Overview

overview

8

Static

static

479372fc1b...52.exe

windows7-x64

8

479372fc1b...52.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    97s
  • max time network
    67s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 17:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    479372fc1bf9dd58afdbf1adbe9d39287a173a3bbcf06cc67236c8f581bc8c52.exe

  • Size

    3.5MB

  • MD5

    bf59f13e9a054a5ab9498e05d2d8a00e

  • SHA1

    3ee2f7e75a0a177304608bbdd5631861d5af3b36

  • SHA256

    479372fc1bf9dd58afdbf1adbe9d39287a173a3bbcf06cc67236c8f581bc8c52

  • SHA512

    ca7582edb1a07b1fb91fcba68745c8147b20fdf57ae52b6b958413680c7a4ed792b8cd42f624bcb92ab45a4c64001b2067b5de2fc441cb1b9a8520c19d5d33b3

  • SSDEEP

    49152:IcRYRlGdLKeURmULP0Q6hnQ9nkyb3BeKiEdQY7tXyMB6KWY5i8LA0rIDS4vLrgwp:V6RlGWPeEiEqYJOKWYdLT8DBvL0w5g

Score
8/10
adwarediscoverypersistencespywarestealer

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 3 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\479372fc1bf9dd58afdbf1adbe9d39287a173a3bbcf06cc67236c8f581bc8c52.exe
    "C:\Users\Admin\AppData\Local\Temp\479372fc1bf9dd58afdbf1adbe9d39287a173a3bbcf06cc67236c8f581bc8c52.exe"
    1⤵
    • Loads dropped DLL
    • Drops Chrome extension
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1320
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\GoSaVe\_Y2c0.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\GoSaVe\_Y2c0.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Browser Extensions

1
T1176

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\GoSaVe\_Y2c0.dat
    Filesize

    4KB

    MD5

    06bbc58791dd74ac4368bbf5ba4b4bcd

    SHA1

    bf0a03b3d8a178eca5904157e3c86fa656156d63

    SHA256

    7d15307034f0d6d22cfea5f7cf1942e47f7c61c4f25492ab9cb040d93939b313

    SHA512

    26fa60a575bc48439be82857c5f9fb4925bc09431e0dd02da1207884c26872612bd681f0a60cf64435e957ae2c87d32008d728a132d8e4a9b4d4550dfa60ab00

    Download Submit
  • C:\Program Files (x86)\GoSaVe\_Y2c0.tlb
    Filesize

    3KB

    MD5

    69f83b6fbfb0b8bcd41fd7526c15f0f8

    SHA1

    6e77c6a9db881c687513fca345f7014a34581fbd

    SHA256

    138bbb7b27e2101e06fd2ee40807bf0cf5092c706b63f20275cb0acd5ca4ddd4

    SHA512

    e266fc64bd30a7e070089c2a0dca878a482c49b6069adf2fbe08e87584298d75960846845c1f207d2784a652e34908997aabcdacfd11956cca21df42bc13fcdd

    Download Submit
  • C:\Program Files (x86)\GoSaVe\_Y2c0.x64.dll
    Filesize

    704KB

    MD5

    b006dc4fc0353a50f457e148a8783482

    SHA1

    df404fe8ca7df2a6cf389db2e64cbde87da702ea

    SHA256

    11f47eb93788cb172f91b1edd66d590011bde04c328733f18fd93e7391b0e116

    SHA512

    345128159a96f6e085a212cd9b81a17487c2bf3c0e57e70683a498aa79cd012b40349cd4414622094d6b425cd99070e2d43a9052b8c65bffd75a374e585d0e05

    Download Submit
  • \Program Files (x86)\GoSaVe\_Y2c0.dll
    Filesize

    623KB

    MD5

    2f700827f71ba8d02b87b1145bde267e

    SHA1

    a3264aa5c20eea8279b82283d98410f9c3491865

    SHA256

    1d5544b85315e47c0dfbf7bf6a037ed4c66f7f3ac192da07352d574526393b1f

    SHA512

    ff50314ff77b859688dad9c8a73de194d05fc56f11ed6b4996d61f85f3fa138d13270f8f0283f88642d5886e15fc7a2924f0c42da2d40b8f4b563a29ed15b181

    Download Submit
  • \Program Files (x86)\GoSaVe\_Y2c0.x64.dll
    Filesize

    704KB

    MD5

    b006dc4fc0353a50f457e148a8783482

    SHA1

    df404fe8ca7df2a6cf389db2e64cbde87da702ea

    SHA256

    11f47eb93788cb172f91b1edd66d590011bde04c328733f18fd93e7391b0e116

    SHA512

    345128159a96f6e085a212cd9b81a17487c2bf3c0e57e70683a498aa79cd012b40349cd4414622094d6b425cd99070e2d43a9052b8c65bffd75a374e585d0e05

    Download Submit
  • \Program Files (x86)\GoSaVe\_Y2c0.x64.dll
    Filesize

    704KB

    MD5

    b006dc4fc0353a50f457e148a8783482

    SHA1

    df404fe8ca7df2a6cf389db2e64cbde87da702ea

    SHA256

    11f47eb93788cb172f91b1edd66d590011bde04c328733f18fd93e7391b0e116

    SHA512

    345128159a96f6e085a212cd9b81a17487c2bf3c0e57e70683a498aa79cd012b40349cd4414622094d6b425cd99070e2d43a9052b8c65bffd75a374e585d0e05

    Download Submit
  • memory/580-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1320-54-0x0000000076301000-0x0000000076303000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1320-55-0x0000000000790000-0x0000000000834000-memory.dmp
    Filesize

    656KB

    Download
  • memory/1656-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1656-66-0x000007FEFBAD1000-0x000007FEFBAD3000-memory.dmp
    Filesize

    8KB

    Download