Analysis
max time kernel: 38s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 08:03

Static task: static1
Behavioral task: behavioral1
  Sample: 3917ea976c6ff3d5068cf5d85d6ebe150a2cab96d5acd6e4f57bf3949f23cba5.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3917ea976c6ff3d5068cf5d85d6ebe150a2cab96d5acd6e4f57bf3949f23cba5.exe
  Resource: win10v2004-20220812-en

General
Target: 3917ea976c6ff3d5068cf5d85d6ebe150a2cab96d5acd6e4f57bf3949f23cba5.exe
Size: 2.3MB
MD5: 436406aeac4e056e96d279bdb2b51bbe
SHA1: 8a637bebd05a3c2439f1c632d6a5145d15adf72d
SHA256: 3917ea976c6ff3d5068cf5d85d6ebe150a2cab96d5acd6e4f57bf3949f23cba5
SHA512: 999b1c68d4a13985514dedc892c27b33420417f32d812eb9576a8dbfb7ed15f40d8c753d4c93048d77ed9e6699a26173457094fdf1ffee0a17752a0bdc548710
SSDEEP: 49152:7X8MHZSa4a4FhQZT1SCRmG32eiN/IoB4MYYwOspNRrnBNazuOTc5zwHtIMNrH3h:JHZz4a4FhQx1SCsG3JiN/IoB4MYYwOsS
Malware Config
Signatures
Executes dropped EXE 1 IoCs
Processes:
pid | process
2032 | JTk6X4qsVTaErsD.exe

Registers COM server for autorun 1 TTPs 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\InprocServer32\ = "C:\\Program Files (x86)\\GooSSave\\PJ2cwdeo48nR7l.x64.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\InprocServer32 | regsvr32.exe

Loads dropped DLL 4 IoCs
Processes:
pid | process
1688 | 3917ea976c6ff3d5068cf5d85d6ebe150a2cab96d5acd6e4f57bf3949f23cba5.exe
2032 | JTk6X4qsVTaErsD.exe
1512 | regsvr32.exe
1320 | regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension 3 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\olejpbacddhlhfedjocnkdpocpkhfheg\2.0\manifest.json | JTk6X4qsVTaErsD.exe
File created | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\olejpbacddhlhfedjocnkdpocpkhfheg\2.0\manifest.json | JTk6X4qsVTaErsD.exe
File created | C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\olejpbacddhlhfedjocnkdpocpkhfheg\2.0\manifest.json | JTk6X4qsVTaErsD.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84133bb7-14a5-4e51-82e8-3a22ccf3859f} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\ = "GooSSave" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\NoExplorer = "1" | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84133bb7-14a5-4e51-82e8-3a22ccf3859f} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84133bb7-14a5-4e51-82e8-3a22ccf3859f} | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\ = "GooSSave" | JTk6X4qsVTaErsD.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\NoExplorer = "1" | JTk6X4qsVTaErsD.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84133bb7-14a5-4e51-82e8-3a22ccf3859f} | JTk6X4qsVTaErsD.exe

Drops file in System32 directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | JTk6X4qsVTaErsD.exe
File opened for modification | C:\Windows\System32\GroupPolicy | JTk6X4qsVTaErsD.exe
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | JTk6X4qsVTaErsD.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | JTk6X4qsVTaErsD.exe

