7e82b23a88542fde721e9ba70e5c2e4e1f0d7eacbfb50d6b803bb16ab971ee57

Analysis

max time kernel
150s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e82b23a88542fde721e9ba70e5c2e4e1f0d7eacbfb50d6b803bb16ab971ee57.exe
Size

2.1MB
MD5

bc907f3fd0c264c49747c687c52ec52c
SHA1

06f437c646b5216e452e2ea1de0a3588f45a000a
SHA256

7e82b23a88542fde721e9ba70e5c2e4e1f0d7eacbfb50d6b803bb16ab971ee57
SHA512

bcf917772131f82ee5242314aa44d3f08bfa2cf4bdc643ad92a2b81e0596c5865e98698e374751052d341bf9a704366b0d580e0805b75c39790af6050cb66fc0
SSDEEP

49152:h1Os0yuyoY0IKAVWQrQSM5eeHY1h2PlSUQ8PciV:h1O5goP9oM5LFN

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4776	fhhf7mipKKpqXw2.exe

Loads dropped DLL 3 IoCs

pid	Process
4776	fhhf7mipKKpqXw2.exe
4268	regsvr32.exe
4140	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\feoeppcficblfcdpgikbkgnlpnkjfapn\2.0\manifest.json	fhhf7mipKKpqXw2.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\feoeppcficblfcdpgikbkgnlpnkjfapn\2.0\manifest.json	fhhf7mipKKpqXw2.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\feoeppcficblfcdpgikbkgnlpnkjfapn\2.0\manifest.json	fhhf7mipKKpqXw2.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\feoeppcficblfcdpgikbkgnlpnkjfapn\2.0\manifest.json	fhhf7mipKKpqXw2.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\feoeppcficblfcdpgikbkgnlpnkjfapn\2.0\manifest.json	fhhf7mipKKpqXw2.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	fhhf7mipKKpqXw2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	fhhf7mipKKpqXw2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	fhhf7mipKKpqXw2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	fhhf7mipKKpqXw2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GooSave\i9J64XIJlLbo0f.x64.dll	fhhf7mipKKpqXw2.exe
File opened for modification	C:\Program Files (x86)\GooSave\i9J64XIJlLbo0f.x64.dll	fhhf7mipKKpqXw2.exe
File created	C:\Program Files (x86)\GooSave\i9J64XIJlLbo0f.dll	fhhf7mipKKpqXw2.exe
File opened for modification	C:\Program Files (x86)\GooSave\i9J64XIJlLbo0f.dll	fhhf7mipKKpqXw2.exe
File created	C:\Program Files (x86)\GooSave\i9J64XIJlLbo0f.tlb	fhhf7mipKKpqXw2.exe
File opened for modification	C:\Program Files (x86)\GooSave\i9J64XIJlLbo0f.tlb	fhhf7mipKKpqXw2.exe
File created	C:\Program Files (x86)\GooSave\i9J64XIJlLbo0f.dat	fhhf7mipKKpqXw2.exe
File opened for modification	C:\Program Files (x86)\GooSave\i9J64XIJlLbo0f.dat	fhhf7mipKKpqXw2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 4776	4824	7e82b23a88542fde721e9ba70e5c2e4e1f0d7eacbfb50d6b803bb16ab971ee57.exe	81
PID 4824 wrote to memory of 4776	4824	7e82b23a88542fde721e9ba70e5c2e4e1f0d7eacbfb50d6b803bb16ab971ee57.exe	81
PID 4824 wrote to memory of 4776	4824	7e82b23a88542fde721e9ba70e5c2e4e1f0d7eacbfb50d6b803bb16ab971ee57.exe	81
PID 4776 wrote to memory of 4268	4776	fhhf7mipKKpqXw2.exe	82
PID 4776 wrote to memory of 4268	4776	fhhf7mipKKpqXw2.exe	82
PID 4776 wrote to memory of 4268	4776	fhhf7mipKKpqXw2.exe	82
PID 4268 wrote to memory of 4140	4268	regsvr32.exe	83
PID 4268 wrote to memory of 4140	4268	regsvr32.exe	83

