d876d031100e4a3738b4945ac595f17e89d0f1e3bec98a520657102d4b6bb14d

Analysis

max time kernel
103s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 22:33 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d876d031100e4a3738b4945ac595f17e89d0f1e3bec98a520657102d4b6bb14d.exe
Size

2.1MB
MD5

a3b869b5cd18047d3a85acf0fec996fe
SHA1

c5f7f981763a5adbb998692b55eaf8ef26662156
SHA256

d876d031100e4a3738b4945ac595f17e89d0f1e3bec98a520657102d4b6bb14d
SHA512

a90932256ef7622c210bef05b7791f428c7ee1c219e6ea1c89e5b44a3618ef96e37c8f0987c277c15f74f92889a3958f85eab42146220717367d0fb0bc0020a9
SSDEEP

49152:h1Os3YIGWkf6jd9YMhKKumq+4oAczj/i6jgvb7GvKSa:h1OEdd9YMhKgq+4f7

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1716	ofnALGRDKiZctXV.exe

Loads dropped DLL 4 IoCs

pid	Process
576	d876d031100e4a3738b4945ac595f17e89d0f1e3bec98a520657102d4b6bb14d.exe
1716	ofnALGRDKiZctXV.exe
452	regsvr32.exe
1440	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkbkkakkppgnlpdlhejhjkdfhfjakgpa\2.0\manifest.json	ofnALGRDKiZctXV.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkbkkakkppgnlpdlhejhjkdfhfjakgpa\2.0\manifest.json	ofnALGRDKiZctXV.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkbkkakkppgnlpdlhejhjkdfhfjakgpa\2.0\manifest.json	ofnALGRDKiZctXV.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	ofnALGRDKiZctXV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	ofnALGRDKiZctXV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	ofnALGRDKiZctXV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	ofnALGRDKiZctXV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	ofnALGRDKiZctXV.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GooSoaVe\2JIGv7jFosDitQ.dll	ofnALGRDKiZctXV.exe
File created	C:\Program Files (x86)\GooSoaVe\2JIGv7jFosDitQ.tlb	ofnALGRDKiZctXV.exe
File opened for modification	C:\Program Files (x86)\GooSoaVe\2JIGv7jFosDitQ.tlb	ofnALGRDKiZctXV.exe
File created	C:\Program Files (x86)\GooSoaVe\2JIGv7jFosDitQ.dat	ofnALGRDKiZctXV.exe
File opened for modification	C:\Program Files (x86)\GooSoaVe\2JIGv7jFosDitQ.dat	ofnALGRDKiZctXV.exe
File created	C:\Program Files (x86)\GooSoaVe\2JIGv7jFosDitQ.x64.dll	ofnALGRDKiZctXV.exe
File opened for modification	C:\Program Files (x86)\GooSoaVe\2JIGv7jFosDitQ.x64.dll	ofnALGRDKiZctXV.exe
File created	C:\Program Files (x86)\GooSoaVe\2JIGv7jFosDitQ.dll	ofnALGRDKiZctXV.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 1716	576	d876d031100e4a3738b4945ac595f17e89d0f1e3bec98a520657102d4b6bb14d.exe	28
PID 576 wrote to memory of 1716	576	d876d031100e4a3738b4945ac595f17e89d0f1e3bec98a520657102d4b6bb14d.exe	28
PID 576 wrote to memory of 1716	576	d876d031100e4a3738b4945ac595f17e89d0f1e3bec98a520657102d4b6bb14d.exe	28
PID 576 wrote to memory of 1716	576	d876d031100e4a3738b4945ac595f17e89d0f1e3bec98a520657102d4b6bb14d.exe	28
PID 1716 wrote to memory of 452	1716	ofnALGRDKiZctXV.exe	29
PID 1716 wrote to memory of 452	1716	ofnALGRDKiZctXV.exe	29
PID 1716 wrote to memory of 452	1716	ofnALGRDKiZctXV.exe	29
PID 1716 wrote to memory of 452	1716	ofnALGRDKiZctXV.exe	29
PID 1716 wrote to memory of 452	1716	ofnALGRDKiZctXV.exe	29
PID 1716 wrote to memory of 452	1716	ofnALGRDKiZctXV.exe	29
PID 1716 wrote to memory of 452	1716	ofnALGRDKiZctXV.exe	29
PID 452 wrote to memory of 1440	452	regsvr32.exe	30
PID 452 wrote to memory of 1440	452	regsvr32.exe	30
PID 452 wrote to memory of 1440	452	regsvr32.exe	30
PID 452 wrote to memory of 1440	452	regsvr32.exe	30
PID 452 wrote to memory of 1440	452	regsvr32.exe	30
PID 452 wrote to memory of 1440	452	regsvr32.exe	30
PID 452 wrote to memory of 1440	452	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\d876d031100e4a3738b4945ac595f17e89d0f1e3bec98a520657102d4b6bb14d.exe
"C:\Users\Admin\AppData\Local\Temp\d876d031100e4a3738b4945ac595f17e89d0f1e3bec98a520657102d4b6bb14d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576
- C:\Users\Admin\AppData\Local\Temp\7zS6E3E.tmp\ofnALGRDKiZctXV.exe
  .\ofnALGRDKiZctXV.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GooSoaVe\2JIGv7jFosDitQ.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GooSoaVe\2JIGv7jFosDitQ.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GooSoaVe\2JIGv7jFosDitQ.dat

