35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972

General

Target

35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Size

2.6MB
MD5

3d8635844d1d85c713e43aa5447892da
SHA1

ad800d66cf444dfe9c30b38892a463c5059ec737
SHA256

35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972
SHA512

4ba2b0555f4fa13cc3b07798b72fb82a927234830666ed0f0f22fe12f89203ecb857c2162c969c6e39ef81deffa36481727f4eb974fd99571457b176f38a3926
SSDEEP

49152:GNHmbN57+3zROrNKAxQLLVsYWOAxbk9klssP2Oifyz7FAEejFma8:jx5242GQ9Kssfrj

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\InprocServer32\ = "C:\\Program Files (x86)\\SaveClicker\\av5sGc.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exeregsvr32.exeregsvr32.exe

pid process

2024 35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
1120 regsvr32.exe
1900 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gglodbkbkoggnmncalepiinkhngcdgdj\2.1\manifest.json	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\gglodbkbkoggnmncalepiinkhngcdgdj\2.1\manifest.json	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\gglodbkbkoggnmncalepiinkhngcdgdj\2.1\manifest.json	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8942A99-4512-551B-A781-D69C86E99124}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8942A99-4512-551B-A781-D69C86E99124}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E8942A99-4512-551B-A781-D69C86E99124}	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E8942A99-4512-551B-A781-D69C86E99124}\ = "SaveClicker"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E8942A99-4512-551B-A781-D69C86E99124}\NoExplorer = "1"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E8942A99-4512-551B-A781-D69C86E99124}	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8942A99-4512-551B-A781-D69C86E99124}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8942A99-4512-551B-A781-D69C86E99124}\ = "SaveClicker"	regsvr32.exe

Drops file in System32 directory 4 IoCs

Processes:

35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe

Drops file in Program Files directory 8 IoCs

Processes:

35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe

description	ioc	process
File created	C:\Program Files (x86)\SaveClicker\av5sGc.dat	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\av5sGc.dat	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
File created	C:\Program Files (x86)\SaveClicker\av5sGc.x64.dll	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\av5sGc.x64.dll	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
File created	C:\Program Files (x86)\SaveClicker\av5sGc.dll	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\av5sGc.dll	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
File created	C:\Program Files (x86)\SaveClicker\av5sGc.tlb	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\av5sGc.tlb	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{E8942A99-4512-551B-A781-D69C86E99124}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{E8942A99-4512-551B-A781-D69C86E99124}	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key deleted	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{E8942A99-4512-551B-A781-D69C86E99124}	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key deleted	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key deleted	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{E8942A99-4512-551B-A781-D69C86E99124}	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\SaveClicker\\av5sGc.tlb"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CurVer\ = "SaveClicker.2.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\ProgID	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\ProgID\ = "SaveClicker.2.1"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\InprocServer32	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CLSID\ = "{E8942A99-4512-551B-A781-D69C86E99124}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1\CLSID\ = "{E8942A99-4512-551B-A781-D69C86E99124}"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\VersionIndependentProgID\ = "SaveClicker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1\ = "SaveClicker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\InprocServer32	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\ProgID\ = "SaveClicker.2.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\ = "SaveClicker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\InprocServer32\ = "C:\\Program Files (x86)\\SaveClicker\\av5sGc.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\Programmable	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CLSID	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\Implemented Categories	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\VersionIndependentProgID	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}\ProgID	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8942A99-4512-551B-A781-D69C86E99124}	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe

pid	process
2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe

description	pid	process
Token: SeDebugPrivilege	2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Token: SeDebugPrivilege	2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Token: SeDebugPrivilege	2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Token: SeDebugPrivilege	2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Token: SeDebugPrivilege	2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Token: SeDebugPrivilege	2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exeregsvr32.exe

description	pid	process	target process
PID 2024 wrote to memory of 1120	2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe	regsvr32.exe
PID 2024 wrote to memory of 1120	2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe	regsvr32.exe
PID 2024 wrote to memory of 1120	2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe	regsvr32.exe
PID 2024 wrote to memory of 1120	2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe	regsvr32.exe
PID 2024 wrote to memory of 1120	2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe	regsvr32.exe
PID 2024 wrote to memory of 1120	2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe	regsvr32.exe
PID 2024 wrote to memory of 1120	2024	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe	regsvr32.exe
PID 1120 wrote to memory of 1900	1120	regsvr32.exe	regsvr32.exe
PID 1120 wrote to memory of 1900	1120	regsvr32.exe	regsvr32.exe
PID 1120 wrote to memory of 1900	1120	regsvr32.exe	regsvr32.exe
PID 1120 wrote to memory of 1900	1120	regsvr32.exe	regsvr32.exe
PID 1120 wrote to memory of 1900	1120	regsvr32.exe	regsvr32.exe
PID 1120 wrote to memory of 1900	1120	regsvr32.exe	regsvr32.exe
PID 1120 wrote to memory of 1900	1120	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{E8942A99-4512-551B-A781-D69C86E99124} = "1"	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe

C:\Users\Admin\AppData\Local\Temp\35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
"C:\Users\Admin\AppData\Local\Temp\35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2024

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\SaveClicker\av5sGc.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\SaveClicker\av5sGc.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1900

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SaveClicker\av5sGc.dat
Filesize
4KB

MD5
378f612a731edf14c06961a83cdd8771

SHA1
82f44b2de0072594a30e48aab31743417f926e8d

SHA256
b56ec43627566ac2296c4f0b92fda3ca51f617dad0fd9f24890f4414c939be5e

SHA512
eed7eebc28b227b3866b127a06b29646547dc1df54543183108feea451f6ed5e17190f41d6c9b2e363f447712306d13d5aff0f603b2b37ddb6764bc49537f911

Download Submit
C:\Program Files (x86)\SaveClicker\av5sGc.tlb
Filesize
3KB

MD5
8844036f19677bdb4c605f95b8e35c71

SHA1
54c162cba6a8e9c97ff630eabdd9f091fed3e0f8

SHA256
c1e650b67e3a09532103a4f1114ce74fbc783fa1de4106c18966b6ad3ecee943

SHA512
c731684798263fce7856599059b9f6773a2593b81940d3f1f6c17edb8f0a344ba5fd4d9d556982f0d12cc189904c1ff04d1831a49d7dd6ed7a230b340dce6916

Download Submit
C:\Program Files (x86)\SaveClicker\av5sGc.x64.dll
Filesize
688KB

MD5
d07082b313f2048d6de092f5d2228aab

SHA1
acf58e08f2902339f3b8a0f653dc6a6dfec85f77

SHA256
b4084282a5149ad3553159628d98baec116a3447306c563dd83d03a91e5b883d

SHA512
c57ae6d325b25fde1175ccbca1f5fba1a5cee37a29d3034e1376d244915d7b1d85d2c05f08d8b56c8c06beefeeb8eb98af364b60def5357dcd468c9d013cc40d

Download Submit
\Program Files (x86)\SaveClicker\av5sGc.dll
Filesize
614KB

MD5
cab8782981889392a56a5a56718d4c24

SHA1
411c952e93521df349387e33a116a476c1f9d523

SHA256
f281bfb67cdc444d8b4230001daca219281a5dcc15dc769c71c7c584a36dfc04

SHA512
dc2d538af76ee5dab34203e4562e7983167de0f93b9a4b84b811b090c5ad6cbf1091c4be6e1d2891f7a4131b4240348af25c2c3582573439eab71f83bd68c75d

Download Submit
\Program Files (x86)\SaveClicker\av5sGc.x64.dll
Filesize
688KB

MD5
d07082b313f2048d6de092f5d2228aab

SHA1
acf58e08f2902339f3b8a0f653dc6a6dfec85f77

SHA256
b4084282a5149ad3553159628d98baec116a3447306c563dd83d03a91e5b883d

SHA512
c57ae6d325b25fde1175ccbca1f5fba1a5cee37a29d3034e1376d244915d7b1d85d2c05f08d8b56c8c06beefeeb8eb98af364b60def5357dcd468c9d013cc40d

Download Submit
\Program Files (x86)\SaveClicker\av5sGc.x64.dll
Filesize
688KB

MD5
d07082b313f2048d6de092f5d2228aab

SHA1
acf58e08f2902339f3b8a0f653dc6a6dfec85f77

SHA256
b4084282a5149ad3553159628d98baec116a3447306c563dd83d03a91e5b883d

SHA512
c57ae6d325b25fde1175ccbca1f5fba1a5cee37a29d3034e1376d244915d7b1d85d2c05f08d8b56c8c06beefeeb8eb98af364b60def5357dcd468c9d013cc40d

Download Submit
memory/1120-80-0x0000000000000000-mapping.dmp

Download
memory/1900-85-0x000007FEFC091000-0x000007FEFC093000-memory.dmp

Filesize
8KB

Download
memory/1900-84-0x0000000000000000-mapping.dmp

Download
memory/2024-65-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-78-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-69-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-70-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-71-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-73-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-72-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-74-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-75-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-77-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-76-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-67-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-68-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-66-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-54-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download
memory/2024-64-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-63-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-62-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-61-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-60-0x00000000006D2000-0x00000000006D6000-memory.dmp

Filesize
16KB

Download
memory/2024-55-0x0000000000ED0000-0x0000000000F73000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads