be49ecffe80942a396186d0e9b3022b9fd0cf55593e9eaa774bc39219e6c46e1

Analysis

max time kernel
167s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be49ecffe80942a396186d0e9b3022b9fd0cf55593e9eaa774bc39219e6c46e1.exe
Size

2.1MB
MD5

21aaa787f39330d9aee082d86b01491b
SHA1

1946d2aae041e99ec1b55c4b2469d9f6a6605373
SHA256

be49ecffe80942a396186d0e9b3022b9fd0cf55593e9eaa774bc39219e6c46e1
SHA512

f111a566c417c03f0094cc14e50a24176b6db011af1ac45e17f32ac731a76d69dd2c81f767b959b1ea18f6c9aed799e6f1d786cdec88638fcd87fbf923fffe0d
SSDEEP

49152:h1Osbl9RJLu6vcW6hGkaVR7QSiN/tObJmZcqYUuRTG:h1OmrVOhGRkSixtKDE

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
620	tRyVPCSrsxsDrV6.exe

Loads dropped DLL 4 IoCs

pid	Process
268	be49ecffe80942a396186d0e9b3022b9fd0cf55593e9eaa774bc39219e6c46e1.exe
620	tRyVPCSrsxsDrV6.exe
1684	regsvr32.exe
968	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcidbbaaffnjehefmidagnglehhbmepk\2.0\manifest.json	tRyVPCSrsxsDrV6.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcidbbaaffnjehefmidagnglehhbmepk\2.0\manifest.json	tRyVPCSrsxsDrV6.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcidbbaaffnjehefmidagnglehhbmepk\2.0\manifest.json	tRyVPCSrsxsDrV6.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	tRyVPCSrsxsDrV6.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	tRyVPCSrsxsDrV6.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	tRyVPCSrsxsDrV6.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	tRyVPCSrsxsDrV6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	tRyVPCSrsxsDrV6.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoSave\gRB0aibLAfHq0E.tlb	tRyVPCSrsxsDrV6.exe
File opened for modification	C:\Program Files (x86)\GoSave\gRB0aibLAfHq0E.tlb	tRyVPCSrsxsDrV6.exe
File created	C:\Program Files (x86)\GoSave\gRB0aibLAfHq0E.dat	tRyVPCSrsxsDrV6.exe
File opened for modification	C:\Program Files (x86)\GoSave\gRB0aibLAfHq0E.dat	tRyVPCSrsxsDrV6.exe
File created	C:\Program Files (x86)\GoSave\gRB0aibLAfHq0E.x64.dll	tRyVPCSrsxsDrV6.exe
File opened for modification	C:\Program Files (x86)\GoSave\gRB0aibLAfHq0E.x64.dll	tRyVPCSrsxsDrV6.exe
File created	C:\Program Files (x86)\GoSave\gRB0aibLAfHq0E.dll	tRyVPCSrsxsDrV6.exe
File opened for modification	C:\Program Files (x86)\GoSave\gRB0aibLAfHq0E.dll	tRyVPCSrsxsDrV6.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
620	tRyVPCSrsxsDrV6.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 268 wrote to memory of 620	268	be49ecffe80942a396186d0e9b3022b9fd0cf55593e9eaa774bc39219e6c46e1.exe	28
PID 268 wrote to memory of 620	268	be49ecffe80942a396186d0e9b3022b9fd0cf55593e9eaa774bc39219e6c46e1.exe	28
PID 268 wrote to memory of 620	268	be49ecffe80942a396186d0e9b3022b9fd0cf55593e9eaa774bc39219e6c46e1.exe	28
PID 268 wrote to memory of 620	268	be49ecffe80942a396186d0e9b3022b9fd0cf55593e9eaa774bc39219e6c46e1.exe	28
PID 620 wrote to memory of 1684	620	tRyVPCSrsxsDrV6.exe	29
PID 620 wrote to memory of 1684	620	tRyVPCSrsxsDrV6.exe	29
PID 620 wrote to memory of 1684	620	tRyVPCSrsxsDrV6.exe	29
PID 620 wrote to memory of 1684	620	tRyVPCSrsxsDrV6.exe	29
PID 620 wrote to memory of 1684	620	tRyVPCSrsxsDrV6.exe	29
PID 620 wrote to memory of 1684	620	tRyVPCSrsxsDrV6.exe	29
PID 620 wrote to memory of 1684	620	tRyVPCSrsxsDrV6.exe	29
PID 1684 wrote to memory of 968	1684	regsvr32.exe	30
PID 1684 wrote to memory of 968	1684	regsvr32.exe	30
PID 1684 wrote to memory of 968	1684	regsvr32.exe	30
PID 1684 wrote to memory of 968	1684	regsvr32.exe	30
PID 1684 wrote to memory of 968	1684	regsvr32.exe	30
PID 1684 wrote to memory of 968	1684	regsvr32.exe	30
PID 1684 wrote to memory of 968	1684	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\be49ecffe80942a396186d0e9b3022b9fd0cf55593e9eaa774bc39219e6c46e1.exe
"C:\Users\Admin\AppData\Local\Temp\be49ecffe80942a396186d0e9b3022b9fd0cf55593e9eaa774bc39219e6c46e1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:268
- C:\Users\Admin\AppData\Local\Temp\7zSC0B1.tmp\tRyVPCSrsxsDrV6.exe
  .\tRyVPCSrsxsDrV6.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSave\gRB0aibLAfHq0E.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSave\gRB0aibLAfHq0E.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\gRB0aibLAfHq0E.dat

