dbc8acc69a74cae76fa559a1a54bf0f1bd5f3d107975a1352cb8e48e8e2b6682

Analysis

max time kernel
27s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbc8acc69a74cae76fa559a1a54bf0f1bd5f3d107975a1352cb8e48e8e2b6682.exe
Size

2.1MB
MD5

153d1142b4b30abf546bc234c80c4b81
SHA1

f5ed39b7a5601a5075d810ebf9b19ce39077d981
SHA256

dbc8acc69a74cae76fa559a1a54bf0f1bd5f3d107975a1352cb8e48e8e2b6682
SHA512

7bda5657bb82b254eea625c97868cb1d83de897c015410d33b70b5da1c9587e4db3e8c493c53b7e83871dbc386ea07df737a4654604055a5d56bad89a92c8f03
SSDEEP

49152:h1Os0IqRs6dLxUsBLmKxbjLHUgp1eR3JuX7:h1ONIwdOsBK2LH/OM

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1724	ruolYAXsGJC7T2S.exe

Loads dropped DLL 4 IoCs

pid	Process
876	dbc8acc69a74cae76fa559a1a54bf0f1bd5f3d107975a1352cb8e48e8e2b6682.exe
1724	ruolYAXsGJC7T2S.exe
1760	regsvr32.exe
1244	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\naodcemmbcficdpcapkpcgjkpbjcepkd\2.0\manifest.json	ruolYAXsGJC7T2S.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\naodcemmbcficdpcapkpcgjkpbjcepkd\2.0\manifest.json	ruolYAXsGJC7T2S.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\naodcemmbcficdpcapkpcgjkpbjcepkd\2.0\manifest.json	ruolYAXsGJC7T2S.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	ruolYAXsGJC7T2S.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	ruolYAXsGJC7T2S.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	ruolYAXsGJC7T2S.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	ruolYAXsGJC7T2S.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	ruolYAXsGJC7T2S.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GoSave\4pM58xFh4xkj5y.tlb	ruolYAXsGJC7T2S.exe
File created	C:\Program Files (x86)\GoSave\4pM58xFh4xkj5y.dat	ruolYAXsGJC7T2S.exe
File opened for modification	C:\Program Files (x86)\GoSave\4pM58xFh4xkj5y.dat	ruolYAXsGJC7T2S.exe
File created	C:\Program Files (x86)\GoSave\4pM58xFh4xkj5y.x64.dll	ruolYAXsGJC7T2S.exe
File opened for modification	C:\Program Files (x86)\GoSave\4pM58xFh4xkj5y.x64.dll	ruolYAXsGJC7T2S.exe
File created	C:\Program Files (x86)\GoSave\4pM58xFh4xkj5y.dll	ruolYAXsGJC7T2S.exe
File opened for modification	C:\Program Files (x86)\GoSave\4pM58xFh4xkj5y.dll	ruolYAXsGJC7T2S.exe
File created	C:\Program Files (x86)\GoSave\4pM58xFh4xkj5y.tlb	ruolYAXsGJC7T2S.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 1724	876	dbc8acc69a74cae76fa559a1a54bf0f1bd5f3d107975a1352cb8e48e8e2b6682.exe	28
PID 876 wrote to memory of 1724	876	dbc8acc69a74cae76fa559a1a54bf0f1bd5f3d107975a1352cb8e48e8e2b6682.exe	28
PID 876 wrote to memory of 1724	876	dbc8acc69a74cae76fa559a1a54bf0f1bd5f3d107975a1352cb8e48e8e2b6682.exe	28
PID 876 wrote to memory of 1724	876	dbc8acc69a74cae76fa559a1a54bf0f1bd5f3d107975a1352cb8e48e8e2b6682.exe	28
PID 1724 wrote to memory of 1760	1724	ruolYAXsGJC7T2S.exe	29
PID 1724 wrote to memory of 1760	1724	ruolYAXsGJC7T2S.exe	29
PID 1724 wrote to memory of 1760	1724	ruolYAXsGJC7T2S.exe	29
PID 1724 wrote to memory of 1760	1724	ruolYAXsGJC7T2S.exe	29
PID 1724 wrote to memory of 1760	1724	ruolYAXsGJC7T2S.exe	29
PID 1724 wrote to memory of 1760	1724	ruolYAXsGJC7T2S.exe	29
PID 1724 wrote to memory of 1760	1724	ruolYAXsGJC7T2S.exe	29
PID 1760 wrote to memory of 1244	1760	regsvr32.exe	30
PID 1760 wrote to memory of 1244	1760	regsvr32.exe	30
PID 1760 wrote to memory of 1244	1760	regsvr32.exe	30
PID 1760 wrote to memory of 1244	1760	regsvr32.exe	30
PID 1760 wrote to memory of 1244	1760	regsvr32.exe	30
PID 1760 wrote to memory of 1244	1760	regsvr32.exe	30
PID 1760 wrote to memory of 1244	1760	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\dbc8acc69a74cae76fa559a1a54bf0f1bd5f3d107975a1352cb8e48e8e2b6682.exe
"C:\Users\Admin\AppData\Local\Temp\dbc8acc69a74cae76fa559a1a54bf0f1bd5f3d107975a1352cb8e48e8e2b6682.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\AppData\Local\Temp\7zS2666.tmp\ruolYAXsGJC7T2S.exe
  .\ruolYAXsGJC7T2S.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSave\4pM58xFh4xkj5y.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSave\4pM58xFh4xkj5y.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\4pM58xFh4xkj5y.dat

