1bca50e6ddf807ce243424c35ba29b51f8c9f5c6aceb6a53ee62ada5e835ca88

Analysis

max time kernel
42s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bca50e6ddf807ce243424c35ba29b51f8c9f5c6aceb6a53ee62ada5e835ca88.exe
Size

2.1MB
MD5

f38bdeb1fe6fe5dbc994326f434b436b
SHA1

92db2c67b9b7ca36b33b916ad5bea6b324dadf06
SHA256

1bca50e6ddf807ce243424c35ba29b51f8c9f5c6aceb6a53ee62ada5e835ca88
SHA512

800e0402793e22420a83518a7f6d975c8b9aa1a91278f875fc2477f2e960b49cef47500eee22c467b5c44afe8dc89b522f85cf397b06d9e22142a1705c1d89cc
SSDEEP

49152:h1Os0pj8guEgHdd4f8FEgePZDllAndSz1m+hoGT:h1O3pj8fEjMePZDgD8

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1648	iBjCQNnJNp50WhN.exe

Loads dropped DLL 4 IoCs

pid	Process
1632	1bca50e6ddf807ce243424c35ba29b51f8c9f5c6aceb6a53ee62ada5e835ca88.exe
1648	iBjCQNnJNp50WhN.exe
316	regsvr32.exe
1924	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfieehmgjgamkfoacbgkhabgmmkcmii\2.0\manifest.json	iBjCQNnJNp50WhN.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfieehmgjgamkfoacbgkhabgmmkcmii\2.0\manifest.json	iBjCQNnJNp50WhN.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfieehmgjgamkfoacbgkhabgmmkcmii\2.0\manifest.json	iBjCQNnJNp50WhN.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	iBjCQNnJNp50WhN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	iBjCQNnJNp50WhN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	iBjCQNnJNp50WhN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	iBjCQNnJNp50WhN.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	iBjCQNnJNp50WhN.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GoSave\G6y1MaRLoiyUiC.dll	iBjCQNnJNp50WhN.exe
File created	C:\Program Files (x86)\GoSave\G6y1MaRLoiyUiC.tlb	iBjCQNnJNp50WhN.exe
File opened for modification	C:\Program Files (x86)\GoSave\G6y1MaRLoiyUiC.tlb	iBjCQNnJNp50WhN.exe
File created	C:\Program Files (x86)\GoSave\G6y1MaRLoiyUiC.dat	iBjCQNnJNp50WhN.exe
File opened for modification	C:\Program Files (x86)\GoSave\G6y1MaRLoiyUiC.dat	iBjCQNnJNp50WhN.exe
File created	C:\Program Files (x86)\GoSave\G6y1MaRLoiyUiC.x64.dll	iBjCQNnJNp50WhN.exe
File opened for modification	C:\Program Files (x86)\GoSave\G6y1MaRLoiyUiC.x64.dll	iBjCQNnJNp50WhN.exe
File created	C:\Program Files (x86)\GoSave\G6y1MaRLoiyUiC.dll	iBjCQNnJNp50WhN.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1648	1632	1bca50e6ddf807ce243424c35ba29b51f8c9f5c6aceb6a53ee62ada5e835ca88.exe	28
PID 1632 wrote to memory of 1648	1632	1bca50e6ddf807ce243424c35ba29b51f8c9f5c6aceb6a53ee62ada5e835ca88.exe	28
PID 1632 wrote to memory of 1648	1632	1bca50e6ddf807ce243424c35ba29b51f8c9f5c6aceb6a53ee62ada5e835ca88.exe	28
PID 1632 wrote to memory of 1648	1632	1bca50e6ddf807ce243424c35ba29b51f8c9f5c6aceb6a53ee62ada5e835ca88.exe	28
PID 1648 wrote to memory of 316	1648	iBjCQNnJNp50WhN.exe	29
PID 1648 wrote to memory of 316	1648	iBjCQNnJNp50WhN.exe	29
PID 1648 wrote to memory of 316	1648	iBjCQNnJNp50WhN.exe	29
PID 1648 wrote to memory of 316	1648	iBjCQNnJNp50WhN.exe	29
PID 1648 wrote to memory of 316	1648	iBjCQNnJNp50WhN.exe	29
PID 1648 wrote to memory of 316	1648	iBjCQNnJNp50WhN.exe	29
PID 1648 wrote to memory of 316	1648	iBjCQNnJNp50WhN.exe	29
PID 316 wrote to memory of 1924	316	regsvr32.exe	30
PID 316 wrote to memory of 1924	316	regsvr32.exe	30
PID 316 wrote to memory of 1924	316	regsvr32.exe	30
PID 316 wrote to memory of 1924	316	regsvr32.exe	30
PID 316 wrote to memory of 1924	316	regsvr32.exe	30
PID 316 wrote to memory of 1924	316	regsvr32.exe	30
PID 316 wrote to memory of 1924	316	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\1bca50e6ddf807ce243424c35ba29b51f8c9f5c6aceb6a53ee62ada5e835ca88.exe
"C:\Users\Admin\AppData\Local\Temp\1bca50e6ddf807ce243424c35ba29b51f8c9f5c6aceb6a53ee62ada5e835ca88.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\7zSA7E4.tmp\iBjCQNnJNp50WhN.exe
  .\iBjCQNnJNp50WhN.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSave\G6y1MaRLoiyUiC.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSave\G6y1MaRLoiyUiC.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\G6y1MaRLoiyUiC.dat

