3623c3a9d0390dc4f1c6ea0eb9edc08abaf23e8415c70167a16cc937271f89c1

Analysis

max time kernel
44s
max time network
151s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3623c3a9d0390dc4f1c6ea0eb9edc08abaf23e8415c70167a16cc937271f89c1.exe
Size

2.1MB
MD5

ef7ff172494e0ed2259018d5b0d5764e
SHA1

ef701a254164bf39c2b227710b2b9111480aa39d
SHA256

3623c3a9d0390dc4f1c6ea0eb9edc08abaf23e8415c70167a16cc937271f89c1
SHA512

5f450ec7362f5706510887bbe3d16eea59d6a1cf83025f8628397e34441048d37c9f60e38211014a7f894e2caf30ee89cee2ca9e54aa9a5597d3ac787c64d278
SSDEEP

49152:XQbKC+8gDy+yfg0MCTQKb0Ev4zf5KQrVnVcTx/eKwOIPSJ:NCPN+6FoU0e6fsSVnVOkK/IPS

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1748	jWU4lsOc.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\InprocServer32\ = "C:\\Program Files (x86)\\SaveClicker\\CzAcxAX.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\InprocServer32	regsvr32.exe

Loads dropped DLL 4 IoCs

pid	Process
1492	3623c3a9d0390dc4f1c6ea0eb9edc08abaf23e8415c70167a16cc937271f89c1.exe
1748	jWU4lsOc.exe
1832	regsvr32.exe
1732	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ameiphjfhoigedipkcckcmkepiikgnem\2.1\manifest.json	jWU4lsOc.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ameiphjfhoigedipkcckcmkepiikgnem\2.1\manifest.json	jWU4lsOc.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ameiphjfhoigedipkcckcmkepiikgnem\2.1\manifest.json	jWU4lsOc.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7818C557-12EE-23FF-73C0-217ED4DBD103}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7818C557-12EE-23FF-73C0-217ED4DBD103}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7818C557-12EE-23FF-73C0-217ED4DBD103}	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7818C557-12EE-23FF-73C0-217ED4DBD103}\ = "SaveClicker"	jWU4lsOc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7818C557-12EE-23FF-73C0-217ED4DBD103}\NoExplorer = "1"	jWU4lsOc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7818C557-12EE-23FF-73C0-217ED4DBD103}	jWU4lsOc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7818C557-12EE-23FF-73C0-217ED4DBD103}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7818C557-12EE-23FF-73C0-217ED4DBD103}\ = "SaveClicker"	regsvr32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	jWU4lsOc.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	jWU4lsOc.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	jWU4lsOc.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	jWU4lsOc.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\SaveClicker\CzAcxAX.x64.dll	jWU4lsOc.exe
File created	C:\Program Files (x86)\SaveClicker\CzAcxAX.dll	jWU4lsOc.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\CzAcxAX.dll	jWU4lsOc.exe
File created	C:\Program Files (x86)\SaveClicker\CzAcxAX.tlb	jWU4lsOc.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\CzAcxAX.tlb	jWU4lsOc.exe
File created	C:\Program Files (x86)\SaveClicker\CzAcxAX.dat	jWU4lsOc.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\CzAcxAX.dat	jWU4lsOc.exe
File created	C:\Program Files (x86)\SaveClicker\CzAcxAX.x64.dll	jWU4lsOc.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{7818C557-12EE-23FF-73C0-217ED4DBD103}	jWU4lsOc.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{7818C557-12EE-23FF-73C0-217ED4DBD103}	jWU4lsOc.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	jWU4lsOc.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{7818C557-12EE-23FF-73C0-217ED4DBD103}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{7818C557-12EE-23FF-73C0-217ED4DBD103}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	jWU4lsOc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\Programmable	jWU4lsOc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	jWU4lsOc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	jWU4lsOc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1\ = "SaveClicker"	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	jWU4lsOc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\SaveClicker\\CzAcxAX.tlb"	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	jWU4lsOc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	jWU4lsOc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	jWU4lsOc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\ProgID\ = "SaveClicker.2.1"	jWU4lsOc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CurVer\ = "SaveClicker.2.