c601a159431f02cfd4c3f47d06bfef7db01a0996.exe
"C:\Users\Admin\AppData\Local\Temp\07428f1d8c51e635bc5d8968c601a159431f02cfd4c3f47d06bfef7db01a0996.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Local\Temp\7zS7FFA.tmp\1zO2VlOH1POMPlr.exe
  .\1zO2VlOH1POMPlr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSAve\xngKBhxeK8yzxT.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSAve\xngKBhxeK8yzxT.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSAve\xngKBhxeK8yzxT.dat

Filesize
6KB

MD5
1aa23c00473278f0c82cefc46ffdb01d

SHA1
465852496c579bc3f7b667ac8b964433a1368fdc

SHA256
c9a0c695f59d78539caebdf0f2d5fc8c499c12b7cbbb9c78f0a04cc91dd1967c

SHA512
01667475ab20ed495fba83c7af78dad65e71ac469c984441d7a3695da86e43050646eb6f28fc6890004a3906244f1904fbaf24da68c2dbfed0ba68131dd3325d

Download Submit
C:\Program Files (x86)\GoSAve\xngKBhxeK8yzxT.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FFA.tmp\1zO2VlOH1POMPlr.dat

Filesize
6KB

MD5
1aa23c00473278f0c82cefc46ffdb01d

SHA1
465852496c579bc3f7b667ac8b964433a1368fdc

SHA256
c9a0c695f59d78539caebdf0f2d5fc8c499c12b7cbbb9c78f0a04cc91dd1967c

SHA512
01667475ab20ed495fba83c7af78dad65e71ac469c984441d7a3695da86e43050646eb6f28fc6890004a3906244f1904fbaf24da68c2dbfed0ba68131dd3325d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FFA.tmp\1zO2VlOH1POMPlr.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FFA.tmp\1zO2VlOH1POMPlr.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FFA.tmp\hjecfeecemnejeofbkgbikbdfmllodch\Gu0gYHJYsL.js

Filesize
5KB

MD5
dc686140f3ab40347c56425bbbd78e2a

SHA1
8349695a51ec2fabb40554c030c6ae35ff1e1f20

SHA256
6ef1a2ec85d67e717f56eeec003ae08dbb46ef36fbb6ea5befb35cd3aa6cbff6

SHA512
58f7ac5fb2088e902f1b5c6f4e1614c1824307835bcf91ff7fb027a985c36f4462886996ef7586befc3db934c90fc372be364f0c61a9e64218a34acc69e05355

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FFA.tmp\hjecfeecemnejeofbkgbikbdfmllodch\background.html

Filesize
147B

MD5
307dbd47975897cf5dc85a1503cbdff8

SHA1
8380e670408a867d755752270e090a87623f9572

SHA256
aff318f1270a602d994701f324027e17f8f52d79bc5152ef252b8464c769e54f

SHA512
97719b8240588c496632967a2e7c41a83b72cda3e94bc9773adc9a3cb102fd9d554bde1bde228876996aa3be72c46db85a122d82d2e381e276d1535399d14aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FFA.tmp\hjecfeecemnejeofbkgbikbdfmllodch\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FFA.tmp\hjecfeecemnejeofbkgbikbdfmllodch\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FFA.tmp\hjecfeecemnejeofbkgbikbdfmllodch\manifest.json

Filesize
498B

MD5
5d8b560f900f00e62aa129f1fd677989

SHA1
50d03404e935374cada2779f89c33c096ce6fb80

SHA256
9427cc79b9bd56a0ce543ab1cbb63264be500e5596b91a387afa5b7bebabcca2

SHA512
3ed280bd8c5b377df319c09069efc8f17a873bc0cba878a835b1f61eb684594741538735ff6e43feb938778859aa19b4f9ce5cbaccdca0db1b4b54d6400cb7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FFA.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FFA.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
8ad1633820cdcb1b9ef81ecbba74f01e

SHA1
9ce9c1079515fa2a45dc5e6522cf2f9d8c723306

SHA256
460e4a4580209ba484107ffd217551a594e9ba68382988c208caf0a47bd13288

SHA512
732d28b2e776a3104e83840429e0a10acf867ce7b9d497297538d6691b6211d404e610972924cc0fb76c6ef635abd3a285ffebe36f3c398c3ebae7f6c8f12e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FFA.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
215bce3d9901c370baf7bb2db72d91a7

SHA1
f9fc458dcc8296c192fd5fafc3815fdbbce6284b

SHA256
bdfb2d64ea6879ace98e746efec280cafefcb86d6985ecd8dbb2b71787107b1c

SHA512
c51e1fdc95f3386c6757d2fd36ae9a20aaa2c34ff3c5414eead420cc7d8145d0a0ab756fdec0dc4b15d3611808fc8b4e59a64e28cc3b55c48dd01bf010b5b35c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FFA.tmp\[email protected]\install.rdf

Filesize
593B

MD5
23a14b3446fbd898a0fd1eb2dfbdc54c

SHA1
c0d312d887f28351397241fc925501b6d3522f70

SHA256
ec997b17a19dd668627682bed46d5fc048b9af7cdea350e7f2e99a87cf5d5053

SHA512
0bfb228eec1b4cd7c087b8e06f88b9c53b06852e80a5bed78738b2dc7011417e2bd105cd3014bb6f7fb70f9d6b1ca0b8025a173922e7ed0cd77459436d1f2693

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FFA.tmp\xngKBhxeK8yzxT.dll

Filesize
616KB

MD5
ac2bb9f430ee63577e2e658e576fbaa3

SHA1
661dad0abec24f1cd8400e09fd00881d9dd66b02

SHA256
59bb2ef1513927977be1a94a9e7687a92fd078ad343d481ba40edbfbe85e8812

SHA512
f0c2e9c780bcf67147a7c4803ffb292d6b2c4bf0a03f65273a86c6da85c0b5cd1d24d48726d95ed1e5c6b5662b7fcaba65b47bf1e7d906d97c263d2c92285769

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FFA.tmp\xngKBhxeK8yzxT.tlb

Filesize
3KB

MD5
52acf269931e562ad7445f7a803bd5e3

SHA1
ef86bb5f96b2bba4c85a73efef5df4a08ab99031

SHA256
bc29a9426767cb54f6f11ea9d457613f858aa0d0e33137ab8ad1f53ff601d8f2

SHA512
545cc433a340e0b6ef70c92ab7854058222bb76385fb4027f1cc174a0baececb48c8e04ea83e9387d2c664505d4dd3799d41512e06c3ec5b4e32d0bf4a84668b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7FFA.tmp\xngKBhxeK8yzxT.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
\Program Files (x86)\GoSAve\xngKBhxeK8yzxT.dll

Filesize
616KB

MD5
ac2bb9f430ee63577e2e658e576fbaa3

SHA1
661dad0abec24f1cd8400e09fd00881d9dd66b02

SHA256
59bb2ef1513927977be1a94a9e7687a92fd078ad343d481ba40edbfbe85e8812

SHA512
f0c2e9c780bcf67147a7c4803ffb292d6b2c4bf0a03f65273a86c6da85c0b5cd1d24d48726d95ed1e5c6b5662b7fcaba65b47bf1e7d906d97c263d2c92285769

Download Submit
\Program Files (x86)\GoSAve\xngKBhxeK8yzxT.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
\Program Files (x86)\GoSAve\xngKBhxeK8yzxT.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7FFA.tmp\1zO2VlOH1POMPlr.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
memory/956-78-0x000007FEFB831000-0x000007FEFB833000-memory.dmp

Filesize
8KB

Download
memory/1912-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download