920a101cf22f5e1af0a74ad17004b21b53ee1aef4a45c02678c66d4d6c4f2bc6

Analysis

max time kernel
91s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

920a101cf22f5e1af0a74ad17004b21b53ee1aef4a45c02678c66d4d6c4f2bc6.exe
Size

2.1MB
MD5

0672159bda6ea73c81836ec93376e537
SHA1

87acd832c943624a2577e7065a7d5cec9787c2a1
SHA256

920a101cf22f5e1af0a74ad17004b21b53ee1aef4a45c02678c66d4d6c4f2bc6
SHA512

1245c196392db284ae12d86ce3cd78b6d94a04bc54d8fea37c7bf22dbca4fb9021537ce389b6c4ca9b0ba83d4dad77094a71fce3c5f948aaef3534ff2c7d6be4
SSDEEP

49152:h1OskPtqGqK2M8f3h4UO2sEYYQvLZwQE5m4o2:h1OBHoxLYYaa

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5004	C6qwmKIejI1qjRV.exe

Loads dropped DLL 3 IoCs

pid	Process
5004	C6qwmKIejI1qjRV.exe
3772	regsvr32.exe
2092	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\egeglndkocgkiimfjijbefieiookfcdc\2.0\manifest.json	C6qwmKIejI1qjRV.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\egeglndkocgkiimfjijbefieiookfcdc\2.0\manifest.json	C6qwmKIejI1qjRV.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\egeglndkocgkiimfjijbefieiookfcdc\2.0\manifest.json	C6qwmKIejI1qjRV.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\egeglndkocgkiimfjijbefieiookfcdc\2.0\manifest.json	C6qwmKIejI1qjRV.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\egeglndkocgkiimfjijbefieiookfcdc\2.0\manifest.json	C6qwmKIejI1qjRV.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	C6qwmKIejI1qjRV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	C6qwmKIejI1qjRV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	C6qwmKIejI1qjRV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	C6qwmKIejI1qjRV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GoSiave\IGCHhmQWqCtrqn.dll	C6qwmKIejI1qjRV.exe
File opened for modification	C:\Program Files (x86)\GoSiave\IGCHhmQWqCtrqn.dll	C6qwmKIejI1qjRV.exe
File created	C:\Program Files (x86)\GoSiave\IGCHhmQWqCtrqn.tlb	C6qwmKIejI1qjRV.exe
File opened for modification	C:\Program Files (x86)\GoSiave\IGCHhmQWqCtrqn.tlb	C6qwmKIejI1qjRV.exe
File created	C:\Program Files (x86)\GoSiave\IGCHhmQWqCtrqn.dat	C6qwmKIejI1qjRV.exe
File opened for modification	C:\Program Files (x86)\GoSiave\IGCHhmQWqCtrqn.dat	C6qwmKIejI1qjRV.exe
File created	C:\Program Files (x86)\GoSiave\IGCHhmQWqCtrqn.x64.dll	C6qwmKIejI1qjRV.exe
File opened for modification	C:\Program Files (x86)\GoSiave\IGCHhmQWqCtrqn.x64.dll	C6qwmKIejI1qjRV.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 5004	2300	920a101cf22f5e1af0a74ad17004b21b53ee1aef4a45c02678c66d4d6c4f2bc6.exe	84
PID 2300 wrote to memory of 5004	2300	920a101cf22f5e1af0a74ad17004b21b53ee1aef4a45c02678c66d4d6c4f2bc6.exe	84
PID 2300 wrote to memory of 5004	2300	920a101cf22f5e1af0a74ad17004b21b53ee1aef4a45c02678c66d4d6c4f2bc6.exe	84
PID 5004 wrote to memory of 3772	5004	C6qwmKIejI1qjRV.exe	85
PID 5004 wrote to memory of 3772	5004	C6qwmKIejI1qjRV.exe	85
PID 5004 wrote to memory of 3772	5004	C6qwmKIejI1qjRV.exe	85
PID 3772 wrote to memory of 2092	3772	regsvr32.exe	86
PID 3772 wrote to memory of 2092	3772	regsvr32.exe	86

