499134658200da842870f49a2fd70b3bcec9d88b324d035e654ef2093222fb02

Analysis

max time kernel
27s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

499134658200da842870f49a2fd70b3bcec9d88b324d035e654ef2093222fb02.exe
Size

2.1MB
MD5

022354f17ebdce046d26e29498c6444b
SHA1

31c80480ad827d1792dabfc437cbd6719d8f3c94
SHA256

499134658200da842870f49a2fd70b3bcec9d88b324d035e654ef2093222fb02
SHA512

c937f49fa76bad51f47ab7fdc3537285affcdcf2a99ff47cb3b2bba4c1fa4cbcd8932c0e2578cd710e86141e8ea2cfe2f13097ff035c6d414e52bf5ae659c83d
SSDEEP

24576:h1OYdaOeZ4/yZSbsUcMInv5HPeIvYgKLdQ4z7NW6IY12Ck5GfPra5TDVRS:h1OsQ+yZS/cMIndPeIvzKL/7NW6L+pRS

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1992	t9bp29aHmUTy1v3.exe

Loads dropped DLL 4 IoCs

pid	Process
1872	499134658200da842870f49a2fd70b3bcec9d88b324d035e654ef2093222fb02.exe
1992	t9bp29aHmUTy1v3.exe
984	regsvr32.exe
916	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eibknaofeelpmocgncpebaikbjanookf\2.0\manifest.json	t9bp29aHmUTy1v3.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\eibknaofeelpmocgncpebaikbjanookf\2.0\manifest.json	t9bp29aHmUTy1v3.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\eibknaofeelpmocgncpebaikbjanookf\2.0\manifest.json	t9bp29aHmUTy1v3.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	t9bp29aHmUTy1v3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	t9bp29aHmUTy1v3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	t9bp29aHmUTy1v3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	t9bp29aHmUTy1v3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	t9bp29aHmUTy1v3.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GooSaVVe\sjs6QBB1leNrBe.tlb	t9bp29aHmUTy1v3.exe
File created	C:\Program Files (x86)\GooSaVVe\sjs6QBB1leNrBe.dat	t9bp29aHmUTy1v3.exe
File opened for modification	C:\Program Files (x86)\GooSaVVe\sjs6QBB1leNrBe.dat	t9bp29aHmUTy1v3.exe
File created	C:\Program Files (x86)\GooSaVVe\sjs6QBB1leNrBe.x64.dll	t9bp29aHmUTy1v3.exe
File opened for modification	C:\Program Files (x86)\GooSaVVe\sjs6QBB1leNrBe.x64.dll	t9bp29aHmUTy1v3.exe
File created	C:\Program Files (x86)\GooSaVVe\sjs6QBB1leNrBe.dll	t9bp29aHmUTy1v3.exe
File opened for modification	C:\Program Files (x86)\GooSaVVe\sjs6QBB1leNrBe.dll	t9bp29aHmUTy1v3.exe
File created	C:\Program Files (x86)\GooSaVVe\sjs6QBB1leNrBe.tlb	t9bp29aHmUTy1v3.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1992	1872	499134658200da842870f49a2fd70b3bcec9d88b324d035e654ef2093222fb02.exe	27
PID 1872 wrote to memory of 1992	1872	499134658200da842870f49a2fd70b3bcec9d88b324d035e654ef2093222fb02.exe	27
PID 1872 wrote to memory of 1992	1872	499134658200da842870f49a2fd70b3bcec9d88b324d035e654ef2093222fb02.exe	27
PID 1872 wrote to memory of 1992	1872	499134658200da842870f49a2fd70b3bcec9d88b324d035e654ef2093222fb02.exe	27
PID 1992 wrote to memory of 984	1992	t9bp29aHmUTy1v3.exe	28
PID 1992 wrote to memory of 984	1992	t9bp29aHmUTy1v3.exe	28
PID 1992 wrote to memory of 984	1992	t9bp29aHmUTy1v3.exe	28
PID 1992 wrote to memory of 984	1992	t9bp29aHmUTy1v3.exe	28
PID 1992 wrote to memory of 984	1992	t9bp29aHmUTy1v3.exe	28
PID 1992 wrote to memory of 984	1992	t9bp29aHmUTy1v3.exe	28
PID 1992 wrote to memory of 984	1992	t9bp29aHmUTy1v3.exe	28
PID 984 wrote to memory of 916	984	regsvr32.exe	29
PID 984 wrote to memory of 916	984	regsvr32.exe	29
PID 984 wrote to memory of 916	984	regsvr32.exe	29
PID 984 wrote to memory of 916	984	regsvr32.exe	29
PID 984 wrote to memory of 916	984	regsvr32.exe	29
PID 984 wrote to memory of 916	984	regsvr32.exe	29
PID 984 wrote to memory of 916	984	regsvr32.exe	29

