16366f55e2da7c93789b38c643c5c2e4a1aa327b84956ddfd59e817225cf63d1

Analysis

max time kernel
44s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16366f55e2da7c93789b38c643c5c2e4a1aa327b84956ddfd59e817225cf63d1.exe
Size

2.1MB
MD5

4be82de54cb869021802c36b90336308
SHA1

5349b2738b15568bb40d6308fcb2667ddf773ab4
SHA256

16366f55e2da7c93789b38c643c5c2e4a1aa327b84956ddfd59e817225cf63d1
SHA512

73267b9a7d2781704b7db473dc163ad2525711341fbf9574ba2281d339acf434b230198c2a770ade6189bf2c3ea585211a749eb92f6f8d8d95d332ba984bb527
SSDEEP

49152:h1Os4PtqGqK2M8f3h4UO2sEYYQvLZwQE5m4o2:h1OpHoxLYYaK

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1180	2YX7xuqxdFBYW4T.exe

Loads dropped DLL 4 IoCs

pid	Process
1972	16366f55e2da7c93789b38c643c5c2e4a1aa327b84956ddfd59e817225cf63d1.exe
1180	2YX7xuqxdFBYW4T.exe
1512	regsvr32.exe
1740	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecloecmnaabbhphkjbfdjaabppcnmhac\2.0\manifest.json	2YX7xuqxdFBYW4T.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecloecmnaabbhphkjbfdjaabppcnmhac\2.0\manifest.json	2YX7xuqxdFBYW4T.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecloecmnaabbhphkjbfdjaabppcnmhac\2.0\manifest.json	2YX7xuqxdFBYW4T.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	2YX7xuqxdFBYW4T.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	2YX7xuqxdFBYW4T.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	2YX7xuqxdFBYW4T.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	2YX7xuqxdFBYW4T.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	2YX7xuqxdFBYW4T.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoSAvee\qAh8UCYhQgajOp.dat	2YX7xuqxdFBYW4T.exe
File opened for modification	C:\Program Files (x86)\GoSAvee\qAh8UCYhQgajOp.dat	2YX7xuqxdFBYW4T.exe
File created	C:\Program Files (x86)\GoSAvee\qAh8UCYhQgajOp.x64.dll	2YX7xuqxdFBYW4T.exe
File opened for modification	C:\Program Files (x86)\GoSAvee\qAh8UCYhQgajOp.x64.dll	2YX7xuqxdFBYW4T.exe
File created	C:\Program Files (x86)\GoSAvee\qAh8UCYhQgajOp.dll	2YX7xuqxdFBYW4T.exe
File opened for modification	C:\Program Files (x86)\GoSAvee\qAh8UCYhQgajOp.dll	2YX7xuqxdFBYW4T.exe
File created	C:\Program Files (x86)\GoSAvee\qAh8UCYhQgajOp.tlb	2YX7xuqxdFBYW4T.exe
File opened for modification	C:\Program Files (x86)\GoSAvee\qAh8UCYhQgajOp.tlb	2YX7xuqxdFBYW4T.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1180	1972	16366f55e2da7c93789b38c643c5c2e4a1aa327b84956ddfd59e817225cf63d1.exe	28
PID 1972 wrote to memory of 1180	1972	16366f55e2da7c93789b38c643c5c2e4a1aa327b84956ddfd59e817225cf63d1.exe	28
PID 1972 wrote to memory of 1180	1972	16366f55e2da7c93789b38c643c5c2e4a1aa327b84956ddfd59e817225cf63d1.exe	28
PID 1972 wrote to memory of 1180	1972	16366f55e2da7c93789b38c643c5c2e4a1aa327b84956ddfd59e817225cf63d1.exe	28
PID 1180 wrote to memory of 1512	1180	2YX7xuqxdFBYW4T.exe	29
PID 1180 wrote to memory of 1512	1180	2YX7xuqxdFBYW4T.exe	29
PID 1180 wrote to memory of 1512	1180	2YX7xuqxdFBYW4T.exe	29
PID 1180 wrote to memory of 1512	1180	2YX7xuqxdFBYW4T.exe	29
PID 1180 wrote to memory of 1512	1180	2YX7xuqxdFBYW4T.exe	29
PID 1180 wrote to memory of 1512	1180	2YX7xuqxdFBYW4T.exe	29
PID 1180 wrote to memory of 1512	1180	2YX7xuqxdFBYW4T.exe	29
PID 1512 wrote to memory of 1740	1512	regsvr32.exe	30
PID 1512 wrote to memory of 1740	1512	regsvr32.exe	30
PID 1512 wrote to memory of 1740	1512	regsvr32.exe	30
PID 1512 wrote to memory of 1740	1512	regsvr32.exe	30
PID 1512 wrote to memory of 1740	1512	regsvr32.exe	30
PID 1512 wrote to memory of 1740	1512	regsvr32.exe	30
PID 1512 wrote to memory of 1740	1512	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\16366f55e2da7c93789b38c643c5c2e4a1aa327b84956ddfd59e817225cf63d1.exe
"C:\Users\Admin\AppData\Local\Temp\16366f55e2da7c93789b38c643c5c2e4a1aa327b84956ddfd59e817225cf63d1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\7zSC7F2.tmp\2YX7xuqxdFBYW4T.exe
  .\2YX7xuqxdFBYW4T.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSAvee\qAh8UCYhQgajOp.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSAvee\qAh8UCYhQgajOp.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSAvee\qAh8UCYhQgajOp.dat