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\VersionIndependentProgID	jWU4lsOc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\ProgID\ = "SaveClicker.2.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CurVer	jWU4lsOc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\ = "SaveClicker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\ = "SaveClicker"	jWU4lsOc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CLSID	jWU4lsOc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\Implemented Categories	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	jWU4lsOc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	jWU4lsOc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1	jWU4lsOc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\ = "SaveClicker"	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\InprocServer32\ = "C:\\Program Files (x86)\\SaveClicker\\CzAcxAX.dll"	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	jWU4lsOc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\ = "SaveClicker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1\ = "SaveClicker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	jWU4lsOc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\VersionIndependentProgID	jWU4lsOc.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}	jWU4lsOc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	jWU4lsOc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1\CLSID\ = "{7818C557-12EE-23FF-73C0-217ED4DBD103}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103}\VersionIndependentProgID\ = "SaveClicker"	jWU4lsOc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1748	jWU4lsOc.exe
1748	jWU4lsOc.exe
1748	jWU4lsOc.exe
1748	jWU4lsOc.exe
1748	jWU4lsOc.exe
1748	jWU4lsOc.exe
1748	jWU4lsOc.exe
1748	jWU4lsOc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	jWU4lsOc.exe
Token: SeDebugPrivilege	1748	jWU4lsOc.exe
Token: SeDebugPrivilege	1748	jWU4lsOc.exe
Token: SeDebugPrivilege	1748	jWU4lsOc.exe
Token: SeDebugPrivilege	1748	jWU4lsOc.exe
Token: SeDebugPrivilege	1748	jWU4lsOc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1748	1492	3623c3a9d0390dc4f1c6ea0eb9edc08abaf23e8415c70167a16cc937271f89c1.exe	27
PID 1492 wrote to memory of 1748	1492	3623c3a9d0390dc4f1c6ea0eb9edc08abaf23e8415c70167a16cc937271f89c1.exe	27
PID 1492 wrote to memory of 1748	1492	3623c3a9d0390dc4f1c6ea0eb9edc08abaf23e8415c70167a16cc937271f89c1.exe	27
PID 1492 wrote to memory of 1748	1492	3623c3a9d0390dc4f1c6ea0eb9edc08abaf23e8415c70167a16cc937271f89c1.exe	27
PID 1748 wrote to memory of 1832	1748	jWU4lsOc.exe	28
PID 1748 wrote to memory of 1832	1748	jWU4lsOc.exe	28
PID 1748 wrote to memory of 1832	1748	jWU4lsOc.exe	28
PID 1748 wrote to memory of 1832	1748	jWU4lsOc.exe	28
PID 1748 wrote to memory of 1832	1748	jWU4lsOc.exe	28
PID 1748 wrote to memory of 1832	1748	jWU4lsOc.exe	28
PID 1748 wrote to memory of 1832	1748	jWU4lsOc.exe	28
PID 1832 wrote to memory of 1732	1832	regsvr32.exe	29
PID 1832 wrote to memory of 1732	1832	regsvr32.exe	29
PID 1832 wrote to memory of 1732	1832	regsvr32.exe	29
PID 1832 wrote to memory of 1732	1832	regsvr32.exe	29
PID 1832 wrote to memory of 1732	1832	regsvr32.exe	29
PID 1832 wrote to memory of 1732	1832	regsvr32.exe	29
PID 1832 wrote to memory of 1732	1832	regsvr32.exe	29

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	jWU4lsOc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{7818C557-12EE-23FF-73C0-217ED4DBD103} = "1"	jWU4lsOc.exe

