2f4a4e2c231c1b50fc944e9d13e5f4c19a7dec67dcee2fd179b0cc8efc1e0daa

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f4a4e2c231c1b50fc944e9d13e5f4c19a7dec67dcee2fd179b0cc8efc1e0daa.exe
Size

2.1MB
MD5

898c9ced50abda7b0b25505c6d5e3c18
SHA1

58e3b03b9f32c83255001c4effd471654b33ce7e
SHA256

2f4a4e2c231c1b50fc944e9d13e5f4c19a7dec67dcee2fd179b0cc8efc1e0daa
SHA512

a429de9203779cdadb7decf71a181428f4d843c50ab558c9066c9f85188126b22b0e689b98bb8ff15fd0a5b30ff81ff2601ebf6d6c6f179f2e74eb2b73e6a0a8
SSDEEP

49152:h1OscvUmc2nkh6GiQFD/Qh/4k9p1nqkVhkr:h1O3a6GJ/QxDO

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2068	b7SbvP8NDDEfSpI.exe

Loads dropped DLL 3 IoCs

pid	Process
2068	b7SbvP8NDDEfSpI.exe
1784	regsvr32.exe
2964	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbecoljhniddldichfkcdadfafidopel\2.0\manifest.json	b7SbvP8NDDEfSpI.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbecoljhniddldichfkcdadfafidopel\2.0\manifest.json	b7SbvP8NDDEfSpI.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbecoljhniddldichfkcdadfafidopel\2.0\manifest.json	b7SbvP8NDDEfSpI.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbecoljhniddldichfkcdadfafidopel\2.0\manifest.json	b7SbvP8NDDEfSpI.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbecoljhniddldichfkcdadfafidopel\2.0\manifest.json	b7SbvP8NDDEfSpI.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	b7SbvP8NDDEfSpI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	b7SbvP8NDDEfSpI.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	b7SbvP8NDDEfSpI.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	b7SbvP8NDDEfSpI.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoSavE\NAw37Of0WvBXyB.x64.dll	b7SbvP8NDDEfSpI.exe
File opened for modification	C:\Program Files (x86)\GoSavE\NAw37Of0WvBXyB.x64.dll	b7SbvP8NDDEfSpI.exe
File created	C:\Program Files (x86)\GoSavE\NAw37Of0WvBXyB.dll	b7SbvP8NDDEfSpI.exe
File opened for modification	C:\Program Files (x86)\GoSavE\NAw37Of0WvBXyB.dll	b7SbvP8NDDEfSpI.exe
File created	C:\Program Files (x86)\GoSavE\NAw37Of0WvBXyB.tlb	b7SbvP8NDDEfSpI.exe
File opened for modification	C:\Program Files (x86)\GoSavE\NAw37Of0WvBXyB.tlb	b7SbvP8NDDEfSpI.exe
File created	C:\Program Files (x86)\GoSavE\NAw37Of0WvBXyB.dat	b7SbvP8NDDEfSpI.exe
File opened for modification	C:\Program Files (x86)\GoSavE\NAw37Of0WvBXyB.dat	b7SbvP8NDDEfSpI.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2068	4928	2f4a4e2c231c1b50fc944e9d13e5f4c19a7dec67dcee2fd179b0cc8efc1e0daa.exe	85
PID 4928 wrote to memory of 2068	4928	2f4a4e2c231c1b50fc944e9d13e5f4c19a7dec67dcee2fd179b0cc8efc1e0daa.exe	85
PID 4928 wrote to memory of 2068	4928	2f4a4e2c231c1b50fc944e9d13e5f4c19a7dec67dcee2fd179b0cc8efc1e0daa.exe	85
PID 2068 wrote to memory of 1784	2068	b7SbvP8NDDEfSpI.exe	86
PID 2068 wrote to memory of 1784	2068	b7SbvP8NDDEfSpI.exe	86
PID 2068 wrote to memory of 1784	2068	b7SbvP8NDDEfSpI.exe	86
PID 1784 wrote to memory of 2964	1784	regsvr32.exe	87
PID 1784 wrote to memory of 2964	1784	regsvr32.exe	87

C:\Users\Admin\AppData\Local\Temp\2f4a4e2c231c1b50fc944e9d13e5f4c19a7dec67dcee2fd179b0cc8efc1e0daa.exe
"C:\Users\Admin\AppData\Local\Temp\2f4a4e2c231c1b50fc944e9d13e5f4c19a7dec67dcee2fd179b0cc8efc1e0daa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\7zS5EFD.tmp\b7SbvP8NDDEfSpI.exe
  .\b7SbvP8NDDEfSpI.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSavE\NAw37Of0WvBXyB.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSavE\NAw37Of0WvBXyB.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:2964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSavE\NAw37Of0WvBXyB.dat

