1b3c00699c368d74f2973645cd2f1e4e37c37347cb51c119140bab1633446071

Analysis

max time kernel
186s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b3c00699c368d74f2973645cd2f1e4e37c37347cb51c119140bab1633446071.exe
Size

2.1MB
MD5

f0170bded582098f6948faba7e3fb1da
SHA1

6a1fc14b29682e519dc7df41e7f7608146e1af54
SHA256

1b3c00699c368d74f2973645cd2f1e4e37c37347cb51c119140bab1633446071
SHA512

c57dc08e0feba5e14278de49f8c812dc880f5ae8cde0a28192ac26fedff8d35e4c266dfa6fd779228ff54c7f4b8ce6a69056d1ce568516f342634b9666274000
SSDEEP

49152:h1Os1YIGWkf6jd9YMhKKumq+4oAczj/i6jgvb7GvKSI:h1OIdd9YMhKgq+4fV

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

8ibZSWVUJjyCl2l.exe

pid process

4900 8ibZSWVUJjyCl2l.exe
Loads dropped DLL 3 IoCs

Processes:

8ibZSWVUJjyCl2l.exeregsvr32.exeregsvr32.exe

pid process

4900 8ibZSWVUJjyCl2l.exe
1280 regsvr32.exe
1108 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4900	8ibZSWVUJjyCl2l.exe

pid	process
4900	8ibZSWVUJjyCl2l.exe
1280	regsvr32.exe
1108	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

8ibZSWVUJjyCl2l.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcngogebcopecfjebnmdflkhlodhddki\2.0\manifest.json	8ibZSWVUJjyCl2l.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcngogebcopecfjebnmdflkhlodhddki\2.0\manifest.json	8ibZSWVUJjyCl2l.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcngogebcopecfjebnmdflkhlodhddki\2.0\manifest.json	8ibZSWVUJjyCl2l.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcngogebcopecfjebnmdflkhlodhddki\2.0\manifest.json	8ibZSWVUJjyCl2l.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcngogebcopecfjebnmdflkhlodhddki\2.0\manifest.json	8ibZSWVUJjyCl2l.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

8ibZSWVUJjyCl2l.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	8ibZSWVUJjyCl2l.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	8ibZSWVUJjyCl2l.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	8ibZSWVUJjyCl2l.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	8ibZSWVUJjyCl2l.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe

Drops file in System32 directory 4 IoCs

Processes:

8ibZSWVUJjyCl2l.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	8ibZSWVUJjyCl2l.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	8ibZSWVUJjyCl2l.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	8ibZSWVUJjyCl2l.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	8ibZSWVUJjyCl2l.exe

Drops file in Program Files directory 8 IoCs

Processes:

8ibZSWVUJjyCl2l.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GooSave\d0r91tf0ILbUsy.dll	8ibZSWVUJjyCl2l.exe
File created	C:\Program Files (x86)\GooSave\d0r91tf0ILbUsy.tlb	8ibZSWVUJjyCl2l.exe
File opened for modification	C:\Program Files (x86)\GooSave\d0r91tf0ILbUsy.tlb	8ibZSWVUJjyCl2l.exe
File created	C:\Program Files (x86)\GooSave\d0r91tf0ILbUsy.dat	8ibZSWVUJjyCl2l.exe
File opened for modification	C:\Program Files (x86)\GooSave\d0r91tf0ILbUsy.dat	8ibZSWVUJjyCl2l.exe
File created	C:\Program Files (x86)\GooSave\d0r91tf0ILbUsy.x64.dll	8ibZSWVUJjyCl2l.exe
File opened for modification	C:\Program Files (x86)\GooSave\d0r91tf0ILbUsy.x64.dll	8ibZSWVUJjyCl2l.exe
File created	C:\Program Files (x86)\GooSave\d0r91tf0ILbUsy.dll	8ibZSWVUJjyCl2l.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

8ibZSWVUJjyCl2l.exe

pid process

4900 8ibZSWVUJjyCl2l.exe
4900 8ibZSWVUJjyCl2l.exe
4900 8ibZSWVUJjyCl2l.exe
4900 8ibZSWVUJjyCl2l.exe

pid	process
4900	8ibZSWVUJjyCl2l.exe
4900	8ibZSWVUJjyCl2l.exe
4900	8ibZSWVUJjyCl2l.exe
4900	8ibZSWVUJjyCl2l.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1b3c00699c368d74f2973645cd2f1e4e37c37347cb51c119140bab1633446071.exe8ibZSWVUJjyCl2l.exeregsvr32.exe

