27edd65e642a35b63684a0f889a3ea4656b81de8c713ebdee4d7076dcbbaffdb

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27edd65e642a35b63684a0f889a3ea4656b81de8c713ebdee4d7076dcbbaffdb.exe
Size

2.0MB
MD5

9c8fb19aa34428619b53d7cd535e3f94
SHA1

fcd0538ff313cc1dd79e30e17edebe219f87bf2b
SHA256

27edd65e642a35b63684a0f889a3ea4656b81de8c713ebdee4d7076dcbbaffdb
SHA512

ce9713576e304bd2bf5d64d2df59ace4d93d47d949df87c925e425ff52ad6376e2fc76a9be538f1bf033c2674824dd1743fa10dc710aeb15760a4d718fe9eda5
SSDEEP

24576:h1OYdaOzI6E5REGb4sp9whi3+GVFAc7Ynf+eCI3mF7RGT116QDCp2hD4iFhgFauh:h1OsSb4splF+nf+1bF9BQupbFMQL

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1960	0mrOlggE20j88RE.exe

Loads dropped DLL 4 IoCs

pid	Process
828	27edd65e642a35b63684a0f889a3ea4656b81de8c713ebdee4d7076dcbbaffdb.exe
1960	0mrOlggE20j88RE.exe
1664	regsvr32.exe
972	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blookmfnkkbkkjpkcecggicllmhdanaj\2.0\manifest.json	0mrOlggE20j88RE.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blookmfnkkbkkjpkcecggicllmhdanaj\2.0\manifest.json	0mrOlggE20j88RE.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\blookmfnkkbkkjpkcecggicllmhdanaj\2.0\manifest.json	0mrOlggE20j88RE.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	0mrOlggE20j88RE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	0mrOlggE20j88RE.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	0mrOlggE20j88RE.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	0mrOlggE20j88RE.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	0mrOlggE20j88RE.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GooSaavee\6sahE9xsBnfB9s.tlb	0mrOlggE20j88RE.exe
File opened for modification	C:\Program Files (x86)\GooSaavee\6sahE9xsBnfB9s.tlb	0mrOlggE20j88RE.exe
File created	C:\Program Files (x86)\GooSaavee\6sahE9xsBnfB9s.dat	0mrOlggE20j88RE.exe
File opened for modification	C:\Program Files (x86)\GooSaavee\6sahE9xsBnfB9s.dat	0mrOlggE20j88RE.exe
File created	C:\Program Files (x86)\GooSaavee\6sahE9xsBnfB9s.x64.dll	0mrOlggE20j88RE.exe
File opened for modification	C:\Program Files (x86)\GooSaavee\6sahE9xsBnfB9s.x64.dll	0mrOlggE20j88RE.exe
File created	C:\Program Files (x86)\GooSaavee\6sahE9xsBnfB9s.dll	0mrOlggE20j88RE.exe
File opened for modification	C:\Program Files (x86)\GooSaavee\6sahE9xsBnfB9s.dll	0mrOlggE20j88RE.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 1960	828	27edd65e642a35b63684a0f889a3ea4656b81de8c713ebdee4d7076dcbbaffdb.exe	28
PID 828 wrote to memory of 1960	828	27edd65e642a35b63684a0f889a3ea4656b81de8c713ebdee4d7076dcbbaffdb.exe	28
PID 828 wrote to memory of 1960	828	27edd65e642a35b63684a0f889a3ea4656b81de8c713ebdee4d7076dcbbaffdb.exe	28
PID 828 wrote to memory of 1960	828	27edd65e642a35b63684a0f889a3ea4656b81de8c713ebdee4d7076dcbbaffdb.exe	28
PID 1960 wrote to memory of 1664	1960	0mrOlggE20j88RE.exe	29
PID 1960 wrote to memory of 1664	1960	0mrOlggE20j88RE.exe	29
PID 1960 wrote to memory of 1664	1960	0mrOlggE20j88RE.exe	29
PID 1960 wrote to memory of 1664	1960	0mrOlggE20j88RE.exe	29
PID 1960 wrote to memory of 1664	1960	0mrOlggE20j88RE.exe	29
PID 1960 wrote to memory of 1664	1960	0mrOlggE20j88RE.exe	29
PID 1960 wrote to memory of 1664	1960	0mrOlggE20j88RE.exe	29
PID 1664 wrote to memory of 972	1664	regsvr32.exe	30
PID 1664 wrote to memory of 972	1664	regsvr32.exe	30
PID 1664 wrote to memory of 972	1664	regsvr32.exe	30
PID 1664 wrote to memory of 972	1664	regsvr32.exe	30
PID 1664 wrote to memory of 972	1664	regsvr32.exe	30
PID 1664 wrote to memory of 972	1664	regsvr32.exe	30
PID 1664 wrote to memory of 972	1664	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\27edd65e642a35b63684a0f889a3ea4656b81de8c713ebdee4d7076dcbbaffdb.exe
"C:\Users\Admin\AppData\Local\Temp\27edd65e642a35b63684a0f889a3ea4656b81de8c713ebdee4d7076dcbbaffdb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\7zSFE8B.tmp\0mrOlggE20j88RE.exe
  .\0mrOlggE20j88RE.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GooSaavee\6sahE9xsBnfB9s.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GooSaavee\6sahE9xsBnfB9s.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GooSaavee\6sahE9xsBnfB9s.dat

