33477316e7d6dcf620b90296fd5710480c82dfd1445afb3029737b68c9a37da9

Analysis

max time kernel
43s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33477316e7d6dcf620b90296fd5710480c82dfd1445afb3029737b68c9a37da9.exe
Size

2.1MB
MD5

dc95a730e2075fe709dd5d3f134500b4
SHA1

5c25100da83ddb1b9d91c02ab12460142811f1dc
SHA256

33477316e7d6dcf620b90296fd5710480c82dfd1445afb3029737b68c9a37da9
SHA512

fbb01739b5d2a6460162bd4b9c9c0c14709f1770a945dff83c819cc6c396b200a81ca90831afdc935593157453002a81872f116b8fc0e86ed3233907874e04a0
SSDEEP

24576:h1OYdaOuzoi5Fm2qmA+L4zKWQt0moNdqNFSj8y0j9jtaJB5ZuUUr2YGnEQ/VfVx:h1OsgmLmVJWQt0mozqW78bSVfVx

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1760	0OGQBKkVXgl5hNR.exe

Loads dropped DLL 4 IoCs

pid	Process
1896	33477316e7d6dcf620b90296fd5710480c82dfd1445afb3029737b68c9a37da9.exe
1760	0OGQBKkVXgl5hNR.exe
1348	regsvr32.exe
1744	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cflbfhffdophdkeghdjkojibhibedelm\2.0\manifest.json	0OGQBKkVXgl5hNR.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cflbfhffdophdkeghdjkojibhibedelm\2.0\manifest.json	0OGQBKkVXgl5hNR.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\cflbfhffdophdkeghdjkojibhibedelm\2.0\manifest.json	0OGQBKkVXgl5hNR.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	0OGQBKkVXgl5hNR.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	0OGQBKkVXgl5hNR.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	0OGQBKkVXgl5hNR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	0OGQBKkVXgl5hNR.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	0OGQBKkVXgl5hNR.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoSave\6WGLPVXpA3mDpP.dll	0OGQBKkVXgl5hNR.exe
File opened for modification	C:\Program Files (x86)\GoSave\6WGLPVXpA3mDpP.dll	0OGQBKkVXgl5hNR.exe
File created	C:\Program Files (x86)\GoSave\6WGLPVXpA3mDpP.tlb	0OGQBKkVXgl5hNR.exe
File opened for modification	C:\Program Files (x86)\GoSave\6WGLPVXpA3mDpP.tlb	0OGQBKkVXgl5hNR.exe
File created	C:\Program Files (x86)\GoSave\6WGLPVXpA3mDpP.dat	0OGQBKkVXgl5hNR.exe
File opened for modification	C:\Program Files (x86)\GoSave\6WGLPVXpA3mDpP.dat	0OGQBKkVXgl5hNR.exe
File created	C:\Program Files (x86)\GoSave\6WGLPVXpA3mDpP.x64.dll	0OGQBKkVXgl5hNR.exe
File opened for modification	C:\Program Files (x86)\GoSave\6WGLPVXpA3mDpP.x64.dll	0OGQBKkVXgl5hNR.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1760	0OGQBKkVXgl5hNR.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1760	1896	33477316e7d6dcf620b90296fd5710480c82dfd1445afb3029737b68c9a37da9.exe	28
PID 1896 wrote to memory of 1760	1896	33477316e7d6dcf620b90296fd5710480c82dfd1445afb3029737b68c9a37da9.exe	28
PID 1896 wrote to memory of 1760	1896	33477316e7d6dcf620b90296fd5710480c82dfd1445afb3029737b68c9a37da9.exe	28
PID 1896 wrote to memory of 1760	1896	33477316e7d6dcf620b90296fd5710480c82dfd1445afb3029737b68c9a37da9.exe	28
PID 1760 wrote to memory of 1348	1760	0OGQBKkVXgl5hNR.exe	29
PID 1760 wrote to memory of 1348	1760	0OGQBKkVXgl5hNR.exe	29
PID 1760 wrote to memory of 1348	1760	0OGQBKkVXgl5hNR.exe	29
PID 1760 wrote to memory of 1348	1760	0OGQBKkVXgl5hNR.exe	29
PID 1760 wrote to memory of 1348	1760	0OGQBKkVXgl5hNR.exe	29
PID 1760 wrote to memory of 1348	1760	0OGQBKkVXgl5hNR.exe	29
PID 1760 wrote to memory of 1348	1760	0OGQBKkVXgl5hNR.exe	29
PID 1348 wrote to memory of 1744	1348	regsvr32.exe	30
PID 1348 wrote to memory of 1744	1348	regsvr32.exe	30
PID 1348 wrote to memory of 1744	1348	regsvr32.exe	30
PID 1348 wrote to memory of 1744	1348	regsvr32.exe	30
PID 1348 wrote to memory of 1744	1348	regsvr32.exe	30
PID 1348 wrote to memory of 1744	1348	regsvr32.exe	30
PID 1348 wrote to memory of 1744	1348	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\33477316e7d6dcf620b90296fd5710480c82dfd1445afb3029737b68c9a37da9.exe
"C:\Users\Admin\AppData\Local\Temp\33477316e7d6dcf620b90296fd5710480c82dfd1445afb3029737b68c9a37da9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Local\Temp\7zSF00A.tmp\0OGQBKkVXgl5hNR.exe
  .\0OGQBKkVXgl5hNR.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSave\6WGLPVXpA3mDpP.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSave\6WGLPVXpA3mDpP.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\6WGLPVXpA3mDpP.dat

