Overview

overview

8

Static

static

562bd2013a...02.exe

windows7-x64

8

562bd2013a...02.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    29s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 14:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    562bd2013aeccb257d1cc8d10d554a3169d532736d5977d7740db405183a3402.exe

  • Size

    3.0MB

  • MD5

    2fae6c03c9cec38d6d674aa13d934961

  • SHA1

    28b305f77a556a4f3216d0543065c034868e2ab3

  • SHA256

    562bd2013aeccb257d1cc8d10d554a3169d532736d5977d7740db405183a3402

  • SHA512

    5ee5cc6a33ec7fdf76df50e0397ddc05811b572e264176869378d9068a41b6c9d8fd01656979ad73876ce1d5fb92b924b657297b5a917b21b679886dc6a1aa9e

  • SSDEEP

    49152:Ja+rpFCFSaMxuYNwAufZx78NjJe0eTRt2QhIdNqAr6Z0OR80s2LxCylbmt:JaCpFfuKcH7wJe0eRt2ddNEZ0q80s2LX

Score
8/10
adwarediscoverypersistencespywarestealer

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 3 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\562bd2013aeccb257d1cc8d10d554a3169d532736d5977d7740db405183a3402.exe
    "C:\Users\Admin\AppData\Local\Temp\562bd2013aeccb257d1cc8d10d554a3169d532736d5977d7740db405183a3402.exe"
    1⤵
    • Loads dropped DLL
    • Drops Chrome extension
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:940
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\SaveClicker\TiWryHfd.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\SaveClicker\TiWryHfd.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:2024

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\SaveClicker\TiWryHfd.dat
    Filesize

    4KB

    MD5

    1a993cee1420f0955752eef77136199a

    SHA1

    d664d07a61ff96166e9a8e54a5ee52a91169e384

    SHA256

    41f9ce47af7f8b09d49376e30ea4bc66158982654e1eb6aaa4ec4ada0e65b11f

    SHA512

    bedfdd3d3c53e6fef8465f9ff4f615e9a7c57baf7d71a9ebbaae210030ed94a2b27072662053efd7d46e817441547f014094f556f561278b1095153a95e3d040

    Download Submit

  • C:\Program Files (x86)\SaveClicker\TiWryHfd.tlb
    Filesize

    3KB

    MD5

    3fdfaa71c68f31e83daf46b214ff8c89

    SHA1

    fe4a9d2172e9a94570f46fc151b94f90db08da77

    SHA256

    2d4e42ee22cf2171777f6f2aa232df7a2ad3445b6988ee2f2666ec2a863aca93

    SHA512

    392faf168a97d35fc4fa414844cae3662d231f18d5db55891e6cf281f34cef590cb94f6a650565b5b2bdf2c0899dc872c432106449604079f3283da241f2a100

    Download Submit

  • C:\Program Files (x86)\SaveClicker\TiWryHfd.x64.dll
    Filesize

    687KB

    MD5

    cd1a0489adc1f05fc31a65eb26e08c92

    SHA1

    95af9d7095d36dee3e4d2e2952ca1a199c2bb596

    SHA256

    b63804fa2e99e3bd6b8dac3e203cba731ae2317e1fdae32014a88ff40a7a4755

    SHA512

    52bc43818912822eb746196aea22b11287a914f156c2838e8c2bc01469758ac18f0575df3d05f7b37042e8c3fd88d5c905d69f359963d5d57c42d0bd7b073c19

    Download Submit

  • \Program Files (x86)\SaveClicker\TiWryHfd.dll
    Filesize

    610KB

    MD5

    8c17652e3d7951221e9afeb07a4c71e6

    SHA1

    68aeb97e567f4e705d4126a60bd94ef567760b61

    SHA256

    4085d30c67ed3d336266d7dd5c2a1bfac8e6ba45f9240b31283e43ac9555ea24

    SHA512

    6f21a4058579e7babe1ee44199fc41bf282d6e0c92352c636f39160c7c9e61191f9eb4186dcba8f0a25cf51f97c181e3027f2bbcee9f723a85de159121655065

    Download Submit

  • \Program Files (x86)\SaveClicker\TiWryHfd.x64.dll
    Filesize

    687KB

    MD5

    cd1a0489adc1f05fc31a65eb26e08c92

    SHA1

    95af9d7095d36dee3e4d2e2952ca1a199c2bb596

    SHA256

    b63804fa2e99e3bd6b8dac3e203cba731ae2317e1fdae32014a88ff40a7a4755

    SHA512

    52bc43818912822eb746196aea22b11287a914f156c2838e8c2bc01469758ac18f0575df3d05f7b37042e8c3fd88d5c905d69f359963d5d57c42d0bd7b073c19

    Download Submit

  • \Program Files (x86)\SaveClicker\TiWryHfd.x64.dll
    Filesize

    687KB

    MD5

    cd1a0489adc1f05fc31a65eb26e08c92

    SHA1

    95af9d7095d36dee3e4d2e2952ca1a199c2bb596

    SHA256

    b63804fa2e99e3bd6b8dac3e203cba731ae2317e1fdae32014a88ff40a7a4755

    SHA512

    52bc43818912822eb746196aea22b11287a914f156c2838e8c2bc01469758ac18f0575df3d05f7b37042e8c3fd88d5c905d69f359963d5d57c42d0bd7b073c19

    Download Submit

  • memory/940-73-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/940-63-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/940-72-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/940-71-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/940-70-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/940-69-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/940-68-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/940-67-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/940-66-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/940-65-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/940-64-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/940-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/940-62-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/940-61-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/940-60-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/940-75-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/940-55-0x0000000000F00000-0x0000000000FA0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/940-76-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/940-78-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/940-74-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/940-77-0x0000000000822000-0x0000000000826000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1468-80-0x0000000000000000-mapping.dmp

    Download

  • memory/2024-85-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2024-84-0x0000000000000000-mapping.dmp

    Download