49805622746096f1bae1a082117dab1eaec663d96ca6544516ed2f97e68821af

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49805622746096f1bae1a082117dab1eaec663d96ca6544516ed2f97e68821af.exe
Size

2.0MB
MD5

188bc7fa42cd843513cf50553e73b942
SHA1

ab20746f61949c3cd9b9362326272cfeae7a2f88
SHA256

49805622746096f1bae1a082117dab1eaec663d96ca6544516ed2f97e68821af
SHA512

19c1bbbf93d406a27895863a58ed3009388e23ed97e7329de6d6c8ff2b68bcf9c362e271f22cf5cdc7a01b28903868e13a8f63bdae61a09ca42cf732c21c6b84
SSDEEP

49152:h1OslNQToNVxbNrInKtDSwSm7CXH9e7B6cr7J30Ct40pTK:h1OUNQUNVxNpSmGXMvxdt2

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1724	ocTiHNyArJ5xt2k.exe

Loads dropped DLL 4 IoCs

pid	Process
704	49805622746096f1bae1a082117dab1eaec663d96ca6544516ed2f97e68821af.exe
1724	ocTiHNyArJ5xt2k.exe
1324	regsvr32.exe
1344	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhadcgbpbhinnkmmdinjpphglfgingbn\2.0\manifest.json	ocTiHNyArJ5xt2k.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhadcgbpbhinnkmmdinjpphglfgingbn\2.0\manifest.json	ocTiHNyArJ5xt2k.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhadcgbpbhinnkmmdinjpphglfgingbn\2.0\manifest.json	ocTiHNyArJ5xt2k.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	ocTiHNyArJ5xt2k.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	ocTiHNyArJ5xt2k.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	ocTiHNyArJ5xt2k.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	ocTiHNyArJ5xt2k.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	ocTiHNyArJ5xt2k.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GuOSaavE\RMA36NeCxst2vv.tlb	ocTiHNyArJ5xt2k.exe
File created	C:\Program Files (x86)\GuOSaavE\RMA36NeCxst2vv.dat	ocTiHNyArJ5xt2k.exe
File opened for modification	C:\Program Files (x86)\GuOSaavE\RMA36NeCxst2vv.dat	ocTiHNyArJ5xt2k.exe
File created	C:\Program Files (x86)\GuOSaavE\RMA36NeCxst2vv.x64.dll	ocTiHNyArJ5xt2k.exe
File opened for modification	C:\Program Files (x86)\GuOSaavE\RMA36NeCxst2vv.x64.dll	ocTiHNyArJ5xt2k.exe
File created	C:\Program Files (x86)\GuOSaavE\RMA36NeCxst2vv.dll	ocTiHNyArJ5xt2k.exe
File opened for modification	C:\Program Files (x86)\GuOSaavE\RMA36NeCxst2vv.dll	ocTiHNyArJ5xt2k.exe
File created	C:\Program Files (x86)\GuOSaavE\RMA36NeCxst2vv.tlb	ocTiHNyArJ5xt2k.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1724	ocTiHNyArJ5xt2k.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 704 wrote to memory of 1724	704	49805622746096f1bae1a082117dab1eaec663d96ca6544516ed2f97e68821af.exe	27
PID 704 wrote to memory of 1724	704	49805622746096f1bae1a082117dab1eaec663d96ca6544516ed2f97e68821af.exe	27
PID 704 wrote to memory of 1724	704	49805622746096f1bae1a082117dab1eaec663d96ca6544516ed2f97e68821af.exe	27
PID 704 wrote to memory of 1724	704	49805622746096f1bae1a082117dab1eaec663d96ca6544516ed2f97e68821af.exe	27
PID 1724 wrote to memory of 1324	1724	ocTiHNyArJ5xt2k.exe	28
PID 1724 wrote to memory of 1324	1724	ocTiHNyArJ5xt2k.exe	28
PID 1724 wrote to memory of 1324	1724	ocTiHNyArJ5xt2k.exe	28
PID 1724 wrote to memory of 1324	1724	ocTiHNyArJ5xt2k.exe	28
PID 1724 wrote to memory of 1324	1724	ocTiHNyArJ5xt2k.exe	28
PID 1724 wrote to memory of 1324	1724	ocTiHNyArJ5xt2k.exe	28
PID 1724 wrote to memory of 1324	1724	ocTiHNyArJ5xt2k.exe	28
PID 1324 wrote to memory of 1344	1324	regsvr32.exe	29
PID 1324 wrote to memory of 1344	1324	regsvr32.exe	29
PID 1324 wrote to memory of 1344	1324	regsvr32.exe	29
PID 1324 wrote to memory of 1344	1324	regsvr32.exe	29
PID 1324 wrote to memory of 1344	1324	regsvr32.exe	29
PID 1324 wrote to memory of 1344	1324	regsvr32.exe	29
PID 1324 wrote to memory of 1344	1324	regsvr32.exe	29