C:\Users\Admin\AppData\Local\Temp\499134658200da842870f49a2fd70b3bcec9d88b324d035e654ef2093222fb02.exe
"C:\Users\Admin\AppData\Local\Temp\499134658200da842870f49a2fd70b3bcec9d88b324d035e654ef2093222fb02.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\7zSA0C3.tmp\t9bp29aHmUTy1v3.exe
  .\t9bp29aHmUTy1v3.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GooSaVVe\sjs6QBB1leNrBe.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GooSaVVe\sjs6QBB1leNrBe.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GooSaVVe\sjs6QBB1leNrBe.dat

Filesize
6KB

MD5
ae331bde852deb2a3cbdb06432b3022b

SHA1
50a5fc948a22c0cd7e7ddf546ddec8fbbc7b8408

SHA256
1b271ef94b228eb8c926e6b866412df7eb770827a7f1f4f9f3c126c0e1dcafd8

SHA512
f2632d88be50a477ccd0b0b905a0db384b1b0e55391db90beccd73f4f97947aeed293d511c382ce739ce3163e25083f0442c207c37bd921b3461cd989a73b710

Download Submit
C:\Program Files (x86)\GooSaVVe\sjs6QBB1leNrBe.x64.dll

Filesize
686KB

MD5
793a36af8b6c6f5a86d5c8781f13b166

SHA1
5ea93c1b58bc0c2df3e7258ff4ef31fe77d61fd7

SHA256
885104c4082c1b441ae70ff3c673db3618e62295c2729720c88f553af6c0a585

SHA512
a737c2f5e6f93bf4a8973cc439fb7419ed2764bb7bfb4a01c4bdcc7983b24cd22132867b70a39446c613221934ff29c2bab7c382acd01eb2a2e9719a9e0cf255

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0C3.tmp\eibknaofeelpmocgncpebaikbjanookf\b.js

Filesize
5KB

MD5
0744e164b78d5e041060aadec39a395d

SHA1
efadd7352e248abca37012564a3dde2823da78f9

SHA256
d4a3fbfaf06786990cfadbc64133d09a69197ad5d24898df1be8f48dc8244e31

SHA512
5fe4d6e585213a6e2d7021e7c16e081754e34325af9bc217a169ec1bfc38286b3094a0c8a647e7d9c468530884a70de27d6975b3112e86c56ed5f293fee09e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0C3.tmp\eibknaofeelpmocgncpebaikbjanookf\background.html

Filesize
138B

MD5
8da4619c91bdfa76bdf19cc7b1cf3f59

SHA1
a9a76753ad10123b20abc4612718b538c154892d

SHA256
9991c7dd05190aa6d09242263945c89496297bd2bc85d06a76fae480d44e2f9b

SHA512
b9b0f7e1d4afafb6009455727007f28cb656fe2d9f2628b31b3557184f352207ab93764acfb8e19501e3e2f5b280c41afa93be6cd81770018f80d70ad24332c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0C3.tmp\eibknaofeelpmocgncpebaikbjanookf\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0C3.tmp\eibknaofeelpmocgncpebaikbjanookf\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0C3.tmp\eibknaofeelpmocgncpebaikbjanookf\manifest.json