Drops file in Program Files directory 8 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\GooSSave\PJ2cwdeo48nR7l.dll | JTk6X4qsVTaErsD.exe
File opened for modification | C:\Program Files (x86)\GooSSave\PJ2cwdeo48nR7l.dll | JTk6X4qsVTaErsD.exe
File created | C:\Program Files (x86)\GooSSave\PJ2cwdeo48nR7l.tlb | JTk6X4qsVTaErsD.exe
File opened for modification | C:\Program Files (x86)\GooSSave\PJ2cwdeo48nR7l.tlb | JTk6X4qsVTaErsD.exe
File created | C:\Program Files (x86)\GooSSave\PJ2cwdeo48nR7l.dat | JTk6X4qsVTaErsD.exe
File opened for modification | C:\Program Files (x86)\GooSSave\PJ2cwdeo48nR7l.dat | JTk6X4qsVTaErsD.exe
File created | C:\Program Files (x86)\GooSSave\PJ2cwdeo48nR7l.x64.dll | JTk6X4qsVTaErsD.exe
File opened for modification | C:\Program Files (x86)\GooSSave\PJ2cwdeo48nR7l.x64.dll | JTk6X4qsVTaErsD.exe
Modifies Internet Explorer settings 8 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{84133bb7-14a5-4e51-82e8-3a22ccf3859f} | JTk6X4qsVTaErsD.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{84133BB7-14A5-4E51-82E8-3A22CCF3859F} | JTk6X4qsVTaErsD.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | JTk6X4qsVTaErsD.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{84133BB7-14A5-4E51-82E8-3A22CCF3859F} | regsvr32.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{84133bb7-14a5-4e51-82e8-3a22ccf3859f} | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | JTk6X4qsVTaErsD.exe
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\InprocServer32\ = "C:\\Program Files (x86)\\GooSSave\\PJ2cwdeo48nR7l.x64.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\..9 | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\. | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\VersionIndependentProgID | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32 | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF} | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein" | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" | JTk6X4qsVTaErsD.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\VersionIndependentProgID\ | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\InprocServer32 | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32 | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "GooSSave" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84133BB7-14A5-4E51-82E8-3A22CCF3859F}\Implemented Categories | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\ProgID | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein" | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | JTk6X4qsVTaErsD.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\Programmable | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{84133bb7-14a5-4e51-82e8-3a22ccf3859f}" | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\GooSSave\\PJ2cwdeo48nR7l.tlb" | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0} | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{84133bb7-14a5-4e51-82e8-3a22ccf3859f}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\VersionIndependentProgID\ | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\Programmable | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0} | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{84133bb7-14a5-4e51-82e8-3a22ccf3859f}" | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\InprocServer32 | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\VersionIndependentProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "GooSSave" | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\InprocServer32\ThreadingModel = "Apartment" | JTk6X4qsVTaErsD.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\InprocServer32 | JTk6X4qsVTaErsD.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\VersionIndependentProgID | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage" | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib | JTk6X4qsVTaErsD.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32 | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0" | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\VersionIndependentProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84133BB7-14A5-4E51-82E8-3A22CCF3859F}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84133BB7-14A5-4E51-82E8-3A22CCF3859F}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0" | JTk6X4qsVTaErsD.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f}\ProgID\ = ".9" | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | JTk6X4qsVTaErsD.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
2032 | JTk6X4qsVTaErsD.exe
2032 | JTk6X4qsVTaErsD.exe

Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process
PID 1688 wrote to memory of 2032 | 1688 | 3917ea976c6ff3d5068cf5d85d6ebe150a2cab96d5acd6e4f57bf3949f23cba5.exe | JTk6X4qsVTaErsD.exe
PID 1688 wrote to memory of 2032 | 1688 | 3917ea976c6ff3d5068cf5d85d6ebe150a2cab96d5acd6e4f57bf3949f23cba5.exe | JTk6X4qsVTaErsD.exe
PID 1688 wrote to memory of 2032 | 1688 | 3917ea976c6ff3d5068cf5d85d6ebe150a2cab96d5acd6e4f57bf3949f23cba5.exe | JTk6X4qsVTaErsD.exe
PID 1688 wrote to memory of 2032 | 1688 | 3917ea976c6ff3d5068cf5d85d6ebe150a2cab96d5acd6e4f57bf3949f23cba5.exe | JTk6X4qsVTaErsD.exe
PID 2032 wrote to memory of 1512 | 2032 | JTk6X4qsVTaErsD.exe | regsvr32.exe
PID 2032 wrote to memory of 1512 | 2032 | JTk6X4qsVTaErsD.exe | regsvr32.exe
PID 2032 wrote to memory of 1512 | 2032 | JTk6X4qsVTaErsD.exe | regsvr32.exe
PID 2032 wrote to memory of 1512 | 2032 | JTk6X4qsVTaErsD.exe | regsvr32.exe
PID 2032 wrote to memory of 1512 | 2032 | JTk6X4qsVTaErsD.exe | regsvr32.exe
PID 2032 wrote to memory of 1512 | 2032 | JTk6X4qsVTaErsD.exe | regsvr32.exe
PID 2032 wrote to memory of 1512 | 2032 | JTk6X4qsVTaErsD.exe | regsvr32.exe
PID 1512 wrote to memory of 1320 | 1512 | regsvr32.exe | regsvr32.exe
PID 1512 wrote to memory of 1320 | 1512 | regsvr32.exe | regsvr32.exe
PID 1512 wrote to memory of 1320 | 1512 | regsvr32.exe | regsvr32.exe
PID 1512 wrote to memory of 1320 | 1512 | regsvr32.exe | regsvr32.exe
PID 1512 wrote to memory of 1320 | 1512 | regsvr32.exe | regsvr32.exe
PID 1512 wrote to memory of 1320 | 1512 | regsvr32.exe | regsvr32.exe
PID 1512 wrote to memory of 1320 | 1512 | regsvr32.exe | regsvr32.exe

