c4f3b516683726b5e519093e8211d5d33b3c443ef1efe23e116a3dc102f2161f

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4f3b516683726b5e519093e8211d5d33b3c443ef1efe23e116a3dc102f2161f.exe
Size

2.0MB
MD5

7ed3b7c13b6cc279102ea2d7feb2f80c
SHA1

6cee13b5b375e1774248b8764381e613a0b487d9
SHA256

c4f3b516683726b5e519093e8211d5d33b3c443ef1efe23e116a3dc102f2161f
SHA512

9d08374e90e9311ef9f5d3374be47e71fcb52c1468fad4ba07ffd8d0f4c319ca613b6715e8dca6d34b392e273fa00ae102e24efa1c4901947b0c833bbf26c3da
SSDEEP

49152:h1Os5Upag+Qk/+ouXBVm/KLp0f5fR6Tu3PHYwxzILQJsa77:h1OOUpAWouXBVm/KLp0+Tu3j7

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3548	0JhPOuxmatYLKjQ.exe

Loads dropped DLL 3 IoCs

pid	Process
3548	0JhPOuxmatYLKjQ.exe
3144	regsvr32.exe
1696	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnohiafhkcjbmobabojnebinilhjmkle\2.0\manifest.json	0JhPOuxmatYLKjQ.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnohiafhkcjbmobabojnebinilhjmkle\2.0\manifest.json	0JhPOuxmatYLKjQ.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnohiafhkcjbmobabojnebinilhjmkle\2.0\manifest.json	0JhPOuxmatYLKjQ.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnohiafhkcjbmobabojnebinilhjmkle\2.0\manifest.json	0JhPOuxmatYLKjQ.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnohiafhkcjbmobabojnebinilhjmkle\2.0\manifest.json	0JhPOuxmatYLKjQ.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	0JhPOuxmatYLKjQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	0JhPOuxmatYLKjQ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	0JhPOuxmatYLKjQ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	0JhPOuxmatYLKjQ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GoSaave\D2IauvWE8wzSPU.tlb	0JhPOuxmatYLKjQ.exe
File created	C:\Program Files (x86)\GoSaave\D2IauvWE8wzSPU.dat	0JhPOuxmatYLKjQ.exe
File opened for modification	C:\Program Files (x86)\GoSaave\D2IauvWE8wzSPU.dat	0JhPOuxmatYLKjQ.exe
File created	C:\Program Files (x86)\GoSaave\D2IauvWE8wzSPU.x64.dll	0JhPOuxmatYLKjQ.exe
File opened for modification	C:\Program Files (x86)\GoSaave\D2IauvWE8wzSPU.x64.dll	0JhPOuxmatYLKjQ.exe
File created	C:\Program Files (x86)\GoSaave\D2IauvWE8wzSPU.dll	0JhPOuxmatYLKjQ.exe
File opened for modification	C:\Program Files (x86)\GoSaave\D2IauvWE8wzSPU.dll	0JhPOuxmatYLKjQ.exe
File created	C:\Program Files (x86)\GoSaave\D2IauvWE8wzSPU.tlb	0JhPOuxmatYLKjQ.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 3548	3460	c4f3b516683726b5e519093e8211d5d33b3c443ef1efe23e116a3dc102f2161f.exe	80
PID 3460 wrote to memory of 3548	3460	c4f3b516683726b5e519093e8211d5d33b3c443ef1efe23e116a3dc102f2161f.exe	80
PID 3460 wrote to memory of 3548	3460	c4f3b516683726b5e519093e8211d5d33b3c443ef1efe23e116a3dc102f2161f.exe	80
PID 3548 wrote to memory of 3144	3548	0JhPOuxmatYLKjQ.exe	81
PID 3548 wrote to memory of 3144	3548	0JhPOuxmatYLKjQ.exe	81
PID 3548 wrote to memory of 3144	3548	0JhPOuxmatYLKjQ.exe	81
PID 3144 wrote to memory of 1696	3144	regsvr32.exe	82
PID 3144 wrote to memory of 1696	3144	regsvr32.exe	82

C:\Users\Admin\AppData\Local\Temp\c4f3b516683726b5e519093e8211d5d33b3c443ef1efe23e116a3dc102f2161f.exe
"C:\Users\Admin\AppData\Local\Temp\c4f3b516683726b5e519093e8211d5d33b3c443ef1efe23e116a3dc102f2161f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Local\Temp\7zS7880.tmp\0JhPOuxmatYLKjQ.exe
  .\0JhPOuxmatYLKjQ.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSaave\D2IauvWE8wzSPU.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSaave\D2IauvWE8wzSPU.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSaave\D2IauvWE8wzSPU.dat

