9267df7ee3ac9e7aed3290f22538ff7d9d399614134fbcf335f5e6252a990507

Analysis

max time kernel
39s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9267df7ee3ac9e7aed3290f22538ff7d9d399614134fbcf335f5e6252a990507.exe
Size

2.1MB
MD5

ba2d42ac1ff0e1ed4b572d047a5b451e
SHA1

9a921c3fc0e652e7f2f137e067c7987b132b5bfa
SHA256

9267df7ee3ac9e7aed3290f22538ff7d9d399614134fbcf335f5e6252a990507
SHA512

4ce986e7e2372aba352a71e16f65eb147b5583b1f9fa1d4b3dcd3a8ba58cd3a5a61da708c1caf3b4036787bd2d4c22fdcd5a2e5f75c3400c5907f0dce68ed5a0
SSDEEP

24576:h1OYdaO7zoi5Fm2qmA+L4zKWQt0moNdqNFSj8y0j9jtaJB5ZuUUr2YGnEQ/VfVO:h1OslmLmVJWQt0mozqW78bSVfVO

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
892	1HYTYELvkUTIkbO.exe

Loads dropped DLL 4 IoCs

pid	Process
864	9267df7ee3ac9e7aed3290f22538ff7d9d399614134fbcf335f5e6252a990507.exe
892	1HYTYELvkUTIkbO.exe
1116	regsvr32.exe
1232	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnlffekkioomemghnkohlkmekekfbaa\2.0\manifest.json	1HYTYELvkUTIkbO.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnlffekkioomemghnkohlkmekekfbaa\2.0\manifest.json	1HYTYELvkUTIkbO.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlnlffekkioomemghnkohlkmekekfbaa\2.0\manifest.json	1HYTYELvkUTIkbO.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	1HYTYELvkUTIkbO.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	1HYTYELvkUTIkbO.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	1HYTYELvkUTIkbO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	1HYTYELvkUTIkbO.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	1HYTYELvkUTIkbO.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GoSave\7K95qxAcWFXQRp.tlb	1HYTYELvkUTIkbO.exe
File created	C:\Program Files (x86)\GoSave\7K95qxAcWFXQRp.dat	1HYTYELvkUTIkbO.exe
File opened for modification	C:\Program Files (x86)\GoSave\7K95qxAcWFXQRp.dat	1HYTYELvkUTIkbO.exe
File created	C:\Program Files (x86)\GoSave\7K95qxAcWFXQRp.x64.dll	1HYTYELvkUTIkbO.exe
File opened for modification	C:\Program Files (x86)\GoSave\7K95qxAcWFXQRp.x64.dll	1HYTYELvkUTIkbO.exe
File created	C:\Program Files (x86)\GoSave\7K95qxAcWFXQRp.dll	1HYTYELvkUTIkbO.exe
File opened for modification	C:\Program Files (x86)\GoSave\7K95qxAcWFXQRp.dll	1HYTYELvkUTIkbO.exe
File created	C:\Program Files (x86)\GoSave\7K95qxAcWFXQRp.tlb	1HYTYELvkUTIkbO.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
892	1HYTYELvkUTIkbO.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 892	864	9267df7ee3ac9e7aed3290f22538ff7d9d399614134fbcf335f5e6252a990507.exe	27
PID 864 wrote to memory of 892	864	9267df7ee3ac9e7aed3290f22538ff7d9d399614134fbcf335f5e6252a990507.exe	27
PID 864 wrote to memory of 892	864	9267df7ee3ac9e7aed3290f22538ff7d9d399614134fbcf335f5e6252a990507.exe	27
PID 864 wrote to memory of 892	864	9267df7ee3ac9e7aed3290f22538ff7d9d399614134fbcf335f5e6252a990507.exe	27
PID 892 wrote to memory of 1116	892	1HYTYELvkUTIkbO.exe	28
PID 892 wrote to memory of 1116	892	1HYTYELvkUTIkbO.exe	28
PID 892 wrote to memory of 1116	892	1HYTYELvkUTIkbO.exe	28
PID 892 wrote to memory of 1116	892	1HYTYELvkUTIkbO.exe	28
PID 892 wrote to memory of 1116	892	1HYTYELvkUTIkbO.exe	28
PID 892 wrote to memory of 1116	892	1HYTYELvkUTIkbO.exe	28
PID 892 wrote to memory of 1116	892	1HYTYELvkUTIkbO.exe	28
PID 1116 wrote to memory of 1232	1116	regsvr32.exe	29
PID 1116 wrote to memory of 1232	1116	regsvr32.exe	29
PID 1116 wrote to memory of 1232	1116	regsvr32.exe	29
PID 1116 wrote to memory of 1232	1116	regsvr32.exe	29
PID 1116 wrote to memory of 1232	1116	regsvr32.exe	29
PID 1116 wrote to memory of 1232	1116	regsvr32.exe	29
PID 1116 wrote to memory of 1232	1116	regsvr32.exe	29

