33565131251139999301abf25fcc46f9e3d4e316d98981793e607511d3454b15

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33565131251139999301abf25fcc46f9e3d4e316d98981793e607511d3454b15.exe
Size

2.0MB
MD5

bb12a4064ceaedc74e422f14cae97af7
SHA1

794f38d9b3d427066f1d0906b98860fd72c196bd
SHA256

33565131251139999301abf25fcc46f9e3d4e316d98981793e607511d3454b15
SHA512

204726f06ff42c6af398ffe9f3dc33cf1ef2d1363e52389c913b6f447f1bc6ac8340c1e08e2bc988bf5accbd8f4e725df820cae6cf5e37e89a58250c97ac2d3d
SSDEEP

49152:h1OsGNQToNVxbNrInKtDSwSm7CXH9e7B6cr7J30Ct40pTV:h1OFNQUNVxNpSmGXMvxdtZ

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Hx2YlZDaRJTkovw.exe

pid process

4252 Hx2YlZDaRJTkovw.exe
Loads dropped DLL 3 IoCs

Processes:

Hx2YlZDaRJTkovw.exeregsvr32.exeregsvr32.exe

pid process

4252 Hx2YlZDaRJTkovw.exe
4704 regsvr32.exe
4324 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4252	Hx2YlZDaRJTkovw.exe

pid	process
4252	Hx2YlZDaRJTkovw.exe
4704	regsvr32.exe
4324	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

Hx2YlZDaRJTkovw.exe

description	ioc	process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgdjcoogbjhmaijkkpjfekcpilkffmoa\2.0\manifest.json	Hx2YlZDaRJTkovw.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgdjcoogbjhmaijkkpjfekcpilkffmoa\2.0\manifest.json	Hx2YlZDaRJTkovw.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgdjcoogbjhmaijkkpjfekcpilkffmoa\2.0\manifest.json	Hx2YlZDaRJTkovw.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgdjcoogbjhmaijkkpjfekcpilkffmoa\2.0\manifest.json	Hx2YlZDaRJTkovw.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgdjcoogbjhmaijkkpjfekcpilkffmoa\2.0\manifest.json	Hx2YlZDaRJTkovw.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

Hx2YlZDaRJTkovw.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	Hx2YlZDaRJTkovw.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	Hx2YlZDaRJTkovw.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	Hx2YlZDaRJTkovw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	Hx2YlZDaRJTkovw.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

Hx2YlZDaRJTkovw.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GouSave\Fv4XF8ycLgWPo7.x64.dll	Hx2YlZDaRJTkovw.exe
File created	C:\Program Files (x86)\GouSave\Fv4XF8ycLgWPo7.dll	Hx2YlZDaRJTkovw.exe
File opened for modification	C:\Program Files (x86)\GouSave\Fv4XF8ycLgWPo7.dll	Hx2YlZDaRJTkovw.exe
File created	C:\Program Files (x86)\GouSave\Fv4XF8ycLgWPo7.tlb	Hx2YlZDaRJTkovw.exe
File opened for modification	C:\Program Files (x86)\GouSave\Fv4XF8ycLgWPo7.tlb	Hx2YlZDaRJTkovw.exe
File created	C:\Program Files (x86)\GouSave\Fv4XF8ycLgWPo7.dat	Hx2YlZDaRJTkovw.exe
File opened for modification	C:\Program Files (x86)\GouSave\Fv4XF8ycLgWPo7.dat	Hx2YlZDaRJTkovw.exe
File created	C:\Program Files (x86)\GouSave\Fv4XF8ycLgWPo7.x64.dll	Hx2YlZDaRJTkovw.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Hx2YlZDaRJTkovw.exe

pid process

4252 Hx2YlZDaRJTkovw.exe
4252 Hx2YlZDaRJTkovw.exe

pid	process
4252	Hx2YlZDaRJTkovw.exe
4252	Hx2YlZDaRJTkovw.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