Filesize
6KB

MD5
2a51b0a1f7d9f22f6b34dadbf9006375

SHA1
d08d1d7b5a40846ab030a4f0e2751df3b5a0127a

SHA256
467c891e1b63f87d8901da4c34af78eff1ab790262524b8fbed9bd8c1eafb974

SHA512
6cd39620de8d40f39c95c46f8b3b035bc078b42e8df722680667d46141cc276a9b048f8d77f1340118a93dfca8e9b4cb1245fe8920e97b6f6500e47f20daa737

Download Submit
C:\Program Files (x86)\GooSaavee\6sahE9xsBnfB9s.x64.dll

Filesize
695KB

MD5
778129815857ac62bb0c123b8b428189

SHA1
df269d9de71cfde97a5f156492aaba450e671287

SHA256
c76feac6ef5e2da002411d7bf90a1bb2ae6ac1eeaa8ba26d83851d54879005eb

SHA512
204feaaa4e592e6d57f54a4bc99bcd8b5b6e214e6936230fbf5dd8608d2c7f1b2fc16495221b1e7f8c5f6a0f19a3e62900a33e7852f86b07479023fc8048d8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFE8B.tmp\0mrOlggE20j88RE.dat

Filesize
6KB

MD5
2a51b0a1f7d9f22f6b34dadbf9006375

SHA1
d08d1d7b5a40846ab030a4f0e2751df3b5a0127a

SHA256
467c891e1b63f87d8901da4c34af78eff1ab790262524b8fbed9bd8c1eafb974

SHA512
6cd39620de8d40f39c95c46f8b3b035bc078b42e8df722680667d46141cc276a9b048f8d77f1340118a93dfca8e9b4cb1245fe8920e97b6f6500e47f20daa737

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFE8B.tmp\0mrOlggE20j88RE.exe

Filesize
618KB

MD5
1f6c233b6bd46db7ed2e62ea5a824bf6

SHA1
d7f27647c97fc8b832463335df28fe750a4aebb2

SHA256
4548be95d5d9ea78c9cc37eba06f8c30b23da2e60392dabd2f8fb0082719475b

SHA512
af26f7ee482193a1cc4a16edba3daa9f8593cf06b70d14d043e92e2fdca86b097f8a7e93bdf97ba1c3cd760aa18a8080088d7d502bcf58ff0b83f9275c88bd9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFE8B.tmp\0mrOlggE20j88RE.exe

Filesize
618KB

MD5
1f6c233b6bd46db7ed2e62ea5a824bf6

SHA1
d7f27647c97fc8b832463335df28fe750a4aebb2

SHA256
4548be95d5d9ea78c9cc37eba06f8c30b23da2e60392dabd2f8fb0082719475b

SHA512
af26f7ee482193a1cc4a16edba3daa9f8593cf06b70d14d043e92e2fdca86b097f8a7e93bdf97ba1c3cd760aa18a8080088d7d502bcf58ff0b83f9275c88bd9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFE8B.tmp\6sahE9xsBnfB9s.dll