Filesize
6KB

MD5
f1a367c86aa9e47d12c635c955cc7d93

SHA1
3cb237a555a32b6d83bcc4f987f77060d3110292

SHA256
e2b06c1fbafa2c7c93be49c7e01b2f15c6135b3904bf15922521689f1567ca8d

SHA512
61ed022f6db4e05109a263da5283af4808418ae65e01842a56e12bb26c7473bf70283e32cc6988f0ef20236d85d047f66e8a533ae8f731c9085f54b950239345

Download Submit
C:\Program Files (x86)\GooSoaVe\2JIGv7jFosDitQ.x64.dll

Filesize
700KB

MD5
401087ab67c6d917bf08d82f011d9eee

SHA1
d13dbf241d214d6036f8c6276e0e305fc2ac2b8a

SHA256
fada9f28483ab94341359011d5ab92a6fa2418d010aa3eb1c485c19db15e62f5

SHA512
4d952fc0a2ef968997d62d901a731193105da2f4541abf4eb3e5c99e247edc7ffb15ae55a8d0e5d228ae704b0a7ff7dca24e14312f778896d834971e7f3d8af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E3E.tmp\2JIGv7jFosDitQ.dll

Filesize
623KB

MD5
103866fff4628ada4be6e5235b2ebf5d

SHA1
86ca018b33c7cdb953371ee1e290313b9a54a251

SHA256
963728f71b4ecee9380a18f5bbc6930256be6018a8087a9964f98ba3e17b7a7c

SHA512
2a8f9ce8854bab77b801eb146934e267de3cca83727a8a7c13885b41c75a0b563fdd0cb1683f78057fc6833b22d9d14c5ef0d3707753293d59d4b61f7a9744c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E3E.tmp\2JIGv7jFosDitQ.tlb

Filesize
3KB

MD5
3c920faafd032eeda08e4166860d4318

SHA1
26451ee3659c4a217f42ebd07f254679ab452f3a

SHA256
3377d0af1044505271c64fc342e22a7a24b757e5471657f656ac743373e22857

SHA512
327668001f94842eee3ff1dc44c70ddca5da3a0bb49aeea6b3162608b07496456e78bcb3de0462e5e375b349e813f13fd02e61b9e389b1d954cea2628c3c4a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E3E.tmp\2JIGv7jFosDitQ.x64.dll

Filesize
700KB

MD5
401087ab67c6d917bf08d82f011d9eee

SHA1
d13dbf241d214d6036f8c6276e0e305fc2ac2b8a

SHA256
fada9f28483ab94341359011d5ab92a6fa2418d010aa3eb1c485c19db15e62f5

SHA512
4d952fc0a2ef968997d62d901a731193105da2f4541abf4eb3e5c99e247edc7ffb15ae55a8d0e5d228ae704b0a7ff7dca24e14312f778896d834971e7f3d8af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E3E.tmp\OV01sGvZi@U.net\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E3E.tmp\OV01sGvZi@U.net\chrome.manifest

Filesize
35B

MD5
141bb1d26f8dd8afb58391eafbca91e3

SHA1
4ee844419c4a26dcd2c2b8ffb79ff5c6cbdf7699

SHA256
7d8d2fbce8188923192f78dd4fa588b2d5dfca2d601fd2cb4260640a9cd3d70d

SHA512
502e16484c71f779564f436a6f4706bd6ba6daaf6c1f682b2f889252c88cd35376a7e323216de7d27abef9e2293aa14d75ecfefefb751f2107bbaa221db8411e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E3E.tmp\OV01sGvZi@U.net\content\bg.js

Filesize
7KB

MD5
5bad0fe7fb1bc8d5a3cfe674c4ebca30

SHA1
543a12c3ef0eca1d314514de7ca51a75578d9f70

SHA256
7eb82ceb4cf8d24f8cae831455453b2fdc8a9fd1438a3384b113a129ce97120c

SHA512
82b2cd6e91aef8bc590c7da565f502c8740075515b16e2443d8373b6be8f68fb6cfdaf51380872435580f265012092d340ac1099060e6285bb14ea6a34bbdb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E3E.tmp\OV01sGvZi@U.net\install.rdf

Filesize
599B

MD5
81378aafecc9b4b05a73a97774d4231b

SHA1
a426bec64238742de587f574f19b601f6c19f32e

SHA256
aeb67f289cd9583b8a0f0acba4b4e173248f00cca22da12d1f8127dcf292e847

SHA512
3c3d728f428e95910f1b9760fc8fa16aecedf1f8634d1c1c5b0cae2331aad1f579778a12519626e6389274ee3f925d01c642180839cfa4415bb3de056269c3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E3E.tmp\ofnALGRDKiZctXV.dat

