Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-08-2024 08:43

General

  • Target

    $PLUGINSDIR/Gossiper.exe

  • Size

    5.1MB

  • MD5

    1c89e1b7b17c0ada4b6dfe347493a835

  • SHA1

    1215b533ec5b67d23cd59551da50658b5d5e6288

  • SHA256

    250d3b191f5a723fc9b045fbb9b89c747cade393d85705966f8cec58e6373a00

  • SHA512

    1b9bcd900ed17e3441c9691c85483c5d82809c009da01ba74e8f6f8dd3da3d06fd0949f7d4fc6dcbbc3aeedb10d495e5699faa14b802ae4f5fad2167f35bf77a

  • SSDEEP

    98304:LnREBoBGZxci3pItnmLufTzki76yvdvwwWcUCTivQI7qQ9l7f1FzbQt:LkoBGTNSQOzv5vccHT27TlvG

Malware Config

Signatures

  • Blocklisted process makes network request (2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (30 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software installed on the system.

  • Installs/modifies Browser Helper Object (2 TTPs, 7 IoCs)

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Program Files directory (12 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer (8 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 22 IoCs)
  • Modifies Internet Explorer start page (1 TTP, 1 IoC)
  • Modifies registry class (22 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Gossiper.exe
    "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Gossiper.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Users\Admin\AppData\Local\Temp\GLB99DE.tmp
      C:\Users\Admin\AppData\Local\Temp\GLB99DE.tmp 4736 C:\Users\Admin\AppData\Local\Temp\$PLUGI~1\Gossiper.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Users\Admin\AppData\Local\Temp\CT1547~1\STUBWR~1.EXE
        "C:\Users\Admin\AppData\Local\Temp\CT1547~1\STUBWR~1.EXE" -parameters=C:\Users\Admin\AppData\Local\Temp\CT1547340\parameters.csf
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3080
        • C:\Users\Admin\AppData\Local\Temp\conduitinstaller.exe
          C:\Users\Admin\AppData\Local\Temp\conduitinstaller.exe -StartPage=TRUE -DefaultSearch=TRUE -SearchFromAddress=TRUE -InstallId=CT1547340_Gossiper.exe -OpenUninstallPage=FALSE -Fix404=TRUE -EnableAlerts=TRUE -openwelcomedialog=FALSE -ctid=CT1547340 -ie=C:\Users\Admin\AppData\Local\Temp\CT1547340\CT1547340_ie.exe -ff=C:\Users\Admin\AppData\Local\Temp\CT1547340\CT1547340_ff.exe -ch=C:\Users\Admin\AppData\Local\Temp\CT1547340\CT1547340_ch.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2376
          • \??\c:\users\admin\appdata\local\temp\ct1547340\ct1547340_ie.exe
            "c:\users\admin\appdata\local\temp\ct1547340\ct1547340_ie.exe" /s -silent -startpage=true -defaultsearch=true -showwelcomepage=false -openwelcomedialog=false -showpersonalcompdialog=false -fix404=true -searchfromaddress=true -searchfromadress=true -openuninstallpage=false -defaultsearchdisplayname= -defaultsearchurl= -enablealerts=true -installtype=ConduitNSISIntegration -installid=ct1547340_gossiper.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Installs/modifies Browser Helper Object
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:400
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32 "C:\Program Files (x86)\Gossiper\tbGoss.dll" DllSendInstallationUsage New Installation
              6⤵
              • Blocklisted process makes network request
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:464
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32 "C:\Program Files (x86)\Gossiper\tbGoss.dll" DllVerifyEnableExtension
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:3500
          • \??\c:\users\admin\appdata\local\temp\ct1547340\ct1547340_ff.exe
            "c:\users\admin\appdata\local\temp\ct1547340\ct1547340_ff.exe" /s -silent -startpage=true -defaultsearch=true -showwelcomepage=false -openwelcomedialog=false -showpersonalcompdialog=false -fix404=true -searchfromaddress=true -searchfromadress=true -openuninstallpage=false -defaultsearchdisplayname= -defaultsearchurl= -enablealerts=true -installtype=ConduitNSISIntegration -installid=ct1547340_gossiper.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1084
          • \??\c:\users\admin\appdata\local\temp\ct1547340\ct1547340_ch.exe
            "c:\users\admin\appdata\local\temp\ct1547340\ct1547340_ch.exe" /s -silent -startpage=true -defaultsearch=true -showwelcomepage=false -openwelcomedialog=false -showpersonalcompdialog=false -fix404=true -searchfromaddress=true -searchfromadress=true -openuninstallpage=false -defaultsearchdisplayname= -defaultsearchurl= -enablealerts=true -installtype=ConduitNSISIntegration -installid=ct1547340_gossiper.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4224

Network

MITRE ATT&CK Enterprise v15

Downloads
