8b2130c7048a7e694d87a8b92deee27c9883c2dcbaa5c74b9cb8ffc4d3d14962

Analysis

max time kernel
58s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b2130c7048a7e694d87a8b92deee27c9883c2dcbaa5c74b9cb8ffc4d3d14962.exe
Size

2.0MB
MD5

904bfb465258dac1d363a169e5c3c5dd
SHA1

a5bc20e57d020870c903428b6524757a14458976
SHA256

8b2130c7048a7e694d87a8b92deee27c9883c2dcbaa5c74b9cb8ffc4d3d14962
SHA512

92a5e5136f4fdf92369f7598510f2ff3e4897b0a79b7715909ecd7b08d5d6d1d72678cbec8736719bce21360c0890f1539137100da89b5efe20bbfcb38bbdbb5
SSDEEP

24576:h1OYdaOxjfen1Y6KIc8dPc3Mp6CzcJcB1TE1VyDGxQQYxMfyylmCHxxyJGb8tK:h1OsPZIdJc346K1TcAGb8tK

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
436	MoeIPPynbcED62q.exe

Loads dropped DLL 4 IoCs

pid	Process
888	8b2130c7048a7e694d87a8b92deee27c9883c2dcbaa5c74b9cb8ffc4d3d14962.exe
436	MoeIPPynbcED62q.exe
1444	regsvr32.exe
1536	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfiaicmhmaenincboamignlldohohpmk\2.0\manifest.json	MoeIPPynbcED62q.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfiaicmhmaenincboamignlldohohpmk\2.0\manifest.json	MoeIPPynbcED62q.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfiaicmhmaenincboamignlldohohpmk\2.0\manifest.json	MoeIPPynbcED62q.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	MoeIPPynbcED62q.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	MoeIPPynbcED62q.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	MoeIPPynbcED62q.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	MoeIPPynbcED62q.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	MoeIPPynbcED62q.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoSave\dEfBKDZ6iOEDMo.x64.dll	MoeIPPynbcED62q.exe
File opened for modification	C:\Program Files (x86)\GoSave\dEfBKDZ6iOEDMo.x64.dll	MoeIPPynbcED62q.exe
File created	C:\Program Files (x86)\GoSave\dEfBKDZ6iOEDMo.dll	MoeIPPynbcED62q.exe
File opened for modification	C:\Program Files (x86)\GoSave\dEfBKDZ6iOEDMo.dll	MoeIPPynbcED62q.exe
File created	C:\Program Files (x86)\GoSave\dEfBKDZ6iOEDMo.tlb	MoeIPPynbcED62q.exe
File opened for modification	C:\Program Files (x86)\GoSave\dEfBKDZ6iOEDMo.tlb	MoeIPPynbcED62q.exe
File created	C:\Program Files (x86)\GoSave\dEfBKDZ6iOEDMo.dat	MoeIPPynbcED62q.exe
File opened for modification	C:\Program Files (x86)\GoSave\dEfBKDZ6iOEDMo.dat	MoeIPPynbcED62q.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 436	888	8b2130c7048a7e694d87a8b92deee27c9883c2dcbaa5c74b9cb8ffc4d3d14962.exe	28
PID 888 wrote to memory of 436	888	8b2130c7048a7e694d87a8b92deee27c9883c2dcbaa5c74b9cb8ffc4d3d14962.exe	28
PID 888 wrote to memory of 436	888	8b2130c7048a7e694d87a8b92deee27c9883c2dcbaa5c74b9cb8ffc4d3d14962.exe	28
PID 888 wrote to memory of 436	888	8b2130c7048a7e694d87a8b92deee27c9883c2dcbaa5c74b9cb8ffc4d3d14962.exe	28
PID 436 wrote to memory of 1444	436	MoeIPPynbcED62q.exe	29
PID 436 wrote to memory of 1444	436	MoeIPPynbcED62q.exe	29
PID 436 wrote to memory of 1444	436	MoeIPPynbcED62q.exe	29
PID 436 wrote to memory of 1444	436	MoeIPPynbcED62q.exe	29
PID 436 wrote to memory of 1444	436	MoeIPPynbcED62q.exe	29
PID 436 wrote to memory of 1444	436	MoeIPPynbcED62q.exe	29
PID 436 wrote to memory of 1444	436	MoeIPPynbcED62q.exe	29
PID 1444 wrote to memory of 1536	1444	regsvr32.exe	30
PID 1444 wrote to memory of 1536	1444	regsvr32.exe	30
PID 1444 wrote to memory of 1536	1444	regsvr32.exe	30
PID 1444 wrote to memory of 1536	1444	regsvr32.exe	30
PID 1444 wrote to memory of 1536	1444	regsvr32.exe	30
PID 1444 wrote to memory of 1536	1444	regsvr32.exe	30
PID 1444 wrote to memory of 1536	1444	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\8b2130c7048a7e694d87a8b92deee27c9883c2dcbaa5c74b9cb8ffc4d3d14962.exe
"C:\Users\Admin\AppData\Local\Temp\8b2130c7048a7e694d87a8b92deee27c9883c2dcbaa5c74b9cb8ffc4d3d14962.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:888
- C:\Users\Admin\AppData\Local\Temp\7zSC39E.tmp\MoeIPPynbcED62q.exe
  .\MoeIPPynbcED62q.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSave\dEfBKDZ6iOEDMo.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSave\dEfBKDZ6iOEDMo.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\dEfBKDZ6iOEDMo.dat

