18e39df7487e556ead962801a6a5d3e03149a7ac7f6cfbd33b2902ce298d8b53

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e39df7487e556ead962801a6a5d3e03149a7ac7f6cfbd33b2902ce298d8b53.exe
Size

2.1MB
MD5

844b15e58e948af7134d325d9938d5fe
SHA1

775025207b42cfdf817d2ad25986d79c3aa266e6
SHA256

18e39df7487e556ead962801a6a5d3e03149a7ac7f6cfbd33b2902ce298d8b53
SHA512

17ac2915a75761171338eed5cb631b11e3488bd52dde52b1fceb8da3c32699520a3437a8fcdb87f66aa437e3a585d7b8c99713354e9f969ac870b13d70605d5b
SSDEEP

24576:h1OYdaOITwLleYkTVug2PiL0jHM8WK5z6Sh19BUfOD4XRt1otyBNvJvMXzGK5Ihy:h1OsTLARTQ9PimJWtShQnvQsrut

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

lgAn4piSSGxcfGI.exe

pid process

4832 lgAn4piSSGxcfGI.exe
Loads dropped DLL 3 IoCs

Processes:

lgAn4piSSGxcfGI.exeregsvr32.exeregsvr32.exe

pid process

4832 lgAn4piSSGxcfGI.exe
2628 regsvr32.exe
2040 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4832	lgAn4piSSGxcfGI.exe

pid	process
4832	lgAn4piSSGxcfGI.exe
2628	regsvr32.exe
2040	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

lgAn4piSSGxcfGI.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmiopmiiafhimooljbdakbkdgjdgjoan\2.0\manifest.json	lgAn4piSSGxcfGI.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmiopmiiafhimooljbdakbkdgjdgjoan\2.0\manifest.json	lgAn4piSSGxcfGI.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmiopmiiafhimooljbdakbkdgjdgjoan\2.0\manifest.json	lgAn4piSSGxcfGI.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmiopmiiafhimooljbdakbkdgjdgjoan\2.0\manifest.json	lgAn4piSSGxcfGI.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmiopmiiafhimooljbdakbkdgjdgjoan\2.0\manifest.json	lgAn4piSSGxcfGI.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

lgAn4piSSGxcfGI.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	lgAn4piSSGxcfGI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	lgAn4piSSGxcfGI.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	lgAn4piSSGxcfGI.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	lgAn4piSSGxcfGI.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

lgAn4piSSGxcfGI.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GoSave\PumwJGUMLkeJSN.tlb	lgAn4piSSGxcfGI.exe
File created	C:\Program Files (x86)\GoSave\PumwJGUMLkeJSN.dat	lgAn4piSSGxcfGI.exe
File opened for modification	C:\Program Files (x86)\GoSave\PumwJGUMLkeJSN.dat	lgAn4piSSGxcfGI.exe
File created	C:\Program Files (x86)\GoSave\PumwJGUMLkeJSN.x64.dll	lgAn4piSSGxcfGI.exe
File opened for modification	C:\Program Files (x86)\GoSave\PumwJGUMLkeJSN.x64.dll	lgAn4piSSGxcfGI.exe
File created	C:\Program Files (x86)\GoSave\PumwJGUMLkeJSN.dll	lgAn4piSSGxcfGI.exe
File opened for modification	C:\Program Files (x86)\GoSave\PumwJGUMLkeJSN.dll	lgAn4piSSGxcfGI.exe
File created	C:\Program Files (x86)\GoSave\PumwJGUMLkeJSN.tlb	lgAn4piSSGxcfGI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

lgAn4piSSGxcfGI.exe

pid process

4832 lgAn4piSSGxcfGI.exe
4832 lgAn4piSSGxcfGI.exe

pid	process
4832	lgAn4piSSGxcfGI.exe
4832	lgAn4piSSGxcfGI.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

18e39df7487e556ead962801a6a5d3e03149a7ac7f6cfbd33b2902ce298d8b53.exelgAn4piSSGxcfGI.exeregsvr32.exe

