f1c054ab41a9c72398a0462e9f8f79a91be9182a6293b49f8a5c2b57e210d4be

Analysis

max time kernel
149s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1c054ab41a9c72398a0462e9f8f79a91be9182a6293b49f8a5c2b57e210d4be.exe
Size

2.1MB
MD5

13a17bfd387df6950d7b4e859853f71d
SHA1

0422a085f84795185a04a23d96f5ce2f3dee484d
SHA256

f1c054ab41a9c72398a0462e9f8f79a91be9182a6293b49f8a5c2b57e210d4be
SHA512

de423a06ef1070594242dba0ec22349bbf44341b7391edd66c5d4bb28f011658e772447da3e4316b68c71dac89e5d0438884d84b85009459ea1bff55f1cc68f5
SSDEEP

49152:h1OsUFo42dYDe4NCS039DyklmfqyFSFsAuz:h1O7Dp6NykzON

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1056	QMU35kDgsiXP90y.exe

Loads dropped DLL 3 IoCs

pid	Process
1056	QMU35kDgsiXP90y.exe
4348	regsvr32.exe
5108	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\efbpeingkhbncbdeembehnckeiidhibi\2.0\manifest.json	QMU35kDgsiXP90y.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\efbpeingkhbncbdeembehnckeiidhibi\2.0\manifest.json	QMU35kDgsiXP90y.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\efbpeingkhbncbdeembehnckeiidhibi\2.0\manifest.json	QMU35kDgsiXP90y.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\efbpeingkhbncbdeembehnckeiidhibi\2.0\manifest.json	QMU35kDgsiXP90y.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\efbpeingkhbncbdeembehnckeiidhibi\2.0\manifest.json	QMU35kDgsiXP90y.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	QMU35kDgsiXP90y.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	QMU35kDgsiXP90y.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	QMU35kDgsiXP90y.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	QMU35kDgsiXP90y.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GoSave\vq6fCn7tEEYlAm.dat	QMU35kDgsiXP90y.exe
File created	C:\Program Files (x86)\GoSave\vq6fCn7tEEYlAm.x64.dll	QMU35kDgsiXP90y.exe
File opened for modification	C:\Program Files (x86)\GoSave\vq6fCn7tEEYlAm.x64.dll	QMU35kDgsiXP90y.exe
File created	C:\Program Files (x86)\GoSave\vq6fCn7tEEYlAm.dll	QMU35kDgsiXP90y.exe
File opened for modification	C:\Program Files (x86)\GoSave\vq6fCn7tEEYlAm.dll	QMU35kDgsiXP90y.exe
File created	C:\Program Files (x86)\GoSave\vq6fCn7tEEYlAm.tlb	QMU35kDgsiXP90y.exe
File opened for modification	C:\Program Files (x86)\GoSave\vq6fCn7tEEYlAm.tlb	QMU35kDgsiXP90y.exe
File created	C:\Program Files (x86)\GoSave\vq6fCn7tEEYlAm.dat	QMU35kDgsiXP90y.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 1056	4676	f1c054ab41a9c72398a0462e9f8f79a91be9182a6293b49f8a5c2b57e210d4be.exe	81
PID 4676 wrote to memory of 1056	4676	f1c054ab41a9c72398a0462e9f8f79a91be9182a6293b49f8a5c2b57e210d4be.exe	81
PID 4676 wrote to memory of 1056	4676	f1c054ab41a9c72398a0462e9f8f79a91be9182a6293b49f8a5c2b57e210d4be.exe	81
PID 1056 wrote to memory of 4348	1056	QMU35kDgsiXP90y.exe	83
PID 1056 wrote to memory of 4348	1056	QMU35kDgsiXP90y.exe	83
PID 1056 wrote to memory of 4348	1056	QMU35kDgsiXP90y.exe	83
PID 4348 wrote to memory of 5108	4348	regsvr32.exe	84
PID 4348 wrote to memory of 5108	4348	regsvr32.exe	84

C:\Users\Admin\AppData\Local\Temp\f1c054ab41a9c72398a0462e9f8f79a91be9182a6293b49f8a5c2b57e210d4be.exe
"C:\Users\Admin\AppData\Local\Temp\f1c054ab41a9c72398a0462e9f8f79a91be9182a6293b49f8a5c2b57e210d4be.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\7zS8F93.tmp\QMU35kDgsiXP90y.exe
  .\QMU35kDgsiXP90y.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSave\vq6fCn7tEEYlAm.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSave\vq6fCn7tEEYlAm.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:5108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\vq6fCn7tEEYlAm.dat