33565131251139999301abf25fcc46f9e3d4e316d98981793e607511d3454b15.exeHx2YlZDaRJTkovw.exeregsvr32.exe

description	pid	process	target process
PID 2140 wrote to memory of 4252	2140	33565131251139999301abf25fcc46f9e3d4e316d98981793e607511d3454b15.exe	Hx2YlZDaRJTkovw.exe
PID 2140 wrote to memory of 4252	2140	33565131251139999301abf25fcc46f9e3d4e316d98981793e607511d3454b15.exe	Hx2YlZDaRJTkovw.exe
PID 2140 wrote to memory of 4252	2140	33565131251139999301abf25fcc46f9e3d4e316d98981793e607511d3454b15.exe	Hx2YlZDaRJTkovw.exe
PID 4252 wrote to memory of 4704	4252	Hx2YlZDaRJTkovw.exe	regsvr32.exe
PID 4252 wrote to memory of 4704	4252	Hx2YlZDaRJTkovw.exe	regsvr32.exe
PID 4252 wrote to memory of 4704	4252	Hx2YlZDaRJTkovw.exe	regsvr32.exe
PID 4704 wrote to memory of 4324	4704	regsvr32.exe	regsvr32.exe
PID 4704 wrote to memory of 4324	4704	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\33565131251139999301abf25fcc46f9e3d4e316d98981793e607511d3454b15.exe
"C:\Users\Admin\AppData\Local\Temp\33565131251139999301abf25fcc46f9e3d4e316d98981793e607511d3454b15.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\7zS7331.tmp\Hx2YlZDaRJTkovw.exe
.\Hx2YlZDaRJTkovw.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GouSave\Fv4XF8ycLgWPo7.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GouSave\Fv4XF8ycLgWPo7.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:4324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GouSave\Fv4XF8ycLgWPo7.dat
Filesize
6KB

MD5
acc3570fc4322ead0a2db68505f8cd86

SHA1
899ab16fadda3bdb2c07bb147a7c359e862fcc84

SHA256
6428adec9d60575c3d42fe548cf69aff8f15eda4081040f567fadd151ca4d71f

SHA512
9732c59133debc40f70d41f38bd973caddde4a4ca5e60019b9029bb34e4d7c807de6cc63e94655b02cfd4c4c74a7658607c01f43c8ca749c0b28419c7a3bbf43

Download Submit
C:\Program Files (x86)\GouSave\Fv4XF8ycLgWPo7.dll
Filesize
500KB

MD5
7e61fef6948fc1aa1cb31d42b274cefb

SHA1
bff9450ed225c31548426c98ebcf6055ba7a2bb9

SHA256
05166d95acb90a6b9a539ef9aa864b86affc1099249dd1fda6e19ff88496ced9

SHA512
e48341eefdee739038faef21d1534d107635835540615f703f3f043ce7fc53f3c799f05edfe10571f2f0fd4174783007e57b47294b267224a42ea8c7fae61c0c

Download Submit
C:\Program Files (x86)\GouSave\Fv4XF8ycLgWPo7.x64.dll
Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
C:\Program Files (x86)\GouSave\Fv4XF8ycLgWPo7.x64.dll
Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
C:\Program Files (x86)\GouSave\Fv4XF8ycLgWPo7.x64.dll
Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7331.tmp\Fv4XF8ycLgWPo7.dll
Filesize
500KB

MD5
7e61fef6948fc1aa1cb31d42b274cefb

SHA1
bff9450ed225c31548426c98ebcf6055ba7a2bb9

SHA256
05166d95acb90a6b9a539ef9aa864b86affc1099249dd1fda6e19ff88496ced9

SHA512
e48341eefdee739038faef21d1534d107635835540615f703f3f043ce7fc53f3c799f05edfe10571f2f0fd4174783007e57b47294b267224a42ea8c7fae61c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7331.tmp\Fv4XF8ycLgWPo7.tlb
Filesize
3KB

MD5
cf57859d4870e1907e52503d4ffcbb7c

SHA1
fb0b87195347f8274e3fa046e0a34c3e57ff1e35

SHA256
273641220fdd65602a2c7034d5365af6fae6fdf5dd78a3f9a0d7c773f4ee7e40

SHA512
955523e6e85438857bddcb7be29f675643855f28ef3600e8b93e6dbb94c5ae961c0dd0f68cb2ae351df52843ccdf919aeb2b62be711180379617fa9b9463f394

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7331.tmp\Fv4XF8ycLgWPo7.x64.dll
Filesize
639KB

MD5
388feac0c3abaf35d451edd34e89b2d4

SHA1
564e5f05143e29e5de4f202dd9c6f36b05b3bcb3

SHA256
80df3798ceffbe51714b7c4ff96ea22847e9c1f1d4f278ec56396635cde59acd

SHA512
59c4fb9c41dbbeb824778e8f65da39a84d80c9eeab96be5d0255f6d0a53a4eb94901335fb263d2ee38ab764fcd95def701c398603d5aba2e52337795af1cd210

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7331.tmp\Hx2YlZDaRJTkovw.dat
Filesize
6KB