description	pid	process	target process
PID 1068 wrote to memory of 4900	1068	1b3c00699c368d74f2973645cd2f1e4e37c37347cb51c119140bab1633446071.exe	8ibZSWVUJjyCl2l.exe
PID 1068 wrote to memory of 4900	1068	1b3c00699c368d74f2973645cd2f1e4e37c37347cb51c119140bab1633446071.exe	8ibZSWVUJjyCl2l.exe
PID 1068 wrote to memory of 4900	1068	1b3c00699c368d74f2973645cd2f1e4e37c37347cb51c119140bab1633446071.exe	8ibZSWVUJjyCl2l.exe
PID 4900 wrote to memory of 1280	4900	8ibZSWVUJjyCl2l.exe	regsvr32.exe
PID 4900 wrote to memory of 1280	4900	8ibZSWVUJjyCl2l.exe	regsvr32.exe
PID 4900 wrote to memory of 1280	4900	8ibZSWVUJjyCl2l.exe	regsvr32.exe
PID 1280 wrote to memory of 1108	1280	regsvr32.exe	regsvr32.exe
PID 1280 wrote to memory of 1108	1280	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\1b3c00699c368d74f2973645cd2f1e4e37c37347cb51c119140bab1633446071.exe
"C:\Users\Admin\AppData\Local\Temp\1b3c00699c368d74f2973645cd2f1e4e37c37347cb51c119140bab1633446071.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Local\Temp\7zS19C2.tmp\8ibZSWVUJjyCl2l.exe
.\8ibZSWVUJjyCl2l.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GooSave\d0r91tf0ILbUsy.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GooSave\d0r91tf0ILbUsy.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GooSave\d0r91tf0ILbUsy.dat

Filesize
6KB

MD5
3f00450988021f67fa64291f56bb3c52

SHA1
e09baf56818c5b06562043b93e479aec0c88b867

SHA256
fd3e739854a2325d27ea0ead4358f0f5e730dce12bc0f61f15f1474763fc0dae

SHA512
eac61547970577db6ad4ff8a40680259cf443b4a4630db2002f18e8919529d3a79058c191779e82f0f2f8960197e429d72f703c74b813ad9fc88272405b7e85b

Download Submit
C:\Program Files (x86)\GooSave\d0r91tf0ILbUsy.dll

Filesize
623KB

MD5
103866fff4628ada4be6e5235b2ebf5d

SHA1
86ca018b33c7cdb953371ee1e290313b9a54a251

SHA256
963728f71b4ecee9380a18f5bbc6930256be6018a8087a9964f98ba3e17b7a7c

SHA512
2a8f9ce8854bab77b801eb146934e267de3cca83727a8a7c13885b41c75a0b563fdd0cb1683f78057fc6833b22d9d14c5ef0d3707753293d59d4b61f7a9744c3

Download Submit
C:\Program Files (x86)\GooSave\d0r91tf0ILbUsy.x64.dll

Filesize
700KB

MD5
401087ab67c6d917bf08d82f011d9eee

SHA1
d13dbf241d214d6036f8c6276e0e305fc2ac2b8a

SHA256
fada9f28483ab94341359011d5ab92a6fa2418d010aa3eb1c485c19db15e62f5

SHA512
4d952fc0a2ef968997d62d901a731193105da2f4541abf4eb3e5c99e247edc7ffb15ae55a8d0e5d228ae704b0a7ff7dca24e14312f778896d834971e7f3d8af6

Download Submit
C:\Program Files (x86)\GooSave\d0r91tf0ILbUsy.x64.dll

Filesize
700KB

MD5
401087ab67c6d917bf08d82f011d9eee

SHA1
d13dbf241d214d6036f8c6276e0e305fc2ac2b8a

SHA256
fada9f28483ab94341359011d5ab92a6fa2418d010aa3eb1c485c19db15e62f5

SHA512
4d952fc0a2ef968997d62d901a731193105da2f4541abf4eb3e5c99e247edc7ffb15ae55a8d0e5d228ae704b0a7ff7dca24e14312f778896d834971e7f3d8af6

Download Submit
C:\Program Files (x86)\GooSave\d0r91tf0ILbUsy.x64.dll

Filesize
700KB

MD5
401087ab67c6d917bf08d82f011d9eee

SHA1
d13dbf241d214d6036f8c6276e0e305fc2ac2b8a

SHA256
fada9f28483ab94341359011d5ab92a6fa2418d010aa3eb1c485c19db15e62f5

SHA512
4d952fc0a2ef968997d62d901a731193105da2f4541abf4eb3e5c99e247edc7ffb15ae55a8d0e5d228ae704b0a7ff7dca24e14312f778896d834971e7f3d8af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19C2.tmp\8ibZSWVUJjyCl2l.dat

Filesize
6KB

MD5
3f00450988021f67fa64291f56bb3c52

SHA1
e09baf56818c5b06562043b93e479aec0c88b867

SHA256
fd3e739854a2325d27ea0ead4358f0f5e730dce12bc0f61f15f1474763fc0dae

SHA512
eac61547970577db6ad4ff8a40680259cf443b4a4630db2002f18e8919529d3a79058c191779e82f0f2f8960197e429d72f703c74b813ad9fc88272405b7e85b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19C2.tmp\8ibZSWVUJjyCl2l.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19C2.tmp\8ibZSWVUJjyCl2l.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19C2.tmp\d0r91tf0ILbUsy.dll