C:\Users\Admin\AppData\Local\Temp\920a101cf22f5e1af0a74ad17004b21b53ee1aef4a45c02678c66d4d6c4f2bc6.exe
"C:\Users\Admin\AppData\Local\Temp\920a101cf22f5e1af0a74ad17004b21b53ee1aef4a45c02678c66d4d6c4f2bc6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\7zSA25F.tmp\C6qwmKIejI1qjRV.exe
  .\C6qwmKIejI1qjRV.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSiave\IGCHhmQWqCtrqn.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSiave\IGCHhmQWqCtrqn.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:2092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSiave\IGCHhmQWqCtrqn.dat

Filesize
6KB

MD5
77ca727ae484a7231d09536c9a729a87

SHA1
a91e571944591dfd4e34ff9721d21d1d7ddc020b

SHA256
2e7e0c7b57b5d94a197ce7a76f2a472ab26c9f05c7772b8c89163aaafb176638

SHA512
2500ff1bff909b938ff571fe33a5cccfa4286f547218b317a7d0aadd3fabdb9d20fefe16408e474545e172b78525107544bde3ceefc3a3501b5e72e1f1777a6a

Download Submit
C:\Program Files (x86)\GoSiave\IGCHhmQWqCtrqn.dll

Filesize
618KB

MD5
9e56f8bd63dc95894be8b9e660696f1c

SHA1
2efcb8fc0ce33f2ada28fb2a6a17ec43813f80cb

SHA256
93186596d2312706d0623df3c9b9dfdea35546d5506b20216d2a7efeb1d8d79a

SHA512
e52fa89e7cf8ed7419a5f410f6bf46a19695727f19f8eebd714dee9d6f8a9036acc528cd6b0033f70f11a04e18746b814ee2dc494f2fc82db104a876b479d827

Download Submit
C:\Program Files (x86)\GoSiave\IGCHhmQWqCtrqn.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Program Files (x86)\GoSiave\IGCHhmQWqCtrqn.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Program Files (x86)\GoSiave\IGCHhmQWqCtrqn.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25F.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25F.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
663de6032ea4cf36a715066664b602ff

SHA1
904569111fb1907c0138e76b05c1d9d852a07dbf

SHA256
c8e03a760cc16b65318795537d991cc80a298f3a4a175cc4d68591bbe45a710b

SHA512
7c25e7072fa731c2e5a1a29de60b3b766d58a509d00b7040ec59c55e50033feb02c61e4a3752b10c1352282caa75bc2757673f43f23abfc53a29c2c12727181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25F.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
2a0c3169f8dc201aae45793daeace727

SHA1
4ce2927929ea33248003a6e69f5523a7817108dc

SHA256
9d5e9763f9a0b315bee244db6c250c83fac6afc1052f8d8d933492921d67aea0

SHA512
0290208ca2acb57b9e29eb67505c795a90dd3336c8e8fbd0fd4d68f3278c6f30e5b2b9cb19107ae45bedae2aec6a4c5a5249ded6d4018d9b0e5a25d0a8ef7c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25F.tmp\[email protected]\install.rdf

Filesize
595B

MD5
f5c51603ff4c4cf015745f0935d3ce8d

SHA1
fc45dc4a296c6052329c31336b0c6764e5fb0102

SHA256
1b7cf9d58a332ba413f6175e378e132f760ff7d8f92a6581669be7ee2cd31814

SHA512
de0692e2d6e65787effadb65af6f6e269aef771efdf0c8f26787b55b99bd5183ad48c4e6e28404334a886155bf2e78844051eade86888a7f7eaac15b5c4ca90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25F.tmp\C6qwmKIejI1qjRV.dat

Filesize
6KB

MD5
77ca727ae484a7231d09536c9a729a87

SHA1
a91e571944591dfd4e34ff9721d21d1d7ddc020b

SHA256
2e7e0c7b57b5d94a197ce7a76f2a472ab26c9f05c7772b8c89163aaafb176638

SHA512
2500ff1bff909b938ff571fe33a5cccfa4286f547218b317a7d0aadd3fabdb9d20fefe16408e474545e172b78525107544bde3ceefc3a3501b5e72e1f1777a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25F.tmp\C6qwmKIejI1qjRV.exe

Filesize
629KB

MD5
15dada567404c2049507d7098389e997

SHA1
508d8cc90c247e26ce5041c718825734079d841c

SHA256
888d66bccd07a163c4fcf59dca8fb4577fe6ecb7b11c427108b1e0aa45fccc58

SHA512
6fd82c0d06c43b309ce45c048c072c9696dfd6e9a81ec5149df64784f6428c6abe91b9be215b8a47dafc8859319be94bb13fbd2e4bc1795da61b970202a15261