System policy modification 1 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{84133bb7-14a5-4e51-82e8-3a22ccf3859f} = "1" | JTk6X4qsVTaErsD.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | JTk6X4qsVTaErsD.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\3917ea976c6ff3d5068cf5d85d6ebe150a2cab96d5acd6e4f57bf3949f23cba5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3917ea976c6ff3d5068cf5d85d6ebe150a2cab96d5acd6e4f57bf3949f23cba5.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1688
    [2] C:\Users\Admin\AppData\Local\Temp\1d64166a\JTk6X4qsVTaErsD.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp/1d64166a/JTk6X4qsVTaErsD.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops Chrome extension
        - Installs/modifies Browser Helper Object
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 2032
        [3] C:\Windows\SysWOW64\regsvr32.exe
            Command line: regsvr32.exe /s "C:\Program Files (x86)\GooSSave\PJ2cwdeo48nR7l.x64.dll"
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            PID: 1512
            [4] C:\Windows\system32\regsvr32.exe
                Command line: /s "C:\Program Files (x86)\GooSSave\PJ2cwdeo48nR7l.x64.dll"
                - Registers COM server for autorun
                - Loads dropped DLL
                - Installs/modifies Browser Helper Object
                - Modifies Internet Explorer settings
                - Modifies registry class
                PID: 1320
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Program Files (x86)\GooSSave\PJ2cwdeo48nR7l.dat
Filesize 4KB
MD5 00cfd91a0ce437cd97fd74dd1718825d
SHA1 18acadc10d0903031e89744cdfaffd606d8b30a5
SHA256 40efeb936f1caf4e8cfaaa33f951cce5353eff7fbf6a46208db0485ef0acdb4e
SHA512 a91bd6de7ccb54d326906d0a7dc6f88e3775a29af1bc9872e865b82c60125669d2a741cf1d6a0c9560e8db163943b395f9624f77114093d6903e05f737188d14

C:\Program Files (x86)\GooSSave\PJ2cwdeo48nR7l.tlb
Filesize 3KB
MD5 1ab9d59d8a24d83e4c6a5a5857e09d47
SHA1 602e90f816405264428fece495cab2b78160fe0b
SHA256 82c17dfcfbf1a987aec69d023f4ca2e0de26612aaebf5c617c06c6c37deda349
SHA512 1fd66e5471a0bffb0a63068fb58f5bb6bc864abf8b06c8d60ffea3ee02e696addbc56c49cb15fd5493336a610ff1cce5efac425606641ab03cf5f532195d2c80

C:\Program Files (x86)\GooSSave\PJ2cwdeo48nR7l.x64.dll
Filesize 701KB
MD5 f94dd343cbd39b61666828ca6d669aa7
SHA1 34ab5c3c3754d945abafc4c5814e40e6e89ba62a
SHA256 33d7bd8ef8e025fa2899966b50c2675737264e6951a2815bd913171e2983c672
SHA512 9f188853b08bf3f63d6efcd76f724c39ca7f591c77bb9ceedc97e8026c7a7e997f81a2e715e5dc0eee11210b603f0744f80a6d9240bdb542c3b698ab5dc78d6a

C:\Users\Admin\AppData\Local\Temp\1d64166a\JTk6X4qsVTaErsD.dat
Filesize 4KB
MD5 00cfd91a0ce437cd97fd74dd1718825d
SHA1 18acadc10d0903031e89744cdfaffd606d8b30a5
SHA256 40efeb936f1caf4e8cfaaa33f951cce5353eff7fbf6a46208db0485ef0acdb4e
SHA512 a91bd6de7ccb54d326906d0a7dc6f88e3775a29af1bc9872e865b82c60125669d2a741cf1d6a0c9560e8db163943b395f9624f77114093d6903e05f737188d14