Filesize
5KB

MD5
5c28c200c0db5f9e7718750177a1afb3

SHA1
ea2836b55eba8253cc9d7ecad5b8f4dad2245f32

SHA256
9e14f77a2eac2782dd8bde7bb2ff491c0bebdd0124be9f7b326788708de13517

SHA512
3fa284f6bfd3804fcdcaa464e96605dff400b6cce1ab4949cf76882f681a10c475e1fbfd358cbd57a86c9db2496ccbc7ea14e57130c1c0df3d0c90c76bf678b9

Download Submit
C:\Program Files (x86)\GoSave\6WGLPVXpA3mDpP.x64.dll

Filesize
711KB

MD5
8029d3733e6148ef569ae3fb2f27a205

SHA1
61b763a7ee5893f8a0a8e0a0c291453361c31702

SHA256
6cedfeedf3965d9c9f4a9abf117cde7021368f3dba113d5caddc888d2bc090d6

SHA512
535fd23dd28be5a7d99d9269f3344dbf3e47ff2f4c47778ff9db196ade92bdcb28efd8a463603b82332e5f7c6938eaabd2a3dae5258b5c61fa7fa283bc074456

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00A.tmp\0OGQBKkVXgl5hNR.dat

Filesize
5KB

MD5
5c28c200c0db5f9e7718750177a1afb3

SHA1
ea2836b55eba8253cc9d7ecad5b8f4dad2245f32

SHA256
9e14f77a2eac2782dd8bde7bb2ff491c0bebdd0124be9f7b326788708de13517

SHA512
3fa284f6bfd3804fcdcaa464e96605dff400b6cce1ab4949cf76882f681a10c475e1fbfd358cbd57a86c9db2496ccbc7ea14e57130c1c0df3d0c90c76bf678b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00A.tmp\0OGQBKkVXgl5hNR.exe

Filesize
627KB

MD5
f172b0682fca8eb1e5c8dde6b837e387

SHA1
06561c1d33f425af65373cfd7752681edd356890

SHA256
ca605e3f7654066bb6023bdaba995345e78ff8e25b3c5948ade4e37b8c57500e

SHA512
0d5b3c18c412d9c4372b1e404ed2fe6b4a03a93cc8f21eae7b7596463d44cd8eec8dea8146c9727011063a8a31bc08b158604dedc9a728643330b08aaa9b6012