Filesize
6KB

MD5
f47d4cc7984f96f11f12d8055bc94eb7

SHA1
ffa0fd818baf987d885e5582cee9805b7385cbdc

SHA256
5edf7ea88c0cd9780c7e3d204df6cb8a708d28e942daa59b40cb1587ad4bd5ca

SHA512
58284bc52ea0377aa2efd76b76fd76286a1fc77d00173a7f8b044b81cd316e2d4c285ace6f7d0b6220b931e5da27ef0892f47c207b2560063daaadbb6c78b6f1

Download Submit
C:\Program Files (x86)\GoSavE\NAw37Of0WvBXyB.dll

Filesize
614KB

MD5
57a98d53c7a19558850c8ba3b427d837

SHA1
ffff0d9e6a1a7c8404b3138cd45ae0632acb5454

SHA256
fcf93772590062ea64a3fde503a04eb0863c34dfcd9b79f9f107e416188897ce

SHA512
5c6ed8942174f8948d2dd5008545fa4c6473e3252579987f9ae279332ab6185b149fc730f33cce41f6d9052f8abae3791f50b7199e03fe38419801ff4b5b3e8b

Download Submit
C:\Program Files (x86)\GoSavE\NAw37Of0WvBXyB.x64.dll

Filesize
695KB

MD5
04fb344faa7d54ef787ded9135ee0d76

SHA1
d126aa0c600830e677fefca5fdc4a9cf19ad5633

SHA256
9dcb9dd3320981707d6ec1a7744ce68faf612a5c4d8734927ff67d78bc32870e

SHA512
6396e28dfac19e9dcedf777340f8681316e6af3f08080242c9408b4de7196cbc5d2c5e32228c67a096a017f59a8e62011c051b321b17547a8664c7121414f31d

Download Submit
C:\Program Files (x86)\GoSavE\NAw37Of0WvBXyB.x64.dll

Filesize
695KB

MD5
04fb344faa7d54ef787ded9135ee0d76

SHA1
d126aa0c600830e677fefca5fdc4a9cf19ad5633

SHA256
9dcb9dd3320981707d6ec1a7744ce68faf612a5c4d8734927ff67d78bc32870e

SHA512
6396e28dfac19e9dcedf777340f8681316e6af3f08080242c9408b4de7196cbc5d2c5e32228c67a096a017f59a8e62011c051b321b17547a8664c7121414f31d

Download Submit
C:\Program Files (x86)\GoSavE\NAw37Of0WvBXyB.x64.dll

Filesize
695KB

MD5
04fb344faa7d54ef787ded9135ee0d76

SHA1
d126aa0c600830e677fefca5fdc4a9cf19ad5633

SHA256
9dcb9dd3320981707d6ec1a7744ce68faf612a5c4d8734927ff67d78bc32870e

SHA512
6396e28dfac19e9dcedf777340f8681316e6af3f08080242c9408b4de7196cbc5d2c5e32228c67a096a017f59a8e62011c051b321b17547a8664c7121414f31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5EFD.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5EFD.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
c0d7476c29669d30f4ee4aea88f2bb6c

SHA1
531a61ddef7529e0c9d4c3fe18b362c81c806b7d

SHA256
da46e04ca0e376f7f0316fd76e6e70bae3d1f7a76f7ca755979a54f24c88d555

SHA512
ea046921bf45a2d1757a9b4cafef8371e27aad0ce809b54d6081d5e5be3af519c0eaeaeab57050abbb4ead3d415458f49b8887982a47f0acccc48435c7b482d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5EFD.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
5fd29dc407ab23dc7074f77701b81fba

SHA1
32f64d097b9f2c9566fc4533d9981aa43f874f00

SHA256
68b768fddc1f85e5b92c47dd036096d47d414db5a387721c27d89ef7c7a6b3dd

SHA512
7ced5b2555d0fb63e995536c814cadddf7a5759d4bef81e563ac501439d96c592fbd2bc465bcf5ef0a17b6cd1d082d7dc44c519056d154548e785889ee445170

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5EFD.tmp\[email protected]\install.rdf

Filesize
597B

MD5
536aab70206b79ecf5f0c3ddc73f4655

SHA1
aeae1bcb6fe9c3324889997b6aac126180a58aa2

SHA256
e2e142ce16aa313b6a3d3ba1f722627d6dfdccbe4a7ef7f4e754f84aaab80ff9

SHA512
e1362acbb77c9d8167919106b344e9e272b2471baea388099129ec558c6c0070bcc4101442b24ca5361f4a2f04a0b0409236aab3a0d6dbf0d1320b53ba6f27ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5EFD.tmp\NAw37Of0WvBXyB.dll

Filesize
614KB

MD5
57a98d53c7a19558850c8ba3b427d837

SHA1
ffff0d9e6a1a7c8404b3138cd45ae0632acb5454

SHA256
fcf93772590062ea64a3fde503a04eb0863c34dfcd9b79f9f107e416188897ce

SHA512
5c6ed8942174f8948d2dd5008545fa4c6473e3252579987f9ae279332ab6185b149fc730f33cce41f6d9052f8abae3791f50b7199e03fe38419801ff4b5b3e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5EFD.tmp\NAw37Of0WvBXyB.tlb

