852c3d14b37826db86218f60376993214df58b86b45f2582fd39fd21f6079d86

Analysis

max time kernel
43s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

852c3d14b37826db86218f60376993214df58b86b45f2582fd39fd21f6079d86.exe
Size

2.1MB
MD5

00ca39071eb02bbb6d9088e86fc70a37
SHA1

9e76e9c4dd9af1609f527874e5c4f19aff537ef5
SHA256

852c3d14b37826db86218f60376993214df58b86b45f2582fd39fd21f6079d86
SHA512

90b6478953fd3346cbacabe0f0a8658dff8f4b0a213e34fd3ab5198866c5ce01e998b57c2a2cbb94736c67216c2947ba98bbf3d8ebdaf3bf8b898ea855479a9c
SSDEEP

49152:h1OsJBNPM6n5oHCZdw3CyvHht6wqM7M1cHv:h1OaBjn5oHCZMDvHhrqMMs

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
980	mTVdw9SyiUtFTv8.exe

Loads dropped DLL 4 IoCs

pid	Process
1696	852c3d14b37826db86218f60376993214df58b86b45f2582fd39fd21f6079d86.exe
980	mTVdw9SyiUtFTv8.exe
1880	regsvr32.exe
456	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmggfogalfkcbdgmepidnjcbkfdljoek\2.0\manifest.json	mTVdw9SyiUtFTv8.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmggfogalfkcbdgmepidnjcbkfdljoek\2.0\manifest.json	mTVdw9SyiUtFTv8.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmggfogalfkcbdgmepidnjcbkfdljoek\2.0\manifest.json	mTVdw9SyiUtFTv8.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	mTVdw9SyiUtFTv8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	mTVdw9SyiUtFTv8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	mTVdw9SyiUtFTv8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	mTVdw9SyiUtFTv8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	mTVdw9SyiUtFTv8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GoSave\EfS4ZQp16FcdXb.dat	mTVdw9SyiUtFTv8.exe
File created	C:\Program Files (x86)\GoSave\EfS4ZQp16FcdXb.x64.dll	mTVdw9SyiUtFTv8.exe
File opened for modification	C:\Program Files (x86)\GoSave\EfS4ZQp16FcdXb.x64.dll	mTVdw9SyiUtFTv8.exe
File created	C:\Program Files (x86)\GoSave\EfS4ZQp16FcdXb.dll	mTVdw9SyiUtFTv8.exe
File opened for modification	C:\Program Files (x86)\GoSave\EfS4ZQp16FcdXb.dll	mTVdw9SyiUtFTv8.exe
File created	C:\Program Files (x86)\GoSave\EfS4ZQp16FcdXb.tlb	mTVdw9SyiUtFTv8.exe
File opened for modification	C:\Program Files (x86)\GoSave\EfS4ZQp16FcdXb.tlb	mTVdw9SyiUtFTv8.exe
File created	C:\Program Files (x86)\GoSave\EfS4ZQp16FcdXb.dat	mTVdw9SyiUtFTv8.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
980	mTVdw9SyiUtFTv8.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 980	1696	852c3d14b37826db86218f60376993214df58b86b45f2582fd39fd21f6079d86.exe	27
PID 1696 wrote to memory of 980	1696	852c3d14b37826db86218f60376993214df58b86b45f2582fd39fd21f6079d86.exe	27
PID 1696 wrote to memory of 980	1696	852c3d14b37826db86218f60376993214df58b86b45f2582fd39fd21f6079d86.exe	27
PID 1696 wrote to memory of 980	1696	852c3d14b37826db86218f60376993214df58b86b45f2582fd39fd21f6079d86.exe	27
PID 980 wrote to memory of 1880	980	mTVdw9SyiUtFTv8.exe	28
PID 980 wrote to memory of 1880	980	mTVdw9SyiUtFTv8.exe	28
PID 980 wrote to memory of 1880	980	mTVdw9SyiUtFTv8.exe	28
PID 980 wrote to memory of 1880	980	mTVdw9SyiUtFTv8.exe	28
PID 980 wrote to memory of 1880	980	mTVdw9SyiUtFTv8.exe	28
PID 980 wrote to memory of 1880	980	mTVdw9SyiUtFTv8.exe	28
PID 980 wrote to memory of 1880	980	mTVdw9SyiUtFTv8.exe	28
PID 1880 wrote to memory of 456	1880	regsvr32.exe	29
PID 1880 wrote to memory of 456	1880	regsvr32.exe	29
PID 1880 wrote to memory of 456	1880	regsvr32.exe	29
PID 1880 wrote to memory of 456	1880	regsvr32.exe	29
PID 1880 wrote to memory of 456	1880	regsvr32.exe	29
PID 1880 wrote to memory of 456	1880	regsvr32.exe	29
PID 1880 wrote to memory of 456	1880	regsvr32.exe	29