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00A.tmp\0OGQBKkVXgl5hNR.exe

Filesize
627KB

MD5
f172b0682fca8eb1e5c8dde6b837e387

SHA1
06561c1d33f425af65373cfd7752681edd356890

SHA256
ca605e3f7654066bb6023bdaba995345e78ff8e25b3c5948ade4e37b8c57500e

SHA512
0d5b3c18c412d9c4372b1e404ed2fe6b4a03a93cc8f21eae7b7596463d44cd8eec8dea8146c9727011063a8a31bc08b158604dedc9a728643330b08aaa9b6012

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00A.tmp\6WGLPVXpA3mDpP.dll

Filesize
627KB

MD5
ef0e781558e928c2959189bfd10fb730

SHA1
48231fa33eeb062e3e610c442bd5065a2f452ca6

SHA256
b9e3d582ec3ff1cdb0bca396cfa19a66469a8b05576bf6af51b12d91b2b64586

SHA512
679f07f56c98c800336ed312672dde579c3c17c6ae78e5a3df1b160d872ce2234426bbc3f144a2c0336c1e95cc6de6da466b5f579229748a39b7a3a0e4a6e802

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00A.tmp\6WGLPVXpA3mDpP.tlb

Filesize
3KB

MD5
ca7a16e39808f225fbd1abd72fdf15b2

SHA1
a256de866b7b53a8124c487a496bfc5c31d83998

SHA256
b85b955b7f1a0de04289a427bc1fef945c9c203a1c5715b1fdd7b2703b424260

SHA512
b534df49d91f5e68961d3aecd44a0ef404244b7e7ff7bca5a9cb910f1de366272ba34a4a11bf4c691ee4d8f0f155a6f4f2b57781ecbea6cc4646d32907a1afcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00A.tmp\6WGLPVXpA3mDpP.x64.dll

Filesize
711KB

MD5
8029d3733e6148ef569ae3fb2f27a205

SHA1
61b763a7ee5893f8a0a8e0a0c291453361c31702

SHA256
6cedfeedf3965d9c9f4a9abf117cde7021368f3dba113d5caddc888d2bc090d6

SHA512
535fd23dd28be5a7d99d9269f3344dbf3e47ff2f4c47778ff9db196ade92bdcb28efd8a463603b82332e5f7c6938eaabd2a3dae5258b5c61fa7fa283bc074456

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00A.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00A.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
29a1141ec7b40859235e07bf8be7784e

SHA1
bc39f084a47f434833f3ee05b8b0fc55d28fa282

SHA256
e50d2b6f888aaade21de5d816326057181c7f762787e57aa0d9802356e82e1f8

SHA512
2c83ce022ae0f213b9cbbb025a9468eac69919c5dea6fac041e2ae515ba5f563e404fe6d483cac21130868093d1b751a35af69fc4736ad970e2a99842e1a0e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00A.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
145eaa747f03e3e65a03065ee9c7c478

SHA1
bfd303ddbcc15e5e817d3627ee6679839afc985a

SHA256
b86a5b8dbe07a0c1e8eb599b0f7bd4c58a916fcc733af788392e1024c0bce72d

SHA512
eebf07c38b5deb6147088770c0f4295263eddc9c621ae85198458e5bec11524ca6876c9731663ec5ee71771ebbe3bf9cf19a28bea7bc2c351c06a87da670d267

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00A.tmp\[email protected]\install.rdf

Filesize
592B

MD5
c72f59460184916e954aea801898842b

SHA1
fe8bd63bdd417072442bf1d563a73efbafd1ae27

SHA256
bbe7fd4af4c401fc167b76f0e8592faf1c9332dada0cb9cbc252f8d45c0809a4

SHA512
493dc5421c47584b29984ada02f7904ecabf4d5950f4e601db0b82fedbc7b341108d176f89217619de46bc2ea63737f207a9c462d322b04cc30fadb4f4483a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00A.tmp\cflbfhffdophdkeghdjkojibhibedelm\background.html