description	pid	process	target process
PID 4844 wrote to memory of 4832	4844	18e39df7487e556ead962801a6a5d3e03149a7ac7f6cfbd33b2902ce298d8b53.exe	lgAn4piSSGxcfGI.exe
PID 4844 wrote to memory of 4832	4844	18e39df7487e556ead962801a6a5d3e03149a7ac7f6cfbd33b2902ce298d8b53.exe	lgAn4piSSGxcfGI.exe
PID 4844 wrote to memory of 4832	4844	18e39df7487e556ead962801a6a5d3e03149a7ac7f6cfbd33b2902ce298d8b53.exe	lgAn4piSSGxcfGI.exe
PID 4832 wrote to memory of 2628	4832	lgAn4piSSGxcfGI.exe	regsvr32.exe
PID 4832 wrote to memory of 2628	4832	lgAn4piSSGxcfGI.exe	regsvr32.exe
PID 4832 wrote to memory of 2628	4832	lgAn4piSSGxcfGI.exe	regsvr32.exe
PID 2628 wrote to memory of 2040	2628	regsvr32.exe	regsvr32.exe
PID 2628 wrote to memory of 2040	2628	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\18e39df7487e556ead962801a6a5d3e03149a7ac7f6cfbd33b2902ce298d8b53.exe
"C:\Users\Admin\AppData\Local\Temp\18e39df7487e556ead962801a6a5d3e03149a7ac7f6cfbd33b2902ce298d8b53.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Users\Admin\AppData\Local\Temp\7zS7E9B.tmp\lgAn4piSSGxcfGI.exe
.\lgAn4piSSGxcfGI.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSave\PumwJGUMLkeJSN.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSave\PumwJGUMLkeJSN.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\PumwJGUMLkeJSN.dat

Filesize
5KB

MD5
1ce5dbdb8b21cfdde26e02dcfff06b85

SHA1
081ebc294b1af81c012e54b385c25674cd5f3d8f

SHA256
a25d72946e55ed106339e18d18b69167e54b42b16fd3ca5e9268f6716fa43265

SHA512
8661234f31043aac65f99dd080a315728877f01b8ba5f323a6bd6322718d9fd024f85c18b264da90323e31dab51ff64e4d9e361d017f8879241f1d4db2ee75c1

Download Submit
C:\Program Files (x86)\GoSave\PumwJGUMLkeJSN.dll

Filesize
611KB

MD5
123fde8f1a45be2f971b36a8ae5457ef

SHA1
78f77c976bec0b388407f986e7866818512eec97

SHA256
12869f73fb78fcbb8876e10772d081890b19fd1e228dd83ca012416cf26e931e

SHA512
4ae3708e45e15a49e7ba1d338a9186ed47f41abe57727d57833a33be887043dcb950d02bc52f79ee414df0df56c3e87f213995fa222a6f0e1c659393860231d9

Download Submit
C:\Program Files (x86)\GoSave\PumwJGUMLkeJSN.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
C:\Program Files (x86)\GoSave\PumwJGUMLkeJSN.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
C:\Program Files (x86)\GoSave\PumwJGUMLkeJSN.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E9B.tmp\PumwJGUMLkeJSN.dll

Filesize
611KB

MD5
123fde8f1a45be2f971b36a8ae5457ef

SHA1
78f77c976bec0b388407f986e7866818512eec97

SHA256
12869f73fb78fcbb8876e10772d081890b19fd1e228dd83ca012416cf26e931e

SHA512
4ae3708e45e15a49e7ba1d338a9186ed47f41abe57727d57833a33be887043dcb950d02bc52f79ee414df0df56c3e87f213995fa222a6f0e1c659393860231d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E9B.tmp\PumwJGUMLkeJSN.tlb

Filesize
3KB

MD5
d5c4233a6c3de331b459f5f6a35ae3dd

SHA1
b5f1bf145f4e0896d7ae500abecbfaca715c18ab

SHA256
f3fca93b2a2848af13dcd30cad6305d20319d0a96f622f96753c1aebb91c885c

SHA512
4af48daa80dcd76cf45018d7edef74f35c5917457dd598f5a2071bba8875d75280326e41f3f5885d5301a596c22a3833cb062e2f4c97e0d83a01ad2644056e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E9B.tmp\PumwJGUMLkeJSN.x64.dll

Filesize
693KB

MD5
c59945c3f5074d51077f2d598680aa11

SHA1
7d2ab4599f476d9da677283bdfcff5164a30b2e7

SHA256
10658a9b7ad99f84d73c77bde58761c89f37b1318f90197710d63824ae894b5b

SHA512
d3ccea87caba7d10776c0d4726b26cad81e85562270a1c873a59ab59a0d73336bae0af6cb6a242fb8f1b4cb4278636ed9995bd03f4f0b32d84a705e19a7b7e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E9B.tmp\gmiopmiiafhimooljbdakbkdgjdgjoan\background.html