C:\Users\Admin\AppData\Local\Temp\3623c3a9d0390dc4f1c6ea0eb9edc08abaf23e8415c70167a16cc937271f89c1.exe
"C:\Users\Admin\AppData\Local\Temp\3623c3a9d0390dc4f1c6ea0eb9edc08abaf23e8415c70167a16cc937271f89c1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\5e4221d0\jWU4lsOc.exe
  "C:\Users\Admin\AppData\Local\Temp/5e4221d0/jWU4lsOc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1748
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\SaveClicker\CzAcxAX.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\SaveClicker\CzAcxAX.x64.dll"
      4⤵
      Registers COM server for autorun
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      Modifies registry class
      PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SaveClicker\CzAcxAX.dat

Filesize
4KB

MD5
5bf6fcd094033794ce38699718beea90

SHA1
6f4365c5fcd34650425d3be6f42c0554d67e6d84

SHA256
3051644b22c061dbdf46875c9ed4034b0ed94d0d9567d5e17d05eaee15f51c68

SHA512
dc3491cfc80d1508b7558ad359733e3a675fc4cd491c1e876b565ab98b839c0ad5e8e32a847273268b65a7459f86bbc5d8a901567c601abfaa06c341c3d98b2e

Download Submit
C:\Program Files (x86)\SaveClicker\CzAcxAX.tlb

Filesize
3KB

MD5
6101ac132c9a4133107178f12e0b25d4

SHA1
64a9d5d3ec0be4ef322776c28b5d6ac90df0ffd4

SHA256
f9b73914e458e514e06360d95a365c2d40293b3f77ee55a0f0c40ccca5f735e6

SHA512
7fcc1021f536fd417368333c4e45e656feb2bdedb6658f2ad6b9eb0f0c51dbe70c2d3f2a3a32695af3715e6dcdf7503734e58431405701d7058d106357dbebeb

Download Submit
C:\Program Files (x86)\SaveClicker\CzAcxAX.x64.dll

Filesize
694KB

MD5
c5ad41a0a13f64e21316c8e2ec186327

SHA1
13c9bf4d8288119095b7ef72f51322968bfd9b9e

SHA256
2af1c188224457f920ec19bb64797bd89cc55df7a1592395502aac9f2d1e9cd1

SHA512
45e489fbac63b34769b426faf8aba3f4bf396aa4e5bfe31cf39c1884839440fedaafc613083bcfb3fa18395c04d050d6a4a0545a0ce8f064e7ab781385b23cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e4221d0\CzAcxAX.dll

Filesize
614KB

MD5
61edf8c8862834aa1b2ecf8f61fc3379

SHA1
5cb8cd66cf5c5fe8a2b73226b4a0257cea17150a

SHA256
8ced8d83b9d40ee1748b1a3c52aaa3f2693709f92926a804cc1019f989850232

SHA512
35bd23bf8094f4b765fdf8436936c23048524c97d9e4d59ca1a749c1206b2b90c5f500848dbfa207567a2174dd94889dedf8f150feafe382e226e6c677d1d9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e4221d0\CzAcxAX.tlb

Filesize
3KB

MD5
6101ac132c9a4133107178f12e0b25d4

SHA1
64a9d5d3ec0be4ef322776c28b5d6ac90df0ffd4

SHA256
f9b73914e458e514e06360d95a365c2d40293b3f77ee55a0f0c40ccca5f735e6

SHA512
7fcc1021f536fd417368333c4e45e656feb2bdedb6658f2ad6b9eb0f0c51dbe70c2d3f2a3a32695af3715e6dcdf7503734e58431405701d7058d106357dbebeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e4221d0\CzAcxAX.x64.dll

Filesize
694KB

MD5
c5ad41a0a13f64e21316c8e2ec186327

SHA1
13c9bf4d8288119095b7ef72f51322968bfd9b9e

SHA256
2af1c188224457f920ec19bb64797bd89cc55df7a1592395502aac9f2d1e9cd1

SHA512
45e489fbac63b34769b426faf8aba3f4bf396aa4e5bfe31cf39c1884839440fedaafc613083bcfb3fa18395c04d050d6a4a0545a0ce8f064e7ab781385b23cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e4221d0\ameiphjfhoigedipkcckcmkepiikgnem\background.html

