3ff4271f35c8e9aff12a921e5af16b6d37360ce8443f5e1509d0f059355f07b7

Analysis

max time kernel
25s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 06:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3ff4271f35c8e9aff12a921e5af16b6d37360ce8443f5e1509d0f059355f07b7.exe
Size

2.0MB
MD5

d2b0ace41dfe8fd91ff66787aad93577
SHA1

1408237160d1c78fa12f37b5faa4a49ebb7467fb
SHA256

3ff4271f35c8e9aff12a921e5af16b6d37360ce8443f5e1509d0f059355f07b7
SHA512

c6b218a7aa88a70fff2912d3da584be981593d73ff5ffe1f6ae86b27c25644a04c5d03f19f3a77e10fa31cad707757d0b68a6c775bc9138057fdc4939908a9c1
SSDEEP

49152:h1OsINQToNVxbNrInKtDSwSm7CXH9e7B6cr7J30Ct40pT+:h1OtNQUNVxNpSmGXMvxdti

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2004	hmoFuL34To09wUI.exe

Loads dropped DLL 4 IoCs

pid	Process
1700	3ff4271f35c8e9aff12a921e5af16b6d37360ce8443f5e1509d0f059355f07b7.exe
2004	hmoFuL34To09wUI.exe
660	regsvr32.exe
1164	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfpmdnpgclbidnkbgpjmlbmomfkhefjh\2.0\manifest.json	hmoFuL34To09wUI.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfpmdnpgclbidnkbgpjmlbmomfkhefjh\2.0\manifest.json	hmoFuL34To09wUI.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\dfpmdnpgclbidnkbgpjmlbmomfkhefjh\2.0\manifest.json	hmoFuL34To09wUI.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	hmoFuL34To09wUI.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	hmoFuL34To09wUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	hmoFuL34To09wUI.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	hmoFuL34To09wUI.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	hmoFuL34To09wUI.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoSavve\wyTETJxuIaJQZ5.dat	hmoFuL34To09wUI.exe
File opened for modification	C:\Program Files (x86)\GoSavve\wyTETJxuIaJQZ5.dat	hmoFuL34To09wUI.exe
File created	C:\Program Files (x86)\GoSavve\wyTETJxuIaJQZ5.x64.dll	hmoFuL34To09wUI.exe
File opened for modification	C:\Program Files (x86)\GoSavve\wyTETJxuIaJQZ5.x64.dll	hmoFuL34To09wUI.exe
File created	C:\Program Files (x86)\GoSavve\wyTETJxuIaJQZ5.dll	hmoFuL34To09wUI.exe
File opened for modification	C:\Program Files (x86)\GoSavve\wyTETJxuIaJQZ5.dll	hmoFuL34To09wUI.exe
File created	C:\Program Files (x86)\GoSavve\wyTETJxuIaJQZ5.tlb	hmoFuL34To09wUI.exe
File opened for modification	C:\Program Files (x86)\GoSavve\wyTETJxuIaJQZ5.tlb	hmoFuL34To09wUI.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2004	hmoFuL34To09wUI.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2004	1700	3ff4271f35c8e9aff12a921e5af16b6d37360ce8443f5e1509d0f059355f07b7.exe	28
PID 1700 wrote to memory of 2004	1700	3ff4271f35c8e9aff12a921e5af16b6d37360ce8443f5e1509d0f059355f07b7.exe	28
PID 1700 wrote to memory of 2004	1700	3ff4271f35c8e9aff12a921e5af16b6d37360ce8443f5e1509d0f059355f07b7.exe	28
PID 1700 wrote to memory of 2004	1700	3ff4271f35c8e9aff12a921e5af16b6d37360ce8443f5e1509d0f059355f07b7.exe	28
PID 2004 wrote to memory of 660	2004	hmoFuL34To09wUI.exe	29
PID 2004 wrote to memory of 660	2004	hmoFuL34To09wUI.exe	29
PID 2004 wrote to memory of 660	2004	hmoFuL34To09wUI.exe	29
PID 2004 wrote to memory of 660	2004	hmoFuL34To09wUI.exe	29
PID 2004 wrote to memory of 660	2004	hmoFuL34To09wUI.exe	29
PID 2004 wrote to memory of 660	2004	hmoFuL34To09wUI.exe	29
PID 2004 wrote to memory of 660	2004	hmoFuL34To09wUI.exe	29
PID 660 wrote to memory of 1164	660	regsvr32.exe	30
PID 660 wrote to memory of 1164	660	regsvr32.exe	30
PID 660 wrote to memory of 1164	660	regsvr32.exe	30
PID 660 wrote to memory of 1164	660	regsvr32.exe	30
PID 660 wrote to memory of 1164	660	regsvr32.exe	30
PID 660 wrote to memory of 1164	660	regsvr32.exe	30
PID 660 wrote to memory of 1164	660	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\3ff4271f35c8e9aff12a921e5af16b6d37360ce8443f5e1509d0f059355f07b7.exe
"C:\Users\Admin\AppData\Local\Temp\3ff4271f35c8e9aff12a921e5af16b6d37360ce8443f5e1509d0f059355f07b7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\7zS42DB.tmp\hmoFuL34To09wUI.exe
  .\hmoFuL34To09wUI.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSavve\wyTETJxuIaJQZ5.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSavve\wyTETJxuIaJQZ5.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSavve\wyTETJxuIaJQZ5.dat