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25F.tmp\C6qwmKIejI1qjRV.exe

Filesize
629KB

MD5
15dada567404c2049507d7098389e997

SHA1
508d8cc90c247e26ce5041c718825734079d841c

SHA256
888d66bccd07a163c4fcf59dca8fb4577fe6ecb7b11c427108b1e0aa45fccc58

SHA512
6fd82c0d06c43b309ce45c048c072c9696dfd6e9a81ec5149df64784f6428c6abe91b9be215b8a47dafc8859319be94bb13fbd2e4bc1795da61b970202a15261

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25F.tmp\IGCHhmQWqCtrqn.dll

Filesize
618KB

MD5
9e56f8bd63dc95894be8b9e660696f1c

SHA1
2efcb8fc0ce33f2ada28fb2a6a17ec43813f80cb

SHA256
93186596d2312706d0623df3c9b9dfdea35546d5506b20216d2a7efeb1d8d79a

SHA512
e52fa89e7cf8ed7419a5f410f6bf46a19695727f19f8eebd714dee9d6f8a9036acc528cd6b0033f70f11a04e18746b814ee2dc494f2fc82db104a876b479d827

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25F.tmp\IGCHhmQWqCtrqn.tlb

Filesize
3KB

MD5
713ab144897857b45ce9515c2a1e2d52

SHA1
607a46adbfe1892276898fb6b00e7c62dbf82772

SHA256
3ec756ec9b8c4b03cc723127bc372b67c406a4915fa0a82597b0fb29685096e6

SHA512
b54c6eaf989d9e51ba66278a0991daa14bde0f56e86c8c2fce67f2118e9557307b409fbc9ae48921c37c1869634b2801028d728f4cf3b871ad8971965e3004b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25F.tmp\IGCHhmQWqCtrqn.x64.dll

Filesize
698KB

MD5
4f474d78d3944242daf1069b024ba83c

SHA1
0ef8ee373b77bf05e3c0de0a66dd4d8589dff7d9

SHA256
935dfff0607280f142a69b4e109ac34ebabca578240d9c66c1561fc67ae4a1a8

SHA512
1da43bff1edf956a365200a4092a7647c0054bf6196155c5b2e2659c12d6d6adb43db6aed503cace12b8c97aba3343abddc34acdf1f663eef667eebc9153f6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25F.tmp\egeglndkocgkiimfjijbefieiookfcdc\AKChtEPa.js

Filesize
5KB

MD5
94a281354d312c95a28999f3cf187a0a

SHA1
655165d50b59ad2eaebd0f790c6285c166b38cad

SHA256
e7acd7cb19edaa72716de4a6bee842435910f5efb2041619db4e44cc241d9488

SHA512
26e8c38492c3e2a8e984c3ca537e2032ac8ad4063117c6e90b53e065bd5eb2328bbd2942e474be9611c39eeeb71b4a6122d2ae79b4a4fa0b845510297aac4e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25F.tmp\egeglndkocgkiimfjijbefieiookfcdc\background.html

Filesize
145B

MD5
c30fdfc791f75f9abd6bcbfb9d713668

SHA1
9a785835d4178104f9319f8d2fe77c8d565defc6

SHA256
539ac220e6f1dd3d72340c449769fd1e8fc43d61427d1eb42d887c4287b71ee6

SHA512
fddca978d13f0d365e839250096b6b1a7afef88c80d546d24f9b19d607be08acc6da69d4476d38fbf64498543668ad8532e4b8507996c7f381a7d25a31d379dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25F.tmp\egeglndkocgkiimfjijbefieiookfcdc\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25F.tmp\egeglndkocgkiimfjijbefieiookfcdc\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA25F.tmp\egeglndkocgkiimfjijbefieiookfcdc\manifest.json

Filesize
499B

MD5
866e59ce4292605efb1956f5f322e4f5

SHA1
916cd9818f80b63a11a39a6456a5a9c9b8b62473

SHA256
e3641913f13e083faf248b9d2aa98cef4ef2b47c3f3f402b9f8d20e1fcb35d59

SHA512
c2704e7378fa7f09aee17e2d3707b5f9e5145bfeb92ed2165a313a4b80d0016a84539008212daafae2b61f31d58c8b0407ba9f20d9eba80e6ecafeaaa0cc0868

Download Submit