84f79269893d61ebe43c96ee9b498fa84985ca5f0b08e11becbca073d85d5c4a

Analysis

max time kernel
44s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84f79269893d61ebe43c96ee9b498fa84985ca5f0b08e11becbca073d85d5c4a.exe
Size

2.0MB
MD5

aa20ad82ae207cc2a377014df63a9492
SHA1

e4fc7d7afaa3f825f8765ef790229ea380f95162
SHA256

84f79269893d61ebe43c96ee9b498fa84985ca5f0b08e11becbca073d85d5c4a
SHA512

c855f6feda07fe71cea9c3fe91925f8f929fa3090fcb0122574b37c4f56cedb7858cbaea801caacfa80f27191b4b531dbed31933fe33bb99dcd67b5232a7bc5b
SSDEEP

49152:h1OsINQToNVxbNrInKtDSwSm7CXH9e7B6cr7J30Ct40pTF:h1OfNQUNVxNpSmGXMvxdtR

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1692	vjWHEqrc2dzQkCS.exe

Loads dropped DLL 4 IoCs

pid	Process
1372	84f79269893d61ebe43c96ee9b498fa84985ca5f0b08e11becbca073d85d5c4a.exe
1692	vjWHEqrc2dzQkCS.exe
1704	regsvr32.exe
1988	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kindolkdmgdfonpgbihlkmcjglppdmfd\2.0\manifest.json	vjWHEqrc2dzQkCS.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\kindolkdmgdfonpgbihlkmcjglppdmfd\2.0\manifest.json	vjWHEqrc2dzQkCS.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\kindolkdmgdfonpgbihlkmcjglppdmfd\2.0\manifest.json	vjWHEqrc2dzQkCS.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	vjWHEqrc2dzQkCS.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	vjWHEqrc2dzQkCS.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	vjWHEqrc2dzQkCS.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	vjWHEqrc2dzQkCS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	vjWHEqrc2dzQkCS.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GGoSAve\2lualFQ94s8MDS.tlb	vjWHEqrc2dzQkCS.exe
File created	C:\Program Files (x86)\GGoSAve\2lualFQ94s8MDS.dat	vjWHEqrc2dzQkCS.exe
File opened for modification	C:\Program Files (x86)\GGoSAve\2lualFQ94s8MDS.dat	vjWHEqrc2dzQkCS.exe
File created	C:\Program Files (x86)\GGoSAve\2lualFQ94s8MDS.x64.dll	vjWHEqrc2dzQkCS.exe
File opened for modification	C:\Program Files (x86)\GGoSAve\2lualFQ94s8MDS.x64.dll	vjWHEqrc2dzQkCS.exe
File created	C:\Program Files (x86)\GGoSAve\2lualFQ94s8MDS.dll	vjWHEqrc2dzQkCS.exe
File opened for modification	C:\Program Files (x86)\GGoSAve\2lualFQ94s8MDS.dll	vjWHEqrc2dzQkCS.exe
File created	C:\Program Files (x86)\GGoSAve\2lualFQ94s8MDS.tlb	vjWHEqrc2dzQkCS.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1692	vjWHEqrc2dzQkCS.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 1692	1372	84f79269893d61ebe43c96ee9b498fa84985ca5f0b08e11becbca073d85d5c4a.exe	28
PID 1372 wrote to memory of 1692	1372	84f79269893d61ebe43c96ee9b498fa84985ca5f0b08e11becbca073d85d5c4a.exe	28
PID 1372 wrote to memory of 1692	1372	84f79269893d61ebe43c96ee9b498fa84985ca5f0b08e11becbca073d85d5c4a.exe	28
PID 1372 wrote to memory of 1692	1372	84f79269893d61ebe43c96ee9b498fa84985ca5f0b08e11becbca073d85d5c4a.exe	28
PID 1692 wrote to memory of 1704	1692	vjWHEqrc2dzQkCS.exe	29
PID 1692 wrote to memory of 1704	1692	vjWHEqrc2dzQkCS.exe	29
PID 1692 wrote to memory of 1704	1692	vjWHEqrc2dzQkCS.exe	29
PID 1692 wrote to memory of 1704	1692	vjWHEqrc2dzQkCS.exe	29
PID 1692 wrote to memory of 1704	1692	vjWHEqrc2dzQkCS.exe	29
PID 1692 wrote to memory of 1704	1692	vjWHEqrc2dzQkCS.exe	29
PID 1692 wrote to memory of 1704	1692	vjWHEqrc2dzQkCS.exe	29
PID 1704 wrote to memory of 1988	1704	regsvr32.exe	30
PID 1704 wrote to memory of 1988	1704	regsvr32.exe	30
PID 1704 wrote to memory of 1988	1704	regsvr32.exe	30
PID 1704 wrote to memory of 1988	1704	regsvr32.exe	30
PID 1704 wrote to memory of 1988	1704	regsvr32.exe	30
PID 1704 wrote to memory of 1988	1704	regsvr32.exe	30
PID 1704 wrote to memory of 1988	1704	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\84f79269893d61ebe43c96ee9b498fa84985ca5f0b08e11becbca073d85d5c4a.exe
"C:\Users\Admin\AppData\Local\Temp\84f79269893d61ebe43c96ee9b498fa84985ca5f0b08e11becbca073d85d5c4a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\7zSEFFB.tmp\vjWHEqrc2dzQkCS.exe
  .\vjWHEqrc2dzQkCS.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GGoSAve\2lualFQ94s8MDS.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GGoSAve\2lualFQ94s8MDS.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GGoSAve\2lualFQ94s8MDS.dat