C:\Users\Admin\AppData\Local\Temp\9267df7ee3ac9e7aed3290f22538ff7d9d399614134fbcf335f5e6252a990507.exe
"C:\Users\Admin\AppData\Local\Temp\9267df7ee3ac9e7aed3290f22538ff7d9d399614134fbcf335f5e6252a990507.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\7zS15F2.tmp\1HYTYELvkUTIkbO.exe
  .\1HYTYELvkUTIkbO.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSave\7K95qxAcWFXQRp.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSave\7K95qxAcWFXQRp.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\7K95qxAcWFXQRp.dat

Filesize
5KB

MD5
3bf310485183da11f61b9b4647e871cf

SHA1
e5ea913a116fc3e3fa0dd9fe02ccd5d493e3eaab

SHA256
bba2941d90e6412df3cbf62474759f3cd714ad1f202bef510120ae54cbfafed9

SHA512
98a40ac6fd71049e3621b2e1e755d7b0c57bbb3febc4f8bf80a1b4941d6a79704515b772936027066f7310bc36c04b869758753418c2ab9e62d543d9f84f86d8

Download Submit
C:\Program Files (x86)\GoSave\7K95qxAcWFXQRp.x64.dll

Filesize
711KB

MD5
8029d3733e6148ef569ae3fb2f27a205

SHA1
61b763a7ee5893f8a0a8e0a0c291453361c31702

SHA256
6cedfeedf3965d9c9f4a9abf117cde7021368f3dba113d5caddc888d2bc090d6

SHA512
535fd23dd28be5a7d99d9269f3344dbf3e47ff2f4c47778ff9db196ade92bdcb28efd8a463603b82332e5f7c6938eaabd2a3dae5258b5c61fa7fa283bc074456

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS15F2.tmp\1HYTYELvkUTIkbO.dat

Filesize
5KB

MD5
3bf310485183da11f61b9b4647e871cf

SHA1
e5ea913a116fc3e3fa0dd9fe02ccd5d493e3eaab

SHA256
bba2941d90e6412df3cbf62474759f3cd714ad1f202bef510120ae54cbfafed9

SHA512
98a40ac6fd71049e3621b2e1e755d7b0c57bbb3febc4f8bf80a1b4941d6a79704515b772936027066f7310bc36c04b869758753418c2ab9e62d543d9f84f86d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS15F2.tmp\1HYTYELvkUTIkbO.exe

Filesize
627KB

MD5
f172b0682fca8eb1e5c8dde6b837e387

SHA1
06561c1d33f425af65373cfd7752681edd356890

SHA256
ca605e3f7654066bb6023bdaba995345e78ff8e25b3c5948ade4e37b8c57500e

SHA512
0d5b3c18c412d9c4372b1e404ed2fe6b4a03a93cc8f21eae7b7596463d44cd8eec8dea8146c9727011063a8a31bc08b158604dedc9a728643330b08aaa9b6012