C:\Users\Admin\AppData\Local\Temp\852c3d14b37826db86218f60376993214df58b86b45f2582fd39fd21f6079d86.exe
"C:\Users\Admin\AppData\Local\Temp\852c3d14b37826db86218f60376993214df58b86b45f2582fd39fd21f6079d86.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\7zSF5D.tmp\mTVdw9SyiUtFTv8.exe
  .\mTVdw9SyiUtFTv8.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSave\EfS4ZQp16FcdXb.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSave\EfS4ZQp16FcdXb.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\EfS4ZQp16FcdXb.dat

Filesize
6KB

MD5
46f97af39bae3e80c67a510664b3583b

SHA1
1aec28e87af4cc3e59f0f0775cff9a97d9661df5

SHA256
9354872b9df98c810673a91f91bb8421983c0e97a49a42acdb3f48d806a81515

SHA512
ae7bb4c0af66d2e7be5ff0d47c8790e5b57baad2bb4a15bbe4727c2c67f3e71baa1ff5a3a184cd6152d4bf31c9b0bfa49cd5f909ea2c412714816f97dbef869d

Download Submit
C:\Program Files (x86)\GoSave\EfS4ZQp16FcdXb.x64.dll

Filesize
710KB

MD5
2d9b84b8a433eff58888a3240a3a4ff5

SHA1
a59f591168b33de4f42b680fb66c7c7f78b11056

SHA256
4df3323f9cfeb84add405bf9bf36445a22b368c1efb70e109200d94d880bfbb3

SHA512
1cdc6571ae7a8708aaef77f566222aa7cad9da7a77e3e904a56fcfa9238bb6c9993bd455c7f336e4b14e63e61ec8cf4f710567b4b9f420c3133da6dddd10d23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF5D.tmp\EfS4ZQp16FcdXb.dll

Filesize
629KB

MD5
8f0476d4c7ef0c04523efe17f95ffff8

SHA1
a7605f6101031e5eec2ae964b6ed9d8775434e9e

SHA256
7277b7268f48043af02c5a6793e8c17cf815080bebef610fac956b3cb581d909

SHA512
21a8056c7a7f1d14240f28543bcda3a19fceeebf5dff24da51f71f97a2d4a2c6bdb1e308051eff62b52efe25af5b5de0f88130f9dad2dc440697b7997de36429

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF5D.tmp\EfS4ZQp16FcdXb.tlb

Filesize
3KB

MD5
ad50e349afc1c3ffb845262f7fc97603

SHA1
b0cc07253796476f702227739c5050247ca2b279

SHA256
8f8d4fc042feb74d414a3a5a761dc5394a4b96f1e5bd818bd01208d0b3e1bcb0

SHA512
6a11d1bab64ba21c5ce51faf209beb9d6a49e488a27a21e20e51f1d0216c8034be0442ceb351a942d3be4d2883c79495afffa776752dce0fd727a0a32e2740a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF5D.tmp\EfS4ZQp16FcdXb.x64.dll

