7dfa8052f22eb2a072b7821c29dd292b36dc59baf3155bf4f371af777547b3bb

Analysis

max time kernel
193s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dfa8052f22eb2a072b7821c29dd292b36dc59baf3155bf4f371af777547b3bb.exe
Size

2.1MB
MD5

431e36cea4e356274e7474c6e2f2cbe4
SHA1

f508fb75e8aaaa87924119aca6a66f986eb429be
SHA256

7dfa8052f22eb2a072b7821c29dd292b36dc59baf3155bf4f371af777547b3bb
SHA512

3682749d09241fedb845cc45daf2168f0cb22da03e89261ab90d55491c7b03589bf5ef807d38d651250c0b4a29aaaaea630b1065a5770e223c7e87126cc0bc0b
SSDEEP

49152:h1Os+aFBQd+eIvim2CQHSM3OYVv8JGUpqq0:h1OhaFBw+LNRR2FQt0

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3900	BAADOdPOsxgIILu.exe

Loads dropped DLL 3 IoCs

pid	Process
3900	BAADOdPOsxgIILu.exe
4304	regsvr32.exe
3880	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eelhanccmofmfjlallhihmellemdjnbf\2.0\manifest.json	BAADOdPOsxgIILu.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\eelhanccmofmfjlallhihmellemdjnbf\2.0\manifest.json	BAADOdPOsxgIILu.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\eelhanccmofmfjlallhihmellemdjnbf\2.0\manifest.json	BAADOdPOsxgIILu.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\eelhanccmofmfjlallhihmellemdjnbf\2.0\manifest.json	BAADOdPOsxgIILu.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\eelhanccmofmfjlallhihmellemdjnbf\2.0\manifest.json	BAADOdPOsxgIILu.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	BAADOdPOsxgIILu.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	BAADOdPOsxgIILu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	BAADOdPOsxgIILu.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	BAADOdPOsxgIILu.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GooSave\3RnAq5v7wiPIxm.dat	BAADOdPOsxgIILu.exe
File created	C:\Program Files (x86)\GooSave\3RnAq5v7wiPIxm.x64.dll	BAADOdPOsxgIILu.exe
File opened for modification	C:\Program Files (x86)\GooSave\3RnAq5v7wiPIxm.x64.dll	BAADOdPOsxgIILu.exe
File created	C:\Program Files (x86)\GooSave\3RnAq5v7wiPIxm.dll	BAADOdPOsxgIILu.exe
File opened for modification	C:\Program Files (x86)\GooSave\3RnAq5v7wiPIxm.dll	BAADOdPOsxgIILu.exe
File created	C:\Program Files (x86)\GooSave\3RnAq5v7wiPIxm.tlb	BAADOdPOsxgIILu.exe
File opened for modification	C:\Program Files (x86)\GooSave\3RnAq5v7wiPIxm.tlb	BAADOdPOsxgIILu.exe
File created	C:\Program Files (x86)\GooSave\3RnAq5v7wiPIxm.dat	BAADOdPOsxgIILu.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 3900	4908	7dfa8052f22eb2a072b7821c29dd292b36dc59baf3155bf4f371af777547b3bb.exe	82
PID 4908 wrote to memory of 3900	4908	7dfa8052f22eb2a072b7821c29dd292b36dc59baf3155bf4f371af777547b3bb.exe	82
PID 4908 wrote to memory of 3900	4908	7dfa8052f22eb2a072b7821c29dd292b36dc59baf3155bf4f371af777547b3bb.exe	82
PID 3900 wrote to memory of 4304	3900	BAADOdPOsxgIILu.exe	83
PID 3900 wrote to memory of 4304	3900	BAADOdPOsxgIILu.exe	83
PID 3900 wrote to memory of 4304	3900	BAADOdPOsxgIILu.exe	83
PID 4304 wrote to memory of 3880	4304	regsvr32.exe	84
PID 4304 wrote to memory of 3880	4304	regsvr32.exe	84

C:\Users\Admin\AppData\Local\Temp\7dfa8052f22eb2a072b7821c29dd292b36dc59baf3155bf4f371af777547b3bb.exe
"C:\Users\Admin\AppData\Local\Temp\7dfa8052f22eb2a072b7821c29dd292b36dc59baf3155bf4f371af777547b3bb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\7zSC44A.tmp\BAADOdPOsxgIILu.exe
  .\BAADOdPOsxgIILu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GooSave\3RnAq5v7wiPIxm.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GooSave\3RnAq5v7wiPIxm.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:3880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GooSave\3RnAq5v7wiPIxm.dat

Filesize
6KB

MD5
c61c1379bae7c7171a26cdde4f057aa7

SHA1
340e3f7afb0f16fe9d9d16540637cb83d403db80

SHA256
c354d0ab975433c6f2e40a0aeeca82a2052149ed7e1f55127f926c7aea825e77

SHA512
fcf2af62b94c04dc499c62889dd7aeeaf22d4ab51a6e35b150e24204a1a75d4b1e2d99ea78beffe64b81cf7a6bae270705a5a83959fba11d2bb989bb1bea91e0