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS15F2.tmp\1HYTYELvkUTIkbO.exe

Filesize
627KB

MD5
f172b0682fca8eb1e5c8dde6b837e387

SHA1
06561c1d33f425af65373cfd7752681edd356890

SHA256
ca605e3f7654066bb6023bdaba995345e78ff8e25b3c5948ade4e37b8c57500e

SHA512
0d5b3c18c412d9c4372b1e404ed2fe6b4a03a93cc8f21eae7b7596463d44cd8eec8dea8146c9727011063a8a31bc08b158604dedc9a728643330b08aaa9b6012

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS15F2.tmp\7K95qxAcWFXQRp.dll

Filesize
627KB

MD5
ef0e781558e928c2959189bfd10fb730

SHA1
48231fa33eeb062e3e610c442bd5065a2f452ca6

SHA256
b9e3d582ec3ff1cdb0bca396cfa19a66469a8b05576bf6af51b12d91b2b64586

SHA512
679f07f56c98c800336ed312672dde579c3c17c6ae78e5a3df1b160d872ce2234426bbc3f144a2c0336c1e95cc6de6da466b5f579229748a39b7a3a0e4a6e802

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS15F2.tmp\7K95qxAcWFXQRp.tlb

Filesize
3KB

MD5
ca7a16e39808f225fbd1abd72fdf15b2

SHA1
a256de866b7b53a8124c487a496bfc5c31d83998

SHA256
b85b955b7f1a0de04289a427bc1fef945c9c203a1c5715b1fdd7b2703b424260

SHA512
b534df49d91f5e68961d3aecd44a0ef404244b7e7ff7bca5a9cb910f1de366272ba34a4a11bf4c691ee4d8f0f155a6f4f2b57781ecbea6cc4646d32907a1afcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS15F2.tmp\7K95qxAcWFXQRp.x64.dll

Filesize
711KB

MD5
8029d3733e6148ef569ae3fb2f27a205

SHA1
61b763a7ee5893f8a0a8e0a0c291453361c31702

SHA256
6cedfeedf3965d9c9f4a9abf117cde7021368f3dba113d5caddc888d2bc090d6

SHA512
535fd23dd28be5a7d99d9269f3344dbf3e47ff2f4c47778ff9db196ade92bdcb28efd8a463603b82332e5f7c6938eaabd2a3dae5258b5c61fa7fa283bc074456

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS15F2.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS15F2.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
979b87a1d8f949c82bbbcc19979803ef

SHA1
06688824644ac257bf565b7ec29e4f30e2723c49

SHA256
5839f7b4ed4b909fc9d7c2cb9283adba4fbee7edceb849fc3d30b477f5f8c255

SHA512
1090ecb3db96ae68ee7864bb59fed9c6d24f268cbe1c3371acaa0106269883547d66a3a65926a3cc9eb24ac31d159ff23c03556c13502049f6d0423846a189a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS15F2.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
b4363be46c34e5419de1bce7afb6e0cb

SHA1
b8b0a930b7576960726462544293e10870cccbad

SHA256
90a5fb8bb03ecb87d0db9aedd1f38eebd8e187e290e38b916269ce80ad861c2c

SHA512
05665e07feb12cb3e02eda2357447940470400248dc4b3f5015e7425bf1e56dc19a3a097196232215db5189a6d69685e335aef46595004675975aa68af071967

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS15F2.tmp\[email protected]\install.rdf

Filesize
597B

MD5
79a1ba8067e71c67281023e8b7e9e858

SHA1
24ebab4450d004fc7d8fb927a2bff78891425513

SHA256
f08c71a6e42b68c58a959966e7642b994d6ea443987869d19e850eb25c90da7c

SHA512
a4b9ca0813e85950bf42eaded2a3409e15fc780c5a99e9fb8dddc4ab2800016682f02589d8edcd833bf4a79425e9abe2f95386099dfdfba49b66d76288d9f816

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS15F2.tmp\jlnlffekkioomemghnkohlkmekekfbaa\P7vahz1UYR.js

