84e7e43196b6cb1842801a8f20f479350b2c7ec01ce0664baa67de8e5c58040c

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 05:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

84e7e43196b6cb1842801a8f20f479350b2c7ec01ce0664baa67de8e5c58040c.exe
Size

2.0MB
MD5

084fc0fe8190a1c41c7e215f7ed8a27b
SHA1

b9d6786eef9aece22c1d9871c1db93e90cf4cb62
SHA256

84e7e43196b6cb1842801a8f20f479350b2c7ec01ce0664baa67de8e5c58040c
SHA512

fd174c35c385309704cf16d85820bba030ffec4fefc02ab536b93c4ef8bd7836cb02e127245b017cc0cb5985790cd7009ec87cc1c055e1753ba0fb85c689fad5
SSDEEP

24576:h1OYdaOdZh01dhan4PpxKt2lQm8xmoDSJoCtltCSyxqJqBcfGLX/A4pxiYDOu:h1OsnMPknWp7ugJowltCSyxqkL5UY3

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1048	8o85w8M24QUMRod.exe

Loads dropped DLL 4 IoCs

pid	Process
2012	84e7e43196b6cb1842801a8f20f479350b2c7ec01ce0664baa67de8e5c58040c.exe
1048	8o85w8M24QUMRod.exe
1684	regsvr32.exe
520	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgnpkdblcalffdejopdjkffokbilancg\2.0\manifest.json	8o85w8M24QUMRod.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgnpkdblcalffdejopdjkffokbilancg\2.0\manifest.json	8o85w8M24QUMRod.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgnpkdblcalffdejopdjkffokbilancg\2.0\manifest.json	8o85w8M24QUMRod.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	8o85w8M24QUMRod.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	8o85w8M24QUMRod.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	8o85w8M24QUMRod.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	8o85w8M24QUMRod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	8o85w8M24QUMRod.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GooSave\ekaLGps6EXYhj1.dll	8o85w8M24QUMRod.exe
File created	C:\Program Files (x86)\GooSave\ekaLGps6EXYhj1.tlb	8o85w8M24QUMRod.exe
File opened for modification	C:\Program Files (x86)\GooSave\ekaLGps6EXYhj1.tlb	8o85w8M24QUMRod.exe
File created	C:\Program Files (x86)\GooSave\ekaLGps6EXYhj1.dat	8o85w8M24QUMRod.exe
File opened for modification	C:\Program Files (x86)\GooSave\ekaLGps6EXYhj1.dat	8o85w8M24QUMRod.exe
File created	C:\Program Files (x86)\GooSave\ekaLGps6EXYhj1.x64.dll	8o85w8M24QUMRod.exe
File opened for modification	C:\Program Files (x86)\GooSave\ekaLGps6EXYhj1.x64.dll	8o85w8M24QUMRod.exe
File created	C:\Program Files (x86)\GooSave\ekaLGps6EXYhj1.dll	8o85w8M24QUMRod.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1048	2012	84e7e43196b6cb1842801a8f20f479350b2c7ec01ce0664baa67de8e5c58040c.exe	27
PID 2012 wrote to memory of 1048	2012	84e7e43196b6cb1842801a8f20f479350b2c7ec01ce0664baa67de8e5c58040c.exe	27
PID 2012 wrote to memory of 1048	2012	84e7e43196b6cb1842801a8f20f479350b2c7ec01ce0664baa67de8e5c58040c.exe	27
PID 2012 wrote to memory of 1048	2012	84e7e43196b6cb1842801a8f20f479350b2c7ec01ce0664baa67de8e5c58040c.exe	27
PID 1048 wrote to memory of 1684	1048	8o85w8M24QUMRod.exe	28
PID 1048 wrote to memory of 1684	1048	8o85w8M24QUMRod.exe	28
PID 1048 wrote to memory of 1684	1048	8o85w8M24QUMRod.exe	28
PID 1048 wrote to memory of 1684	1048	8o85w8M24QUMRod.exe	28
PID 1048 wrote to memory of 1684	1048	8o85w8M24QUMRod.exe	28
PID 1048 wrote to memory of 1684	1048	8o85w8M24QUMRod.exe	28
PID 1048 wrote to memory of 1684	1048	8o85w8M24QUMRod.exe	28
PID 1684 wrote to memory of 520	1684	regsvr32.exe	29
PID 1684 wrote to memory of 520	1684	regsvr32.exe	29
PID 1684 wrote to memory of 520	1684	regsvr32.exe	29
PID 1684 wrote to memory of 520	1684	regsvr32.exe	29
PID 1684 wrote to memory of 520	1684	regsvr32.exe	29
PID 1684 wrote to memory of 520	1684	regsvr32.exe	29
PID 1684 wrote to memory of 520	1684	regsvr32.exe	29