Download Submit
C:\Program Files (x86)\GooSave\3RnAq5v7wiPIxm.dll

Filesize
616KB

MD5
1120f8874c79b25d1298a34781f5f753

SHA1
f7818c6893c2b5edcc4321b011ce30f5494a5cf1

SHA256
c6bbf05c75c90b71c4365aec702ccf85a42522925ae58fe3d99c91f5b8d4e4da

SHA512
5a97c876b83b063069be7748f1e9667d7684c4f3ae6f6345cc1af3bd609805eb9616ba51467ca4493894f1a79e4e23c1a6d1828c771fcbcaff0ab02defa7759b

Download Submit
C:\Program Files (x86)\GooSave\3RnAq5v7wiPIxm.x64.dll

Filesize
696KB

MD5
8f30c38a6da083d86b39a511dcef943a

SHA1
0a6e8dd59ede58b74d2e3ea0176260f2c51a4b23

SHA256
09428431f07c3a45a7e38933bf2e4a271ad501f35a43305962259dfa84161166

SHA512
e0326b5e58ced39a6c6b75534aa6db531fdbae68882224ebb4cfbb306a4578847481fe1902bb1c0c1d84e6db997f250d801303b9cc5f51dddeff80dadd9f6ef3

Download Submit
C:\Program Files (x86)\GooSave\3RnAq5v7wiPIxm.x64.dll

Filesize
696KB

MD5
8f30c38a6da083d86b39a511dcef943a

SHA1
0a6e8dd59ede58b74d2e3ea0176260f2c51a4b23

SHA256
09428431f07c3a45a7e38933bf2e4a271ad501f35a43305962259dfa84161166

SHA512
e0326b5e58ced39a6c6b75534aa6db531fdbae68882224ebb4cfbb306a4578847481fe1902bb1c0c1d84e6db997f250d801303b9cc5f51dddeff80dadd9f6ef3

Download Submit
C:\Program Files (x86)\GooSave\3RnAq5v7wiPIxm.x64.dll

Filesize
696KB

MD5
8f30c38a6da083d86b39a511dcef943a

SHA1
0a6e8dd59ede58b74d2e3ea0176260f2c51a4b23

SHA256
09428431f07c3a45a7e38933bf2e4a271ad501f35a43305962259dfa84161166

SHA512
e0326b5e58ced39a6c6b75534aa6db531fdbae68882224ebb4cfbb306a4578847481fe1902bb1c0c1d84e6db997f250d801303b9cc5f51dddeff80dadd9f6ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC44A.tmp\3RnAq5v7wiPIxm.dll

Filesize
616KB

MD5
1120f8874c79b25d1298a34781f5f753

SHA1
f7818c6893c2b5edcc4321b011ce30f5494a5cf1

SHA256
c6bbf05c75c90b71c4365aec702ccf85a42522925ae58fe3d99c91f5b8d4e4da

SHA512
5a97c876b83b063069be7748f1e9667d7684c4f3ae6f6345cc1af3bd609805eb9616ba51467ca4493894f1a79e4e23c1a6d1828c771fcbcaff0ab02defa7759b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC44A.tmp\3RnAq5v7wiPIxm.tlb

Filesize
3KB

MD5
633d469f7307d711a7f6b08d024cbe2d

SHA1
a8c01e9c7a081c175a393345a7a60fb3be0f8cde

SHA256
b3c5da764bfb906053b84e92b31e3d9b04a46b65b4e35d34c0c645496a80d054

SHA512
8b66733187095168668526f37d0348d0e78889d44edc4c0da4be486bc10fe443862228af3b112f968d08d2afe5e86a21ab26ef72d4365a15785bef400652d485

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC44A.tmp\3RnAq5v7wiPIxm.x64.dll

Filesize
696KB

MD5
8f30c38a6da083d86b39a511dcef943a

SHA1
0a6e8dd59ede58b74d2e3ea0176260f2c51a4b23

SHA256
09428431f07c3a45a7e38933bf2e4a271ad501f35a43305962259dfa84161166

SHA512
e0326b5e58ced39a6c6b75534aa6db531fdbae68882224ebb4cfbb306a4578847481fe1902bb1c0c1d84e6db997f250d801303b9cc5f51dddeff80dadd9f6ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC44A.tmp\BAADOdPOsxgIILu.dat

Filesize
6KB

MD5
c61c1379bae7c7171a26cdde4f057aa7

SHA1
340e3f7afb0f16fe9d9d16540637cb83d403db80

SHA256
c354d0ab975433c6f2e40a0aeeca82a2052149ed7e1f55127f926c7aea825e77

SHA512
fcf2af62b94c04dc499c62889dd7aeeaf22d4ab51a6e35b150e24204a1a75d4b1e2d99ea78beffe64b81cf7a6bae270705a5a83959fba11d2bb989bb1bea91e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC44A.tmp\BAADOdPOsxgIILu.exe

