Analysis

  • max time kernel
    45s
  • max time network
    88s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20221111-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    23-11-2022 15:54

General

  • Target

    cc3c85b050e2c5e2a5acceaf4a6e7a98f3f7bd41b67b0d011a0f09e2f2d86753.exe

  • Size

    4.3MB

  • MD5

    023815e5bbb2622361efe9726391f521

  • SHA1

    beefdc231b89e84c91e8835b348d23daba44553a

  • SHA256

    cc3c85b050e2c5e2a5acceaf4a6e7a98f3f7bd41b67b0d011a0f09e2f2d86753

  • SHA512

    b3feff6b15dd2677b921ac3f16a808c9cf5515a8cfd805fd228e5e97be2537c1a2e690368eabbb45bca71bcf29b8dd8997ef1eac9164eaa0e30e7e374eca9c70

  • SSDEEP

    98304:6O1W+GLmuEcyneLfroGvNdZ7tJZqycRUa2:6oFuEKvNZJL3l

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 3 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc3c85b050e2c5e2a5acceaf4a6e7a98f3f7bd41b67b0d011a0f09e2f2d86753.exe
    "C:\Users\Admin\AppData\Local\Temp\cc3c85b050e2c5e2a5acceaf4a6e7a98f3f7bd41b67b0d011a0f09e2f2d86753.exe"
    1⤵
    • Loads dropped DLL
    • Drops Chrome extension
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1216
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\GoSave\Nbo3nYj1c.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\GoSave\Nbo3nYj1c.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:856

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\GoSave\Nbo3nYj1c.dat

    Filesize

    4KB

    MD5

    88b080af51fa86f03c2c8fa91007e16e

    SHA1

    40e97fc6f5ed8f3bff426c6f62be36a5b77ad9e3

    SHA256

    4553e672b074ddf664d24746150c9e4079de911cdd580343047e1c724171eef1

    SHA512

    a1712d4c3c132c1f45f9eacc49a6fc9864896cc86bb3ed30259718c8a0a93564739fa106fad3208819241c4b085ab634b46ae0b55228f5d786b873fd85d80197

  • C:\Program Files (x86)\GoSave\Nbo3nYj1c.tlb

    Filesize

    3KB

    MD5

    8b0eff5b37b07646ad8af3652b2a07d9

    SHA1

    2871ea51fc456d896e92008ba4786b1b6dafc766

    SHA256

    ea7fe048436847add57a464f3b7e9254d572b02245139e590e826a8e6b4a1876

    SHA512

    f369da1d407d4973b6e86997200384b11bd05a3c03a38f8378bd406e041b782ca67046b722046c01a0be7075a68cfb567ab899a491bc5f4818b7adb2d4cc5977

  • C:\Program Files (x86)\GoSave\Nbo3nYj1c.x64.dll

    Filesize

    702KB

    MD5

    6bef9cac4a41368acf66c58c0220e9f0

    SHA1

    b3a8cad8c98fea28440a7a7dcf9ed8f17f0e8543

    SHA256

    0cc95db9ff714315ad9f5edd95551bd3dcc558035ce1a88cd975aa5baae68183

    SHA512

    f9b9e868b473b60743e976775a5e5be3c3c12fc355de813f5330071c72d19c84be25f24f7f7b556298cf91826416feabc1902abe72a31ee4bafdff27c56eab61

  • \Program Files (x86)\GoSave\Nbo3nYj1c.dll

    Filesize

    621KB

    MD5

    5a952460a846f9225ade28210dafcdcc

    SHA1

    754ca01c829a7400ed9d71f4381bcefa1a2baf8b

    SHA256

    3072d493d8b8e4df3885fed083f22c5ea80ed02060ef1ac4134593be8d93ecab

    SHA512

    429e27df9195d8b3c80a3d5fb1a243d6d04c8a4f7e3dc5e662f6f557c3853d9405c40b697e311bae1a4b07dfc608ad299afe4f06cadd4078f799e594535f485b

  • \Program Files (x86)\GoSave\Nbo3nYj1c.x64.dll

    Filesize

    702KB

    MD5

    6bef9cac4a41368acf66c58c0220e9f0

    SHA1

    b3a8cad8c98fea28440a7a7dcf9ed8f17f0e8543

    SHA256

    0cc95db9ff714315ad9f5edd95551bd3dcc558035ce1a88cd975aa5baae68183

    SHA512

    f9b9e868b473b60743e976775a5e5be3c3c12fc355de813f5330071c72d19c84be25f24f7f7b556298cf91826416feabc1902abe72a31ee4bafdff27c56eab61

  • memory/656-61-0x0000000000000000-mapping.dmp

  • memory/856-65-0x0000000000000000-mapping.dmp

  • memory/856-66-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

    Filesize

    8KB

  • memory/1216-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

    Filesize

    8KB

  • memory/1216-55-0x0000000000900000-0x00000000009A3000-memory.dmp

    Filesize

    652KB