Filesize
6KB

MD5
e45a04076544e033582269401de7f6a6

SHA1
3d0a170ed0afe9eedd69dc7dae7d71fba47809d8

SHA256
346feca1faef944a5eb182aa2d49a6da40c1fcb6cb28e4556811c20f1c9cee86

SHA512
a02f5a02f33ba2e6733e422115ad3ae52f585c962a50cd41c6ac95601073d369cba17dbe0b66495c90cf46050d0ce024268485c046fad85d323a62c108e33d2f

Download Submit
C:\Program Files (x86)\GoSave\dEfBKDZ6iOEDMo.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39E.tmp\MoeIPPynbcED62q.dat

Filesize
6KB

MD5
e45a04076544e033582269401de7f6a6

SHA1
3d0a170ed0afe9eedd69dc7dae7d71fba47809d8

SHA256
346feca1faef944a5eb182aa2d49a6da40c1fcb6cb28e4556811c20f1c9cee86

SHA512
a02f5a02f33ba2e6733e422115ad3ae52f585c962a50cd41c6ac95601073d369cba17dbe0b66495c90cf46050d0ce024268485c046fad85d323a62c108e33d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39E.tmp\MoeIPPynbcED62q.exe

Filesize
625KB

MD5
ca04c0f764aa0797cbe40913d3d8d17f

SHA1
7358d68ace7d7e6213726433c41dd7b781762d74

SHA256
a018bdb7e28a4e0dd07da454e8192045f5994c66f95c47defaa0ce40661fc90f

SHA512
fae69fd13b4b9308973ff713fe7c6ee10525b76e9c70106dbe08673d86b6ecc3ebf5d90f6c3a461d64352726de28fbb5903c89db28916423766810c62686f0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39E.tmp\MoeIPPynbcED62q.exe

Filesize
625KB

MD5
ca04c0f764aa0797cbe40913d3d8d17f

SHA1
7358d68ace7d7e6213726433c41dd7b781762d74

SHA256
a018bdb7e28a4e0dd07da454e8192045f5994c66f95c47defaa0ce40661fc90f

SHA512
fae69fd13b4b9308973ff713fe7c6ee10525b76e9c70106dbe08673d86b6ecc3ebf5d90f6c3a461d64352726de28fbb5903c89db28916423766810c62686f0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39E.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39E.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
124f0e3137fef78699338fd406621b84

SHA1
9ae9c130ae11a9228e8a926736d7ca3f5f0481a3

SHA256
3b7e00716246b475ca3bb672da3cc2f392cd513f837ff285de2fc0d60b5a19a1

SHA512
5588d22a8c108c1492989e27e13f1b624ce332aade7d5581c3fd08bcc7ba2928199e69c7a9ab7f76c4bebbe758ae342285b0d525e403bd70a626a0b6a508ba38

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39E.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
cc27079be7759d427e840450d893e5d9

SHA1
dc159f6013da8c1653a8a34022c2baccab951347

SHA256
9821718097eedaa0f205d2ef0549fa746bba5e0addbcd0988418189df8adde04

SHA512
1aefbfcdd5cb8e98dbd5c90b9bead3a9d70be6d6a7933f3ff9c0e04116dcf3f5ea3406c9443d6e21f0408fe9a56316deeba561ddec32dcc5797bf2bb77baabf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39E.tmp\[email protected]\install.rdf