Filesize
614KB

MD5
c6b13b59b5326dd95e352027a180e42f

SHA1
16e02b4d300896d0384f5deed58a301191be0b8a

SHA256
a732d4f500b4df6cec5852bc4e8c7f8c64857b7c089637aca46643ecdd9f9a9f

SHA512
c24466afe116ce22c14e0e80348eb2f7ec2498a188605afd34cf1e51ad7bb018920dda997c88063f38e12ff4a0e0e627fdc5140b66d890b0c6862f441421bf8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFE8B.tmp\6sahE9xsBnfB9s.tlb

Filesize
3KB

MD5
04394c6fd86d2619f9ca279c405ce4fa

SHA1
75c975f51db8219dd89825408f9748ed557a271d

SHA256
c70e8100821466642b0df8f4e5c399ec9d9428f4b4716aef32eb96c1fd5d982b

SHA512
e7fb1ebd90d6570b81d3b3c4c903356bd3f619ed5197c67a10f5a1181f41eeb0f27ad5e2b02398f00da2c21055c29d5a1dc8b9e3a98003219eac8cfd2eaa7ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFE8B.tmp\6sahE9xsBnfB9s.x64.dll

Filesize
695KB

MD5
778129815857ac62bb0c123b8b428189

SHA1
df269d9de71cfde97a5f156492aaba450e671287

SHA256
c76feac6ef5e2da002411d7bf90a1bb2ae6ac1eeaa8ba26d83851d54879005eb

SHA512
204feaaa4e592e6d57f54a4bc99bcd8b5b6e214e6936230fbf5dd8608d2c7f1b2fc16495221b1e7f8c5f6a0f19a3e62900a33e7852f86b07479023fc8048d8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFE8B.tmp\blookmfnkkbkkjpkcecggicllmhdanaj\Dvpsl6.js

Filesize
5KB

MD5
ee5a7509fecf5104741e586459d7b5e5

SHA1
e4ae053fb5adae82d7a7551b5f4883f95c28d2a1

SHA256
40115909460dd3adc8bdbbf0899f153d54d1a96907d6d8e2d4c4e2956ef35194

SHA512
5bae1777d858f8bb3a22ea44cba8db05b64db4e5113b465a19603e10c2edfecb6c3cb162c4a0fc1d6de77a770a9270339f64e3c07048ccc54eaf6269fe66a1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFE8B.tmp\blookmfnkkbkkjpkcecggicllmhdanaj\background.html

Filesize
143B

MD5
d6926e1cca118a31d39c7a66e9d7b0ca

SHA1
626ed45c6f6ac6233cc2fa4752e5ea0c1bc51829

SHA256
ae19f6f60920518f8a360ec83efa1d2be515a90bb831e4a6789670919d58467a

SHA512
3d78086c3e49eb963148aadd631a280c33331e63094e19931dedd3e8b8f3e6cbf42c569944779375194a552faa0ebb25677f0fed5bd33507652c357f599bac9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFE8B.tmp\blookmfnkkbkkjpkcecggicllmhdanaj\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFE8B.tmp\blookmfnkkbkkjpkcecggicllmhdanaj\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFE8B.tmp\blookmfnkkbkkjpkcecggicllmhdanaj\manifest.json

Filesize
501B

MD5
fa1f9ff9137eac76206a3697f6e32499

SHA1
04b66de13325068d455dd13e8d7023f6a6e3c767

SHA256
90c5e0032c3526e88ae5e9a1c29d1c14075aee92905a344c26b024bc7dae57dd

SHA512
c470288dcdaa3eba94f9bddcc445dcb04fb2a163129fa669068206f340a3728dbaff64a1fa52e2703390d968fff5e60136c65bd3d5ba553bcd865ea699a303aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFE8B.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFE8B.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
94d998899042ad0c08aeece19d6655d5