Filesize
6KB

MD5
b872993bb42f92d1e1a58653f8bf26a2

SHA1
7a8a53a1d9ef7f4b4810be9f68cac88888e5d077

SHA256
5282f7c61391aba3f34c9b9138dc0b2d230af31af55268d5f63d4ccfbf6533fc

SHA512
667b3d44c5b8aeeaaeefa64f349e86eaad36dbe92771e9dddd1e16eb715e197b8fde91aff666d4a068e6f342afd313f630b1d643b9d74306839e2af125cc05dc

Download Submit
C:\Program Files (x86)\GGoSAve\2lualFQ94s8MDS.x64.dll

Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEFFB.tmp\2lualFQ94s8MDS.dll

Filesize
500KB

MD5
7e61fef6948fc1aa1cb31d42b274cefb

SHA1
bff9450ed225c31548426c98ebcf6055ba7a2bb9

SHA256
05166d95acb90a6b9a539ef9aa864b86affc1099249dd1fda6e19ff88496ced9

SHA512
e48341eefdee739038faef21d1534d107635835540615f703f3f043ce7fc53f3c799f05edfe10571f2f0fd4174783007e57b47294b267224a42ea8c7fae61c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEFFB.tmp\2lualFQ94s8MDS.tlb

Filesize
3KB

MD5
cf57859d4870e1907e52503d4ffcbb7c

SHA1
fb0b87195347f8274e3fa046e0a34c3e57ff1e35

SHA256
273641220fdd65602a2c7034d5365af6fae6fdf5dd78a3f9a0d7c773f4ee7e40

SHA512
955523e6e85438857bddcb7be29f675643855f28ef3600e8b93e6dbb94c5ae961c0dd0f68cb2ae351df52843ccdf919aeb2b62be711180379617fa9b9463f394

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEFFB.tmp\2lualFQ94s8MDS.x64.dll

Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEFFB.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEFFB.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
e6b884fc2f782d517c90c8b2ed03468d

SHA1
ff456c8ddbe96636d3403589f85b2b57f5934e76

SHA256
f85ce813ee9592c5db72a009c42a1aa9b5127f3cabbf4a9f0d238b2d4c99a014

SHA512
eed5b4368abbdd68c7d6f936af2d0589e6a8126b6454dd817eeec821eb4f7042d5aeb02121685747ad1342563da33599fe4859b4a0e61ea10be2d51bde9724b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEFFB.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
8bc24372b18f6137ae01dd291e98947c

SHA1
f3538087794097dd73b204fc654b2f7e3b91b377

SHA256
c2af2afc606119ace929a4df21c106106a7526ec5174f66ce39a73c9db17fa08

SHA512
6132b28a7d54f4e1f87b0dc9f04af92bf56285b2d7981ab20a4859cfc1f676058191f7c19067fb24fa688a81ced4cf5542e472c6264313c369b262f8cab0da5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEFFB.tmp\[email protected]\install.rdf