Filesize
6KB

MD5
f1a367c86aa9e47d12c635c955cc7d93

SHA1
3cb237a555a32b6d83bcc4f987f77060d3110292

SHA256
e2b06c1fbafa2c7c93be49c7e01b2f15c6135b3904bf15922521689f1567ca8d

SHA512
61ed022f6db4e05109a263da5283af4808418ae65e01842a56e12bb26c7473bf70283e32cc6988f0ef20236d85d047f66e8a533ae8f731c9085f54b950239345

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E3E.tmp\ofnALGRDKiZctXV.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E3E.tmp\ofnALGRDKiZctXV.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E3E.tmp\pkbkkakkppgnlpdlhejhjkdfhfjakgpa\HDlhj.js

Filesize
5KB

MD5
43a92aa23c487b1be5020c0cd3f7c155

SHA1
dd9e2d129966d88ae2b9bd75d6fb68c0bb5b34b6

SHA256
d037c53057eb454556f42f3b1bfdfb02ecae400e5aeb400e6d9e62e87301e98f

SHA512
db8ddd88f8376a4ed02515fd4f59cf9503d3e867530d99fdf58105ebfbd34fd57a15fe0d12c9a5d9e2bf3780d0d9e0a8f85dc9d8e38828a5234d5d6657b6ae1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E3E.tmp\pkbkkakkppgnlpdlhejhjkdfhfjakgpa\background.html

Filesize
142B

MD5
c4dce73e18498b4186db148fb3f08961

SHA1
f09686928b60c4a6b4a0665a599235ba83e34661

SHA256
16f0e8ba94753d40c1af7e9c242d8bc74656eceb0b5b6a9863fb2a2535e5ca62

SHA512
c055388ba054abaade921a18f0811c328bcd1074458fedba89a180d57ad51fdab9c88411ace6df7d827d79fef2cabbe6a2cb9b995eacb2ca1e68b7a63bee2d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E3E.tmp\pkbkkakkppgnlpdlhejhjkdfhfjakgpa\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E3E.tmp\pkbkkakkppgnlpdlhejhjkdfhfjakgpa\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E3E.tmp\pkbkkakkppgnlpdlhejhjkdfhfjakgpa\manifest.json

Filesize
500B

MD5
96aa632285e199d54d346e088c234340

SHA1
4117b3d65a48742f6557da1a11b1a56cd20a02e9

SHA256
60aa94ac58d62c32205d07a470af3751d567d6044b34349b9a2a2faf81b21519

SHA512
59dda3644ab7415175e2a28d0badd2efe5dca3b2bd0a4c19911c3fbc88ab70bb07ae6c79572e4ad243d3cf2c8a118848a1f3c59337ecdebdb6a7c053a2d84862

Download Submit
\Program Files (x86)\GooSoaVe\2JIGv7jFosDitQ.dll

Filesize
623KB

MD5
103866fff4628ada4be6e5235b2ebf5d

SHA1
86ca018b33c7cdb953371ee1e290313b9a54a251

SHA256
963728f71b4ecee9380a18f5bbc6930256be6018a8087a9964f98ba3e17b7a7c

SHA512
2a8f9ce8854bab77b801eb146934e267de3cca83727a8a7c13885b41c75a0b563fdd0cb1683f78057fc6833b22d9d14c5ef0d3707753293d59d4b61f7a9744c3

Download Submit
\Program Files (x86)\GooSoaVe\2JIGv7jFosDitQ.x64.dll

Filesize
700KB

MD5
401087ab67c6d917bf08d82f011d9eee

SHA1
d13dbf241d214d6036f8c6276e0e305fc2ac2b8a

SHA256
fada9f28483ab94341359011d5ab92a6fa2418d010aa3eb1c485c19db15e62f5

SHA512
4d952fc0a2ef968997d62d901a731193105da2f4541abf4eb3e5c99e247edc7ffb15ae55a8d0e5d228ae704b0a7ff7dca24e14312f778896d834971e7f3d8af6

Download Submit
\Program Files (x86)\GooSoaVe\2JIGv7jFosDitQ.x64.dll

Filesize
700KB

MD5
401087ab67c6d917bf08d82f011d9eee

SHA1
d13dbf241d214d6036f8c6276e0e305fc2ac2b8a

SHA256
fada9f28483ab94341359011d5ab92a6fa2418d010aa3eb1c485c19db15e62f5

SHA512
4d952fc0a2ef968997d62d901a731193105da2f4541abf4eb3e5c99e247edc7ffb15ae55a8d0e5d228ae704b0a7ff7dca24e14312f778896d834971e7f3d8af6

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6E3E.tmp\ofnALGRDKiZctXV.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
memory/576-54-0x0000000076D71000-0x0000000076D73000-memory.dmp

Filesize
8KB

Download
memory/1440-78-0x000007FEFC461000-0x000007FEFC463000-memory.dmp

Filesize
8KB

Download