C:\Users\Admin\AppData\Local\Temp\1d64166a\JTk6X4qsVTaErsD.exe
Filesize 634KB
MD5 46a9ece4310c65d28b03c05e8364d3e9
SHA1 f0b678f6f80188648eb3271df46ce408c8e2f8cb
SHA256 2dee714b9282e5c291e59aec246e3e9bbc20a4d31c952beb0b96bc538112654e
SHA512 abba3ee629fbff3179ac56dab56eda9bae94651f73f9f3e70353b7a0595bb23ca1c0c2666910af2cac7fb75b740682ea31816696308226a1aa130b67e251e652
C:\Users\Admin\AppData\Local\Temp\1d64166a\PJ2cwdeo48nR7l.dll
Filesize 626KB
MD5 da2d2831e9a10c1759257bbfbad99cf5
SHA1 bd420faa8c08274406f925343b364a729cf9bbaf
SHA256 2e3adbb1eabbed9d1157ffdc0cd2d95a89a87187a96bf1cb7a09f6dc5ce81acb
SHA512 67fcb81adada24fbe69db61300918c96e178501166a9ccdfe9e15710729b252a3542dcb6378a0553504be6ac9bf0d8856672302d1c54fd5a5adaaeddadeb9c11

C:\Users\Admin\AppData\Local\Temp\1d64166a\PJ2cwdeo48nR7l.tlb
Filesize 3KB
MD5 1ab9d59d8a24d83e4c6a5a5857e09d47
SHA1 602e90f816405264428fece495cab2b78160fe0b
SHA256 82c17dfcfbf1a987aec69d023f4ca2e0de26612aaebf5c617c06c6c37deda349
SHA512 1fd66e5471a0bffb0a63068fb58f5bb6bc864abf8b06c8d60ffea3ee02e696addbc56c49cb15fd5493336a610ff1cce5efac425606641ab03cf5f532195d2c80

C:\Users\Admin\AppData\Local\Temp\1d64166a\PJ2cwdeo48nR7l.x64.dll
Filesize 701KB
MD5 f94dd343cbd39b61666828ca6d669aa7
SHA1 34ab5c3c3754d945abafc4c5814e40e6e89ba62a
SHA256 33d7bd8ef8e025fa2899966b50c2675737264e6951a2815bd913171e2983c672
SHA512 9f188853b08bf3f63d6efcd76f724c39ca7f591c77bb9ceedc97e8026c7a7e997f81a2e715e5dc0eee11210b603f0744f80a6d9240bdb542c3b698ab5dc78d6a

C:\Users\Admin\AppData\Local\Temp\1d64166a\[email protected]\bootstrap.js
Filesize 2KB
MD5 df13f711e20e9c80171846d4f2f7ae06
SHA1 56d29cda58427efe0e21d3880d39eb1b0ef60bee
SHA256 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
SHA512 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

C:\Users\Admin\AppData\Local\Temp\1d64166a\[email protected]\chrome.manifest
Filesize 35B
MD5 b156f78588611aa4dad5eb5f5fb36097
SHA1 c2ac6375a6d46b924043ce8c398054d7e94111e7
SHA256 0200636122ac7d054dc77ab04c15f77aae4ab85c9903736b6c8f084bea1ab624
SHA512 075fe5d12b63ec33e307cf9dd99a3fc16fb09bc6e0e18b07f210a9a325c5ec32c52b6efedc177d811202d8f413377a380490c8ac75d2130539d0cad9e6a215e1

C:\Users\Admin\AppData\Local\Temp\1d64166a\[email protected]\content\bg.js
Filesize 8KB
MD5 024a965b64847c4b08992c72708d565e
SHA1 ef90489aeb0e6ee1c43566920a01ea168f6fc2db
SHA256 7daa9c4ad04f6288fa690e739140bfc0ff77e68f8a5d9ce38e8ec436903fbd7f
SHA512 d2e5c2b573a51f00a59270cf1135d5a4787cb5bfca619b61e2c245121d67f889b5eb089e54e8a9efe0c49abdbe599e41bf0ef79f4c23379c34aaf9cf78ac74e5

C:\Users\Admin\AppData\Local\Temp\1d64166a\[email protected]\install.rdf
Filesize 600B
MD5 0803a62ca6725d505c2fe356aa3f990d
SHA1 7a3b44d4c33daa65fd54981259c4978ccffa9acf
SHA256 636fc97fb577c692cbd0dbd53e7f7adf2acbedcb92e855ae28209362ffdca691
SHA512 63e2fc92fe7b1c47e316bf805471b1c6fb19c89d019e13be09303861a0c1f499de915fc04e50b3abaf64f0c2fd4412231c5d95fc2b72b8449a38f00aae78b26a