C:\Users\Admin\AppData\Local\Temp\84e7e43196b6cb1842801a8f20f479350b2c7ec01ce0664baa67de8e5c58040c.exe
"C:\Users\Admin\AppData\Local\Temp\84e7e43196b6cb1842801a8f20f479350b2c7ec01ce0664baa67de8e5c58040c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\7zS935.tmp\8o85w8M24QUMRod.exe
  .\8o85w8M24QUMRod.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GooSave\ekaLGps6EXYhj1.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GooSave\ekaLGps6EXYhj1.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GooSave\ekaLGps6EXYhj1.dat

Filesize
6KB

MD5
e9c1989eb00fd0a04367893765d075d1

SHA1
6ac9b0c334c70fd01d9fca4f402fe2f5630ed34c

SHA256
ed5c437697d5f791e10c1c7e42d741bf9ad141f159dc8e01dbdc9f65e6440b1c

SHA512
54b172bf566f0fc3fd52f65f694b7f1b1c3171fac574c97eac5bd98b599751264361f702fdd974afd2540704d3d01fa6574cb5ca5796bd8ef94563d37f79530b

Download Submit
C:\Program Files (x86)\GooSave\ekaLGps6EXYhj1.x64.dll

Filesize
693KB

MD5
bf63868fef3bb9233eded9e79dcbe885

SHA1
a3115e49e92c71c79b918155831b100b38d7db2b

SHA256
2047fb1789881422265023c55a535f6f24dd12df2a717f62a8ebf55ba574b46e

SHA512
39be01a64496e61d677f5a3a5f750f2e0722c40c5842a89dcecdac73d26515e6f6836bfa6a415d408a9e8367b389661150fc8506aa4f457f3864331184b9cb74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS935.tmp\8o85w8M24QUMRod.dat

Filesize
6KB

MD5
e9c1989eb00fd0a04367893765d075d1

SHA1
6ac9b0c334c70fd01d9fca4f402fe2f5630ed34c

SHA256
ed5c437697d5f791e10c1c7e42d741bf9ad141f159dc8e01dbdc9f65e6440b1c

SHA512
54b172bf566f0fc3fd52f65f694b7f1b1c3171fac574c97eac5bd98b599751264361f702fdd974afd2540704d3d01fa6574cb5ca5796bd8ef94563d37f79530b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS935.tmp\8o85w8M24QUMRod.exe

Filesize
621KB

MD5
8aa3ce0eb96e5b622a0a633a3958ee32

SHA1
5161a17f440514859a07bef2270f527ac4d6bf3f

SHA256
0e5fe209f38e623e280c10d127b6c33b9eca95edfe4f4b7dc64a55955c746a68

SHA512
c4dde7bd17d544d94e931bfc91c71fc8841863963b0f9edd180c10d9b22c1886b95fff707a5736d99647fa8c2d4ab98c9732db2e96799d4e973628d70f753699

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS935.tmp\8o85w8M24QUMRod.exe

Filesize
621KB

MD5
8aa3ce0eb96e5b622a0a633a3958ee32

SHA1
5161a17f440514859a07bef2270f527ac4d6bf3f

SHA256
0e5fe209f38e623e280c10d127b6c33b9eca95edfe4f4b7dc64a55955c746a68

SHA512
c4dde7bd17d544d94e931bfc91c71fc8841863963b0f9edd180c10d9b22c1886b95fff707a5736d99647fa8c2d4ab98c9732db2e96799d4e973628d70f753699