Filesize
6KB

MD5
825126ff626e04284a16628a3edd9bf0

SHA1
013bc3e8e93536f570dce0f6370191be9ed81376

SHA256
919b1d8554e3ab1fed2ed3b2b3c1736b1ec774e1c9079760124ea0ae4858fa7c

SHA512
230bea043c3a36a14f270b914a094cd3427bfb4fa8720c4c24bf65c73b4cc9f43bbe5463f3e0a21a58f6de0c2e0c99c288405f90ba05e6a639efef3b91a650f6

Download Submit
C:\Program Files (x86)\GoSave\G6y1MaRLoiyUiC.x64.dll

Filesize
698KB

MD5
d849b62ecaba982b03bd28101d8ea633

SHA1
45f7a863feb99388d4222df2c271409487e95d0b

SHA256
8403b14eb417b0bbc9decadf0911129cbc5cf607b57ac136c33a7cc8c7359c7b

SHA512
e5ea1fa87d42c10199e49b1bba6f9158408ae0154d8717c17f3580b9bd64bb4a9295b1c34c1751b1ef35c63e24da8b182c395239145c14071b78e1181433e306

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA7E4.tmp\G6y1MaRLoiyUiC.dll

Filesize
617KB

MD5
38282da4c9ac22d997bde9aa82115045

SHA1
3c446e4380279201e681841e2e10c02938cb4204

SHA256
304d23b4d3c3a93900e50c06881800761b7a70153ffd45b9718b3af47b27d4fb

SHA512
20410386f9bf4e4695ae33b212c22ae2e64c0cb9fdd5747e57aad785d9b4a42ca9c8413149ee1c8e2af2704fc1b704ed88791c736354227d4580843dd682743f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA7E4.tmp\G6y1MaRLoiyUiC.tlb

Filesize
3KB

MD5
7eb752f26bb43cd7529a2f2e1c9a2aae

SHA1
99706272b5d6157baf0b99a2688b8df059d342e3

SHA256
7c0664a864f0f9e40c40ddba67a396549b19829f7cd977ae775ed28c3e9a6695

SHA512
e581356ed19ebe9f912cc60becb21483b63ccb519d333282a01902236ead1ef92aa2c2f9ba030d1d04e0de9fe75e41107cd34e01b6e762c527d43bd03e7970e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA7E4.tmp\G6y1MaRLoiyUiC.x64.dll