Filesize
500B

MD5
0f5fa2afe11c85d482fee161ebbbbc54

SHA1
5d92e55dfe1f30828f9fdad7f0434a8667117160

SHA256
7c0f1fc3561fe852c21adf07b5b50850a911f62d2089920c9a8fe4ed0806b847

SHA512
520d9882ff92e54adf972b1634a8f154b4e34137706f103d9c3f619440bd9ddbd0fea3e4b1d11385fcf835638eebafb92b839e67b9f3c0c76a799c076e2eb464

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0C3.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0C3.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
a307a13353ef4f4bfeb0a86cef8c5f29

SHA1
242fc0cfb492ed1ae33d55ba4a4aaf1c87e7b3fc

SHA256
b5950027c5dc57fd7feda9af7e3aa2b055e8dc9de8ec647bc4daadfb0e886609

SHA512
286779c43d2408096e8a6f9e98257e866563c7fbb067e6dd8b4236079741b1ddbc4d796aa27d953b4528868297977602e69ecdf8c833f759c2ae2ca6e7b4296d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0C3.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
f4ffb12b4cbdd76ef69d4a7761a7eb5b

SHA1
fd6c81940e5d725da7fa8cfc70e119d990fc13c6

SHA256
dd91fdfbdd22186a5085588333cb14805d7cc1fd64deabad088541906b098feb

SHA512
199ab73cc68eb455196ba1473b8987f8c0d27564a3703f29fa28b447b59118f6580d50c0f410b62baab240cefd2c5b7208bcf40145b9337b15d9496eb522acca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0C3.tmp\[email protected]\install.rdf

Filesize
594B

MD5
5b748c4fbdd4c636ac19a2cc354fae08

SHA1
fcd859b81d73220f364b860ab8a3df07c41825a1

SHA256
64de1cfd5ca31e30558117c7a267cc83bc5b2e21a4fda299e43230de4e324a29

SHA512
0b3fa46b83b22e31b925c2046bbc250beebeb6d0cc40947a959c03f03bf5e680b79d5e32b380c0b1c5aa06698d62d6940f15194bfb0aa70625312a0b349f3c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0C3.tmp\sjs6QBB1leNrBe.dll

Filesize
605KB

MD5
af43f08751e421342670294664fa448a

SHA1
072972dce4232cbd9640ffc07e42ae63b8077fde

SHA256
2f5cc3fdf547907d7a3b5ac5b52adea636d59d1344038c137275d9f1b109bb1d

SHA512
ab4b22d360590cbd2900b27aa67dd7471b7f01df94b14a8ee8e1edefb67e32eaaa1a4efe03deab8f8ff1e4954c264bfc739ad45fd7a46a7a50e34e0d596235f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0C3.tmp\sjs6QBB1leNrBe.tlb

Filesize
3KB

MD5
45dab8a859ca3e9f625d893a6f7d273e

SHA1
b6cc5caeb2ad0a60509304d0bb1b5450ee702971

SHA256
8aba29d675b958b133eaf33ba476c9751a40f539ccc3208cc1b489b6df816b40

SHA512
0cc3b41567890e4e14c6153fbf612043a724e5617140ab15a18b3e68eeb478c134971c8e971e61cd5ffd8eeeec560f2fbd4e210237cd783d501428bc12ec81b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0C3.tmp\sjs6QBB1leNrBe.x64.dll

Filesize
686KB

MD5
793a36af8b6c6f5a86d5c8781f13b166

SHA1
5ea93c1b58bc0c2df3e7258ff4ef31fe77d61fd7

SHA256
885104c4082c1b441ae70ff3c673db3618e62295c2729720c88f553af6c0a585

SHA512
a737c2f5e6f93bf4a8973cc439fb7419ed2764bb7bfb4a01c4bdcc7983b24cd22132867b70a39446c613221934ff29c2bab7c382acd01eb2a2e9719a9e0cf255

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0C3.tmp\t9bp29aHmUTy1v3.dat

Filesize
6KB

MD5
ae331bde852deb2a3cbdb06432b3022b

SHA1
50a5fc948a22c0cd7e7ddf546ddec8fbbc7b8408

SHA256
1b271ef94b228eb8c926e6b866412df7eb770827a7f1f4f9f3c126c0e1dcafd8

SHA512
f2632d88be50a477ccd0b0b905a0db384b1b0e55391db90beccd73f4f97947aeed293d511c382ce739ce3163e25083f0442c207c37bd921b3461cd989a73b710