C:\Users\Admin\AppData\Local\Temp\7e82b23a88542fde721e9ba70e5c2e4e1f0d7eacbfb50d6b803bb16ab971ee57.exe
"C:\Users\Admin\AppData\Local\Temp\7e82b23a88542fde721e9ba70e5c2e4e1f0d7eacbfb50d6b803bb16ab971ee57.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\7zSC577.tmp\fhhf7mipKKpqXw2.exe
  .\fhhf7mipKKpqXw2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GooSave\i9J64XIJlLbo0f.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GooSave\i9J64XIJlLbo0f.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:4140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GooSave\i9J64XIJlLbo0f.dat

Filesize
6KB

MD5
3cf9fc69c0790513e615d3c87be89fb5

SHA1
90e0b23192bf7ce3b6c72da0e903ef8162f915ab

SHA256
8bafc68b8418b494aee20251f559d96661249df846c2a89434d176b0ce4e3f30

SHA512
f8aa022ec0f00b29c6dd0215e1860f825f5663e341d2db3b0da2d2678f25780e1177410814a276ae39e8f319df873a297bf45e84ab32efea78b6eba66db43e37

Download Submit
C:\Program Files (x86)\GooSave\i9J64XIJlLbo0f.dll

Filesize
616KB

MD5
ac2bb9f430ee63577e2e658e576fbaa3

SHA1
661dad0abec24f1cd8400e09fd00881d9dd66b02

SHA256
59bb2ef1513927977be1a94a9e7687a92fd078ad343d481ba40edbfbe85e8812

SHA512
f0c2e9c780bcf67147a7c4803ffb292d6b2c4bf0a03f65273a86c6da85c0b5cd1d24d48726d95ed1e5c6b5662b7fcaba65b47bf1e7d906d97c263d2c92285769

Download Submit
C:\Program Files (x86)\GooSave\i9J64XIJlLbo0f.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
C:\Program Files (x86)\GooSave\i9J64XIJlLbo0f.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
C:\Program Files (x86)\GooSave\i9J64XIJlLbo0f.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC577.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC577.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
0f70dbdeed89c3f3352a2bf0ddb7af1d

SHA1
0015caaa4fc489eaa938ff54a151a8a13e8b9e02

SHA256
0c22aa79524bf5914e3463d072db3533b2dd44086f25ecd501feaf934754866c

SHA512
97a8d59670e9370d1f98a40d47dc85946cd8817c4f9dd5924a5aca61df00eb0c8f8f5a76cbdf71658959a0e13ed65bc612f9d42b2a46fc1c4df014cea30d1c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC577.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
8812997988758833790282947a5e87ff

SHA1
f90149f7b4024e7f7611578b1c727f3e4d66fbf3

SHA256
fa889f3f774566081e0a22c6675b147b62e43d2a6aca0f8a180acb22dd968226

SHA512
385e5896994311d7d3a701aa39bb0310f3f996fcd56afca300e338620462ed5f137e40d7240d8b54c97df92b48ed1f838cc80d870e9d7062868bbdc6fe4cf530

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC577.tmp\[email protected]\install.rdf

Filesize
592B

MD5
8aeff21770941538c48d3e5d0790ea4f

SHA1
11abf4b7c89509ae43431dc46a3e228c0f7fa3a7

SHA256
ce16ecec217a2b4d5334cf6e60be95708d561279776cc57cf77005c49f269356

SHA512
19a652bdbcfa66589de8ef6d76caf3e48020e674862290ba0e48c4848b80bd6f3c675dbf3a299c9c3df92945bd05458e6d6ab4dda157032d985ab39cd575eabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC577.tmp\feoeppcficblfcdpgikbkgnlpnkjfapn\Zewe5.js