Filesize
698KB

MD5
d849b62ecaba982b03bd28101d8ea633

SHA1
45f7a863feb99388d4222df2c271409487e95d0b

SHA256
8403b14eb417b0bbc9decadf0911129cbc5cf607b57ac136c33a7cc8c7359c7b

SHA512
e5ea1fa87d42c10199e49b1bba6f9158408ae0154d8717c17f3580b9bd64bb4a9295b1c34c1751b1ef35c63e24da8b182c395239145c14071b78e1181433e306

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA7E4.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA7E4.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
5aca78311d5bf44fb77e9bea6008c5cc

SHA1
c23a0c9adf1dd612228e2087029941a577a60a5b

SHA256
fe94fdffa14c65205d3d17ea36084fc6c86b2e7677cea3272a513eab3c980678

SHA512
49a7ea0dfab12b0fd67c4d5267afad71da29838ecfe07e8aac88096f7fbb2960f8bbc23583cd6a77ff3474c7fcf9caa09ae65f0205e6af3f37a2ccbd6e7b7360

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA7E4.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
7b99197ccf9955f81dc240956e4562dc

SHA1
245fb26650b104da3c138331e4a65b3ea3ddf5ba

SHA256
63dcdb59eb1ea65a936f43e3ca5681910c7663747adedaec5a22425d9d8504f5

SHA512
c573f798fcae30aad533b3ea78b1be6f66945f03f40ab046f0de13a9fa51f422f325e3ff0113fb8e15887a338cd794b81597960988ba689dc84a3f9f8a3f5ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA7E4.tmp\[email protected]\install.rdf

Filesize
597B

MD5
7754366b8ee0161515f596128b90171b

SHA1
a9721780f688793227d704f77bb05b876f34ff11

SHA256
72583978c4038fd4aa1bda5549ecf4265b72c6d8651a0aa9bd08495acd8c01eb

SHA512
2f552f632359127aa9e955f78dd46b72a2885fcba57b3020c24021ce72de21827eaf95e2ab97df291d70baf8163e927459183af9c600a8247c27841d5b1afa39

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA7E4.tmp\iBjCQNnJNp50WhN.dat

Filesize
6KB

MD5
825126ff626e04284a16628a3edd9bf0

SHA1
013bc3e8e93536f570dce0f6370191be9ed81376

SHA256
919b1d8554e3ab1fed2ed3b2b3c1736b1ec774e1c9079760124ea0ae4858fa7c

SHA512
230bea043c3a36a14f270b914a094cd3427bfb4fa8720c4c24bf65c73b4cc9f43bbe5463f3e0a21a58f6de0c2e0c99c288405f90ba05e6a639efef3b91a650f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA7E4.tmp\iBjCQNnJNp50WhN.exe

Filesize
624KB

MD5
3850cc4e5a43481d30eb2b611315f92f

SHA1
30149abe80dac786e329dbf93fd2a216e879a6e2

SHA256
175d7bdbedad2c221ccab76be7f0993e3b6fb5dda7b3093e6b81601235483562

SHA512
f64b683d6f87cfa0a74dd5acc81b732f6e002e7de61066bbe66300764cf2e9b1fc2f1c16467ce2154020dc54c34f63933cb18769f90c920c84532cc682476a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA7E4.tmp\iBjCQNnJNp50WhN.exe

Filesize
624KB

MD5
3850cc4e5a43481d30eb2b611315f92f

SHA1
30149abe80dac786e329dbf93fd2a216e879a6e2

SHA256
175d7bdbedad2c221ccab76be7f0993e3b6fb5dda7b3093e6b81601235483562

SHA512
f64b683d6f87cfa0a74dd5acc81b732f6e002e7de61066bbe66300764cf2e9b1fc2f1c16467ce2154020dc54c34f63933cb18769f90c920c84532cc682476a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA7E4.tmp\jmfieehmgjgamkfoacbgkhabgmmkcmii\background.html

Filesize
139B

MD5
13ccfc55a49e078c8871c20e15bcd983

SHA1
2f5e5dcd392afbe3c2bca53c0d4f7a3722efb818

SHA256
59669e93ead9cabfe56c24ca08b2c50c3f36d7d987f56926a615b32df1bc8335

SHA512
6d84dee33847fc3caef9af521c7f5fc640d0ee6893fcc4d082e6c60c57828263d560cdf99882b2cbf4369adf7e8b775677c80fcdb0ce18c79328b25f95fb1339