Filesize
6KB

MD5
2031dab88be4218d2ad4f6c5c33bc6f9

SHA1
1a47410bd0a95ab271bd7b5e98b74dad3df8cb53

SHA256
caa2ae479fda10d74a603a593912698b9db44d488c40da2533d7fd04b3ec731f

SHA512
4a062c6d657700d2004fc554633da85a036725628a2eb2a08a868c79603b5a8e38a20cd5486e8bc951f0be95c77f414095d0668145fb1ae56a4fa5eddb7f584c

Download Submit
C:\Program Files (x86)\GoSavve\wyTETJxuIaJQZ5.x64.dll

Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42DB.tmp\dfpmdnpgclbidnkbgpjmlbmomfkhefjh\background.html

Filesize
140B

MD5
db8b6658c6cd15e0faaa73c427a67c7c

SHA1
8dfa5f00d14dc57ec443aad9f5ff595c0e9a805e

SHA256
61bc363de9d9607a1e3c5b105ccd0dce70e65b31ecf3ea09d60f776727656a11

SHA512
c7ad986ce728696748bdbbc217e8c676c8b62c93d113af7b527311eb75cd8e07d0e4d78a3d72f4d9e8a4be890126ea1a67c2363179057f38de8efabab6eb99f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42DB.tmp\dfpmdnpgclbidnkbgpjmlbmomfkhefjh\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42DB.tmp\dfpmdnpgclbidnkbgpjmlbmomfkhefjh\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42DB.tmp\dfpmdnpgclbidnkbgpjmlbmomfkhefjh\manifest.json

Filesize
499B

MD5
34cbb7a42a4d4fa7dc5e1f4eda753b3d

SHA1
dee13c6e73ce655be020d3b1ac71b592f5ee9802

SHA256
fee0fa4968e75c48d7e9147cc3f33baca5b2598a48c7d3b20b508605ab00ec66

SHA512
b4d725bd94b5c64c37324ad1ecc29d0ff365fd267c5bd8e9552dd98c3697905e484e1887eeb356c248dd94bddf08e9e780f4c84f49a55916a11b2c5158bc3d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42DB.tmp\dfpmdnpgclbidnkbgpjmlbmomfkhefjh\sJd.js

Filesize
5KB

MD5
0b9e76e3c7d30ee6a78ce1815c49b4d9

SHA1
604a4f13140782d3fb4e05578d678849ce60c9ac

SHA256
8789c60ed3f4ff174474e5d43729bfde095774262ec908f6db86d1b9794335b7

SHA512
fb72cfa8d27c7deb4571bdb1e952638bdaf41a2579be777e0bb496ddf5cdc7e99ccd09639a0b56b4dd45ee6451f1586ce9b1ef616ca58e33a340cf0c2f232ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42DB.tmp\hmoFuL34To09wUI.dat