Filesize
6KB

MD5
a1c000fa0426f4d30d10a300f9efb7bc

SHA1
a1d621a5baaab25f82f6cec5e060bdb5cd04471e

SHA256
fdbdc0936dfc06b2fedfccafb63f8bb0b251c3f95be55c9e9434a33cdf95c82f

SHA512
204731f3eb2d975c3014e6e2ac4371a0648dc7aa1640ffc824e27a2a57ee2f9a97073a12f231e0314e6cf0cd1c3b8bb3942699b0f3330d12d0e62b260d97b6b1

Download Submit
C:\Program Files (x86)\GoSaave\D2IauvWE8wzSPU.dll

Filesize
611KB

MD5
63adb99739052e3d6c04c799f7d43edc

SHA1
f58f054cd6598ed22b70e4623312c2e8f1eba1d3

SHA256
8cda707d508ffb1c1ce6e6066e2b7b782702f8935c7a6a4219f97d2b340efd53

SHA512
232a9cd07a12918901fbea1b7e237cb6105b7c53dd00f0e7418cbc3dfbc462210b6f034db4e68eefbe671de62c43303c37ad67b802c8ad7a5ac2195ce527e673

Download Submit
C:\Program Files (x86)\GoSaave\D2IauvWE8wzSPU.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
C:\Program Files (x86)\GoSaave\D2IauvWE8wzSPU.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
C:\Program Files (x86)\GoSaave\D2IauvWE8wzSPU.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7880.tmp\0JhPOuxmatYLKjQ.dat

Filesize
6KB

MD5
a1c000fa0426f4d30d10a300f9efb7bc

SHA1
a1d621a5baaab25f82f6cec5e060bdb5cd04471e

SHA256
fdbdc0936dfc06b2fedfccafb63f8bb0b251c3f95be55c9e9434a33cdf95c82f

SHA512
204731f3eb2d975c3014e6e2ac4371a0648dc7aa1640ffc824e27a2a57ee2f9a97073a12f231e0314e6cf0cd1c3b8bb3942699b0f3330d12d0e62b260d97b6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7880.tmp\0JhPOuxmatYLKjQ.exe

Filesize
627KB

MD5
cd2adf3ef46ba68dacaddef767a60926

SHA1
2936664364c94dbe44343dd0aa7de243c82582b0

SHA256
7d37cc35dc3ae28943f203a0f8d62d0ffd838e9f63f667dc465fa0534fbc4cb1

SHA512
3b7785f0b8346d179bce0eb8253a54975e41c99089719d1bc95e1bcf501ab13813ef6392fc2392d4af7225245f9836ba652abfc9eeea4cd3e678e9b1850ed222

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7880.tmp\0JhPOuxmatYLKjQ.exe

Filesize
627KB

MD5
cd2adf3ef46ba68dacaddef767a60926

SHA1
2936664364c94dbe44343dd0aa7de243c82582b0

SHA256
7d37cc35dc3ae28943f203a0f8d62d0ffd838e9f63f667dc465fa0534fbc4cb1

SHA512
3b7785f0b8346d179bce0eb8253a54975e41c99089719d1bc95e1bcf501ab13813ef6392fc2392d4af7225245f9836ba652abfc9eeea4cd3e678e9b1850ed222

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7880.tmp\D2IauvWE8wzSPU.dll

Filesize
611KB

MD5
63adb99739052e3d6c04c799f7d43edc

SHA1
f58f054cd6598ed22b70e4623312c2e8f1eba1d3

SHA256
8cda707d508ffb1c1ce6e6066e2b7b782702f8935c7a6a4219f97d2b340efd53

SHA512
232a9cd07a12918901fbea1b7e237cb6105b7c53dd00f0e7418cbc3dfbc462210b6f034db4e68eefbe671de62c43303c37ad67b802c8ad7a5ac2195ce527e673

