c3723a583aba3ca9705a2ae5f14310b089fef4abca9a00bcd063270979a1fa40

Analysis

max time kernel
188s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3723a583aba3ca9705a2ae5f14310b089fef4abca9a00bcd063270979a1fa40.exe
Size

2.5MB
MD5

65fd5a38215e7c915717a504cda537d3
SHA1

ab6f2621d5dcd568cb5ccc18327c1b89b68a2249
SHA256

c3723a583aba3ca9705a2ae5f14310b089fef4abca9a00bcd063270979a1fa40
SHA512

a481fe81ffe79ea1f49af8b1096d17883894cecc14438a25da1c64706ce5e833351ea0e2d3329ddbda993497e86b55f6c5b8729b198b55b39f44be06131ef32a
SSDEEP

49152:h1OsRdKF7UldNUwSMQRcXL3Bp9y14pkO/MPQpVPaytn5hbdTf3:h1OMQc/PXVp9yqIod3

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

LiiEWfkMXHJrvzd.exe

pid process

3328 LiiEWfkMXHJrvzd.exe
Loads dropped DLL 3 IoCs

Processes:

LiiEWfkMXHJrvzd.exeregsvr32.exeregsvr32.exe

pid process

3328 LiiEWfkMXHJrvzd.exe
4928 regsvr32.exe
372 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3328	LiiEWfkMXHJrvzd.exe

pid	process
3328	LiiEWfkMXHJrvzd.exe
4928	regsvr32.exe
372	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

LiiEWfkMXHJrvzd.exe

description	ioc	process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\bamlcnkflhfdkjhpmiehciomhpoekjgg\2.0\manifest.json	LiiEWfkMXHJrvzd.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bamlcnkflhfdkjhpmiehciomhpoekjgg\2.0\manifest.json	LiiEWfkMXHJrvzd.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bamlcnkflhfdkjhpmiehciomhpoekjgg\2.0\manifest.json	LiiEWfkMXHJrvzd.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bamlcnkflhfdkjhpmiehciomhpoekjgg\2.0\manifest.json	LiiEWfkMXHJrvzd.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bamlcnkflhfdkjhpmiehciomhpoekjgg\2.0\manifest.json	LiiEWfkMXHJrvzd.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exeLiiEWfkMXHJrvzd.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	LiiEWfkMXHJrvzd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	LiiEWfkMXHJrvzd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	LiiEWfkMXHJrvzd.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	LiiEWfkMXHJrvzd.exe

Drops file in Program Files directory 8 IoCs

Processes:

LiiEWfkMXHJrvzd.exe

description	ioc	process
File created	C:\Program Files (x86)\GoSave\gLVJAXNx8I22Lb.dll	LiiEWfkMXHJrvzd.exe
File opened for modification	C:\Program Files (x86)\GoSave\gLVJAXNx8I22Lb.dll	LiiEWfkMXHJrvzd.exe
File created	C:\Program Files (x86)\GoSave\gLVJAXNx8I22Lb.tlb	LiiEWfkMXHJrvzd.exe
File opened for modification	C:\Program Files (x86)\GoSave\gLVJAXNx8I22Lb.tlb	LiiEWfkMXHJrvzd.exe
File created	C:\Program Files (x86)\GoSave\gLVJAXNx8I22Lb.dat	LiiEWfkMXHJrvzd.exe
File opened for modification	C:\Program Files (x86)\GoSave\gLVJAXNx8I22Lb.dat	LiiEWfkMXHJrvzd.exe
File created	C:\Program Files (x86)\GoSave\gLVJAXNx8I22Lb.x64.dll	LiiEWfkMXHJrvzd.exe
File opened for modification	C:\Program Files (x86)\GoSave\gLVJAXNx8I22Lb.x64.dll	LiiEWfkMXHJrvzd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