Filesize
6KB

MD5
b3586221d91385ee83cbb29b64536f29

SHA1
f70d5c5a3764835e14856c98f331787858d565c8

SHA256
a7082773800987426362b2d955b45fe7e54b4676d4451bbf39f8c9fd440af193

SHA512
8fe387e47d41d76258fe7601530c6685fd5db123d4505cab6a00387d9c9eaee85517327f6e0459f2a28bc36b5f4a8309f1ea84a434465c0ebb95ca215511276c

Download Submit
C:\Program Files (x86)\GoSave\vq6fCn7tEEYlAm.dll

Filesize
622KB

MD5
76deb7dec4a615399ba9a1262e674bb3

SHA1
e7ff08fdae617738fd2517f4056ef1075fa9a336

SHA256
2faa672dee58c448d2dbe85c9a785b4791047964b297697847f3711f9c1a90d6

SHA512
6e51859656add39b720ff7ea44f7b16b73f80d73740897e198a657d6ce88a1615ea1405920a5f8dba6c3f0c130ae26e95d9de83171bed9781184cf5a0a101a09

Download Submit
C:\Program Files (x86)\GoSave\vq6fCn7tEEYlAm.x64.dll

Filesize
701KB

MD5
90c1f871f4890f39667e7b149f297b2b

SHA1
e99fe2ffb087bf78272d0d5fe4f5501f42504c05

SHA256
e8a6bfc67352fa598e9ee363bd099b3d51191dc6bd536dbb096ed43986edec46

SHA512
fc3230c5f406313d89c36d5119f2db178ca2cf3d209c26df80571b084fe156d4e9c69f71a5ff7183d0fddfc2a42b3af9b97c6803f312598bc3a90b4d89868d44

Download Submit
C:\Program Files (x86)\GoSave\vq6fCn7tEEYlAm.x64.dll

Filesize
701KB

MD5
90c1f871f4890f39667e7b149f297b2b

SHA1
e99fe2ffb087bf78272d0d5fe4f5501f42504c05

SHA256
e8a6bfc67352fa598e9ee363bd099b3d51191dc6bd536dbb096ed43986edec46

SHA512
fc3230c5f406313d89c36d5119f2db178ca2cf3d209c26df80571b084fe156d4e9c69f71a5ff7183d0fddfc2a42b3af9b97c6803f312598bc3a90b4d89868d44

Download Submit
C:\Program Files (x86)\GoSave\vq6fCn7tEEYlAm.x64.dll

Filesize
701KB

MD5
90c1f871f4890f39667e7b149f297b2b

SHA1
e99fe2ffb087bf78272d0d5fe4f5501f42504c05

SHA256
e8a6bfc67352fa598e9ee363bd099b3d51191dc6bd536dbb096ed43986edec46

SHA512
fc3230c5f406313d89c36d5119f2db178ca2cf3d209c26df80571b084fe156d4e9c69f71a5ff7183d0fddfc2a42b3af9b97c6803f312598bc3a90b4d89868d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F93.tmp\QMU35kDgsiXP90y.dat

Filesize
6KB

MD5
b3586221d91385ee83cbb29b64536f29

SHA1
f70d5c5a3764835e14856c98f331787858d565c8

SHA256
a7082773800987426362b2d955b45fe7e54b4676d4451bbf39f8c9fd440af193

SHA512
8fe387e47d41d76258fe7601530c6685fd5db123d4505cab6a00387d9c9eaee85517327f6e0459f2a28bc36b5f4a8309f1ea84a434465c0ebb95ca215511276c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F93.tmp\QMU35kDgsiXP90y.exe

Filesize
641KB

MD5
1d450f8118ecfa3379fc5dcfa2c41b4a

SHA1
2f07e678ef051ba34aacc387b9aedf019d06aa12

SHA256
1d3dea1457f9ec4d083007b487ff94106ff562be4a4ed3e2ba41b8541d0037a5

SHA512
08e81e8fc03eaeb0f5635994ca05be57ac87b8d80a5be2781a95c96fae513559f940d89d23465f57064f31260969c74431108dfc87d86788b0c7b4a053914d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F93.tmp\QMU35kDgsiXP90y.exe

Filesize
641KB

MD5
1d450f8118ecfa3379fc5dcfa2c41b4a

SHA1
2f07e678ef051ba34aacc387b9aedf019d06aa12

SHA256
1d3dea1457f9ec4d083007b487ff94106ff562be4a4ed3e2ba41b8541d0037a5

SHA512
08e81e8fc03eaeb0f5635994ca05be57ac87b8d80a5be2781a95c96fae513559f940d89d23465f57064f31260969c74431108dfc87d86788b0c7b4a053914d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F93.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F93.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
cf167691e064ffee3fc50c155808e87e