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7880.tmp\D2IauvWE8wzSPU.tlb

Filesize
3KB

MD5
08b4ac9069400749555355a5f1e6b8ad

SHA1
ec078fae45087bb2ab63497cd2b4b844c178ec3c

SHA256
f996571eef02335d08b6c073024cef3ea616bb39f9d9742ffa6783f4e22c3997

SHA512
5001f7ca20cca5e85f9c6c1d90ffc2f9a25606d877ee4e6d33a727b6f689989b0486dbea62c66d2d1097194a353566de9d8b6b2bff33613a7ab763c98ca1e1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7880.tmp\D2IauvWE8wzSPU.x64.dll

Filesize
692KB

MD5
102c2708ee5aa0517e6fa7f99c6053a1

SHA1
b10a0ebb2cb5f8a053676453276a592cff7b7162

SHA256
ff7241a27f9ac5f85457bd96e78a29dfe127a7a1471e4880a42267505784d69d

SHA512
ae9186f96b6ff1befa2c64260b74e2d0f47295828ded8b3148e1838611ad6461eab45caa37afb90c9bc3b363a655c226f7abe6a2b3bc21ef0514f5c5ab860f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7880.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7880.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
33d901a5ac7811a29d59f0ab2f02a251

SHA1
cca2b9b30c9c0e569d43805c2d015ee5da0a102b

SHA256
18af9f5a0d8bf75f93921a69d26e9c63ab1fd56208e5ecc10966b3c23a88cde7

SHA512
44d7b93293ba5774142c1f75836134a4007f9cc01b4b06303907d6f2ad125330e2817fadfba16d182ccb2ed161bb84d2d5e5538290b9ec8fafbdbd84ad1dde8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7880.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
337930e20463d09f810f0541f3ee032a

SHA1
c6d0753e34ce49df16da02d525f283eb2931213e

SHA256
ae049fde10ea9efb3e19f0716eb72315f882cbac005d56286b75a413643a1665

SHA512
a55cb2db443a94a73c8bd2e07cf1156c9c95febe9a79d3124ed118a91a77ba23937d3371997582c2884407c9debc2ecb5559805325b30bdaecdc03f9e52bc7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7880.tmp\[email protected]\install.rdf

Filesize
593B

MD5
dd5ecacf0359127ca759f79e40264e60

SHA1
aff8d089a3cec368741d9b3f2cf191f3112bd8a1

SHA256
0d4f52c729f2efadf49227c2b07b4227974f5cb983f05bac2d816e05995b7ecd

SHA512
a6923e3853dd231a2d66dcb37844cbf75a3f98ca74c7068be7e1167f017491fba11ef64d28c57668198bd0acd29e484a7e1942f3741790be6efd9b11a763a7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7880.tmp\nnohiafhkcjbmobabojnebinilhjmkle\background.html

Filesize
145B

MD5
d9eeb9ba72f9c5651aaf9e3650f27497

SHA1
84def7bfefc50ff364309e6c34bb0331029f6167

SHA256
43f4b7fb7088be98f5fe14bd5daf3ebde783e94ea335ccdc972402ae57fb2a9e

SHA512
82c757496be148c238e3e8186fb0ee38d3e94250175ee5fb23a9b124677cdec8b2c9b173f00250a31954adced57c3b4fe0f2391621ab321cd21de461383ce74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7880.tmp\nnohiafhkcjbmobabojnebinilhjmkle\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7880.tmp\nnohiafhkcjbmobabojnebinilhjmkle\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7880.tmp\nnohiafhkcjbmobabojnebinilhjmkle\manifest.json

Filesize
499B

MD5
8c7c8cb66c68d94aa916e3016f897ecb

SHA1
e6ea4adf43e4ec062d803b356d126e39d8841bda

SHA256
e79509976db316973ce4b643fa3a0212a415c170a48637c3a58bc1311211c3ab

SHA512
3903674cd23be16348c10aac4f0846f8bfcefa0f8cbc29da47b74981e1151f9003d9bc39e98d320d2340412559507533ffc96dd06817d6df2e088c51868ff410

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7880.tmp\nnohiafhkcjbmobabojnebinilhjmkle\neLWFnNY.js

Filesize
5KB

MD5
1c2472fc841a17be28e6993983f3cd3b

SHA1
c32782615f08221f1128f520a4708f47c3ca019b

SHA256
10aadd04dcf61ae927a593da06cb00927e9645c3974d6c43d689adf065222a7d

SHA512
e7d30200e2108b7ab143d00b2eeb706c8df2a94de91bbb27bcc93a49eb564aead8f1107acf3d13719f60f303b4b67158bf6f5d4bc542ff621db0856aa88cd3cb

Download Submit