Filesize
597B

MD5
320f6c898ca41c0411c73e0bd68e5b5a

SHA1
0f41e3943f3acacc49ffcde4deb4934ecec82377

SHA256
58f40ab1cb4aa7543f0cc330e91beafee54e63f103a6ea94a51b9258c529619d

SHA512
57cfee6b899ed4bafce153a88e3fe1d6731292efef76eb514b9f64f0f13b82b439873cc8d944cce9d3e50125455bb4db225f82cec989666e0255609f9eb95e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39E.tmp\dEfBKDZ6iOEDMo.dll

Filesize
613KB

MD5
0df7c26b4abf65cd6ca180c2ddc7ae4b

SHA1
d43e0770e0a5778525a4828f46e1e4448cdc9aa8

SHA256
f133fed29f50b1cdc8af2043608b14f8f20ab5349a2cfe16536d089966eb120b

SHA512
29ca79a58784de2855975849a94f0f3e55b3a13ece1cf9ff25db98d397c1758d88df8ac4887dfb48b28a89564e60a3a0195140d154ce0d0b81569fd0931fc474

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39E.tmp\dEfBKDZ6iOEDMo.tlb

Filesize
3KB

MD5
ab50bfd160f5251c1c06947ba8523db0

SHA1
7940cc61ab4e0bb82afc03dd141eaf8bd963c091

SHA256
a23c9c376478404d8f90d1d984935f7b5e5f2e5674fd8a7642dc89f2b1b2c4a8

SHA512
506baa3f8ca880eeb4d26e9744babef326d2b5b1fb0971c712072c4aeeaaaff702847c045fe0270d45cc71a0b7fb53ba0af60aeaa34f5154f9617c85a06c3334

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39E.tmp\dEfBKDZ6iOEDMo.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39E.tmp\lfiaicmhmaenincboamignlldohohpmk\PLzW.js

Filesize
5KB

MD5
6e924a15b84c469686c077cf2f116291

SHA1
b36cea461ad4c11eeddd8f6e5e39c2ae537f30be

SHA256
6d18cda0462078c73d9fdb9f7484cb6f707391a001f0370519b2e47ac3007dbd

SHA512
a675e1866406ef387a5f0664ca299b0c697808a7128b0a81d7057a877cd1a40401d74fd4395dedd16b465dc5a7f2c994d8e6d3638011903c571ed84aa2e76895

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39E.tmp\lfiaicmhmaenincboamignlldohohpmk\background.html

Filesize
141B

MD5
eabe9788663cf1d0df931e117e85e39b

SHA1
062760dd4452b30d6b8c11bedb63a8c05c03f4c3

SHA256
c442aa4dd4e07dffa2f6b0fd3dccd9d3d693209f6901d52d626360796713f48d

SHA512
906f73e46c42b08633bcd2f1c760675214cfede5434200a8791b2d22c8a32519e75037bcc9c9c234afed1e97be681d700935eaca139611b71fb3aa557bed59af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39E.tmp\lfiaicmhmaenincboamignlldohohpmk\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39E.tmp\lfiaicmhmaenincboamignlldohohpmk\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC39E.tmp\lfiaicmhmaenincboamignlldohohpmk\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
\Program Files (x86)\GoSave\dEfBKDZ6iOEDMo.dll

Filesize
613KB

MD5
0df7c26b4abf65cd6ca180c2ddc7ae4b

SHA1
d43e0770e0a5778525a4828f46e1e4448cdc9aa8

SHA256
f133fed29f50b1cdc8af2043608b14f8f20ab5349a2cfe16536d089966eb120b

SHA512
29ca79a58784de2855975849a94f0f3e55b3a13ece1cf9ff25db98d397c1758d88df8ac4887dfb48b28a89564e60a3a0195140d154ce0d0b81569fd0931fc474

Download Submit
\Program Files (x86)\GoSave\dEfBKDZ6iOEDMo.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
\Program Files (x86)\GoSave\dEfBKDZ6iOEDMo.x64.dll

Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC39E.tmp\MoeIPPynbcED62q.exe

Filesize
625KB

MD5
ca04c0f764aa0797cbe40913d3d8d17f

SHA1
7358d68ace7d7e6213726433c41dd7b781762d74

SHA256
a018bdb7e28a4e0dd07da454e8192045f5994c66f95c47defaa0ce40661fc90f

SHA512
fae69fd13b4b9308973ff713fe7c6ee10525b76e9c70106dbe08673d86b6ecc3ebf5d90f6c3a461d64352726de28fbb5903c89db28916423766810c62686f0c0

Download Submit
memory/888-54-0x0000000075EC1000-0x0000000075EC3000-memory.dmp

Filesize
8KB

Download
memory/1536-78-0x000007FEFC381000-0x000007FEFC383000-memory.dmp

Filesize
8KB

Download