Filesize
710KB

MD5
2d9b84b8a433eff58888a3240a3a4ff5

SHA1
a59f591168b33de4f42b680fb66c7c7f78b11056

SHA256
4df3323f9cfeb84add405bf9bf36445a22b368c1efb70e109200d94d880bfbb3

SHA512
1cdc6571ae7a8708aaef77f566222aa7cad9da7a77e3e904a56fcfa9238bb6c9993bd455c7f336e4b14e63e61ec8cf4f710567b4b9f420c3133da6dddd10d23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF5D.tmp\cmggfogalfkcbdgmepidnjcbkfdljoek\EU.js

Filesize
5KB

MD5
af8d74d13413583dcbc42ca41cdff2a7

SHA1
eb9c0e9aa415a015ab13dd4a5d42ed2a0ddd7f48

SHA256
0a6c8fba916e5adc52232c0cd5d136d1791e3fd919f83fa53606e25072f0dce9

SHA512
9be5ca59f21720398a904c98dee656bdb183a678a141f5b9bc91a366cc0724568f4965ff8ef2643983725e4b1fd92afe920cac00c7b9fc0132799fd105d263cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF5D.tmp\cmggfogalfkcbdgmepidnjcbkfdljoek\background.html

Filesize
139B

MD5
6f311fae6c83fd28da49de6306f4f638

SHA1
f83c92d410e44b83462a4b2ce8432026a938dac5

SHA256
5dae1f648341f14078b270cc93ad6f625f8369eb62154cbd45c9b02658690772

SHA512
8fccf15d58c060cd771c9d3f4d5be0ba48e64a2387f2537ed1d75a851eee6accfbdcc237f6adbf99e89837c329376a2490fff8b6f9c2d555ed5d96ff13f641f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF5D.tmp\cmggfogalfkcbdgmepidnjcbkfdljoek\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF5D.tmp\cmggfogalfkcbdgmepidnjcbkfdljoek\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF5D.tmp\cmggfogalfkcbdgmepidnjcbkfdljoek\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF5D.tmp\mTVdw9SyiUtFTv8.dat

Filesize
6KB

MD5
46f97af39bae3e80c67a510664b3583b

SHA1
1aec28e87af4cc3e59f0f0775cff9a97d9661df5

SHA256
9354872b9df98c810673a91f91bb8421983c0e97a49a42acdb3f48d806a81515

SHA512
ae7bb4c0af66d2e7be5ff0d47c8790e5b57baad2bb4a15bbe4727c2c67f3e71baa1ff5a3a184cd6152d4bf31c9b0bfa49cd5f909ea2c412714816f97dbef869d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF5D.tmp\mTVdw9SyiUtFTv8.exe

Filesize
657KB

MD5
b831a4edee2ceadc357e0165ea586f14

SHA1
4bd2c00d1331f52acafd077cb358905bcc40a40b

SHA256
917f3a961b2105519fa358adac37496671751a49a215922ddba8dd3f047c8627

SHA512
805bb79c277be66d0ac821de3f5fe5fbdc2bedfcc5201868d354b63520cccd252b965f2e9c608cb678fc5f391050d42c466c9f79670bd591ea865912517cd6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF5D.tmp\mTVdw9SyiUtFTv8.exe

Filesize
657KB

MD5
b831a4edee2ceadc357e0165ea586f14

SHA1
4bd2c00d1331f52acafd077cb358905bcc40a40b

SHA256
917f3a961b2105519fa358adac37496671751a49a215922ddba8dd3f047c8627

SHA512
805bb79c277be66d0ac821de3f5fe5fbdc2bedfcc5201868d354b63520cccd252b965f2e9c608cb678fc5f391050d42c466c9f79670bd591ea865912517cd6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF5D.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF5D.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
c8493c82cc5904cb82c510ce8a35d04a