Filesize
6KB

MD5
b15a7e30eeec13879e81e095266d99a1

SHA1
06b324a2f86a144f8c472752ff84d0919d7fa44f

SHA256
ac684dea2db145f492071b821ef3a426224c0fa2a4f252d54b1201b012c302fb

SHA512
dc34141c906628462ed3c3a2feeabe76dbaf16cc3fc1d81ee42aa2c4003b8af8fbbff0738d4b6565a0cddfdcb39bfbd00b76511874ceee60a2f7e4e86af57afa

Download Submit
C:\Program Files (x86)\GoSAvee\qAh8UCYhQgajOp.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7F2.tmp\2YX7xuqxdFBYW4T.dat

Filesize
6KB

MD5
b15a7e30eeec13879e81e095266d99a1

SHA1
06b324a2f86a144f8c472752ff84d0919d7fa44f

SHA256
ac684dea2db145f492071b821ef3a426224c0fa2a4f252d54b1201b012c302fb

SHA512
dc34141c906628462ed3c3a2feeabe76dbaf16cc3fc1d81ee42aa2c4003b8af8fbbff0738d4b6565a0cddfdcb39bfbd00b76511874ceee60a2f7e4e86af57afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7F2.tmp\2YX7xuqxdFBYW4T.exe

Filesize
629KB

MD5
15dada567404c2049507d7098389e997

SHA1
508d8cc90c247e26ce5041c718825734079d841c

SHA256
888d66bccd07a163c4fcf59dca8fb4577fe6ecb7b11c427108b1e0aa45fccc58

SHA512
6fd82c0d06c43b309ce45c048c072c9696dfd6e9a81ec5149df64784f6428c6abe91b9be215b8a47dafc8859319be94bb13fbd2e4bc1795da61b970202a15261

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7F2.tmp\2YX7xuqxdFBYW4T.exe

Filesize
629KB

MD5
15dada567404c2049507d7098389e997

SHA1
508d8cc90c247e26ce5041c718825734079d841c

SHA256
888d66bccd07a163c4fcf59dca8fb4577fe6ecb7b11c427108b1e0aa45fccc58

SHA512
6fd82c0d06c43b309ce45c048c072c9696dfd6e9a81ec5149df64784f6428c6abe91b9be215b8a47dafc8859319be94bb13fbd2e4bc1795da61b970202a15261

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7F2.tmp\ecloecmnaabbhphkjbfdjaabppcnmhac\UxiTC4cjbA.js

Filesize
5KB

MD5
6becfec2f165059621c841079c684101

SHA1
b438a63f47d4fb840876ec2c1cf4f7e968f12ff0

SHA256
a30fea3236995c78be79e172fda94618127fea3bf5142a576efda68567475579

SHA512
28ffcc97c6ff70d2b2d9cca901ba4013a850610b34b3da537b6e92114b46037d5b8691ed4e6e0fec725e2eff6d4db2bcefa0fee45822646fd24421ba2097a7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7F2.tmp\ecloecmnaabbhphkjbfdjaabppcnmhac\background.html

Filesize
147B

MD5
5fb2a57454c1002d7c98822f1a5d2963

SHA1
7873e624b4bfb2f4460c03727e45d4b3256ac8a1

SHA256
bcb9a6310bc2378ef966c1f3bc36781819dd8a48dc6a09bd58deded5215ff205

SHA512
f056ee5beacc6d043eebaf2fa800d1379a6059827912c440057ca4e793d99e514482ff2170c44129b89a20410e0cd1e85d6e9f64447759db3842c70848ead3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7F2.tmp\ecloecmnaabbhphkjbfdjaabppcnmhac\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7F2.tmp\ecloecmnaabbhphkjbfdjaabppcnmhac\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7F2.tmp\ecloecmnaabbhphkjbfdjaabppcnmhac\manifest.json

