Analysis

  • max time kernel
    143s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 14:36

General

  • Target

    35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe

  • Size

    2.6MB

  • MD5

    3d8635844d1d85c713e43aa5447892da

  • SHA1

    ad800d66cf444dfe9c30b38892a463c5059ec737

  • SHA256

    35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972

  • SHA512

    4ba2b0555f4fa13cc3b07798b72fb82a927234830666ed0f0f22fe12f89203ecb857c2162c969c6e39ef81deffa36481727f4eb974fd99571457b176f38a3926

  • SSDEEP

    49152:GNHmbN57+3zROrNKAxQLLVsYWOAxbk9klssP2Oifyz7FAEejFma8:jx5242GQ9Kssfrj

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 5 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe
    "C:\Users\Admin\AppData\Local\Temp\35d6d23dcbacb5c8a56391f2bfb87ff03f7a04f25ac23701bcfda9b9ebdac972.exe"
    1⤵
    • Loads dropped DLL
    • Drops Chrome extension
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1752
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\SaveClicker\av5sGc.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\SaveClicker\av5sGc.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:4232
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
      PID:4504
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
      1⤵
        PID:4188

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Program Files (x86)\SaveClicker\av5sGc.dat
        Filesize

        4KB

        MD5

        378f612a731edf14c06961a83cdd8771

        SHA1

        82f44b2de0072594a30e48aab31743417f926e8d

        SHA256

        b56ec43627566ac2296c4f0b92fda3ca51f617dad0fd9f24890f4414c939be5e

        SHA512

        eed7eebc28b227b3866b127a06b29646547dc1df54543183108feea451f6ed5e17190f41d6c9b2e363f447712306d13d5aff0f603b2b37ddb6764bc49537f911

      • C:\Program Files (x86)\SaveClicker\av5sGc.dll
        Filesize

        614KB

        MD5

        cab8782981889392a56a5a56718d4c24

        SHA1

        411c952e93521df349387e33a116a476c1f9d523

        SHA256

        f281bfb67cdc444d8b4230001daca219281a5dcc15dc769c71c7c584a36dfc04

        SHA512

        dc2d538af76ee5dab34203e4562e7983167de0f93b9a4b84b811b090c5ad6cbf1091c4be6e1d2891f7a4131b4240348af25c2c3582573439eab71f83bd68c75d

      • C:\Program Files (x86)\SaveClicker\av5sGc.tlb
        Filesize

        3KB

        MD5

        8844036f19677bdb4c605f95b8e35c71

        SHA1

        54c162cba6a8e9c97ff630eabdd9f091fed3e0f8

        SHA256

        c1e650b67e3a09532103a4f1114ce74fbc783fa1de4106c18966b6ad3ecee943

        SHA512

        c731684798263fce7856599059b9f6773a2593b81940d3f1f6c17edb8f0a344ba5fd4d9d556982f0d12cc189904c1ff04d1831a49d7dd6ed7a230b340dce6916

      • C:\Program Files (x86)\SaveClicker\av5sGc.x64.dll
        Filesize

        688KB

        MD5

        d07082b313f2048d6de092f5d2228aab

        SHA1

        acf58e08f2902339f3b8a0f653dc6a6dfec85f77

        SHA256

        b4084282a5149ad3553159628d98baec116a3447306c563dd83d03a91e5b883d

        SHA512

        c57ae6d325b25fde1175ccbca1f5fba1a5cee37a29d3034e1376d244915d7b1d85d2c05f08d8b56c8c06beefeeb8eb98af364b60def5357dcd468c9d013cc40d

      • memory/1752-132-0x0000000000400000-0x00000000004A3000-memory.dmp
        Filesize

        652KB

      • memory/2056-138-0x0000000000000000-mapping.dmp
      • memory/4232-141-0x0000000000000000-mapping.dmp