Filesize
6KB

MD5
a4cb7fd3f7263fb0fc8618e2454cb736

SHA1
c01ff0e370a2cdec9ecd9590168358d20885f27e

SHA256
699bf1fc4a62726da55335031bcff56495076f3258c42d1100005c94e013007a

SHA512
4ed82502873359a8032655d2de8703dc575d2ee10ab73d232cf5c5b3017c88eec1046ae9fc5903011451e2bf9ee0e262d5b1f7a2f95e492729ee593dbf9532b4

Download Submit
C:\Program Files (x86)\GoSave\4pM58xFh4xkj5y.x64.dll

Filesize
697KB

MD5
23ad68ee70d2413eeab4dceeb8c86d0f

SHA1
168c74861643a81642db54da501e7019c4c8befb

SHA256
11b280d9010eb9083eb31d2f3e848242a93396873e977c94378a7e148a498496

SHA512
5da3b20d908f163cf48a4d19eb6c0956dd90c0f8ee39c5cd9608a8261433cadcd113b13e62cdfa7194981877a5f1ad13ea9973b96c677b891a2ada13ed6385c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2666.tmp\4pM58xFh4xkj5y.dll

Filesize
618KB

MD5
f97a736f62d4ffa6ab0a122d7f258949

SHA1
58c4dd296c9a16b5e2f6148ac6b6e5fedddf312b

SHA256
74b249b8a3eeb48625a16e26fcebe583a0a67719361cfba8dba3dc29562783c4

SHA512
554ae9c930fbf0938f116c821abcc2f0b0cfb073844c5843b8e055e9a6aed054467f87d546706b498b4b6a55993cb3061fb6632d79569d7c6b345d2fa0c5945a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2666.tmp\4pM58xFh4xkj5y.tlb

Filesize
3KB

MD5
81eeb6476ae12975e506f0d619c0233d

SHA1
5a6e36815b04261a4aab15a04f6444fe9dda78ed

SHA256
5279a4e8c3b896c885db8a2b7285d3f39c9a3cedbca84476b1cdce87bcd78843

SHA512
d5256ef992f443f4c1577389559db46c4991c47bfdcfb97a5f9b724b1ce70ed32f75318a38aff16628c97d664110dbec86fd459266a8c662dd38483a2c20dfad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2666.tmp\4pM58xFh4xkj5y.x64.dll

