c4f829d8b983b2998b0df6ee59e7926450dcdcdbd92d36bf1580fad9eda17fec

Analysis

max time kernel
31s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4f829d8b983b2998b0df6ee59e7926450dcdcdbd92d36bf1580fad9eda17fec.exe
Size

2.1MB
MD5

304ad28c917650c85a7b7f6f0d4bd99a
SHA1

3482471db8ed8e9b1e6091d740354ebad8fc4cf3
SHA256

c4f829d8b983b2998b0df6ee59e7926450dcdcdbd92d36bf1580fad9eda17fec
SHA512

b39e82d7afd45b8d1224ca2ba1a83c6a0bf2504b9270990e908b3e08929626a945885913994ee4ce0bde43bba700babc49a3daac455e563033ce74834ebf04b7
SSDEEP

49152:h1OsYYIGWkf6jd9YMhKKumq+4oAczj/i6jgvb7GvKSO:h1Obdd9YMhKgq+4fb

Score

8^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1804	Z1ppxx4RNBTdBAj.exe

Loads dropped DLL 4 IoCs

pid	Process
1932	c4f829d8b983b2998b0df6ee59e7926450dcdcdbd92d36bf1580fad9eda17fec.exe
1804	Z1ppxx4RNBTdBAj.exe
1988	regsvr32.exe
1976	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	Z1ppxx4RNBTdBAj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	Z1ppxx4RNBTdBAj.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	Z1ppxx4RNBTdBAj.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	Z1ppxx4RNBTdBAj.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	Z1ppxx4RNBTdBAj.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GoSAVe\bKhkDKj0i52grN.tlb	Z1ppxx4RNBTdBAj.exe
File created	C:\Program Files (x86)\GoSAVe\bKhkDKj0i52grN.dat	Z1ppxx4RNBTdBAj.exe
File opened for modification	C:\Program Files (x86)\GoSAVe\bKhkDKj0i52grN.dat	Z1ppxx4RNBTdBAj.exe
File created	C:\Program Files (x86)\GoSAVe\bKhkDKj0i52grN.x64.dll	Z1ppxx4RNBTdBAj.exe
File opened for modification	C:\Program Files (x86)\GoSAVe\bKhkDKj0i52grN.x64.dll	Z1ppxx4RNBTdBAj.exe
File created	C:\Program Files (x86)\GoSAVe\bKhkDKj0i52grN.dll	Z1ppxx4RNBTdBAj.exe
File opened for modification	C:\Program Files (x86)\GoSAVe\bKhkDKj0i52grN.dll	Z1ppxx4RNBTdBAj.exe
File created	C:\Program Files (x86)\GoSAVe\bKhkDKj0i52grN.tlb	Z1ppxx4RNBTdBAj.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1804	1932	c4f829d8b983b2998b0df6ee59e7926450dcdcdbd92d36bf1580fad9eda17fec.exe	27
PID 1932 wrote to memory of 1804	1932	c4f829d8b983b2998b0df6ee59e7926450dcdcdbd92d36bf1580fad9eda17fec.exe	27
PID 1932 wrote to memory of 1804	1932	c4f829d8b983b2998b0df6ee59e7926450dcdcdbd92d36bf1580fad9eda17fec.exe	27
PID 1932 wrote to memory of 1804	1932	c4f829d8b983b2998b0df6ee59e7926450dcdcdbd92d36bf1580fad9eda17fec.exe	27
PID 1804 wrote to memory of 1988	1804	Z1ppxx4RNBTdBAj.exe	28
PID 1804 wrote to memory of 1988	1804	Z1ppxx4RNBTdBAj.exe	28
PID 1804 wrote to memory of 1988	1804	Z1ppxx4RNBTdBAj.exe	28
PID 1804 wrote to memory of 1988	1804	Z1ppxx4RNBTdBAj.exe	28
PID 1804 wrote to memory of 1988	1804	Z1ppxx4RNBTdBAj.exe	28
PID 1804 wrote to memory of 1988	1804	Z1ppxx4RNBTdBAj.exe	28
PID 1804 wrote to memory of 1988	1804	Z1ppxx4RNBTdBAj.exe	28
PID 1988 wrote to memory of 1976	1988	regsvr32.exe	29
PID 1988 wrote to memory of 1976	1988	regsvr32.exe	29
PID 1988 wrote to memory of 1976	1988	regsvr32.exe	29
PID 1988 wrote to memory of 1976	1988	regsvr32.exe	29
PID 1988 wrote to memory of 1976	1988	regsvr32.exe	29
PID 1988 wrote to memory of 1976	1988	regsvr32.exe	29
PID 1988 wrote to memory of 1976	1988	regsvr32.exe	29

C:\Users\Admin\AppData\Local\Temp\c4f829d8b983b2998b0df6ee59e7926450dcdcdbd92d36bf1580fad9eda17fec.exe
"C:\Users\Admin\AppData\Local\Temp\c4f829d8b983b2998b0df6ee59e7926450dcdcdbd92d36bf1580fad9eda17fec.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\7zS3AEF.tmp\Z1ppxx4RNBTdBAj.exe
  .\Z1ppxx4RNBTdBAj.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\GoSAVe\bKhkDKj0i52grN.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\GoSAVe\bKhkDKj0i52grN.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSAVe\bKhkDKj0i52grN.dat

Filesize
5KB

MD5
00f639df580523b0c8925f92a33876ea

SHA1
debe7d82d951e7d05cec47d4c7bbdd273249f18e

SHA256
5d811f7544ef264686caf635bb5363e3de3b2b75e51b480edf1b7a1fde924abf

SHA512
41c9e62a4696e5e648fabd404f38c743a48fbe24c16e8a74fc07429b83df4d5b9b3e120a0d33163c0470c164c597fa766d6354fa172eea0c553757e209faa636