Filesize
6KB

MD5
3f5696af4661ddd93a8bf9a7cba18d6b

SHA1
037bd7abe10d15759516754ff54c2413c895665e

SHA256
2df174e8dc7662f2055f997ffff301ecc303c4872a6edabab73ccd4b8c5cd013

SHA512
0e56a2dab86f529d64024c036d8b8a50959e59e7e9e02a3cf410a26a11b1347d5082e32fdfbe5cfdf34ee8e323b36f2bea08321d6d508c0060dc4a3b63b83d50

Download Submit
C:\Program Files (x86)\GoSave\gRB0aibLAfHq0E.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0B1.tmp\bcidbbaaffnjehefmidagnglehhbmepk\background.html

Filesize
144B

MD5
8b3fefce7663ba1cab44f35f02a6744c

SHA1
d6934804be05d1e542179e6e360c97e82f700c26

SHA256
2023581ab69372defc99a1aadcc8a5b8c1b51e5016415ac0f4ee29ce815ed667

SHA512
e2e415b0a7dc38955cd2da0f0880b60ee0096f699f98e71109fb6df40a1623e0eb467703764ca831f9e8c8d9a1ce62fbaa7146a24e55a768aade5275adbb98d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0B1.tmp\bcidbbaaffnjehefmidagnglehhbmepk\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0B1.tmp\bcidbbaaffnjehefmidagnglehhbmepk\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0B1.tmp\bcidbbaaffnjehefmidagnglehhbmepk\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0B1.tmp\bcidbbaaffnjehefmidagnglehhbmepk\y62eUDG.js

Filesize
5KB

MD5
d805978903b089fb9f92cdb8b987004d

SHA1
ebd93e6c071dd9a3199cbb2452104733ec4f2749

SHA256
cea9fffe149bc90006a7e130aef5fe1b223df806ba43aeec6aa95a0fd6fdf9f6

SHA512
8a7f97d15005002f3066c1d1e31c02e8e9df8b2d34f2a326a6908e36f4b09124a65661025d68fb27e0278c68dd1298af85fa7a4427e11c57c96fea528ffe8439

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0B1.tmp\gRB0aibLAfHq0E.dll

Filesize
621KB

MD5
021d6ecac6ffca37cd098212eb99c22e

SHA1
e662d4f6bcee66df291ee638349bd75d5468e834

SHA256
f9f805536f4f45348b36aa4d60ed1b9869c5fe36acea58c25064dbcdb1a0ee50

SHA512
8fd459ead2ab976a17588f1e5e6c39ffab032d98a1903c1f70ae89dc273eca0a49662f582b6da9e394298ed4f11b7abad50bb51229f77ff2c95502672359572f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0B1.tmp\gRB0aibLAfHq0E.tlb

Filesize
3KB

MD5
38dcedc06ce882652b73038799f369c1

SHA1
09985c74e62920963791808be0765222d2a517d3

SHA256
37996a9f383f824002a73026332578b823bacad0a736f2f4c25401f6e2da307c

SHA512
78b7ab8fc102a0f874d24bb40e7b399befe3eb8788c08b059487770dd83a390daf0011c34d6cd29dd78e3436bfd6587fff2f50bde0c3bed49e6ffe27ef0b4c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0B1.tmp\gRB0aibLAfHq0E.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0B1.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0B1.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
e344bdd0fb6bbb1c690aa6a0520cde34

SHA1
37a916dd6b5898decac9e440a9a0c40afaee8261

SHA256
7037879a8e6338f1e618d3436ce5d1d77eb2ac883afc40e4d5268c5a687c8714

SHA512
8c21c191a5497a78523ad1dc4e6f61c96e855fd94d859a9f381b33e07ecb84aac591f455433c574421eadce0fa1faa29be581ba13adddc788625b3787799ac5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0B1.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
b5be13e7489d0cb7b5fc5743e946893a