Filesize
499B

MD5
67776d886186b1fc340e96ed6071f827

SHA1
c09e71c208f15898df7c942ca70b8e1f1ee10fd3

SHA256
4c1189852559fbfcfc04aef6684e616f40582b5bbce6c05dc9be0383c57f8059

SHA512
dca1c3708ac2f3533c9b8abe6543c48006750054345cec5f4f936a3c27924c92bd3a11e4dc254bd67054d8350ba7ce1c65007c5a005c5ab6c3aca36a19cef4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7F2.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7F2.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
ebbd097f6fd48a8bc074dd5e60a10c54

SHA1
472011e3a7d68caca344ae4991ac845f01f32462

SHA256
4c6e8d865e5435228f1a853e63fcf0cffa26c66ebc7f6a6642b306cf63bdfbdb

SHA512
6e56fd6c4910278a03638063730ac8b22384230002f187ab39a2105e5bac6fced41653baf7d52a6a44d5cfb78c6996b6691269a7df7131db1d2626d6b536029a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7F2.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
0316007a5ac1ff4e878b6d0d40217fe0

SHA1
54600cb17d76b5ecd522060c1d07f7ab93aa7b05

SHA256
c03696e4aca1d6b340e9eef85d8ccf8b29f6a3c65080e58fca1dc798f8654c55

SHA512
6eb4c72f72d88d77212a317d3b8aa3d2d0644d6e7f818c0d1d518121fbc666a09c77a15e3e080756c622d80b78690eaddd111ce029b3382d80e9814b1bb991e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7F2.tmp\[email protected]\install.rdf

Filesize
591B

MD5
6357b21bde24d491738e61c5fb358fab

SHA1
0ae2759f2bfe230ac1b75845a5a4b653c64a05db

SHA256
66a0ddfd714ffa0fcd5d0ad887ca7b65db6a11e422769160e216178bb9343a9a

SHA512
17f098afd2a031281ad7e69b47bf68b87a755c6a4a5bbc4c557f1d692f76873736909ca755d5c305e2bd0c6366307d2a50da5191a1da1cc23bf6c4510d31bb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7F2.tmp\qAh8UCYhQgajOp.dll

Filesize
618KB

MD5
9e56f8bd63dc95894be8b9e660696f1c

SHA1
2efcb8fc0ce33f2ada28fb2a6a17ec43813f80cb

SHA256
93186596d2312706d0623df3c9b9dfdea35546d5506b20216d2a7efeb1d8d79a

SHA512
e52fa89e7cf8ed7419a5f410f6bf46a19695727f19f8eebd714dee9d6f8a9036acc528cd6b0033f70f11a04e18746b814ee2dc494f2fc82db104a876b479d827

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7F2.tmp\qAh8UCYhQgajOp.tlb

Filesize
3KB

MD5
713ab144897857b45ce9515c2a1e2d52

SHA1
607a46adbfe1892276898fb6b00e7c62dbf82772

SHA256
3ec756ec9b8c4b03cc723127bc372b67c406a4915fa0a82597b0fb29685096e6

SHA512
b54c6eaf989d9e51ba66278a0991daa14bde0f56e86c8c2fce67f2118e9557307b409fbc9ae48921c37c1869634b2801028d728f4cf3b871ad8971965e3004b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC7F2.tmp\qAh8UCYhQgajOp.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
\Program Files (x86)\GoSAvee\qAh8UCYhQgajOp.dll

Filesize
618KB

MD5
9e56f8bd63dc95894be8b9e660696f1c

SHA1
2efcb8fc0ce33f2ada28fb2a6a17ec43813f80cb

SHA256
93186596d2312706d0623df3c9b9dfdea35546d5506b20216d2a7efeb1d8d79a

SHA512
e52fa89e7cf8ed7419a5f410f6bf46a19695727f19f8eebd714dee9d6f8a9036acc528cd6b0033f70f11a04e18746b814ee2dc494f2fc82db104a876b479d827

Download Submit
\Program Files (x86)\GoSAvee\qAh8UCYhQgajOp.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
\Program Files (x86)\GoSAvee\qAh8UCYhQgajOp.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC7F2.tmp\2YX7xuqxdFBYW4T.exe

Filesize
629KB

MD5
15dada567404c2049507d7098389e997

SHA1
508d8cc90c247e26ce5041c718825734079d841c

SHA256
888d66bccd07a163c4fcf59dca8fb4577fe6ecb7b11c427108b1e0aa45fccc58

SHA512
6fd82c0d06c43b309ce45c048c072c9696dfd6e9a81ec5149df64784f6428c6abe91b9be215b8a47dafc8859319be94bb13fbd2e4bc1795da61b970202a15261

Download Submit
memory/1740-78-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

Filesize
8KB

Download
memory/1972-54-0x0000000075701000-0x0000000075703000-memory.dmp

Filesize
8KB

Download