283871e3a5f77a1e6125a00453b886102957ab6933de0c37ebf00c4ef3aeeffa

Analysis

max time kernel
39s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

283871e3a5f77a1e6125a00453b886102957ab6933de0c37ebf00c4ef3aeeffa.exe
Size

2.1MB
MD5

5cead56089e64bfff367baee447a6870
SHA1

8160e06057d3645176dfa82f5f6344f077d03b30
SHA256

283871e3a5f77a1e6125a00453b886102957ab6933de0c37ebf00c4ef3aeeffa
SHA512

81acb903af08e9947706d690b4cbfeb8b0efb6b4cae6098a740f669e84cd2cfb72f4ea3873b3af64f21416eb87cf34757f6e16835b9c92b339d29439c6664a55
SSDEEP

49152:h1Os2yuyoY0IKAVWQrQSM5eeHY1h2PlSUQ8Pcic:h1ObgoP9oM5LF0

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1536	sAUOhZkFSBJ5wyJ.exe

Loads dropped DLL 4 IoCs

pid	Process
1504	283871e3a5f77a1e6125a00453b886102957ab6933de0c37ebf00c4ef3aeeffa.exe
1536	sAUOhZkFSBJ5wyJ.exe
792	regsvr32.exe
1752	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\caeakkhdffkkibjbpolkkbhmpfppbiib\2.0\manifest.json	sAUOhZkFSBJ5wyJ.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\caeakkhdffkkibjbpolkkbhmpfppbiib\2.0\manifest.json	sAUOhZkFSBJ5wyJ.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\caeakkhdffkkibjbpolkkbhmpfppbiib\2.0\manifest.json	sAUOhZkFSBJ5wyJ.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	sAUOhZkFSBJ5wyJ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	sAUOhZkFSBJ5wyJ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	sAUOhZkFSBJ5wyJ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	sAUOhZkFSBJ5wyJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	sAUOhZkFSBJ5wyJ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GooSaave\fPNdvRIP5ZSFT3.x64.dll	sAUOhZkFSBJ5wyJ.exe
File created	C:\Program Files (x86)\GooSaave\fPNdvRIP5ZSFT3.dll	sAUOhZkFSBJ5wyJ.exe
File opened for modification	C:\Program Files (x86)\GooSaave\fPNdvRIP5ZSFT3.dll	sAUOhZkFSBJ5wyJ.exe
File created	C:\Program Files (x86)\GooSaave\fPNdvRIP5ZSFT3.tlb	sAUOhZkFSBJ5wyJ.exe
File opened for modification	C:\Program Files (x86)\GooSaave\fPNdvRIP5ZSFT3.tlb	sAUOhZkFSBJ5wyJ.exe
File created	C:\Program Files (x86)\GooSaave\fPNdvRIP5ZSFT3.dat	sAUOhZkFSBJ5wyJ.exe
File opened for modification	C:\Program Files (x86)\GooSaave\fPNdvRIP5ZSFT3.dat	sAUOhZkFSBJ5wyJ.exe
File created	C:\Program Files (x86)\GooSaave\fPNdvRIP5ZSFT3.x64.dll	sAUOhZkFSBJ5wyJ.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1536	1504	283871e3a5f77a1e6125a00453b886102957ab6933de0c37ebf00c4ef3aeeffa.exe	26
PID 1504 wrote to memory of 1536	1504	283871e3a5f77a1e6125a00453b886102957ab6933de0c37ebf00c4ef3aeeffa.exe	26
PID 1504 wrote to memory of 1536	1504	283871e3a5f77a1e6125a00453b886102957ab6933de0c37ebf00c4ef3aeeffa.exe	26
PID 1504 wrote to memory of 1536	1504	283871e3a5f77a1e6125a00453b886102957ab6933de0c37ebf00c4ef3aeeffa.exe	26
PID 1536 wrote to memory of 792	1536	sAUOhZkFSBJ5wyJ.exe	27
PID 1536 wrote to memory of 792	1536	sAUOhZkFSBJ5wyJ.exe	27
PID 1536 wrote to memory of 792	1536	sAUOhZkFSBJ5wyJ.exe	27
PID 1536 wrote to memory of 792	1536	sAUOhZkFSBJ5wyJ.exe	27
PID 1536 wrote to memory of 792	1536	sAUOhZkFSBJ5wyJ.exe	27
PID 1536 wrote to memory of 792	1536	sAUOhZkFSBJ5wyJ.exe	27
PID 1536 wrote to memory of 792	1536	sAUOhZkFSBJ5wyJ.exe	27
PID 792 wrote to memory of 1752	792	regsvr32.exe	28
PID 792 wrote to memory of 1752	792	regsvr32.exe	28
PID 792 wrote to memory of 1752	792	regsvr32.exe	28
PID 792 wrote to memory of 1752	792	regsvr32.exe	28
PID 792 wrote to memory of 1752	792	regsvr32.exe	28
PID 792 wrote to memory of 1752	792	regsvr32.exe	28
PID 792 wrote to memory of 1752	792	regsvr32.exe	28