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS935.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS935.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
3ac12bcfc349fc589cfca33558ecad41

SHA1
724b08feb1223939c969b9ea708a5564e660093a

SHA256
9b022e48ef317e6367db23d6ca8feef0734d5ed767b4a642f5c76c0b2015dad4

SHA512
3bffeeb107aae17b6c22e16eedefcf3deebce53505e32acbdb4312727e9a3c6e991f910003b9bec1022e63e83e5cf25b56aab98dc6127f9e2a103471033f9500

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS935.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
61d79b0d06b1e8ce62e1b6173d486955

SHA1
4d41785d30f66cf999b386d267267a29dbffb279

SHA256
95c10e033f0fe450849e7482dc63037d02f8f25a78e7c2d2394bce5a1c5a99dd

SHA512
07072bdda9ed1b44b4899b58d3ae5bd02a6f2feaa2f82f14c814ee2aa0fcd90e4f6f9fe9fa1c363ca94926edef8179b29ee6bf42023c321319ac3d525477f9f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS935.tmp\[email protected]\install.rdf

Filesize
598B

MD5
91ad122821ceefc0a0e0f8b7b203610e

SHA1
23a2556a9fa2839f46aeade4008cf7ca15a5feb5

SHA256
9d63b290d8fe12d9baf9173faa12966faaeeb59d6aab604af48ae3ec5fe14407

SHA512
77ed1cde715d453d9de4b3eac30add5e9c6c316a3312314363ea25c174abe9f2c618c54b2c440e2d404d0dec7635d94822b08d7d192be40c253b46e6f953dbed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS935.tmp\ekaLGps6EXYhj1.dll

Filesize
614KB

MD5
e66ed8c84db56aa41b9622c91244cd38

SHA1
d7bfb28ca2e5c73e238b82a7366b805265e72133

SHA256
ee579c9f6e6077c8fe03508ae0c3769f0494bd847b1da853149ba0793f401327

SHA512
70e4c9fc31214b9e779c693d57a2b0594d63b3a533175138c2010c2028eb81e9cacf8d1ce78cf8a7301e145d8a352c06110da10219fb6bc43175b20a55e60476

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS935.tmp\ekaLGps6EXYhj1.tlb

Filesize
3KB

MD5
b911019962417c95b6398296c108874f

SHA1
c8d67ac189eca150274deeb1cf34213364ef54b4

SHA256
ad4c3f723e6ee9db48511b756f0437a7ad1025dec7e17dfd31b647b739a1b54a

SHA512
349ccc38d8e14a6fb0d8b25c3bc817538a39159fe8795042c0fe43cdb282e944ba556bf54c8a6b76073318e3b14e4e17b30ffd244ab26a35e3c68bcd2dffb3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS935.tmp\ekaLGps6EXYhj1.x64.dll

Filesize
693KB

MD5
bf63868fef3bb9233eded9e79dcbe885

SHA1
a3115e49e92c71c79b918155831b100b38d7db2b

SHA256
2047fb1789881422265023c55a535f6f24dd12df2a717f62a8ebf55ba574b46e

SHA512
39be01a64496e61d677f5a3a5f750f2e0722c40c5842a89dcecdac73d26515e6f6836bfa6a415d408a9e8367b389661150fc8506aa4f457f3864331184b9cb74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS935.tmp\jgnpkdblcalffdejopdjkffokbilancg\E6WCBji9et.js

Filesize
5KB

MD5
a5e4dd78da33e07c2d0c228ee3932004

SHA1
a0a939a215ced89e389d7bea55440d40a117f7f3

SHA256
1128f2e2afa09c1c77efef50a374793031fa39fb51f83482426ed57643ecf8c0

SHA512
98c441b9af6bc1a2ebe028aab877f61b2ec2abc83ff84c093ba6097930f7a05d8d3260ac0a2c9f47d336c92e74164b580b71342aff142f29fcec773567e84a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS935.tmp\jgnpkdblcalffdejopdjkffokbilancg\background.html