SHA1
7a37f36531dc1d711ed495881e05caf28725d934

SHA256
f38a425ec9c5da075103921850d7280ddfacfb9377e99ea7fb38e9b8419c4e35

SHA512
4c4da543abe2c9011d5e7c104231610677abb85650b9cf6bb3e56f5828bf86da7b168c337a9156e57e0fd96217434b7d56f8192956eda81d3a5f1fb6cd985c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFE8B.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
e08151ff6f7a5f58719d6a02ffdef2a6

SHA1
0c002eb9dfbc6fe9f4eb43efc7c2d20608c83c6d

SHA256
f99fec78d9348143cdb503a0c1e188d08e4e2a146caeed76f26da8a8670f95ac

SHA512
575e59f5823c4a755dd6ec42700ce5832fadd54af2447ff1216b533c8abd7d49e83277c8be1f506563cf6de9c455b007a29fee56422e1cd0b45d3089464ed396

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFE8B.tmp\[email protected]\install.rdf

Filesize
596B

MD5
f60794cc81731cdc8d8a4c90b832e28c

SHA1
4df665465f1da37efb9455cb08202bd17560a4c9

SHA256
0b15afce3686e2a1a74680dcf4556499ca98e1ca6cf8ff5ad887601aac2db516

SHA512
c628fb1f23b95fe982d4729fd957331b74d47803fd87c6c33dc4617a4acc999c4669efce34adbeb7fafafa3dadabfad3f0b187c4730e79e9c472c4f9dbf2e2b9

Download Submit
\Program Files (x86)\GooSaavee\6sahE9xsBnfB9s.dll

Filesize
614KB

MD5
c6b13b59b5326dd95e352027a180e42f

SHA1
16e02b4d300896d0384f5deed58a301191be0b8a

SHA256
a732d4f500b4df6cec5852bc4e8c7f8c64857b7c089637aca46643ecdd9f9a9f

SHA512
c24466afe116ce22c14e0e80348eb2f7ec2498a188605afd34cf1e51ad7bb018920dda997c88063f38e12ff4a0e0e627fdc5140b66d890b0c6862f441421bf8e

Download Submit
\Program Files (x86)\GooSaavee\6sahE9xsBnfB9s.x64.dll

Filesize
695KB

MD5
778129815857ac62bb0c123b8b428189

SHA1
df269d9de71cfde97a5f156492aaba450e671287

SHA256
c76feac6ef5e2da002411d7bf90a1bb2ae6ac1eeaa8ba26d83851d54879005eb

SHA512
204feaaa4e592e6d57f54a4bc99bcd8b5b6e214e6936230fbf5dd8608d2c7f1b2fc16495221b1e7f8c5f6a0f19a3e62900a33e7852f86b07479023fc8048d8d7

Download Submit
\Program Files (x86)\GooSaavee\6sahE9xsBnfB9s.x64.dll

Filesize
695KB

MD5
778129815857ac62bb0c123b8b428189

SHA1
df269d9de71cfde97a5f156492aaba450e671287

SHA256
c76feac6ef5e2da002411d7bf90a1bb2ae6ac1eeaa8ba26d83851d54879005eb

SHA512
204feaaa4e592e6d57f54a4bc99bcd8b5b6e214e6936230fbf5dd8608d2c7f1b2fc16495221b1e7f8c5f6a0f19a3e62900a33e7852f86b07479023fc8048d8d7

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFE8B.tmp\0mrOlggE20j88RE.exe

Filesize
618KB

MD5
1f6c233b6bd46db7ed2e62ea5a824bf6

SHA1
d7f27647c97fc8b832463335df28fe750a4aebb2

SHA256
4548be95d5d9ea78c9cc37eba06f8c30b23da2e60392dabd2f8fb0082719475b

SHA512
af26f7ee482193a1cc4a16edba3daa9f8593cf06b70d14d043e92e2fdca86b097f8a7e93bdf97ba1c3cd760aa18a8080088d7d502bcf58ff0b83f9275c88bd9d

Download Submit
memory/828-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/972-78-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

Filesize
8KB

Download