C:\Users\Admin\AppData\Local\Temp\283871e3a5f77a1e6125a00453b886102957ab6933de0c37ebf00c4ef3aeeffa.exe
"C:\Users\Admin\AppData\Local\Temp\283871e3a5f77a1e6125a00453b886102957ab6933de0c37ebf00c4ef3aeeffa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\7zS3C75.tmp\sAUOhZkFSBJ5wyJ.exe
  .\sAUOhZkFSBJ5wyJ.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GooSaave\fPNdvRIP5ZSFT3.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GooSaave\fPNdvRIP5ZSFT3.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GooSaave\fPNdvRIP5ZSFT3.dat

Filesize
6KB

MD5
8004899cb8ffe35b1f37e58b61389bdb

SHA1
23cc057f35b2ead70543420484440c47925cd6f8

SHA256
98910aec04a43a11f8dfe4cdf050b01586884588590090ec9fd61c912af50614

SHA512
cdca5b9ff40716ac259bfee552adeea39c3f5b0387b6cd9053f88c350f73c3d95cab149546f6ef7d55f8ab1e9660f02b0bff4c601a6cff627f9e7ef3e853d390

Download Submit
C:\Program Files (x86)\GooSaave\fPNdvRIP5ZSFT3.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3C75.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3C75.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
ae6baaf25ff9b0e3000d9bc5abb21e44

SHA1
bda23bb3042366e4d710be7d90b8c1a7c7d13cab

SHA256
e49de2db6f0a1f3bb9956fe3f3f13d198f6fa1110393d0d2e5beeb8ecba9d0ec

SHA512
96228b52ab0e62241829c4d9511af1a90460487f0a5a47a037990af0aa0063d8a0c452cee52ec99606341312b95b36ea5e67bdb97542bb5242619af339d0cb9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3C75.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
d9bdd8a800c669635fb66e13bc5e568e

SHA1
ba7ac2309550cc37fdea4979191132c41e33ad4b

SHA256
85dc93fb32953f50a3f0ce99b656f82b9cdfb06f7a787236840709690c81e97a

SHA512
96a2922085efb81f92a21d8dd7afd297f9c7af860a8c9f5372d718e705a6972054e8fa474ef6db864f83dc257ae2c4b9556c533bcf12773dfc13bf9e3a1fcda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3C75.tmp\[email protected]\install.rdf

Filesize
598B

MD5
6f30b2ac572f255c2a864bf283e8ad5a

SHA1
6f96b6c88e64a309d65202ae68e969b890ae81f7

SHA256
013601c5ab99f7dd7ceb2cf2cbca173d82bc10489ab2329014af317333d91f6f

SHA512
02118d0c844a5967344da32fa5915ca50e50bab092c30ae9d6c45147e4aca16d4f9f3109e0bf0175058dcab41d7583e26e7d62bc7007dc58e1a1740949646d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3C75.tmp\caeakkhdffkkibjbpolkkbhmpfppbiib\background.html

Filesize
144B

MD5
e6e3ad34c64c2a1dc84fd05b3ea53145

SHA1
d609822457b8f6e7053f56c2d097509dc0f4903c

SHA256
fa0beea43ec2f537a0ad659d12d59f92833bd960e07ca1ef03d6a2f6f9fa0889

SHA512
4996c0685b60e8b5cd627ca0096bf2fce3053b1d1128701c951b08f4fdde852170142bf37755277221a325673a67a6382d62a463162c840f320c4543dfcf0115

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3C75.tmp\caeakkhdffkkibjbpolkkbhmpfppbiib\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3C75.tmp\caeakkhdffkkibjbpolkkbhmpfppbiib\iu0y4vy.js

Filesize
5KB

MD5
6d2ceeb94c01875a3a273865ac91e8a6

SHA1
d01dbbcf752923f8dc303a03d350bb19dafe30a0

SHA256
e909d63e21e319d2908b2405e0792b851f02d3801287fd6bd753edd437a49370

SHA512
ae79386892256849e1ce3fdbac035fe38a632f117177654d3ac070e434b304ad9f000f14d7827700705b9d8bf272147b842dfc7b8472bad1f408ca4c7af99d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3C75.tmp\caeakkhdffkkibjbpolkkbhmpfppbiib\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3C75.tmp\caeakkhdffkkibjbpolkkbhmpfppbiib\manifest.json