Filesize
138B

MD5
2643a603cad6cfdb7ebea9e3d6a3acd1

SHA1
609cfc18a6e8dae074fb63d9a823d2ef70f3c504

SHA256
9e35d464502aaa3709c4927afff45850b32ac8dbec80408b277776c1852e2248

SHA512
11221727792a766d9ac3f960c552e52706462ff7a0b0e737f3c7d4f0626e3eee5f4b70be848ed16747b38ba0189e691578a93d6644dedf5729dc510b9ffe9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e4221d0\ameiphjfhoigedipkcckcmkepiikgnem\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e4221d0\ameiphjfhoigedipkcckcmkepiikgnem\j.js

Filesize
5KB

MD5
3e09fde9735c256c1c31e75fca1d12f1

SHA1
3c10bdb407de1708afb1103fb0f70f8d629bcf2c

SHA256
763a4d77e51857832cc39d2a19fba5d123f8b7b9812df00b78a34fb6fbd1a4f1

SHA512
aa88a2ec051a579342bf7b80a447e9a509cd98909edbb791ece03eec8622ffd6655361d6b25c5ec45c4212bde7d3045fe4fa70aea6ed727da2e1d0f2a642c4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e4221d0\ameiphjfhoigedipkcckcmkepiikgnem\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e4221d0\ameiphjfhoigedipkcckcmkepiikgnem\manifest.json

Filesize
503B

MD5
aa6fc24e028b07a032fbc6f859819dca

SHA1
166f2c578c4f164da313ece0e914e56e053418c2

SHA256
2f026100e6faf41a63ea0c5d289914bfceba28094b32c9a3566a4932b7c71038

SHA512
4f5328b27ace6ec4d786e7369b8a071fedf46f30e0b1d223d8fa9332d1df60914f22b84725e3055c894f027f79f05dd91d47ae5c22bebaad34c0af440f634701

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e4221d0\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e4221d0\[email protected]\chrome.manifest

Filesize
28B

MD5
be04fcdf85eb906d225691eb52590913

SHA1
567f3f9fa9569131ff85b71bce41389d4c954fc7

SHA256
9118dbf38ed40987acd48a13cccb9789aa66f00c3a91e27e4cb1434d4ffb2b4b

SHA512
3d18ca1ec902fad386c18830019ae42fb5d84179bddfb12a3dc03865743b571b0cceb45de8ad24793b42ca04149e066ff41747b441e2edf6cc7c65ecc5232ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e4221d0\[email protected]\content\bg.js

Filesize
7KB

MD5
8fca29298571ddd5b20443e547ba01bb

SHA1
d323e09d2e3c89f927cd96bb541c47e1f731713c

SHA256
e87370e07077c3f8d60e061be6bbe84383bca6b7e7426b0ad8fdbc76b3af6807

SHA512
9f6705ba3cbeb4cd63501157cbd1003f2a02501125da3b42a6b82d286a2f88331151b28266b9d2dda5319058abbeb15b918d12f7b6725964b7b523fbfbb15a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e4221d0\[email protected]\install.rdf

Filesize
602B

MD5
01dc3981aa36995c556454a7ea3a42b1

SHA1
586260c3c5e6e20e546c8ca54345d1ffc5ee42f0

SHA256
bf7344aed1a6097f0bf48bc7aea61439b310651dc050ea5ea088cb24f00fab58

SHA512
d2ac2fb52bec2b166d911d34578d2a5e245fe7b94ee00dc45522e2390f8036c5d6414f45bd391f5ac850ea509123e17a0c6d7266c794c640c340d92e2d25b4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e4221d0\jWU4lsOc.dat

Filesize
4KB

MD5
5bf6fcd094033794ce38699718beea90

SHA1
6f4365c5fcd34650425d3be6f42c0554d67e6d84

SHA256
3051644b22c061dbdf46875c9ed4034b0ed94d0d9567d5e17d05eaee15f51c68

SHA512
dc3491cfc80d1508b7558ad359733e3a675fc4cd491c1e876b565ab98b839c0ad5e8e32a847273268b65a7459f86bbc5d8a901567c601abfaa06c341c3d98b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e4221d0\jWU4lsOc.exe