Filesize
697KB

MD5
23ad68ee70d2413eeab4dceeb8c86d0f

SHA1
168c74861643a81642db54da501e7019c4c8befb

SHA256
11b280d9010eb9083eb31d2f3e848242a93396873e977c94378a7e148a498496

SHA512
5da3b20d908f163cf48a4d19eb6c0956dd90c0f8ee39c5cd9608a8261433cadcd113b13e62cdfa7194981877a5f1ad13ea9973b96c677b891a2ada13ed6385c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2666.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2666.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
b04bada374bcc09ec2c7528d19c5d819

SHA1
f226c5803b38d3b672038b7bfd5354dd4fcfc35a

SHA256
792ada35ebd4b8cfa001e8e7963e4b00aa6cf6be5cead70fde45e83e97120979

SHA512
b4c62774ee6c90749127f972e48fc11d2d9d12b8864a717513387f5d6ba10e08006d953c4e298858e9ebd612d0f2c1f6e035e80c1b2cdec1beba8244a617bc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2666.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
f3b0118252b6bffbf76d2f7c6c4bcf80

SHA1
acdeae1668b73befe1268f5679a36de7790a97a5

SHA256
5c23af8cfaf1d244519c0c0f5c26c5668edd7f67ad15c3b44058b021799a2d26

SHA512
1af72c0092ec5ba2434316afd116d1eb8716f037d5adba778abc6f973cb402d02a425356095dd3231f55bd1858701c6afed040539825ca3e1567820c58c39931

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2666.tmp\[email protected]\install.rdf

Filesize
598B

MD5
4fd9f95b1a652b12ca63c52753d433b6

SHA1
a50c05f0032d7a75accc3435338fde0201154304

SHA256
3c16e66237c4599f05802b6720005afaba31b345dc83a0fce170c74a7fcbbb52

SHA512
9a568a157a363c77ab839b6d9c4d875f8c715d1290196cae0ec2abcc709a4794829625c8a0e498b08a79536dadba3bfd4805649064785bc3e086425df9f37367

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2666.tmp\naodcemmbcficdpcapkpcgjkpbjcepkd\background.html

Filesize
141B

MD5
d7d3c62353a99998bfbcf4e25c0f0e72

SHA1
0d049e095a0533d7e70a257c9d6d77ad256be22b

SHA256
af1615991557761bb0971973fd0a143d3851495e6c387868bbea78aa599e9f96

SHA512
142c582e0594c699144c7139b861f7bad144933d3917ad094bdc80c31b22d1b581b18e5f84c252bea1271a901fcbe50b4e927893feda86163a8dbc43e2220aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2666.tmp\naodcemmbcficdpcapkpcgjkpbjcepkd\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2666.tmp\naodcemmbcficdpcapkpcgjkpbjcepkd\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2666.tmp\naodcemmbcficdpcapkpcgjkpbjcepkd\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2666.tmp\naodcemmbcficdpcapkpcgjkpbjcepkd\v6WL.js

Filesize
5KB

MD5
a036978bed2c1f47edad55f0026e6d32

SHA1
d63707a10821299e669a99c2c3023c78a57e7cc1

SHA256
cfe62c39a6e2f4dfd59b1f083f64958c07ed5451c70878f9e9898784ff576e1b

SHA512
83a4dec4af97f983c8ac10c84a61a098702a47ef217f8207c634e95fd2b3d5555598613e4c90f269dfc26b3ff3fa2290f08849e89e01817c6425c4823b981562

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2666.tmp\ruolYAXsGJC7T2S.dat

Filesize
6KB

MD5
a4cb7fd3f7263fb0fc8618e2454cb736

SHA1
c01ff0e370a2cdec9ecd9590168358d20885f27e

SHA256
699bf1fc4a62726da55335031bcff56495076f3258c42d1100005c94e013007a

SHA512
4ed82502873359a8032655d2de8703dc575d2ee10ab73d232cf5c5b3017c88eec1046ae9fc5903011451e2bf9ee0e262d5b1f7a2f95e492729ee593dbf9532b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2666.tmp\ruolYAXsGJC7T2S.exe