LiiEWfkMXHJrvzd.exe

pid process

3328 LiiEWfkMXHJrvzd.exe
3328 LiiEWfkMXHJrvzd.exe

pid	process
3328	LiiEWfkMXHJrvzd.exe
3328	LiiEWfkMXHJrvzd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c3723a583aba3ca9705a2ae5f14310b089fef4abca9a00bcd063270979a1fa40.exeLiiEWfkMXHJrvzd.exeregsvr32.exe

description	pid	process	target process
PID 1376 wrote to memory of 3328	1376	c3723a583aba3ca9705a2ae5f14310b089fef4abca9a00bcd063270979a1fa40.exe	LiiEWfkMXHJrvzd.exe
PID 1376 wrote to memory of 3328	1376	c3723a583aba3ca9705a2ae5f14310b089fef4abca9a00bcd063270979a1fa40.exe	LiiEWfkMXHJrvzd.exe
PID 1376 wrote to memory of 3328	1376	c3723a583aba3ca9705a2ae5f14310b089fef4abca9a00bcd063270979a1fa40.exe	LiiEWfkMXHJrvzd.exe
PID 3328 wrote to memory of 4928	3328	LiiEWfkMXHJrvzd.exe	regsvr32.exe
PID 3328 wrote to memory of 4928	3328	LiiEWfkMXHJrvzd.exe	regsvr32.exe
PID 3328 wrote to memory of 4928	3328	LiiEWfkMXHJrvzd.exe	regsvr32.exe
PID 4928 wrote to memory of 372	4928	regsvr32.exe	regsvr32.exe
PID 4928 wrote to memory of 372	4928	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\c3723a583aba3ca9705a2ae5f14310b089fef4abca9a00bcd063270979a1fa40.exe
"C:\Users\Admin\AppData\Local\Temp\c3723a583aba3ca9705a2ae5f14310b089fef4abca9a00bcd063270979a1fa40.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\7zSFEC7.tmp\LiiEWfkMXHJrvzd.exe
.\LiiEWfkMXHJrvzd.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSave\gLVJAXNx8I22Lb.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSave\gLVJAXNx8I22Lb.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\gLVJAXNx8I22Lb.dat
Filesize
6KB

MD5
c4e6b5038cf9b2192dcb8b9af52f90b3

SHA1
b76eb324ce35f3b725844887ee35f9a6f7d0c559

SHA256
70d871f100a21b37c73a9a9e5847a30c2ec2c601c9041d4313ecd9fa3ae3ee2d

SHA512
76bf99e7d4e912f1c2fabd088219c1b4c5dd4e7f12936927072e3dbeeea57d4660af04e1ee5aefb08b61fc6f1df25df5e1195da46075780239b6e5b55d51502f

Download Submit
C:\Program Files (x86)\GoSave\gLVJAXNx8I22Lb.dll
Filesize
745KB

MD5
9b0bbae1c51f35af98a38950ad9b6902

SHA1
abaf6e0d4af36bc020b8948beb95c1d6dd6b4108

SHA256
bc3180830a01359e2a0533b58b505a89999861cc6649a597912424d4856404ef

SHA512
731cedc519324e24f6649e05678eeff9ed04be8a519a816179c254ad8e1d360037053104c2ab3ed03a50aa1bbe0d3a6562ed871d7943d241f2dbfe184ec6a14b

Download Submit
C:\Program Files (x86)\GoSave\gLVJAXNx8I22Lb.x64.dll
Filesize
874KB

MD5
315ffb224983b4981895e20bc3a68f75

SHA1
75f25396fb15f5269198623b604bc456d05d623c

SHA256
e4cb3b0a84a7030b20a151bb857a4a28feeb14863a3685b726a2ad5b69e99c5e

SHA512
8255b3d4f9c0a251a5a63075b8f8747dd3e9e6dacbce8877b859a53b266e2a81286576d0c78fe4ce034e451aee367ce700128a9f296b101f3e984669d0c519a8

Download Submit
C:\Program Files (x86)\GoSave\gLVJAXNx8I22Lb.x64.dll
Filesize
874KB