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA7E4.tmp\jmfieehmgjgamkfoacbgkhabgmmkcmii\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA7E4.tmp\jmfieehmgjgamkfoacbgkhabgmmkcmii\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA7E4.tmp\jmfieehmgjgamkfoacbgkhabgmmkcmii\manifest.json

Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA7E4.tmp\jmfieehmgjgamkfoacbgkhabgmmkcmii\zX.js

Filesize
5KB

MD5
78ea67d40808569274891b3f4a2f8134

SHA1
a9ea4ce67aa58696c17ccd52956850eed139003f

SHA256
7ca29f71171240fcae1a530027e46f3e63e7f5ac311a94a4dc3fc57f6900b1f3

SHA512
8696df970e8a6e72c59029f32af85f4f3de6d2239840f8d7095da4b586e467e68ced43cccf6a29e4b9f846faaaf0bf2c69408f71f26973efdb71502a6dc9f419

Download Submit
\Program Files (x86)\GoSave\G6y1MaRLoiyUiC.dll

Filesize
617KB

MD5
38282da4c9ac22d997bde9aa82115045

SHA1
3c446e4380279201e681841e2e10c02938cb4204

SHA256
304d23b4d3c3a93900e50c06881800761b7a70153ffd45b9718b3af47b27d4fb

SHA512
20410386f9bf4e4695ae33b212c22ae2e64c0cb9fdd5747e57aad785d9b4a42ca9c8413149ee1c8e2af2704fc1b704ed88791c736354227d4580843dd682743f

Download Submit
\Program Files (x86)\GoSave\G6y1MaRLoiyUiC.x64.dll

Filesize
698KB

MD5
d849b62ecaba982b03bd28101d8ea633

SHA1
45f7a863feb99388d4222df2c271409487e95d0b

SHA256
8403b14eb417b0bbc9decadf0911129cbc5cf607b57ac136c33a7cc8c7359c7b

SHA512
e5ea1fa87d42c10199e49b1bba6f9158408ae0154d8717c17f3580b9bd64bb4a9295b1c34c1751b1ef35c63e24da8b182c395239145c14071b78e1181433e306

Download Submit
\Program Files (x86)\GoSave\G6y1MaRLoiyUiC.x64.dll

Filesize
698KB

MD5
d849b62ecaba982b03bd28101d8ea633

SHA1
45f7a863feb99388d4222df2c271409487e95d0b

SHA256
8403b14eb417b0bbc9decadf0911129cbc5cf607b57ac136c33a7cc8c7359c7b

SHA512
e5ea1fa87d42c10199e49b1bba6f9158408ae0154d8717c17f3580b9bd64bb4a9295b1c34c1751b1ef35c63e24da8b182c395239145c14071b78e1181433e306

Download Submit
\Users\Admin\AppData\Local\Temp\7zSA7E4.tmp\iBjCQNnJNp50WhN.exe

Filesize
624KB

MD5
3850cc4e5a43481d30eb2b611315f92f

SHA1
30149abe80dac786e329dbf93fd2a216e879a6e2

SHA256
175d7bdbedad2c221ccab76be7f0993e3b6fb5dda7b3093e6b81601235483562

SHA512
f64b683d6f87cfa0a74dd5acc81b732f6e002e7de61066bbe66300764cf2e9b1fc2f1c16467ce2154020dc54c34f63933cb18769f90c920c84532cc682476a7f

Download Submit
memory/316-73-0x0000000000000000-mapping.dmp

Download
memory/1632-54-0x00000000757B1000-0x00000000757B3000-memory.dmp

Filesize
8KB

Download
memory/1648-56-0x0000000000000000-mapping.dmp

Download
memory/1924-78-0x0000000000000000-mapping.dmp

Download
memory/1924-79-0x000007FEFB851000-0x000007FEFB853000-memory.dmp

Filesize
8KB

Download