Filesize
639KB

MD5
192c035eeba4a5ba246f96e10295fbd9

SHA1
a796b6f3e06477149b783217fb46d1485f51ea6c

SHA256
0434e7a9dbe12ad0cbec2d4a66e9d7a14bfcb3676b8b91eade3bd2da5323b112

SHA512
b8c59521e72b291c39d94f3436ccf9e0756cd383f913129e38c755b8479b9f084078ff1d9efd5514e9d64093f78053e986a27f2ebf304cab0871b21108443ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2666.tmp\ruolYAXsGJC7T2S.exe

Filesize
639KB

MD5
192c035eeba4a5ba246f96e10295fbd9

SHA1
a796b6f3e06477149b783217fb46d1485f51ea6c

SHA256
0434e7a9dbe12ad0cbec2d4a66e9d7a14bfcb3676b8b91eade3bd2da5323b112

SHA512
b8c59521e72b291c39d94f3436ccf9e0756cd383f913129e38c755b8479b9f084078ff1d9efd5514e9d64093f78053e986a27f2ebf304cab0871b21108443ab6

Download Submit
\Program Files (x86)\GoSave\4pM58xFh4xkj5y.dll

Filesize
618KB

MD5
f97a736f62d4ffa6ab0a122d7f258949

SHA1
58c4dd296c9a16b5e2f6148ac6b6e5fedddf312b

SHA256
74b249b8a3eeb48625a16e26fcebe583a0a67719361cfba8dba3dc29562783c4

SHA512
554ae9c930fbf0938f116c821abcc2f0b0cfb073844c5843b8e055e9a6aed054467f87d546706b498b4b6a55993cb3061fb6632d79569d7c6b345d2fa0c5945a

Download Submit
\Program Files (x86)\GoSave\4pM58xFh4xkj5y.x64.dll

Filesize
697KB

MD5
23ad68ee70d2413eeab4dceeb8c86d0f

SHA1
168c74861643a81642db54da501e7019c4c8befb

SHA256
11b280d9010eb9083eb31d2f3e848242a93396873e977c94378a7e148a498496

SHA512
5da3b20d908f163cf48a4d19eb6c0956dd90c0f8ee39c5cd9608a8261433cadcd113b13e62cdfa7194981877a5f1ad13ea9973b96c677b891a2ada13ed6385c7

Download Submit
\Program Files (x86)\GoSave\4pM58xFh4xkj5y.x64.dll

Filesize
697KB

MD5
23ad68ee70d2413eeab4dceeb8c86d0f

SHA1
168c74861643a81642db54da501e7019c4c8befb

SHA256
11b280d9010eb9083eb31d2f3e848242a93396873e977c94378a7e148a498496

SHA512
5da3b20d908f163cf48a4d19eb6c0956dd90c0f8ee39c5cd9608a8261433cadcd113b13e62cdfa7194981877a5f1ad13ea9973b96c677b891a2ada13ed6385c7

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2666.tmp\ruolYAXsGJC7T2S.exe

Filesize
639KB

MD5
192c035eeba4a5ba246f96e10295fbd9

SHA1
a796b6f3e06477149b783217fb46d1485f51ea6c

SHA256
0434e7a9dbe12ad0cbec2d4a66e9d7a14bfcb3676b8b91eade3bd2da5323b112

SHA512
b8c59521e72b291c39d94f3436ccf9e0756cd383f913129e38c755b8479b9f084078ff1d9efd5514e9d64093f78053e986a27f2ebf304cab0871b21108443ab6

Download Submit
memory/876-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1244-78-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

Filesize
8KB

Download
memory/1244-77-0x0000000000000000-mapping.dmp

Download
memory/1724-56-0x0000000000000000-mapping.dmp

Download
memory/1760-73-0x0000000000000000-mapping.dmp

Download