MD5
315ffb224983b4981895e20bc3a68f75

SHA1
75f25396fb15f5269198623b604bc456d05d623c

SHA256
e4cb3b0a84a7030b20a151bb857a4a28feeb14863a3685b726a2ad5b69e99c5e

SHA512
8255b3d4f9c0a251a5a63075b8f8747dd3e9e6dacbce8877b859a53b266e2a81286576d0c78fe4ce034e451aee367ce700128a9f296b101f3e984669d0c519a8

Download Submit
C:\Program Files (x86)\GoSave\gLVJAXNx8I22Lb.x64.dll
Filesize
874KB

MD5
315ffb224983b4981895e20bc3a68f75

SHA1
75f25396fb15f5269198623b604bc456d05d623c

SHA256
e4cb3b0a84a7030b20a151bb857a4a28feeb14863a3685b726a2ad5b69e99c5e

SHA512
8255b3d4f9c0a251a5a63075b8f8747dd3e9e6dacbce8877b859a53b266e2a81286576d0c78fe4ce034e451aee367ce700128a9f296b101f3e984669d0c519a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEC7.tmp\LiiEWfkMXHJrvzd.dat
Filesize
6KB

MD5
c4e6b5038cf9b2192dcb8b9af52f90b3

SHA1
b76eb324ce35f3b725844887ee35f9a6f7d0c559

SHA256
70d871f100a21b37c73a9a9e5847a30c2ec2c601c9041d4313ecd9fa3ae3ee2d

SHA512
76bf99e7d4e912f1c2fabd088219c1b4c5dd4e7f12936927072e3dbeeea57d4660af04e1ee5aefb08b61fc6f1df25df5e1195da46075780239b6e5b55d51502f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEC7.tmp\LiiEWfkMXHJrvzd.exe
Filesize
769KB

MD5
291319a3090dccd5eaa32056863ae03e

SHA1
af43bfec74b1b1266f52e03cd043dd26c69fd2e9

SHA256
093bbafecd0c59ac6495fdd821d8af0d02b167c545cc5d95aa198eeef091115a

SHA512
162a3e21247ec4457a9178dd06866e284093aaf6cf366b109e8d0a533be8e099beca9280783874968429f6718e13481c17385daa233a95b8bffe8fdb67094da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEC7.tmp\LiiEWfkMXHJrvzd.exe
Filesize
769KB

MD5
291319a3090dccd5eaa32056863ae03e

SHA1
af43bfec74b1b1266f52e03cd043dd26c69fd2e9

SHA256
093bbafecd0c59ac6495fdd821d8af0d02b167c545cc5d95aa198eeef091115a

SHA512
162a3e21247ec4457a9178dd06866e284093aaf6cf366b109e8d0a533be8e099beca9280783874968429f6718e13481c17385daa233a95b8bffe8fdb67094da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEC7.tmp\bamlcnkflhfdkjhpmiehciomhpoekjgg\background.html
Filesize
146B

MD5
160f28dbf3a3c61e25a41faaa5ee5f26

SHA1
007afc93541d1d5024b143485fe1d0a9d9a07265

SHA256
120a6c78ea9d2eedb36f9ac9907f94fc3a8bf2293b759763890b98b0291e5a3c

SHA512
a169b626b55e3d3c247723764e6f015f3f79d6373460b95fa98f9575cddafdfcc74b3066958d82f4ba709536c2e75536fcdeca969a07d1aaafd0d620cee7ed62

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEC7.tmp\bamlcnkflhfdkjhpmiehciomhpoekjgg\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEC7.tmp\bamlcnkflhfdkjhpmiehciomhpoekjgg\ehDVejpvs.js
Filesize
5KB

MD5
d217cde67a8f0accc58d8c49ce4785a8

SHA1
b07f20592c53c99d78d5ef156d3e4c9e2dc5979b

SHA256
572a34fa9204699288cea52e0a3ecef7ac013d60706c28ea40b501a7ffae9cd0

SHA512
c253eed71acdd53aadec5bf7bb4da55474339f086ae1f0a059f498f6baab422d32991f02fc464f946b725eb95edf5ffc3d342f9a11cbe125f34b4ddb76cc5ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEC7.tmp\bamlcnkflhfdkjhpmiehciomhpoekjgg\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEC7.tmp\bamlcnkflhfdkjhpmiehciomhpoekjgg\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEC7.tmp\gLVJAXNx8I22Lb.dll
Filesize
745KB