Filesize
624KB

MD5
bfdd027de2e75467ce1d542d4e925e19

SHA1
1c076814ad25983cbdf0cd061978090014ebfcd1

SHA256
ebb6c1511f94ddb23847bbfe73a41bc99496c97287bfce1942af48c52e0db84a

SHA512
63c6f40107d20f4e186dbfece46c8889d17af15e641ca71db39d3dde4689c08248be12318925a3d3eeb6b6bf29b8276994feb5548a92cdcd1149118e7d857fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC44A.tmp\BAADOdPOsxgIILu.exe

Filesize
624KB

MD5
bfdd027de2e75467ce1d542d4e925e19

SHA1
1c076814ad25983cbdf0cd061978090014ebfcd1

SHA256
ebb6c1511f94ddb23847bbfe73a41bc99496c97287bfce1942af48c52e0db84a

SHA512
63c6f40107d20f4e186dbfece46c8889d17af15e641ca71db39d3dde4689c08248be12318925a3d3eeb6b6bf29b8276994feb5548a92cdcd1149118e7d857fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC44A.tmp\eelhanccmofmfjlallhihmellemdjnbf\IL4b.js

Filesize
5KB

MD5
241a8f5266e42d78ca79aa1b2c2b2bfc

SHA1
bb5292edcb71c79d60443e5ecb03d53a489328d6

SHA256
006f9cc20d72462531d2095ecbbb900265f36f807639a76870e41492aa9da5ad

SHA512
9a35a3ca6baa34be9280b69acd98aa3070d4f1681c7dced23548d00a2cc887ca2e7e8b5a239708660267b7cd07a6c67279f234b0ed2392d43f455d8b860108de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC44A.tmp\eelhanccmofmfjlallhihmellemdjnbf\background.html

Filesize
141B

MD5
992e1e2e5f2a2bd272130e10e18b4c38

SHA1
4842eb9bf67c6638633c9831f986a41c9d8580da

SHA256
bd2e2a3b41c82f83ad7e9bfe1057a1cee8209ecafdd2162fcd37b054003050a1

SHA512
e111e827b391af2554df462f5db766d1e509380b16ecdd063843191f08db70baae1b88e2852cbb9d1e5b0126782974b4e65641a6bbd097021cb0aa37af3c17df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC44A.tmp\eelhanccmofmfjlallhihmellemdjnbf\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC44A.tmp\eelhanccmofmfjlallhihmellemdjnbf\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC44A.tmp\eelhanccmofmfjlallhihmellemdjnbf\manifest.json

Filesize
499B

MD5
2bafae0ea4ab5ac51958f72d544ef543

SHA1
4a4665d6b13fbba59d92c908b8fc30aac3bedd08

SHA256
9c47ef92b7f138a1487632f023fb3f9ff2c379b29c627b716707b162ae56f473

SHA512
1f76f2b5423a040f29ecbc58e257c336faade2f80fc41917d165d02989858057508ed0cf5c7eecd12b6238885331f27d4f05d61ec0334200f6c17f2e4974b72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC44A.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC44A.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
e8161069c2ba2958edbf7d8998ab4038

SHA1
7cec2ef588e2aa75ecfc971467d25c37169cbc9c

SHA256
4065a158a07a235da5bc8ff28b28943889c7f738f2bf56313dabdf105feb89bb

SHA512
15a1d1176e4f9a2f1bfd284ff234a1e4f6c7d0f12e71125b2a3f7fc803c02dc0ee1a49d412c904113d07400fedf38875716f4de1cbc1b536bdc044ce2d67b418

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC44A.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
85a9618ff5a3479d8dee9f1ec4a7442c

SHA1
fb7e1c9ba4070286e5a99acd9322c8a62bb1b4d0

SHA256
ebc68510251dc7e2febcbf74b5e2109420074ed725eb68cb369abca310dfdc59

SHA512
712b6227bde772c43d8ef093e38456c46affd205c2bf9324cb1cb8b757e1c5e946d99e2d5e029aae5613e4bfc3e91838a623141e04c656e269d8f5e75da3117a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC44A.tmp\[email protected]\install.rdf

Filesize
600B

MD5
d8928e6094bff0f55c1315797ad6e57e

SHA1
1da2cee5e313bcbf0124e86704c07b3d26e9f216

SHA256
7afd81adc1771ca9e60b0d9ab57b729df3f0ae0ed6536a1174e9b6aab3660c29

SHA512
911dceb4c419d1d4c45439a6b004158501884b8e7ad081317a3a40b312cb02a107cf3cb1e31f0fe6169e7df09bbf2e643cd074820f4bad79ee2095823657aa7a

Download Submit