Filesize
3KB

MD5
45e2dba10261636a6860b41f6e2e8b56

SHA1
43b4ab21bc78c88a5a78c2836d72c8955cd41970

SHA256
85d8949eaccb7587a32ec59ee63a1f459866a9f62e3890ee0caf076adfecd65c

SHA512
72230081a59cc329f149376580f576ac54ac55db8d1fe8d79c07abd3517bf337fc0c9b181535de3ea9da2a466535b10d6b1521b845ff2f911c37eee42ef904e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5EFD.tmp\NAw37Of0WvBXyB.x64.dll

Filesize
695KB

MD5
04fb344faa7d54ef787ded9135ee0d76

SHA1
d126aa0c600830e677fefca5fdc4a9cf19ad5633

SHA256
9dcb9dd3320981707d6ec1a7744ce68faf612a5c4d8734927ff67d78bc32870e

SHA512
6396e28dfac19e9dcedf777340f8681316e6af3f08080242c9408b4de7196cbc5d2c5e32228c67a096a017f59a8e62011c051b321b17547a8664c7121414f31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5EFD.tmp\b7SbvP8NDDEfSpI.dat

Filesize
6KB

MD5
f47d4cc7984f96f11f12d8055bc94eb7

SHA1
ffa0fd818baf987d885e5582cee9805b7385cbdc

SHA256
5edf7ea88c0cd9780c7e3d204df6cb8a708d28e942daa59b40cb1587ad4bd5ca

SHA512
58284bc52ea0377aa2efd76b76fd76286a1fc77d00173a7f8b044b81cd316e2d4c285ace6f7d0b6220b931e5da27ef0892f47c207b2560063daaadbb6c78b6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5EFD.tmp\b7SbvP8NDDEfSpI.exe

Filesize
625KB

MD5
79a75688aec8754bb2e56259e2abd71e

SHA1
adb4fada167696b2a7572cbffcca35bf560b1464

SHA256
abf9a05fb54799df0f3ff311f62560eb1a7ec09fbe719d8a7b51015e8fa29ea7

SHA512
1542e105d3098195e4004b97aaeb523d8dd7b7ccbd64fc14ecce35192b889f0dbafe6e506aa3042c05f521feb1672cbe89eebd6459e23b770512ebb1842ad1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5EFD.tmp\b7SbvP8NDDEfSpI.exe

Filesize
625KB

MD5
79a75688aec8754bb2e56259e2abd71e

SHA1
adb4fada167696b2a7572cbffcca35bf560b1464

SHA256
abf9a05fb54799df0f3ff311f62560eb1a7ec09fbe719d8a7b51015e8fa29ea7

SHA512
1542e105d3098195e4004b97aaeb523d8dd7b7ccbd64fc14ecce35192b889f0dbafe6e506aa3042c05f521feb1672cbe89eebd6459e23b770512ebb1842ad1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5EFD.tmp\mbecoljhniddldichfkcdadfafidopel\L.js

Filesize
5KB

MD5
95c4cb942a9024b27d448b388c356cf6

SHA1
9446c68a2b6c63953d704630b8798bd23dcbe6ba

SHA256
d92cd04c00728b2d2aa8b0a08c6ca9398176aa446b6ea210614a7c0370e842a6

SHA512
c157b8aa4db9548011809c953935f0d369968ae7913c4ac22c314f9e532b34254095c4fdcf4c6d8a3e4fd5093fde89b9959b376e2a44273066edd8193436bd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5EFD.tmp\mbecoljhniddldichfkcdadfafidopel\background.html

Filesize
138B

MD5
c7ce0f401a7892a6e4e06d200c013f76

SHA1
23ab43e51d1c5f8c5652e6a88c1930a541c9f0a3

SHA256
9b96ff480eaa5d059d7857465da193f86735f4f13898596838657d2efc0e0b48

SHA512
9816cd01dcaf6c31088fdf9b812fc51fecf31d9af4d48d671982ef81056e5f2bd65b06d52887cb3f38cf6605ac3d736d7f2f362cca035b5a5feb092119f13bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5EFD.tmp\mbecoljhniddldichfkcdadfafidopel\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5EFD.tmp\mbecoljhniddldichfkcdadfafidopel\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5EFD.tmp\mbecoljhniddldichfkcdadfafidopel\manifest.json

Filesize
498B

MD5
9c063207e18b4be1aa2c9ba76ca4c114

SHA1
4aab780004676fc68f2cd767d295f0e1a4cec20d

SHA256
d79b9a4c151ffc381d8ee3b76e33bf41af5ae6d581b485be74158444617f946a

SHA512
7ed695c39c000253f53716ad422acd9e65dc0e65756668a2757473690104089640b564d71e09a9d9565d647ac7f84b8dc338ff6df0554b67ee0593e6b9002928

Download Submit