Filesize
591B

MD5
fbee3d255b5c4d036b3a45a95299e357

SHA1
51709da71da179e97b0afca13aff5588a7d84431

SHA256
a2b3992d45c49d63a1adc6e5b71e44043821b22ace000775d0aaabc2511ac937

SHA512
14e3ecb99dda9784566ff3b34617ef058179b536b1559366be615616adeb2e32c70fb74f1745f4fcdb54e18a49f6dbb65558a85c55f12ee61b415f3928b9eb54

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEFFB.tmp\kindolkdmgdfonpgbihlkmcjglppdmfd\Uh.js

Filesize
5KB

MD5
f1608ba7e9ad6d4921e6e37457c99748

SHA1
fed3c6c36c27b1fae4e3397daa9bbc56abc821ec

SHA256
2bfbb01a97ea5a117123eb45e0ca3678d7fcb5f48d4a70a18eb447e21cfdf906

SHA512
2336b29c4381239285af61e080715eb3c0c1f5c2ffd414de1f22e91efdacb88ca74b1c0195dab11ba0a40ec130debdefa62d587cb4ccf04a4335a8fbdc1871a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEFFB.tmp\kindolkdmgdfonpgbihlkmcjglppdmfd\background.html

Filesize
139B

MD5
c36466611a361d2ffbfa3e7ef22800ef

SHA1
f33e8817a33f30ec2b3d545efe799d1e2adc81f7

SHA256
faee8fcca6e715a8ce0fe15e0990a2980a0847c2fdf4a3a26f1b414b8b3555a4

SHA512
34bdffe904d9117171f35db181f15f15baaa7724efbd6df1e37a6d30f90498bd95035b6ca646306b72e36f20535c1c8284f4028ec8ddc8627c5f640b2ef3371f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEFFB.tmp\kindolkdmgdfonpgbihlkmcjglppdmfd\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEFFB.tmp\kindolkdmgdfonpgbihlkmcjglppdmfd\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEFFB.tmp\kindolkdmgdfonpgbihlkmcjglppdmfd\manifest.json

Filesize
499B

MD5
7eb75ab4fc6467d0cfb4d6425e360817

SHA1
70fb1b8264e50ef8cfd97b5cdb98dabe4b938560

SHA256
03bc07a1f7c8f73867681c68f734e64acc1bead0ac3ba44e1196726995f88210

SHA512
56a1bbc8b84ffab39a8a0afe0a7ac2ea75fcd5ac870e5993b53038f90b2f796ff9bab353957c0880c39a3f822484f637aa12c431a20140bb80d4f97c0764fd3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEFFB.tmp\vjWHEqrc2dzQkCS.dat

Filesize
6KB

MD5
b872993bb42f92d1e1a58653f8bf26a2

SHA1
7a8a53a1d9ef7f4b4810be9f68cac88888e5d077

SHA256
5282f7c61391aba3f34c9b9138dc0b2d230af31af55268d5f63d4ccfbf6533fc

SHA512
667b3d44c5b8aeeaaeefa64f349e86eaad36dbe92771e9dddd1e16eb715e197b8fde91aff666d4a068e6f342afd313f630b1d643b9d74306839e2af125cc05dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEFFB.tmp\vjWHEqrc2dzQkCS.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEFFB.tmp\vjWHEqrc2dzQkCS.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
\Program Files (x86)\GGoSAve\2lualFQ94s8MDS.dll

Filesize
500KB

MD5
7e61fef6948fc1aa1cb31d42b274cefb

SHA1
bff9450ed225c31548426c98ebcf6055ba7a2bb9

SHA256
05166d95acb90a6b9a539ef9aa864b86affc1099249dd1fda6e19ff88496ced9

SHA512
e48341eefdee739038faef21d1534d107635835540615f703f3f043ce7fc53f3c799f05edfe10571f2f0fd4174783007e57b47294b267224a42ea8c7fae61c0c

Download Submit
\Program Files (x86)\GGoSAve\2lualFQ94s8MDS.x64.dll

Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
\Program Files (x86)\GGoSAve\2lualFQ94s8MDS.x64.dll

Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
\Users\Admin\AppData\Local\Temp\7zSEFFB.tmp\vjWHEqrc2dzQkCS.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
memory/1372-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1988-78-0x000007FEFC371000-0x000007FEFC373000-memory.dmp

Filesize
8KB

Download