Filesize
144B

MD5
f074342c20212083eef6e9d4a00331eb

SHA1
101eeac63955be86010e5db48051e71833ccb671

SHA256
38a686eadec853b198164fad5ceaed81da868b6dd49002ad670d3ba499d2e1cc

SHA512
a022f68563d4c565ba2ac2f37865d48d1c68a74e1fb28a92f9b3140cf4538d312ab55a8876fcfbd3a12ed0592da1509c601c4d17d1327792e69e3061a8f4c82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00A.tmp\cflbfhffdophdkeghdjkojibhibedelm\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00A.tmp\cflbfhffdophdkeghdjkojibhibedelm\fKADB29.js

Filesize
5KB

MD5
eaa63235820c5ea7f17438d56638dfc6

SHA1
c2805ad537bcbeea2f3f5ad894d43bd0b7e220d9

SHA256
1c8ecc977d43f8ca49a4bcd0ce496709c95d1c1a75156ab9acaf3a5539c03bab

SHA512
a4ec9ecfbd079bbca8ccc689cd002cfc00c62c89cfc76189ce83f1216b899c1bc6ebe808bef3670945cb091422eeb4fdad3c6ed8f3c61212d9bf715d4cbcd78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00A.tmp\cflbfhffdophdkeghdjkojibhibedelm\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00A.tmp\cflbfhffdophdkeghdjkojibhibedelm\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
\Program Files (x86)\GoSave\6WGLPVXpA3mDpP.dll

Filesize
627KB

MD5
ef0e781558e928c2959189bfd10fb730

SHA1
48231fa33eeb062e3e610c442bd5065a2f452ca6

SHA256
b9e3d582ec3ff1cdb0bca396cfa19a66469a8b05576bf6af51b12d91b2b64586

SHA512
679f07f56c98c800336ed312672dde579c3c17c6ae78e5a3df1b160d872ce2234426bbc3f144a2c0336c1e95cc6de6da466b5f579229748a39b7a3a0e4a6e802

Download Submit
\Program Files (x86)\GoSave\6WGLPVXpA3mDpP.x64.dll

Filesize
711KB

MD5
8029d3733e6148ef569ae3fb2f27a205

SHA1
61b763a7ee5893f8a0a8e0a0c291453361c31702

SHA256
6cedfeedf3965d9c9f4a9abf117cde7021368f3dba113d5caddc888d2bc090d6

SHA512
535fd23dd28be5a7d99d9269f3344dbf3e47ff2f4c47778ff9db196ade92bdcb28efd8a463603b82332e5f7c6938eaabd2a3dae5258b5c61fa7fa283bc074456

Download Submit
\Program Files (x86)\GoSave\6WGLPVXpA3mDpP.x64.dll

Filesize
711KB

MD5
8029d3733e6148ef569ae3fb2f27a205

SHA1
61b763a7ee5893f8a0a8e0a0c291453361c31702

SHA256
6cedfeedf3965d9c9f4a9abf117cde7021368f3dba113d5caddc888d2bc090d6

SHA512
535fd23dd28be5a7d99d9269f3344dbf3e47ff2f4c47778ff9db196ade92bdcb28efd8a463603b82332e5f7c6938eaabd2a3dae5258b5c61fa7fa283bc074456

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF00A.tmp\0OGQBKkVXgl5hNR.exe

Filesize
627KB

MD5
f172b0682fca8eb1e5c8dde6b837e387

SHA1
06561c1d33f425af65373cfd7752681edd356890

SHA256
ca605e3f7654066bb6023bdaba995345e78ff8e25b3c5948ade4e37b8c57500e

SHA512
0d5b3c18c412d9c4372b1e404ed2fe6b4a03a93cc8f21eae7b7596463d44cd8eec8dea8146c9727011063a8a31bc08b158604dedc9a728643330b08aaa9b6012

Download Submit
memory/1744-78-0x000007FEFC621000-0x000007FEFC623000-memory.dmp

Filesize
8KB

Download
memory/1896-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download