C:\Users\Admin\AppData\Local\Temp\49805622746096f1bae1a082117dab1eaec663d96ca6544516ed2f97e68821af.exe
"C:\Users\Admin\AppData\Local\Temp\49805622746096f1bae1a082117dab1eaec663d96ca6544516ed2f97e68821af.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:704
- C:\Users\Admin\AppData\Local\Temp\7zS899.tmp\ocTiHNyArJ5xt2k.exe
  .\ocTiHNyArJ5xt2k.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GuOSaavE\RMA36NeCxst2vv.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GuOSaavE\RMA36NeCxst2vv.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GuOSaavE\RMA36NeCxst2vv.dat

Filesize
6KB

MD5
b70b76b4cf4eb806caa78b5dfa38ae42

SHA1
8752bf3783a974590fefb7de12d93da0319299ef

SHA256
d8c9b0dfbc2cb085e95477c1db56e85b172ab5cec084f9df334385d4ad66dd49

SHA512
621d833356c0bcfccdf7b2151f57a7fdb1567b7cc77c2697373f4b2c6b77fa15ea462d261fae80c77f1c332858ac58dbc5754d530226cd945955f659e87e2000

Download Submit
C:\Program Files (x86)\GuOSaavE\RMA36NeCxst2vv.x64.dll

Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS899.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS899.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
b33eca6ad8be1b6513f87adb27daf45f

SHA1
e9563404c2962b81af97d19b90c6e6a33957a4e5

SHA256
7968bc12b969a63eda49287c72f2035cd13e733e1cbdf23d8ce26d0d3955757b

SHA512
d51dcea7fb94b7b073e2a6e654243b26dc8a01493c5d6c2153f4b89a6c2f32824c4edac27468bbfe8db103e91ece4ed965b92146406c016ae2978768c80aa116

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS899.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
a5ac14230d23f04824f903f8e89d4ab4

SHA1
1fbb6989fdc96e742ca5f9fd35d6d1bb700fb15d

SHA256
400fa2061b7bb7db732041dfc7dc9ae37606c13d0b42a834f11f29ff2080684c

SHA512
f376f1a63100f1fd873d103b3e75297330fa79de2ad02b6cc18deb0d7cf3cc4b4ded7ec7c6d8692a0d04e190edd28fb54020e9b617319cfe19df612f2e5ca6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS899.tmp\[email protected]\install.rdf

Filesize
593B

MD5
266ac80e48a2604e5d3a77a9232303eb

SHA1
7124644a122d47dc77d68368ba9aa4cba7f0fd68

SHA256
786fcbbbcb399b374e047eb8973c1b36e01fb69a9bf1eaafd4ccf7def24ef595

SHA512
150a8cd73bb25f8a7c6617737bcf5f73291afecfde32e9a6a23aa3201dea3a1b705893095f7664a72f6a7e26ab06a2e75e962a5b967a489ce8c9d24d973d7f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS899.tmp\RMA36NeCxst2vv.dll

Filesize
500KB

MD5
7e61fef6948fc1aa1cb31d42b274cefb

SHA1
bff9450ed225c31548426c98ebcf6055ba7a2bb9

SHA256
05166d95acb90a6b9a539ef9aa864b86affc1099249dd1fda6e19ff88496ced9

SHA512
e48341eefdee739038faef21d1534d107635835540615f703f3f043ce7fc53f3c799f05edfe10571f2f0fd4174783007e57b47294b267224a42ea8c7fae61c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS899.tmp\RMA36NeCxst2vv.tlb