MD5
9b0bbae1c51f35af98a38950ad9b6902

SHA1
abaf6e0d4af36bc020b8948beb95c1d6dd6b4108

SHA256
bc3180830a01359e2a0533b58b505a89999861cc6649a597912424d4856404ef

SHA512
731cedc519324e24f6649e05678eeff9ed04be8a519a816179c254ad8e1d360037053104c2ab3ed03a50aa1bbe0d3a6562ed871d7943d241f2dbfe184ec6a14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEC7.tmp\gLVJAXNx8I22Lb.tlb
Filesize
3KB

MD5
e0d8c71eebc95cf3bd5cf6086938176f

SHA1
e24d47c63e459b2d0664b2a1709c8243d5d6ab39

SHA256
1c87908f309599a94b048c1571ab271342aee8092d6d3ac22db7a509e22a3779

SHA512
d5a9387933d788dbddcb9fcaa7fafef9232d289b287d5fb95666a2b7e0a9838664241a7c6021841f13d2f0b979dd61dcf361c8261b2e78510af298cedd05f92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEC7.tmp\gLVJAXNx8I22Lb.x64.dll
Filesize
874KB

MD5
315ffb224983b4981895e20bc3a68f75

SHA1
75f25396fb15f5269198623b604bc456d05d623c

SHA256
e4cb3b0a84a7030b20a151bb857a4a28feeb14863a3685b726a2ad5b69e99c5e

SHA512
8255b3d4f9c0a251a5a63075b8f8747dd3e9e6dacbce8877b859a53b266e2a81286576d0c78fe4ce034e451aee367ce700128a9f296b101f3e984669d0c519a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEC7.tmp\r@PjoNCEcU.edu\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEC7.tmp\r@PjoNCEcU.edu\chrome.manifest
Filesize
35B

MD5
e97718a570fd2008d8f3cbbc361e99cd

SHA1
69c8be7ec921af7141486888e1f193a7e108ef82

SHA256
50147b7ff014d6ae802d6a2d1a4a9ebfb2f98ccb5c4af5bb91c7e7f247d65005

SHA512
826060e473c7f887c3eaff1b7193c3e8f3e6a968c5d8c71461e19d2b698570a40be050da110a7df7dea67f47e8b5e9e9c25f5e90e0350164c3461f5c4b809363

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEC7.tmp\r@PjoNCEcU.edu\content\bg.js
Filesize
7KB

MD5
9571646dce587cd66afdc7088f1e27ec

SHA1
2fd9d86550e3e99e8a8a706f8182699a23127f19

SHA256
b1ab2de42db9fea3f016bf34d09c115cb0496cfed15bc73dc044d12c8752571d

SHA512
7a23473a46e6caa77880b2bcefce06ece4ee3b8bc941d839c5e5b841d149ef7ca6738b2333d36436e2fc94d7b6dbafd8a2108e962a137afc9600d38f7f7d2611

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFEC7.tmp\r@PjoNCEcU.edu\install.rdf
Filesize
596B

MD5
6237c4a8db9a0f4f168b2da591cda0a9

SHA1
c077d9b97a4542443b23dedce3de7226f1b9dfcd

SHA256
db2ffb753a3826e5d56d28ece2bc639b760db8cb6585c780ea92b36bce712251

SHA512
3665f80bfaf436f62b4202f0c846e3a963039b14676ad6de3e541f9e09b6217fa85162b42829659aed32747bf342fe15a6ac8940c6082b9d6e1572c62586c1b4

Download Submit
memory/372-152-0x0000000000000000-mapping.dmp

Download
memory/3328-132-0x0000000000000000-mapping.dmp

Download
memory/4928-149-0x0000000000000000-mapping.dmp

Download