Filesize
5KB

MD5
0a490239ca75a8a388eb94de7793568f

SHA1
79195868deb836c89a3ea354fd515893f98060c0

SHA256
94084d04c4a2d9224c501c9e5396b81c17407e4a02e74051c1711ec646e548b9

SHA512
5e40511a6233c15efbe9d84a5276b9c8fe975341d73b2a18582e46289bfa3fb5993e44f324a99d7da233bd37de2bd96380aefc2cd2bffb41861300930fbe2c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS15F2.tmp\jlnlffekkioomemghnkohlkmekekfbaa\background.html

Filesize
147B

MD5
6b33e047f0f534a6fe572a4eeb838382

SHA1
92b2da1a81ec1d3a1317110fe3884709a27ec534

SHA256
db4ebd9f0a1e91566c01f832af1187c31b2e5171f0203b62e2da754f704d85ae

SHA512
c95ef43a392a178048903560b3dc42647b66c89a3fedeb98a58e9a0fd3ea25eefc6f4b6f49fad237349e2b1ce28c8c40fbce360f815a56560646bf79dee76ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS15F2.tmp\jlnlffekkioomemghnkohlkmekekfbaa\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS15F2.tmp\jlnlffekkioomemghnkohlkmekekfbaa\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS15F2.tmp\jlnlffekkioomemghnkohlkmekekfbaa\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
\Program Files (x86)\GoSave\7K95qxAcWFXQRp.dll

Filesize
627KB

MD5
ef0e781558e928c2959189bfd10fb730

SHA1
48231fa33eeb062e3e610c442bd5065a2f452ca6

SHA256
b9e3d582ec3ff1cdb0bca396cfa19a66469a8b05576bf6af51b12d91b2b64586

SHA512
679f07f56c98c800336ed312672dde579c3c17c6ae78e5a3df1b160d872ce2234426bbc3f144a2c0336c1e95cc6de6da466b5f579229748a39b7a3a0e4a6e802

Download Submit
\Program Files (x86)\GoSave\7K95qxAcWFXQRp.x64.dll

Filesize
711KB

MD5
8029d3733e6148ef569ae3fb2f27a205

SHA1
61b763a7ee5893f8a0a8e0a0c291453361c31702

SHA256
6cedfeedf3965d9c9f4a9abf117cde7021368f3dba113d5caddc888d2bc090d6

SHA512
535fd23dd28be5a7d99d9269f3344dbf3e47ff2f4c47778ff9db196ade92bdcb28efd8a463603b82332e5f7c6938eaabd2a3dae5258b5c61fa7fa283bc074456

Download Submit
\Program Files (x86)\GoSave\7K95qxAcWFXQRp.x64.dll

Filesize
711KB

MD5
8029d3733e6148ef569ae3fb2f27a205

SHA1
61b763a7ee5893f8a0a8e0a0c291453361c31702

SHA256
6cedfeedf3965d9c9f4a9abf117cde7021368f3dba113d5caddc888d2bc090d6

SHA512
535fd23dd28be5a7d99d9269f3344dbf3e47ff2f4c47778ff9db196ade92bdcb28efd8a463603b82332e5f7c6938eaabd2a3dae5258b5c61fa7fa283bc074456

Download Submit
\Users\Admin\AppData\Local\Temp\7zS15F2.tmp\1HYTYELvkUTIkbO.exe

Filesize
627KB

MD5
f172b0682fca8eb1e5c8dde6b837e387

SHA1
06561c1d33f425af65373cfd7752681edd356890

SHA256
ca605e3f7654066bb6023bdaba995345e78ff8e25b3c5948ade4e37b8c57500e

SHA512
0d5b3c18c412d9c4372b1e404ed2fe6b4a03a93cc8f21eae7b7596463d44cd8eec8dea8146c9727011063a8a31bc08b158604dedc9a728643330b08aaa9b6012

Download Submit
memory/864-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1232-78-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download