Download Submit
C:\Program Files (x86)\GoSAVe\bKhkDKj0i52grN.x64.dll

Filesize
700KB

MD5
401087ab67c6d917bf08d82f011d9eee

SHA1
d13dbf241d214d6036f8c6276e0e305fc2ac2b8a

SHA256
fada9f28483ab94341359011d5ab92a6fa2418d010aa3eb1c485c19db15e62f5

SHA512
4d952fc0a2ef968997d62d901a731193105da2f4541abf4eb3e5c99e247edc7ffb15ae55a8d0e5d228ae704b0a7ff7dca24e14312f778896d834971e7f3d8af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3AEF.tmp\Z1ppxx4RNBTdBAj.dat

Filesize
5KB

MD5
00f639df580523b0c8925f92a33876ea

SHA1
debe7d82d951e7d05cec47d4c7bbdd273249f18e

SHA256
5d811f7544ef264686caf635bb5363e3de3b2b75e51b480edf1b7a1fde924abf

SHA512
41c9e62a4696e5e648fabd404f38c743a48fbe24c16e8a74fc07429b83df4d5b9b3e120a0d33163c0470c164c597fa766d6354fa172eea0c553757e209faa636

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3AEF.tmp\Z1ppxx4RNBTdBAj.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3AEF.tmp\Z1ppxx4RNBTdBAj.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3AEF.tmp\bKhkDKj0i52grN.dll

Filesize
623KB

MD5
103866fff4628ada4be6e5235b2ebf5d

SHA1
86ca018b33c7cdb953371ee1e290313b9a54a251

SHA256
963728f71b4ecee9380a18f5bbc6930256be6018a8087a9964f98ba3e17b7a7c

SHA512
2a8f9ce8854bab77b801eb146934e267de3cca83727a8a7c13885b41c75a0b563fdd0cb1683f78057fc6833b22d9d14c5ef0d3707753293d59d4b61f7a9744c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3AEF.tmp\bKhkDKj0i52grN.tlb

Filesize
3KB

MD5
3c920faafd032eeda08e4166860d4318

SHA1
26451ee3659c4a217f42ebd07f254679ab452f3a

SHA256
3377d0af1044505271c64fc342e22a7a24b757e5471657f656ac743373e22857

SHA512
327668001f94842eee3ff1dc44c70ddca5da3a0bb49aeea6b3162608b07496456e78bcb3de0462e5e375b349e813f13fd02e61b9e389b1d954cea2628c3c4a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3AEF.tmp\bKhkDKj0i52grN.x64.dll

Filesize
700KB

MD5
401087ab67c6d917bf08d82f011d9eee

SHA1
d13dbf241d214d6036f8c6276e0e305fc2ac2b8a

SHA256
fada9f28483ab94341359011d5ab92a6fa2418d010aa3eb1c485c19db15e62f5

SHA512
4d952fc0a2ef968997d62d901a731193105da2f4541abf4eb3e5c99e247edc7ffb15ae55a8d0e5d228ae704b0a7ff7dca24e14312f778896d834971e7f3d8af6

Download Submit
\Program Files (x86)\GoSAVe\bKhkDKj0i52grN.dll

Filesize
623KB

MD5
103866fff4628ada4be6e5235b2ebf5d

SHA1
86ca018b33c7cdb953371ee1e290313b9a54a251

SHA256
963728f71b4ecee9380a18f5bbc6930256be6018a8087a9964f98ba3e17b7a7c

SHA512
2a8f9ce8854bab77b801eb146934e267de3cca83727a8a7c13885b41c75a0b563fdd0cb1683f78057fc6833b22d9d14c5ef0d3707753293d59d4b61f7a9744c3

Download Submit
\Program Files (x86)\GoSAVe\bKhkDKj0i52grN.x64.dll

Filesize
700KB

MD5
401087ab67c6d917bf08d82f011d9eee

SHA1
d13dbf241d214d6036f8c6276e0e305fc2ac2b8a

SHA256
fada9f28483ab94341359011d5ab92a6fa2418d010aa3eb1c485c19db15e62f5

SHA512
4d952fc0a2ef968997d62d901a731193105da2f4541abf4eb3e5c99e247edc7ffb15ae55a8d0e5d228ae704b0a7ff7dca24e14312f778896d834971e7f3d8af6

Download Submit
\Program Files (x86)\GoSAVe\bKhkDKj0i52grN.x64.dll

Filesize
700KB

MD5
401087ab67c6d917bf08d82f011d9eee

SHA1
d13dbf241d214d6036f8c6276e0e305fc2ac2b8a

SHA256
fada9f28483ab94341359011d5ab92a6fa2418d010aa3eb1c485c19db15e62f5

SHA512
4d952fc0a2ef968997d62d901a731193105da2f4541abf4eb3e5c99e247edc7ffb15ae55a8d0e5d228ae704b0a7ff7dca24e14312f778896d834971e7f3d8af6

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3AEF.tmp\Z1ppxx4RNBTdBAj.exe

Filesize
629KB

MD5
150107c0a55484355ce5881240cca669

SHA1
35d2f6723091fc4af5c4a00645b6b0f43efd4a06

SHA256
c422b33bee8c0b6664a7462093734aea98026ebf7cc9dc65589572213f576f0e

SHA512
eb189951a9a89c54c8d7b3a9fcfb97777bd55088186814597ba13e9f985f846e313b5fcd1566de56060ef8cdfb815ed2a77f5c41c02d1c666c47691b1c0aba04

Download Submit
memory/1932-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1976-69-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download