SHA1
9e9692cb627a1aec9346c5c8655ce512ad83da1e

SHA256
31d44a2b5266fecd95a68b5e9081964a4bb1793a3fd4893fbc752adb78afc8d9

SHA512
656d29663e43c293c59c9ef0e007c703fab234c2e47e3ad7a2a59c1931a9fe0bad7e996563be83b76d09c7af4d68c165393b4cdee0100c081e02e1f28efe91ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF5D.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
df7d89a1038527ed0542e5d3634b718b

SHA1
b51453209f25d788ea1bfbd5a6c2d21c3cc9f536

SHA256
d4cd1bcc5359bfb89d940ac2ae463c78567d6d5ce07004ea132fe17fcb06ef43

SHA512
376c866fc2d8ae6846426ead699aa86ccc742c5cf88ed754dae28a04e849929826af7ddbbf9dff3f411dd8aa66bc200b7d1b64efae05efbf1302f80af42ed8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF5D.tmp\[email protected]\install.rdf

Filesize
592B

MD5
852d3871a76d266b49d5a4041d703811

SHA1
a05d8de7339bc125d9209e842fc1848750d958e7

SHA256
395c187f3daf7c37fc773774b48f45f60f71bc25242ae18f7600219c85f22eb7

SHA512
4c6d421938e51cf0cafc60d5e69c4232a759e1fd38c6a52d9c3ea98c06c68c99a3a2885d17e18de4ea21fa872bc95bdc1e59150c3ca42204242f56cc1ae3743c

Download Submit
\Program Files (x86)\GoSave\EfS4ZQp16FcdXb.dll

Filesize
629KB

MD5
8f0476d4c7ef0c04523efe17f95ffff8

SHA1
a7605f6101031e5eec2ae964b6ed9d8775434e9e

SHA256
7277b7268f48043af02c5a6793e8c17cf815080bebef610fac956b3cb581d909

SHA512
21a8056c7a7f1d14240f28543bcda3a19fceeebf5dff24da51f71f97a2d4a2c6bdb1e308051eff62b52efe25af5b5de0f88130f9dad2dc440697b7997de36429

Download Submit
\Program Files (x86)\GoSave\EfS4ZQp16FcdXb.x64.dll

Filesize
710KB

MD5
2d9b84b8a433eff58888a3240a3a4ff5

SHA1
a59f591168b33de4f42b680fb66c7c7f78b11056

SHA256
4df3323f9cfeb84add405bf9bf36445a22b368c1efb70e109200d94d880bfbb3

SHA512
1cdc6571ae7a8708aaef77f566222aa7cad9da7a77e3e904a56fcfa9238bb6c9993bd455c7f336e4b14e63e61ec8cf4f710567b4b9f420c3133da6dddd10d23e

Download Submit
\Program Files (x86)\GoSave\EfS4ZQp16FcdXb.x64.dll

Filesize
710KB

MD5
2d9b84b8a433eff58888a3240a3a4ff5

SHA1
a59f591168b33de4f42b680fb66c7c7f78b11056

SHA256
4df3323f9cfeb84add405bf9bf36445a22b368c1efb70e109200d94d880bfbb3

SHA512
1cdc6571ae7a8708aaef77f566222aa7cad9da7a77e3e904a56fcfa9238bb6c9993bd455c7f336e4b14e63e61ec8cf4f710567b4b9f420c3133da6dddd10d23e

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF5D.tmp\mTVdw9SyiUtFTv8.exe

Filesize
657KB

MD5
b831a4edee2ceadc357e0165ea586f14

SHA1
4bd2c00d1331f52acafd077cb358905bcc40a40b

SHA256
917f3a961b2105519fa358adac37496671751a49a215922ddba8dd3f047c8627

SHA512
805bb79c277be66d0ac821de3f5fe5fbdc2bedfcc5201868d354b63520cccd252b965f2e9c608cb678fc5f391050d42c466c9f79670bd591ea865912517cd6dd

Download Submit
memory/456-78-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download