Filesize
5KB

MD5
a306e2198bf3215f0f6d2a859b3b65d7

SHA1
e78613b81f7939bfa5504db0def2181669c9dc15

SHA256
0f5c46f62ff7832a23f77b13b1ec9c88e1b4fb9d5e6d13d625be3fbc99d4a641

SHA512
68e678057d722ae2a02c938dc931d911226ef796c849ef45c946a9aed8a162e3c557a0eaba62bedc8eb02180b2a551917a29e78b1ca3514718068a4db35d788a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC577.tmp\feoeppcficblfcdpgikbkgnlpnkjfapn\background.html

Filesize
142B

MD5
45d702046c974f7f6115e55c729a4b4e

SHA1
a29e654d0cefe0f280af7d68abd56483e366e4e2

SHA256
8f9b2961205b50026868da1c39eef0a87f5faadb516c534ce2672e7945cbe5f1

SHA512
2b3b89c446bc29a6d80b179e7036966ebf9ed09b78ddaaa64a4e8cfe32370d62d1db2a6af8da683bc91251d944b0fdf1978c32000bea5011bb455609f48f6a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC577.tmp\feoeppcficblfcdpgikbkgnlpnkjfapn\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC577.tmp\feoeppcficblfcdpgikbkgnlpnkjfapn\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC577.tmp\feoeppcficblfcdpgikbkgnlpnkjfapn\manifest.json

Filesize
499B

MD5
2bafae0ea4ab5ac51958f72d544ef543

SHA1
4a4665d6b13fbba59d92c908b8fc30aac3bedd08

SHA256
9c47ef92b7f138a1487632f023fb3f9ff2c379b29c627b716707b162ae56f473

SHA512
1f76f2b5423a040f29ecbc58e257c336faade2f80fc41917d165d02989858057508ed0cf5c7eecd12b6238885331f27d4f05d61ec0334200f6c17f2e4974b72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC577.tmp\fhhf7mipKKpqXw2.dat

Filesize
6KB

MD5
3cf9fc69c0790513e615d3c87be89fb5

SHA1
90e0b23192bf7ce3b6c72da0e903ef8162f915ab

SHA256
8bafc68b8418b494aee20251f559d96661249df846c2a89434d176b0ce4e3f30

SHA512
f8aa022ec0f00b29c6dd0215e1860f825f5663e341d2db3b0da2d2678f25780e1177410814a276ae39e8f319df873a297bf45e84ab32efea78b6eba66db43e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC577.tmp\fhhf7mipKKpqXw2.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC577.tmp\fhhf7mipKKpqXw2.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC577.tmp\i9J64XIJlLbo0f.dll

Filesize
616KB

MD5
ac2bb9f430ee63577e2e658e576fbaa3

SHA1
661dad0abec24f1cd8400e09fd00881d9dd66b02

SHA256
59bb2ef1513927977be1a94a9e7687a92fd078ad343d481ba40edbfbe85e8812

SHA512
f0c2e9c780bcf67147a7c4803ffb292d6b2c4bf0a03f65273a86c6da85c0b5cd1d24d48726d95ed1e5c6b5662b7fcaba65b47bf1e7d906d97c263d2c92285769

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC577.tmp\i9J64XIJlLbo0f.tlb

Filesize
3KB

MD5
52acf269931e562ad7445f7a803bd5e3

SHA1
ef86bb5f96b2bba4c85a73efef5df4a08ab99031

SHA256
bc29a9426767cb54f6f11ea9d457613f858aa0d0e33137ab8ad1f53ff601d8f2

SHA512
545cc433a340e0b6ef70c92ab7854058222bb76385fb4027f1cc174a0baececb48c8e04ea83e9387d2c664505d4dd3799d41512e06c3ec5b4e32d0bf4a84668b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC577.tmp\i9J64XIJlLbo0f.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
memory/4140-152-0x0000000000000000-mapping.dmp

Download
memory/4268-149-0x0000000000000000-mapping.dmp

Download
memory/4776-132-0x0000000000000000-mapping.dmp

Download