Overview

overview

8

Static

static

db6a51aed5...1d.exe

windows7-x64

8

db6a51aed5...1d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    25s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 15:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db6a51aed58898cf8170f4756d2f75fc7dcc8e88418e1ecae26cc7e941673b1d.exe

  • Size

    3.5MB

  • MD5

    a88e7ac223bd691b9ab33e42995f0b70

  • SHA1

    11ce77d169e0b92374d20a9560c369f0ff36aa62

  • SHA256

    db6a51aed58898cf8170f4756d2f75fc7dcc8e88418e1ecae26cc7e941673b1d

  • SHA512

    630b2cc145a82ce89470cbd4e13ff7df32b0bac1e949f1ebf7799659246d1be8950ca19d8bcacf15932c54fb87e86ddbd8d401c61d6dcb34955798dcf469ce97

  • SSDEEP

    49152:yVxYLlFQRuG9zYHTYJkR+lAAfz1TW/p4DjL5W61Cl9I:yVx809EzLR+lAAr1aaDvb1

Score
8/10
adwarediscoverypersistencestealer

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\db6a51aed58898cf8170f4756d2f75fc7dcc8e88418e1ecae26cc7e941673b1d.exe
    "C:\Users\Admin\AppData\Local\Temp\db6a51aed58898cf8170f4756d2f75fc7dcc8e88418e1ecae26cc7e941673b1d.exe"
    1⤵
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2032
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\GOSave\eTWGfeYTIfy0EH.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\GOSave\eTWGfeYTIfy0EH.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Browser Extensions

1
T1176

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\GOSave\eTWGfeYTIfy0EH.dat
    Filesize

    4KB

    MD5

    f391a9c455ebc2d25186a1d557a63c73

    SHA1

    1f681cda9df3de31f1ea77eb32a1f99c0a02a609

    SHA256

    f05fcab93513c1ea3de67c9c001d3935978e26780bac89b04e052f6422faf45d

    SHA512

    9be652df54b6ff932d8d78f019a77985d71fbc397f71e615cc5d548dfeb8e63d67cddf09a7e772ecf5d4c2ff1cdde05e782fc5a6d4b4ef945993722970c2239e

    Download Submit
  • C:\Program Files (x86)\GOSave\eTWGfeYTIfy0EH.tlb
    Filesize

    3KB

    MD5

    62cb4133d9d3a46f4f1c6c0fb3688619

    SHA1

    feaaef6e2b8c41be2575d0763cc8de3e8c19478e

    SHA256

    3ddcfb4b206fc4856f5bb5c06bcc3761dde53882eea20b5dc5ddf4ee8864bea5

    SHA512

    cb30dc73d52eb502f745fe32b4055b53306f62f0847cae1275d0856608949ea62c30f40d7f252ad450909a4bd425cf0e50012400175cc42a4096cf1451d90123

    Download Submit
  • C:\Program Files (x86)\GOSave\eTWGfeYTIfy0EH.x64.dll
    Filesize

    702KB

    MD5

    1287246338d36f26f77735bd58d74e70

    SHA1

    aabda37cd307e50f2444c73bd656eaf2b78fc291

    SHA256

    4d1d5893df770fc7c94b33c90f87f8cc8b9d7669f4f914df9139ddb22042acc1

    SHA512

    ee4177dbd58c1327ea0334e43499e99cea642d458844b589116d147d72a6f71e063fe5dadbe262a7bca7cf0ba7ec48708e64827b513abc3e46144bcfcc6f46f1

    Download Submit
  • \Program Files (x86)\GOSave\eTWGfeYTIfy0EH.dll
    Filesize

    619KB

    MD5

    4f328f4e17a2c81830aac4c8c3d67141

    SHA1

    063c8e33d6a263dd604d072ffd143305f6c3d4a8

    SHA256

    303917029755e7a44a6e7392c5e751e4fbcb66feaa8a5f09142efaf5a91ad2fc

    SHA512

    d387cf9ee95426717be8bac7a6cd422b8ddc2aa925723a9b25a169d9b4a0f5cb5607e2f2b8161cadb0e4333d1fda4ba24ecb838dbb49571d55a6799efce404c0

    Download Submit
  • \Program Files (x86)\GOSave\eTWGfeYTIfy0EH.x64.dll
    Filesize

    702KB

    MD5

    1287246338d36f26f77735bd58d74e70

    SHA1

    aabda37cd307e50f2444c73bd656eaf2b78fc291

    SHA256

    4d1d5893df770fc7c94b33c90f87f8cc8b9d7669f4f914df9139ddb22042acc1

    SHA512

    ee4177dbd58c1327ea0334e43499e99cea642d458844b589116d147d72a6f71e063fe5dadbe262a7bca7cf0ba7ec48708e64827b513abc3e46144bcfcc6f46f1

    Download Submit
  • \Program Files (x86)\GOSave\eTWGfeYTIfy0EH.x64.dll
    Filesize

    702KB

    MD5

    1287246338d36f26f77735bd58d74e70

    SHA1

    aabda37cd307e50f2444c73bd656eaf2b78fc291

    SHA256

    4d1d5893df770fc7c94b33c90f87f8cc8b9d7669f4f914df9139ddb22042acc1

    SHA512

    ee4177dbd58c1327ea0334e43499e99cea642d458844b589116d147d72a6f71e063fe5dadbe262a7bca7cf0ba7ec48708e64827b513abc3e46144bcfcc6f46f1

    Download Submit
  • memory/1532-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1568-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1568-66-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2032-54-0x0000000075201000-0x0000000075203000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2032-55-0x0000000002790000-0x0000000002832000-memory.dmp
    Filesize

    648KB

    Download