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0C3.tmp\t9bp29aHmUTy1v3.exe

Filesize
642KB

MD5
bab80a5c1288acb341e60c3ddabb3eba

SHA1
64ec624991fa8724cd15764315ac5706c4a8beff

SHA256
2cfbe6b48a770670ba9e14b592c682f1a5b26226517fd86257866ea0b1dc66f8

SHA512
5eef891ee5005320248ea9ed9c79da47f1480a5528abf4d9dcb7150428bff20662ece5b6f09d9d4b5b3ca774fa32954f775f3b48ef913d4e9614e4623366fc82

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA0C3.tmp\t9bp29aHmUTy1v3.exe

Filesize
642KB

MD5
bab80a5c1288acb341e60c3ddabb3eba

SHA1
64ec624991fa8724cd15764315ac5706c4a8beff

SHA256
2cfbe6b48a770670ba9e14b592c682f1a5b26226517fd86257866ea0b1dc66f8

SHA512
5eef891ee5005320248ea9ed9c79da47f1480a5528abf4d9dcb7150428bff20662ece5b6f09d9d4b5b3ca774fa32954f775f3b48ef913d4e9614e4623366fc82

Download Submit
\Program Files (x86)\GooSaVVe\sjs6QBB1leNrBe.dll

Filesize
605KB

MD5
af43f08751e421342670294664fa448a

SHA1
072972dce4232cbd9640ffc07e42ae63b8077fde

SHA256
2f5cc3fdf547907d7a3b5ac5b52adea636d59d1344038c137275d9f1b109bb1d

SHA512
ab4b22d360590cbd2900b27aa67dd7471b7f01df94b14a8ee8e1edefb67e32eaaa1a4efe03deab8f8ff1e4954c264bfc739ad45fd7a46a7a50e34e0d596235f4

Download Submit
\Program Files (x86)\GooSaVVe\sjs6QBB1leNrBe.x64.dll

Filesize
686KB

MD5
793a36af8b6c6f5a86d5c8781f13b166

SHA1
5ea93c1b58bc0c2df3e7258ff4ef31fe77d61fd7

SHA256
885104c4082c1b441ae70ff3c673db3618e62295c2729720c88f553af6c0a585

SHA512
a737c2f5e6f93bf4a8973cc439fb7419ed2764bb7bfb4a01c4bdcc7983b24cd22132867b70a39446c613221934ff29c2bab7c382acd01eb2a2e9719a9e0cf255

Download Submit
\Program Files (x86)\GooSaVVe\sjs6QBB1leNrBe.x64.dll

Filesize
686KB

MD5
793a36af8b6c6f5a86d5c8781f13b166

SHA1
5ea93c1b58bc0c2df3e7258ff4ef31fe77d61fd7

SHA256
885104c4082c1b441ae70ff3c673db3618e62295c2729720c88f553af6c0a585

SHA512
a737c2f5e6f93bf4a8973cc439fb7419ed2764bb7bfb4a01c4bdcc7983b24cd22132867b70a39446c613221934ff29c2bab7c382acd01eb2a2e9719a9e0cf255

Download Submit
\Users\Admin\AppData\Local\Temp\7zSA0C3.tmp\t9bp29aHmUTy1v3.exe

Filesize
642KB

MD5
bab80a5c1288acb341e60c3ddabb3eba

SHA1
64ec624991fa8724cd15764315ac5706c4a8beff

SHA256
2cfbe6b48a770670ba9e14b592c682f1a5b26226517fd86257866ea0b1dc66f8

SHA512
5eef891ee5005320248ea9ed9c79da47f1480a5528abf4d9dcb7150428bff20662ece5b6f09d9d4b5b3ca774fa32954f775f3b48ef913d4e9614e4623366fc82

Download Submit
memory/916-78-0x000007FEFB5C1000-0x000007FEFB5C3000-memory.dmp

Filesize
8KB

Download
memory/1872-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download