MD5
acc3570fc4322ead0a2db68505f8cd86

SHA1
899ab16fadda3bdb2c07bb147a7c359e862fcc84

SHA256
6428adec9d60575c3d42fe548cf69aff8f15eda4081040f567fadd151ca4d71f

SHA512
9732c59133debc40f70d41f38bd973caddde4a4ca5e60019b9029bb34e4d7c807de6cc63e94655b02cfd4c4c74a7658607c01f43c8ca749c0b28419c7a3bbf43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7331.tmp\Hx2YlZDaRJTkovw.exe
Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7331.tmp\Hx2YlZDaRJTkovw.exe
Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7331.tmp\IV@k0bm.edu\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7331.tmp\IV@k0bm.edu\chrome.manifest
Filesize
35B

MD5
d395f4fd0527fb966cfed04861a02607

SHA1
cf17234855e3fd5a2073d22fbeb816e5ffe9f2ad

SHA256
e87fc480e88796700781e4c1252204fb5bbe8e183e68bae4d172ba4de6c68cf4

SHA512
aa27c954397936f297f5fb79d3f248d3cf3167bd8b4f8797ee1d7313e16b26cb5180620eb82d44a7a3b686b6926ecfc576bb3914ac5fa4765247c45b88087299

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7331.tmp\IV@k0bm.edu\content\bg.js
Filesize
7KB

MD5
08dd3c9406571daba63fb8849534577e

SHA1
d64a845ae0f19839410505f34e7a1ef9d0bdc407

SHA256
7ad3e1fda14ba24075607120df33336b1d7f44166e78bdd9c8ab84c2fe51bed7

SHA512
2ea333e6246ba961d40e29615485ebe99c90daa08cc89428ddd87bd0772b6cc19626ae0ba0402b980550a587c324c694b98d588969dba0446a75c733bc47ce34

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7331.tmp\IV@k0bm.edu\install.rdf
Filesize
594B

MD5
a5f0e89ed1ce61891beb61058e6e979c

SHA1
eb68e6d95023f91ebadaecca8967d8ef594f70d8

SHA256
ad1c771c807a29f0cb2c34a2848cd6f2ac97e1bf6e2f70852c1ed23e60e03fde

SHA512
c3ad98960e56f07ea8aefc4cca8a736352f5f2d390a6204202dc28765a224656225644dd5eb6ffd64d4fd9654a1bfec700fd1daa69a491f75a7f827e6ae57b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7331.tmp\cgdjcoogbjhmaijkkpjfekcpilkffmoa\POQuBbLvGs.js
Filesize
5KB

MD5
afd3a837c682542baf42288a079245bf

SHA1
7d7eda289a84d7562fcc8c9a1f2ca7f32967a34e

SHA256
34c0db65b2113a7b2665a455025085a380c956db11fe24c05c5afd9df6764719

SHA512
eb94c9f475efca8624abf58b783fc4f3cfde12c9a81584c1dd64898608a82cc770762c161ab78d1a78e0d2a64cd857bfe70e60fea66a70b0a28bbe47e55c15dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7331.tmp\cgdjcoogbjhmaijkkpjfekcpilkffmoa\background.html
Filesize
147B

MD5
5a4f2c05cf309b30ab9bd3fa30bf6abe

SHA1
5fb5d3429ab3470b6e640db99dcd3bb0c2349c5f

SHA256
7ffcf6917f2c5de5a58f92b9bdf0f308a9df67a37381c0a6c8d1aadb8cbacb47

SHA512
c905339b80856d9af7e467870fa1e9f2d502377736cf0178883d015e02cfc9045c8e968fec6e69f645d50c209a3bad17f43ea563623fb2a11e9a362014a0ebc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7331.tmp\cgdjcoogbjhmaijkkpjfekcpilkffmoa\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7331.tmp\cgdjcoogbjhmaijkkpjfekcpilkffmoa\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7331.tmp\cgdjcoogbjhmaijkkpjfekcpilkffmoa\manifest.json
Filesize
499B

MD5
8ff710e66ae41f8f188573d1f23fea43

SHA1
42a7d81a845ac640fb2737ef61310fb979009e4c

SHA256
ce71910ff2324d8823d6d04a40083f0114e3fd207731aa8e684b84576f4ea296

SHA512
543f856ef34d3086417c64da82b5560767144cd6e4db7bbaa26709713e7f8f1275ba0b048649cbb043e5dc885254ead23e85f3fe83a6d5d1dc57eecb7ba64713

Download Submit
memory/4252-132-0x0000000000000000-mapping.dmp

Download
memory/4324-152-0x0000000000000000-mapping.dmp

Download
memory/4704-149-0x0000000000000000-mapping.dmp

Download