Filesize
623KB

MD5
103866fff4628ada4be6e5235b2ebf5d

SHA1
86ca018b33c7cdb953371ee1e290313b9a54a251

SHA256
963728f71b4ecee9380a18f5bbc6930256be6018a8087a9964f98ba3e17b7a7c

SHA512
2a8f9ce8854bab77b801eb146934e267de3cca83727a8a7c13885b41c75a0b563fdd0cb1683f78057fc6833b22d9d14c5ef0d3707753293d59d4b61f7a9744c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19C2.tmp\d0r91tf0ILbUsy.tlb

Filesize
3KB

MD5
3c920faafd032eeda08e4166860d4318

SHA1
26451ee3659c4a217f42ebd07f254679ab452f3a

SHA256
3377d0af1044505271c64fc342e22a7a24b757e5471657f656ac743373e22857

SHA512
327668001f94842eee3ff1dc44c70ddca5da3a0bb49aeea6b3162608b07496456e78bcb3de0462e5e375b349e813f13fd02e61b9e389b1d954cea2628c3c4a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19C2.tmp\d0r91tf0ILbUsy.x64.dll

Filesize
700KB

MD5
401087ab67c6d917bf08d82f011d9eee

SHA1
d13dbf241d214d6036f8c6276e0e305fc2ac2b8a

SHA256
fada9f28483ab94341359011d5ab92a6fa2418d010aa3eb1c485c19db15e62f5

SHA512
4d952fc0a2ef968997d62d901a731193105da2f4541abf4eb3e5c99e247edc7ffb15ae55a8d0e5d228ae704b0a7ff7dca24e14312f778896d834971e7f3d8af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19C2.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19C2.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
1ea5dc06f2adc7d5d7c7bedcd11ef0e8

SHA1
e75807a2a167e0ba58029e36489c1d4d95f12cf1

SHA256
93ff764734966a0f6a4d2be1299711e0d6a6702d30811fd4ee3275a8e202f288

SHA512
d050fc65227d39a5b98936bb99daec297d5bb516b3e674fa54d2db7cf55fb8576abb9e0b21e03de40e8acb8442b4976e2d88bb001bbfff5842e824c657228a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19C2.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
a4e8abd9c2109dc8023f6848feb61c95

SHA1
ee198d1b8324c522724b99ed97b2e247b57d4b4b

SHA256
da5df81f91cca191cc425619209fe8ad08a7cf4695a7c043ef595cd784e9452c

SHA512
0e2a17c257c34bcbbe66829e2ffebe32203ffac30927f2667a1b4a52ce977e540503c0cf603cc7dcfdc679b64fd7ec89a181a61ed6a5494d5006eb8b45dcbcaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19C2.tmp\[email protected]\install.rdf

Filesize
594B

MD5
ed1e4b1ede1d7df2a16989c95181c67e

SHA1
651a065a11e43b280ae47401b040e21b2e9c95f4

SHA256
586c46014b3e9dfd0d87701b4e3620131af85f9a2f13bc4caa13038c682f32fc

SHA512
286320890d581e42d8eddb8eb8d491d7040d147b302fe220fe342846d836c36bfd70898d7eec54489603280c337bd975075b01677c4acb758e12eda4e96f4690

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19C2.tmp\pcngogebcopecfjebnmdflkhlodhddki\background.html

Filesize
141B

MD5
23f0ee40ec9a7682ec70b941bea3f15e

SHA1
c78cbb43aff9be4c8b369162d3f18cca58b8ccd6

SHA256
180a46bc96c5200f982e0862cfbe23946d798784101e3a26dafec984f07c32f8

SHA512
bce74c72690527ebde34e1779a329a4b09fd5c8263b6742bdd450c61d80d2fabe95774dac2ad5230214fb5d701079e88ed2ce1f720551f63174051b6586031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19C2.tmp\pcngogebcopecfjebnmdflkhlodhddki\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19C2.tmp\pcngogebcopecfjebnmdflkhlodhddki\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19C2.tmp\pcngogebcopecfjebnmdflkhlodhddki\mL90.js

Filesize
6KB

MD5
81e6abe50a492f0bf73bf71f2ff27b85

SHA1
834f5bb4f1bc4ece1f1d7d355b60746930221bf9

SHA256
cf5b87c6d54f012c5bb78afdfb7d5606c75a505bcdba44cba8c4610e423892e1

SHA512
52977faab0306ac7c28407af6974aca33d3dc5b96a831bde28a907ae0089f0ba3288f6667e8c18d628a02451480cf94eab48af097c6bc1ad13aeb9c258b2ba22

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19C2.tmp\pcngogebcopecfjebnmdflkhlodhddki\manifest.json

Filesize
499B

MD5
2bafae0ea4ab5ac51958f72d544ef543

SHA1
4a4665d6b13fbba59d92c908b8fc30aac3bedd08

SHA256
9c47ef92b7f138a1487632f023fb3f9ff2c379b29c627b716707b162ae56f473

SHA512
1f76f2b5423a040f29ecbc58e257c336faade2f80fc41917d165d02989858057508ed0cf5c7eecd12b6238885331f27d4f05d61ec0334200f6c17f2e4974b72f

Download Submit
memory/1108-152-0x0000000000000000-mapping.dmp

Download
memory/1280-149-0x0000000000000000-mapping.dmp

Download
memory/4900-132-0x0000000000000000-mapping.dmp

Download