SHA1
b723f25a795fe2883985df5a99dbe9475439c229

SHA256
5047b16935aea9760d1d607ba3272126ca924ba0bcd4a2ca6959dbebaab5214c

SHA512
c7edc0928492e29f40be54e8f4734394796fb93d10a14c07e4e3233c4c40d6478e0d92f45f1cdeded89a88f9c61d9df88432bc9ef4d98ce451b409f7ac14406e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F93.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
67690ea4bce8844f3bce2bb5841dde9b

SHA1
49d4897c2631b98a1676a3fd7ed835cfb79256ef

SHA256
516d43371ea6361e6c8f309ce18a96722e01e703a3a02146a183a52264510167

SHA512
bf87a56e20c66a22a09503b0e9f825872d2bbbc50b1771457f766a53047a05c531e2322ae1d201068081fa0b5e2f59392e55f28d58d36aa34cfb3d120c674f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F93.tmp\[email protected]\install.rdf

Filesize
598B

MD5
4c419a572591c9b7d595226ee05af2c8

SHA1
8fdc81600b4ae206e6917ccf302e35a3e4e1ccc8

SHA256
c59159ba15b82b8e998fe460e49c24747b69ea8416298df7c7233c34535ae525

SHA512
f3f5095f251689431bce9c0e8ba13d0b1fe64558bdf2f38b4a7f8e0aa0a6322ed44823386a2ee2307fec4404b9e7ccf4c27bca1ec54faac6aa3775e9d1cc221e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F93.tmp\efbpeingkhbncbdeembehnckeiidhibi\OQcAMS.js

Filesize
5KB

MD5
5bdfbae0794dca58c264d702a0fd3e10

SHA1
c7db4b9f3c7ab7f1bcf574eca6b4f0e18a80d8d2

SHA256
47de567694801d87e688d42e40927e903be38d9663114d5506f9a5ee13ab65ab

SHA512
a6cc364bd09cfd198da11d9bf4e721205063eade55c9e066143fde4af03ae9890c9c683f38cc399047698fa13c32ce23eec3aa385b2e3b6fffdd04c80e3a2f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F93.tmp\efbpeingkhbncbdeembehnckeiidhibi\background.html

Filesize
143B

MD5
dde9f49cbfbaf85fac27fe17b01751ce

SHA1
6dbdbf6aef2b0e8980d5552d96380f73572ef067

SHA256
9fabf8beada89542a05bbdb53bc06bc0cc351ad322447d479a8abf1f9dce7b6f

SHA512
b96e2aa2d7427b22013d14abbb0cd2c4316266b5e2fcae02c5adb17bd2ea78b4703deff549381354bcc00ecd307f3608eea6372b377a7810f3bf1c03c4fc9c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F93.tmp\efbpeingkhbncbdeembehnckeiidhibi\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F93.tmp\efbpeingkhbncbdeembehnckeiidhibi\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F93.tmp\efbpeingkhbncbdeembehnckeiidhibi\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F93.tmp\vq6fCn7tEEYlAm.dll

Filesize
622KB

MD5
76deb7dec4a615399ba9a1262e674bb3

SHA1
e7ff08fdae617738fd2517f4056ef1075fa9a336

SHA256
2faa672dee58c448d2dbe85c9a785b4791047964b297697847f3711f9c1a90d6

SHA512
6e51859656add39b720ff7ea44f7b16b73f80d73740897e198a657d6ce88a1615ea1405920a5f8dba6c3f0c130ae26e95d9de83171bed9781184cf5a0a101a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F93.tmp\vq6fCn7tEEYlAm.tlb

Filesize
3KB

MD5
7602225625cdd47f748f0656ea2bbfde

SHA1
686147caee96271092cd882c341fa3a37a5ebc70

SHA256
7191c986561d571c37d74ede50fc158c7cb037e9d50aa7056eb65ae264e63465

SHA512
5dda72246676c852cfd83fe71a9f08a1388714fd39e7d618b75dfb2de848b2104c2040e544cc8ad4db0055960b0dfb8dd333b2d279784414955ee2aafc4a0bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F93.tmp\vq6fCn7tEEYlAm.x64.dll

Filesize
701KB

MD5
90c1f871f4890f39667e7b149f297b2b

SHA1
e99fe2ffb087bf78272d0d5fe4f5501f42504c05

SHA256
e8a6bfc67352fa598e9ee363bd099b3d51191dc6bd536dbb096ed43986edec46

SHA512
fc3230c5f406313d89c36d5119f2db178ca2cf3d209c26df80571b084fe156d4e9c69f71a5ff7183d0fddfc2a42b3af9b97c6803f312598bc3a90b4d89868d44

Download Submit