Filesize
640KB

MD5
000c9075b04b40b29806cb6ca2796d46

SHA1
b8cadb0176435018829f14b8b43697657a372975

SHA256
9c040eb72594f21cbb2e62a8949e0d24c6b5833d5b49ab143889154bbff8992e

SHA512
9466c07315c72b1a9930cd12105ab84fa3cf168fc34d1e4714daae27b3dbbf0d4ee71c0048cb2ac8e9e63e4dacfd39c94c596a1dbbad2619ff0cccb78a9c1920

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e4221d0\jWU4lsOc.exe

Filesize
640KB

MD5
000c9075b04b40b29806cb6ca2796d46

SHA1
b8cadb0176435018829f14b8b43697657a372975

SHA256
9c040eb72594f21cbb2e62a8949e0d24c6b5833d5b49ab143889154bbff8992e

SHA512
9466c07315c72b1a9930cd12105ab84fa3cf168fc34d1e4714daae27b3dbbf0d4ee71c0048cb2ac8e9e63e4dacfd39c94c596a1dbbad2619ff0cccb78a9c1920

Download Submit
\Program Files (x86)\SaveClicker\CzAcxAX.dll

Filesize
614KB

MD5
61edf8c8862834aa1b2ecf8f61fc3379

SHA1
5cb8cd66cf5c5fe8a2b73226b4a0257cea17150a

SHA256
8ced8d83b9d40ee1748b1a3c52aaa3f2693709f92926a804cc1019f989850232

SHA512
35bd23bf8094f4b765fdf8436936c23048524c97d9e4d59ca1a749c1206b2b90c5f500848dbfa207567a2174dd94889dedf8f150feafe382e226e6c677d1d9da

Download Submit
\Program Files (x86)\SaveClicker\CzAcxAX.x64.dll

Filesize
694KB

MD5
c5ad41a0a13f64e21316c8e2ec186327

SHA1
13c9bf4d8288119095b7ef72f51322968bfd9b9e

SHA256
2af1c188224457f920ec19bb64797bd89cc55df7a1592395502aac9f2d1e9cd1

SHA512
45e489fbac63b34769b426faf8aba3f4bf396aa4e5bfe31cf39c1884839440fedaafc613083bcfb3fa18395c04d050d6a4a0545a0ce8f064e7ab781385b23cd4

Download Submit
\Program Files (x86)\SaveClicker\CzAcxAX.x64.dll

Filesize
694KB

MD5
c5ad41a0a13f64e21316c8e2ec186327

SHA1
13c9bf4d8288119095b7ef72f51322968bfd9b9e

SHA256
2af1c188224457f920ec19bb64797bd89cc55df7a1592395502aac9f2d1e9cd1

SHA512
45e489fbac63b34769b426faf8aba3f4bf396aa4e5bfe31cf39c1884839440fedaafc613083bcfb3fa18395c04d050d6a4a0545a0ce8f064e7ab781385b23cd4

Download Submit
\Users\Admin\AppData\Local\Temp\5e4221d0\jWU4lsOc.exe

Filesize
640KB

MD5
000c9075b04b40b29806cb6ca2796d46

SHA1
b8cadb0176435018829f14b8b43697657a372975

SHA256
9c040eb72594f21cbb2e62a8949e0d24c6b5833d5b49ab143889154bbff8992e

SHA512
9466c07315c72b1a9930cd12105ab84fa3cf168fc34d1e4714daae27b3dbbf0d4ee71c0048cb2ac8e9e63e4dacfd39c94c596a1dbbad2619ff0cccb78a9c1920

Download Submit
memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1732-78-0x000007FEFC5A1000-0x000007FEFC5A3000-memory.dmp

Filesize
8KB

Download