Filesize
3KB

MD5
cf57859d4870e1907e52503d4ffcbb7c

SHA1
fb0b87195347f8274e3fa046e0a34c3e57ff1e35

SHA256
273641220fdd65602a2c7034d5365af6fae6fdf5dd78a3f9a0d7c773f4ee7e40

SHA512
955523e6e85438857bddcb7be29f675643855f28ef3600e8b93e6dbb94c5ae961c0dd0f68cb2ae351df52843ccdf919aeb2b62be711180379617fa9b9463f394

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS899.tmp\RMA36NeCxst2vv.x64.dll

Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS899.tmp\dhadcgbpbhinnkmmdinjpphglfgingbn\background.html

Filesize
142B

MD5
c8772098a85bc57d6d4c8c640cfa2491

SHA1
98501449b2bce1b8a6c97b200e35e1e85bbcc147

SHA256
8c31e6b2bed69d71c3d48eb1c3beb3ce3f40084d5faf47adda7dea15b39aadd9

SHA512
8957b9bb7be682e952a1c9d31064b0129aa5bbf89665e2b54c59333f1a4c48e32222fbbacfff4301bd82126a2af44ad5ca045e01a09f247eb44d652b9528ece0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS899.tmp\dhadcgbpbhinnkmmdinjpphglfgingbn\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS899.tmp\dhadcgbpbhinnkmmdinjpphglfgingbn\lmP1z.js

Filesize
5KB

MD5
e45a9d848f8311cbef20cdbd70d264b2

SHA1
e0ff4c6a5ddc82b1c2f84573120bc2a64ffee40b

SHA256
f5a54a047be0e1a7e2b0d7795b1bae5ef94c7e4ecfb77c4f8815e2838c757db4

SHA512
8487e5d67b43e4895d9be9796b7895563579af8f12c8095217145642c9f4b790da2219261b12d89003d6a490e02f7d7db3a1a41835e999af5eb3100e939f129a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS899.tmp\dhadcgbpbhinnkmmdinjpphglfgingbn\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS899.tmp\dhadcgbpbhinnkmmdinjpphglfgingbn\manifest.json

Filesize
500B

MD5
d2ca6fa7499bd32ac5b203875b832666

SHA1
078cc1680f84a30df771a4becedf4d2867617c18

SHA256
baef72b7e6de2fbae21f7128fd39379848c53752485ae76d86c0acba1ecb8cec

SHA512
782cb43bdd858a8f137a3650b904c4f0da264aed59c72af10947e0371527df848ac3cded8bba5e7cd2bd12c4d030804c77726082fe8502d443f9305e13736c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS899.tmp\ocTiHNyArJ5xt2k.dat

Filesize
6KB

MD5
b70b76b4cf4eb806caa78b5dfa38ae42

SHA1
8752bf3783a974590fefb7de12d93da0319299ef

SHA256
d8c9b0dfbc2cb085e95477c1db56e85b172ab5cec084f9df334385d4ad66dd49

SHA512
621d833356c0bcfccdf7b2151f57a7fdb1567b7cc77c2697373f4b2c6b77fa15ea462d261fae80c77f1c332858ac58dbc5754d530226cd945955f659e87e2000

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS899.tmp\ocTiHNyArJ5xt2k.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS899.tmp\ocTiHNyArJ5xt2k.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
\Program Files (x86)\GuOSaavE\RMA36NeCxst2vv.dll

Filesize
500KB

MD5
7e61fef6948fc1aa1cb31d42b274cefb

SHA1
bff9450ed225c31548426c98ebcf6055ba7a2bb9

SHA256
05166d95acb90a6b9a539ef9aa864b86affc1099249dd1fda6e19ff88496ced9

SHA512
e48341eefdee739038faef21d1534d107635835540615f703f3f043ce7fc53f3c799f05edfe10571f2f0fd4174783007e57b47294b267224a42ea8c7fae61c0c

Download Submit
\Program Files (x86)\GuOSaavE\RMA36NeCxst2vv.x64.dll

Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
\Program Files (x86)\GuOSaavE\RMA36NeCxst2vv.x64.dll

Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
\Users\Admin\AppData\Local\Temp\7zS899.tmp\ocTiHNyArJ5xt2k.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
memory/704-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/1344-78-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download