C:\Users\Admin\AppData\Local\Temp\1d64166a\olejpbacddhlhfedjocnkdpocpkhfheg\BlZU.js
Filesize 6KB
MD5 f7a7188d0f77561fc511492747075d7b
SHA1 ec7173e3b624c2c807592909139b6dee58da5adc
SHA256 f1177c6ff23d2b0acf79ce07b12012890dbb17fcd9b01dbdf1b7a5bd44400999
SHA512 8dc7a765c08a1483bb1f6227e77e79390dcc7d5da65faf5195a3437ad4c1328dbc88333fd1d3d8ec30c3d94f58ffeb8db898a21c7a54a9655ccc8bfd39d14b81

C:\Users\Admin\AppData\Local\Temp\1d64166a\olejpbacddhlhfedjocnkdpocpkhfheg\background.html
Filesize 141B
MD5 97513b05eff67432b7d854404bc72627
SHA1 646e86f1a718d7acf487e801a9fee08654dcaedb
SHA256 893e23d2a0afbdde7e45b3fd94f5b88c9237dd79da244d5da9c5c09ae4277979
SHA512 d3f35d1687460e35b5f3e50bca141f0d6db6cb4dede2959214b2b37c855c07808201fe3d35a7483e5a95771f2110c55ad007f9491962e1b9b5c1862313174a13

C:\Users\Admin\AppData\Local\Temp\1d64166a\olejpbacddhlhfedjocnkdpocpkhfheg\content.js
Filesize 144B
MD5 fca19198fd8af21016a8b1dec7980002
SHA1 fd01a47d14004e17a625efe66cc46a06c786cf40
SHA256 332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
SHA512 60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

C:\Users\Admin\AppData\Local\Temp\1d64166a\olejpbacddhlhfedjocnkdpocpkhfheg\lsdb.js
Filesize 531B
MD5 36d98318ab2b3b2585a30984db328afb
SHA1 f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
SHA256 ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
SHA512 6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

C:\Users\Admin\AppData\Local\Temp\1d64166a\olejpbacddhlhfedjocnkdpocpkhfheg\manifest.json
Filesize 500B
MD5 52023f81736bd6d05c1f2f5bc57dcfa1
SHA1 e0571d9f8d77807dc269ec6da95537f543e8d7dc
SHA256 19d4ead9dcdb734df9c41fb160c7057a78f7ee8a6ae9696001f02ca605ffc78c
SHA512 f067961b37f50a32218c8cabbfaec6a127fa223df95739629e3cf958afafe32d66e1819af23e1885c5cb0301a4abc24cd198675ca9b4da180364be742aa15030

\Program Files (x86)\GooSSave\PJ2cwdeo48nR7l.dll
Filesize 626KB
MD5 da2d2831e9a10c1759257bbfbad99cf5
SHA1 bd420faa8c08274406f925343b364a729cf9bbaf
SHA256 2e3adbb1eabbed9d1157ffdc0cd2d95a89a87187a96bf1cb7a09f6dc5ce81acb
SHA512 67fcb81adada24fbe69db61300918c96e178501166a9ccdfe9e15710729b252a3542dcb6378a0553504be6ac9bf0d8856672302d1c54fd5a5adaaeddadeb9c11

\Program Files (x86)\GooSSave\PJ2cwdeo48nR7l.x64.dll
Filesize 701KB
MD5 f94dd343cbd39b61666828ca6d669aa7
SHA1 34ab5c3c3754d945abafc4c5814e40e6e89ba62a
SHA256 33d7bd8ef8e025fa2899966b50c2675737264e6951a2815bd913171e2983c672
SHA512 9f188853b08bf3f63d6efcd76f724c39ca7f591c77bb9ceedc97e8026c7a7e997f81a2e715e5dc0eee11210b603f0744f80a6d9240bdb542c3b698ab5dc78d6a
\Users\Admin\AppData\Local\Temp\1d64166a\JTk6X4qsVTaErsD.exe
Filesize 634KB
MD5 46a9ece4310c65d28b03c05e8364d3e9
SHA1 f0b678f6f80188648eb3271df46ce408c8e2f8cb
SHA256 2dee714b9282e5c291e59aec246e3e9bbc20a4d31c952beb0b96bc538112654e
SHA512 abba3ee629fbff3179ac56dab56eda9bae94651f73f9f3e70353b7a0595bb23ca1c0c2666910af2cac7fb75b740682ea31816696308226a1aa130b67e251e652

memory/1320-77-0x0000000000000000-mapping.dmp

memory/1320-78-0x000007FEFB731000-0x000007FEFB733000-memory.dmp
Filesize 8KB

memory/1512-73-0x0000000000000000-mapping.dmp

memory/1688-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
Filesize 8KB

memory/2032-56-0x0000000000000000-mapping.dmp