Filesize
6KB

MD5
2031dab88be4218d2ad4f6c5c33bc6f9

SHA1
1a47410bd0a95ab271bd7b5e98b74dad3df8cb53

SHA256
caa2ae479fda10d74a603a593912698b9db44d488c40da2533d7fd04b3ec731f

SHA512
4a062c6d657700d2004fc554633da85a036725628a2eb2a08a868c79603b5a8e38a20cd5486e8bc951f0be95c77f414095d0668145fb1ae56a4fa5eddb7f584c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42DB.tmp\hmoFuL34To09wUI.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42DB.tmp\hmoFuL34To09wUI.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42DB.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42DB.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
94c9c2b90a5a7733036981e4d437f5d2

SHA1
74479fba8ccd31e8ea350b43422dbc117dd3744d

SHA256
0483db1507c0893684b20c5bdd7d3a9e6e868e786954fb300127f0a11427564d

SHA512
833284661c456edb85d3b53cef9f4c564ae8ba8efd66a285ab522d1fc88fb5c3433b48e90476267435486f08e555e542fe1b09866665df3cc7d9124ebef35e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42DB.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
e2e0f096ed3f57931c6eabc3f3f1ead6

SHA1
ff9d03d9b0b49e358567fdc5f9d7a9c0cc997c7d

SHA256
d1de4862cd7b4ca3691daea0b5f061635688c0f1e371c71cd4b4a94051b2a280

SHA512
14c8e388d4ffaca93a473dbd992b9fff42505b712699472be91abe4550a0582b41edd2a10d45e09543ceb4bac88aa7f36b59aff8b1e9e307da2efa6dfb38da2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42DB.tmp\[email protected]\install.rdf

Filesize
599B

MD5
942e50764cc552a7a30e0de54db7c383

SHA1
0acac74b8a096a094603f258ed554c508a59c5e8

SHA256
26acbed318f1706adaac66b7757a791db790fc8ecd120db683595edefa3e52ac

SHA512
994de7ae3e3bc37b15983675ae67ae48c4343e957b41f92a2f226c0c54985c509b7b640db882e5f6fb73e3301d26f757961a7cb7ff6b81b28a74d020a66a93a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42DB.tmp\wyTETJxuIaJQZ5.dll

Filesize
500KB

MD5
7e61fef6948fc1aa1cb31d42b274cefb

SHA1
bff9450ed225c31548426c98ebcf6055ba7a2bb9

SHA256
05166d95acb90a6b9a539ef9aa864b86affc1099249dd1fda6e19ff88496ced9

SHA512
e48341eefdee739038faef21d1534d107635835540615f703f3f043ce7fc53f3c799f05edfe10571f2f0fd4174783007e57b47294b267224a42ea8c7fae61c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42DB.tmp\wyTETJxuIaJQZ5.tlb

Filesize
3KB

MD5
cf57859d4870e1907e52503d4ffcbb7c

SHA1
fb0b87195347f8274e3fa046e0a34c3e57ff1e35

SHA256
273641220fdd65602a2c7034d5365af6fae6fdf5dd78a3f9a0d7c773f4ee7e40

SHA512
955523e6e85438857bddcb7be29f675643855f28ef3600e8b93e6dbb94c5ae961c0dd0f68cb2ae351df52843ccdf919aeb2b62be711180379617fa9b9463f394

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS42DB.tmp\wyTETJxuIaJQZ5.x64.dll

Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
\Program Files (x86)\GoSavve\wyTETJxuIaJQZ5.dll

Filesize
500KB

MD5
7e61fef6948fc1aa1cb31d42b274cefb

SHA1
bff9450ed225c31548426c98ebcf6055ba7a2bb9

SHA256
05166d95acb90a6b9a539ef9aa864b86affc1099249dd1fda6e19ff88496ced9

SHA512
e48341eefdee739038faef21d1534d107635835540615f703f3f043ce7fc53f3c799f05edfe10571f2f0fd4174783007e57b47294b267224a42ea8c7fae61c0c

Download Submit
\Program Files (x86)\GoSavve\wyTETJxuIaJQZ5.x64.dll

Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
\Program Files (x86)\GoSavve\wyTETJxuIaJQZ5.x64.dll

Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
\Users\Admin\AppData\Local\Temp\7zS42DB.tmp\hmoFuL34To09wUI.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
memory/1164-78-0x000007FEFC241000-0x000007FEFC243000-memory.dmp

Filesize
8KB

Download
memory/1700-54-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download