Filesize
141B

MD5
a3407dfdc67bf8be8cf7f6b38e94d0f8

SHA1
69c704e9b760839ccbab7f73ef6ea211549334cd

SHA256
9a43948afbe5a184fe598f64e0ce774a873db49e87f541f22d0a4b2e0a4ff840

SHA512
ed8294a62f28672c347b7f2fe5c7b06981f3f302f58dfc52de547ee7435ddc485fca14a4c181081f71d1118bb162a21616f58ad016927017abac0bbff5c79b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E9B.tmp\gmiopmiiafhimooljbdakbkdgjdgjoan\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E9B.tmp\gmiopmiiafhimooljbdakbkdgjdgjoan\hDGZ.js

Filesize
5KB

MD5
45d8c63fcbb458639199a2f6a6cb0f49

SHA1
f7bf27cfaf9da32d7f91b504e3fec36a0eb4e4c0

SHA256
49fc54473b771b28f5361cd4c13c728b024b8b2eb96a0ea184741e0cdf37bf00

SHA512
06de6f635618be290fc9ac985b85a0444503342e6b1b446021af03cdc83ce4e1bfe3e5f8ab8ca7a188989ae2e9b8bdfe7e524e677eb5b6c6889f22c079fc93b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E9B.tmp\gmiopmiiafhimooljbdakbkdgjdgjoan\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E9B.tmp\gmiopmiiafhimooljbdakbkdgjdgjoan\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E9B.tmp\lgAn4piSSGxcfGI.dat

Filesize
5KB

MD5
1ce5dbdb8b21cfdde26e02dcfff06b85

SHA1
081ebc294b1af81c012e54b385c25674cd5f3d8f

SHA256
a25d72946e55ed106339e18d18b69167e54b42b16fd3ca5e9268f6716fa43265

SHA512
8661234f31043aac65f99dd080a315728877f01b8ba5f323a6bd6322718d9fd024f85c18b264da90323e31dab51ff64e4d9e361d017f8879241f1d4db2ee75c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E9B.tmp\lgAn4piSSGxcfGI.exe

Filesize
634KB

MD5
8b3b2e0c8e5f6fdefb32e82daf230175

SHA1
4ddeb5ed636661376b8e1ef41e5162387724ed44

SHA256
e7be2ab45ff78525377a8da7205bbc29f871c907ddf30879d29aa0c219f65e99

SHA512
8aeb49852cb6a1335df799e8e30b34d83303a225c1a7b2e029368246d81463d653109a4454a3f9196fa050c2a5e9ba4dc8372900c55ce989c821c954cb850038

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E9B.tmp\lgAn4piSSGxcfGI.exe

Filesize
634KB

MD5
8b3b2e0c8e5f6fdefb32e82daf230175

SHA1
4ddeb5ed636661376b8e1ef41e5162387724ed44

SHA256
e7be2ab45ff78525377a8da7205bbc29f871c907ddf30879d29aa0c219f65e99

SHA512
8aeb49852cb6a1335df799e8e30b34d83303a225c1a7b2e029368246d81463d653109a4454a3f9196fa050c2a5e9ba4dc8372900c55ce989c821c954cb850038

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E9B.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E9B.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
0c5df674fac37d01940017012475cbfd

SHA1
d9b2da7540c29e855ade869765c75e5817b8a2bc

SHA256
3d0103446d61e68ff0f813299352308b6b5aedda270e637af06bf48ca3d65e6d

SHA512
248b9e8e0f04818fe586fac64ab0f2a94c0f55736b99725866a102fc93b755929f05fdf4507f979cbdec4991b60045fc03e00ee4887d298a33bdd389430fd316

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E9B.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
7db2c84a21d32623b08c4cb88ebf26dd

SHA1
d65328cd0a2be92812b66e1fe24e4494283aaa29

SHA256
3117364529cd1d50efcff0173522824ba99c8437998878b2d16ba4952b05076a

SHA512
322148dd68764c7468dff34d23089f3cbf0f0108da932ed328de3117c72fcfe9e386b98a42f6af25ceddeeea0af9eafeb610e5ce1e49ccf25ee36d3f1b29a8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E9B.tmp\[email protected]\install.rdf

Filesize
597B

MD5
076cc8bfc8420b946b687e283d6ea213

SHA1
d25de75223db5f4a8e839c83d64a69ba1c4dc48c

SHA256
61b3dc1c46adadd224ab74526d06263e0e5e84c5936f1e250ebe5ab442472031

SHA512
d9521a0c128a64832f8d7d936e12955e5b8c2e6338f83104332ead8d73b4ab17dccdad08bd62d60e9ecc061f5e82380ee555e6c454a149070efab74ffa503225

Download Submit
memory/2040-152-0x0000000000000000-mapping.dmp

Download
memory/2628-149-0x0000000000000000-mapping.dmp

Download
memory/4832-132-0x0000000000000000-mapping.dmp

Download