Filesize
147B

MD5
a309cc4757a54383317d6a4b41903019

SHA1
a6925edb1f961ee43c55808fa093bae082bca332

SHA256
2478c896c28399ed4e3111c078f8ff0b8b5c8522e42f41df32a8a76a124e0ba7

SHA512
cfb16bfe776e6166e439f7648664c54ae12e1c0976f451854fc0da0eb84342c278e8008fb0691d9856608ce1e5664cb001bc0ca749806dfce2e724d7fcc5af53

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS935.tmp\jgnpkdblcalffdejopdjkffokbilancg\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS935.tmp\jgnpkdblcalffdejopdjkffokbilancg\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS935.tmp\jgnpkdblcalffdejopdjkffokbilancg\manifest.json

Filesize
499B

MD5
2bafae0ea4ab5ac51958f72d544ef543

SHA1
4a4665d6b13fbba59d92c908b8fc30aac3bedd08

SHA256
9c47ef92b7f138a1487632f023fb3f9ff2c379b29c627b716707b162ae56f473

SHA512
1f76f2b5423a040f29ecbc58e257c336faade2f80fc41917d165d02989858057508ed0cf5c7eecd12b6238885331f27d4f05d61ec0334200f6c17f2e4974b72f

Download Submit
\Program Files (x86)\GooSave\ekaLGps6EXYhj1.dll

Filesize
614KB

MD5
e66ed8c84db56aa41b9622c91244cd38

SHA1
d7bfb28ca2e5c73e238b82a7366b805265e72133

SHA256
ee579c9f6e6077c8fe03508ae0c3769f0494bd847b1da853149ba0793f401327

SHA512
70e4c9fc31214b9e779c693d57a2b0594d63b3a533175138c2010c2028eb81e9cacf8d1ce78cf8a7301e145d8a352c06110da10219fb6bc43175b20a55e60476

Download Submit
\Program Files (x86)\GooSave\ekaLGps6EXYhj1.x64.dll

Filesize
693KB

MD5
bf63868fef3bb9233eded9e79dcbe885

SHA1
a3115e49e92c71c79b918155831b100b38d7db2b

SHA256
2047fb1789881422265023c55a535f6f24dd12df2a717f62a8ebf55ba574b46e

SHA512
39be01a64496e61d677f5a3a5f750f2e0722c40c5842a89dcecdac73d26515e6f6836bfa6a415d408a9e8367b389661150fc8506aa4f457f3864331184b9cb74

Download Submit
\Program Files (x86)\GooSave\ekaLGps6EXYhj1.x64.dll

Filesize
693KB

MD5
bf63868fef3bb9233eded9e79dcbe885

SHA1
a3115e49e92c71c79b918155831b100b38d7db2b

SHA256
2047fb1789881422265023c55a535f6f24dd12df2a717f62a8ebf55ba574b46e

SHA512
39be01a64496e61d677f5a3a5f750f2e0722c40c5842a89dcecdac73d26515e6f6836bfa6a415d408a9e8367b389661150fc8506aa4f457f3864331184b9cb74

Download Submit
\Users\Admin\AppData\Local\Temp\7zS935.tmp\8o85w8M24QUMRod.exe

Filesize
621KB

MD5
8aa3ce0eb96e5b622a0a633a3958ee32

SHA1
5161a17f440514859a07bef2270f527ac4d6bf3f

SHA256
0e5fe209f38e623e280c10d127b6c33b9eca95edfe4f4b7dc64a55955c746a68

SHA512
c4dde7bd17d544d94e931bfc91c71fc8841863963b0f9edd180c10d9b22c1886b95fff707a5736d99647fa8c2d4ab98c9732db2e96799d4e973628d70f753699

Download Submit
memory/520-78-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

Filesize
8KB

Download
memory/2012-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download