Overview

overview

8

Static

static

c2eaba771a...ad.exe

windows7-x64

8

c2eaba771a...ad.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    35s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 15:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c2eaba771a3068479afba2a80235d5bf1abc1d7da002538ab4387219ef7c92ad.exe

  • Size

    4.3MB

  • MD5

    b5353e70b290d8367234836bbd0a059d

  • SHA1

    51ac2489a6b83380c90b93965fe13e3b89e19f1c

  • SHA256

    c2eaba771a3068479afba2a80235d5bf1abc1d7da002538ab4387219ef7c92ad

  • SHA512

    666ce8863ed18de526270a4944c332714041a9eaf77635b81ba7bd4d6b5076ae80e272ab5bc801e78f6f1560688d1a7d500c128be5cd29acc72c6fe209b40ffc

  • SSDEEP

    98304:Ek25ebO53eJdc1FMh6ZBrdHFAuPdC7hnq54q60AO41S44NEWFGva3Y/5h5HQDdx+:EbOwsdcHrdRXP+U33Bg3

Score
8/10
adwarediscoverypersistencestealer

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\c2eaba771a3068479afba2a80235d5bf1abc1d7da002538ab4387219ef7c92ad.exe
    "C:\Users\Admin\AppData\Local\Temp\c2eaba771a3068479afba2a80235d5bf1abc1d7da002538ab4387219ef7c92ad.exe"
    1⤵
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2012
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\GoSaVE\GS901T.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\GoSaVE\GS901T.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Browser Extensions

1
T1176

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\GoSaVE\GS901T.dat
    Filesize

    4KB

    MD5

    db0f45ff5623aef30345875b31110926

    SHA1

    b81493648947437f4af16762db1359fb303ebfc1

    SHA256

    5623394a60b4944fc514a0496d940b65ddd1daadf248f910d3a77517e7dce544

    SHA512

    a488833b61ac683ab043d41dc3c61fd371f77c964eed031cd3cb6c973324b97c8e592d8c4b37de53dc5b01fd9450ba6c26e445c03ca4e2b7ee8209ffb6a9b53a

    Download Submit
  • C:\Program Files (x86)\GoSaVE\GS901T.tlb
    Filesize

    3KB

    MD5

    fb73184b9c1bfaa44e6cbdb593fd2909

    SHA1

    4585af18986a5e24c544fcecd9e02e3006f440d1

    SHA256

    c89fa0e13aa5c8930b6f28648653b815d4a93cd13e8d7d0f1bf8bf1a49920edb

    SHA512

    2e130f61d2211b7d2799905937b78d5119c3b22580c467dcfe757d8ac5b1e86c33fb69e3c67a6267f4db0a2730dc7cc399b8020d077b30d77428f54ec03523ed

    Download Submit
  • C:\Program Files (x86)\GoSaVE\GS901T.x64.dll
    Filesize

    699KB

    MD5

    1fe3d25ff48d168cb86094de5401cab0

    SHA1

    c6e746f4c629185d8ef71d275845e1d072483923

    SHA256

    5cecdf46cd265705f19edaabc14272048a1da3563ed099303f8ed47ba3056a04

    SHA512

    ba3df2cf1031830fc9847c3213ec9fcd1c36c646071b2e5ae12b4bbf502a199e704131b6c53954a6ff969ba611e13743e89f0b26614b831d8b39c61a484c9be4

    Download Submit
  • \Program Files (x86)\GoSaVE\GS901T.dll
    Filesize

    619KB

    MD5

    d87bbe9d29b88e94ba03b16567033ddf

    SHA1

    19102742808244a23ca403d983dfd9f7088fffe3

    SHA256

    fdbce4dd2b45ac64620fc875bd12d8706a197bc3def75cdc33b9984f039da5b5

    SHA512

    24ea28c1104ee07604124842a99e359a53644e7693515dcf1b9a4dc7c8258c9d1bdc8b78b7018582521b6d41aebb96a1a38b6994fe83a12e29418bb011c69d03

    Download Submit
  • \Program Files (x86)\GoSaVE\GS901T.x64.dll
    Filesize

    699KB

    MD5

    1fe3d25ff48d168cb86094de5401cab0

    SHA1

    c6e746f4c629185d8ef71d275845e1d072483923

    SHA256

    5cecdf46cd265705f19edaabc14272048a1da3563ed099303f8ed47ba3056a04

    SHA512

    ba3df2cf1031830fc9847c3213ec9fcd1c36c646071b2e5ae12b4bbf502a199e704131b6c53954a6ff969ba611e13743e89f0b26614b831d8b39c61a484c9be4

    Download Submit
  • \Program Files (x86)\GoSaVE\GS901T.x64.dll
    Filesize

    699KB

    MD5

    1fe3d25ff48d168cb86094de5401cab0

    SHA1

    c6e746f4c629185d8ef71d275845e1d072483923

    SHA256

    5cecdf46cd265705f19edaabc14272048a1da3563ed099303f8ed47ba3056a04

    SHA512

    ba3df2cf1031830fc9847c3213ec9fcd1c36c646071b2e5ae12b4bbf502a199e704131b6c53954a6ff969ba611e13743e89f0b26614b831d8b39c61a484c9be4

    Download Submit
  • memory/912-65-0x0000000000000000-mapping.dmp
    Download
  • memory/912-66-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1500-61-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-54-0x0000000075E81000-0x0000000075E83000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2012-55-0x0000000000880000-0x0000000000924000-memory.dmp
    Filesize

    656KB

    Download