SHA1
0f6a6f5bfa8bc841713b2e7c1464f54c4f970e2f

SHA256
388f26226c336ba51d8aa6b6ec4b70fed4ae4cdf6bab370d371f0130f796e1ce

SHA512
2b926b0fe3a5ce567254e90029fd1739437533725373aad005dd72fa760036b1846cb8b1b5b052ec3288d55847d9c1df3d02f8b091b4355c830f65c5739b9940

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0B1.tmp\[email protected]\install.rdf

Filesize
594B

MD5
e753fcc99005af1be6ae12d71bb877eb

SHA1
4cd0927608f63a8f5cc7cc9dd1b377362e0638c8

SHA256
617982b87768985abbd78268f5f16355377d9eb7f3e0db8d00c7d566213628db

SHA512
2a54dd07473c3a3ac04b6ae3d8195375a5696059f0fe115e2d2baa96fe7ad8cb39d79f5730e93fc2a458f8f82051e4e11886cc6d2cce2ad2f65d9d92fc2732e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0B1.tmp\tRyVPCSrsxsDrV6.dat

Filesize
6KB

MD5
3f5696af4661ddd93a8bf9a7cba18d6b

SHA1
037bd7abe10d15759516754ff54c2413c895665e

SHA256
2df174e8dc7662f2055f997ffff301ecc303c4872a6edabab73ccd4b8c5cd013

SHA512
0e56a2dab86f529d64024c036d8b8a50959e59e7e9e02a3cf410a26a11b1347d5082e32fdfbe5cfdf34ee8e323b36f2bea08321d6d508c0060dc4a3b63b83d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0B1.tmp\tRyVPCSrsxsDrV6.exe

Filesize
622KB

MD5
80fb7c6cb182b769448bd45c28fcc963

SHA1
454ad8e9ee2267c72222e7f8a902b2c19cfab01d

SHA256
9abc0a4bba0b42851bed08efb7c1643105b9f256e8ac53ae21d8d7269f9948b3

SHA512
224e8954fcb850ab2570005aa9ba82e643a65e0efaba70ac29b045ec9aba9d11414a211c7e87a8ba96eba1bd872d7541bc0d32890a87b20c814d573cfcfb0f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0B1.tmp\tRyVPCSrsxsDrV6.exe

Filesize
622KB

MD5
80fb7c6cb182b769448bd45c28fcc963

SHA1
454ad8e9ee2267c72222e7f8a902b2c19cfab01d

SHA256
9abc0a4bba0b42851bed08efb7c1643105b9f256e8ac53ae21d8d7269f9948b3

SHA512
224e8954fcb850ab2570005aa9ba82e643a65e0efaba70ac29b045ec9aba9d11414a211c7e87a8ba96eba1bd872d7541bc0d32890a87b20c814d573cfcfb0f14

Download Submit
\Program Files (x86)\GoSave\gRB0aibLAfHq0E.dll

Filesize
621KB

MD5
021d6ecac6ffca37cd098212eb99c22e

SHA1
e662d4f6bcee66df291ee638349bd75d5468e834

SHA256
f9f805536f4f45348b36aa4d60ed1b9869c5fe36acea58c25064dbcdb1a0ee50

SHA512
8fd459ead2ab976a17588f1e5e6c39ffab032d98a1903c1f70ae89dc273eca0a49662f582b6da9e394298ed4f11b7abad50bb51229f77ff2c95502672359572f

Download Submit
\Program Files (x86)\GoSave\gRB0aibLAfHq0E.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
\Program Files (x86)\GoSave\gRB0aibLAfHq0E.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC0B1.tmp\tRyVPCSrsxsDrV6.exe

Filesize
622KB

MD5
80fb7c6cb182b769448bd45c28fcc963

SHA1
454ad8e9ee2267c72222e7f8a902b2c19cfab01d

SHA256
9abc0a4bba0b42851bed08efb7c1643105b9f256e8ac53ae21d8d7269f9948b3

SHA512
224e8954fcb850ab2570005aa9ba82e643a65e0efaba70ac29b045ec9aba9d11414a211c7e87a8ba96eba1bd872d7541bc0d32890a87b20c814d573cfcfb0f14

Download Submit
memory/268-54-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download
memory/620-56-0x0000000000000000-mapping.dmp

Download
memory/968-77-0x0000000000000000-mapping.dmp

Download
memory/968-78-0x000007FEFBDD1000-0x000007FEFBDD3000-memory.dmp

Filesize
8KB

Download
memory/1684-73-0x0000000000000000-mapping.dmp

Download