Filesize
500B

MD5
65954f6498a32ad64f9c0c65f45d2759

SHA1
433283b8b1f31804f9300325a4a59af6a71e8251

SHA256
dbc16c186824cc356a03b17e2242076be9fd11c5e76179eaabbf4afa167eb531

SHA512
6adee8c276b8a2ffa6a7c7eb472f9c4152df13190d471c541e63dec5186643e5dcd4f3158322cde7e180b7c815e2cb6103fd27ef9cd554af51d74e9ea18f0953

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3C75.tmp\fPNdvRIP5ZSFT3.dll

Filesize
616KB

MD5
ac2bb9f430ee63577e2e658e576fbaa3

SHA1
661dad0abec24f1cd8400e09fd00881d9dd66b02

SHA256
59bb2ef1513927977be1a94a9e7687a92fd078ad343d481ba40edbfbe85e8812

SHA512
f0c2e9c780bcf67147a7c4803ffb292d6b2c4bf0a03f65273a86c6da85c0b5cd1d24d48726d95ed1e5c6b5662b7fcaba65b47bf1e7d906d97c263d2c92285769

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3C75.tmp\fPNdvRIP5ZSFT3.tlb

Filesize
3KB

MD5
52acf269931e562ad7445f7a803bd5e3

SHA1
ef86bb5f96b2bba4c85a73efef5df4a08ab99031

SHA256
bc29a9426767cb54f6f11ea9d457613f858aa0d0e33137ab8ad1f53ff601d8f2

SHA512
545cc433a340e0b6ef70c92ab7854058222bb76385fb4027f1cc174a0baececb48c8e04ea83e9387d2c664505d4dd3799d41512e06c3ec5b4e32d0bf4a84668b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3C75.tmp\fPNdvRIP5ZSFT3.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3C75.tmp\sAUOhZkFSBJ5wyJ.dat

Filesize
6KB

MD5
8004899cb8ffe35b1f37e58b61389bdb

SHA1
23cc057f35b2ead70543420484440c47925cd6f8

SHA256
98910aec04a43a11f8dfe4cdf050b01586884588590090ec9fd61c912af50614

SHA512
cdca5b9ff40716ac259bfee552adeea39c3f5b0387b6cd9053f88c350f73c3d95cab149546f6ef7d55f8ab1e9660f02b0bff4c601a6cff627f9e7ef3e853d390

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3C75.tmp\sAUOhZkFSBJ5wyJ.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3C75.tmp\sAUOhZkFSBJ5wyJ.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
\Program Files (x86)\GooSaave\fPNdvRIP5ZSFT3.dll

Filesize
616KB

MD5
ac2bb9f430ee63577e2e658e576fbaa3

SHA1
661dad0abec24f1cd8400e09fd00881d9dd66b02

SHA256
59bb2ef1513927977be1a94a9e7687a92fd078ad343d481ba40edbfbe85e8812

SHA512
f0c2e9c780bcf67147a7c4803ffb292d6b2c4bf0a03f65273a86c6da85c0b5cd1d24d48726d95ed1e5c6b5662b7fcaba65b47bf1e7d906d97c263d2c92285769

Download Submit
\Program Files (x86)\GooSaave\fPNdvRIP5ZSFT3.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
\Program Files (x86)\GooSaave\fPNdvRIP5ZSFT3.x64.dll

Filesize
698KB

MD5
48aea480f88ba159a05da8c3e1b938e5

SHA1
56cce3368fb512d03e4ed502c1ae1b4a64a54ce9

SHA256
07fd15650c7ea9d453c9a86255445d32ba18b4f74876a1f099a473ff988f7ebf

SHA512
448dfc81b3148be7031e6ebfc813c148c39a4ae86692ace9d0c98bf2605aa5b76052cc6d4f44e3103452fa26eb60a67a28dd3ce5d579e81277421cefdf9c9be5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3C75.tmp\sAUOhZkFSBJ5wyJ.exe

Filesize
632KB

MD5
59ed6cd5a934e324d7ff694adb712b61

SHA1
ee41b1da1ca21a050e548b04bbf37c47f251fd10

SHA256
cb9b055b0e4049898db5c8d1df973692f7e57f57ad053fc9fec5372a294b8726

SHA512
04238927495ce1720202db05e90c1efc0c8d409e5255188fff51ee5589048d7b5c56f080fe7e5a1f45f4a7ca1c0d73fadbc34b8a268547f2f2bbd1c994ec2fd8

Download Submit
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1752-78-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download