Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    24-11-2022 21:48

General

  • Target

    9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe

  • Size

    4.6MB

  • MD5

    6be2684284b3812ca845422cbbb46b8e

  • SHA1

    4fa46e361d16c889ad0fd4b5403508fb7f06c289

  • SHA256

    9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117

  • SHA512

    acf16e65939a1b219447fc564785c97ac1dbe63dec68c045ab28fcf1cd01da38727f9e0d9ca73a3ccb0e2618b68ccb7a3c85f03a97dfb5492422f0b0afaea4aa

  • SSDEEP

    98304:IB5ZQZz8FK10bOlT84AkxqYmZHj3E7vqiVDBXptM+cD:o5eHAkxAuNVRoD

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 5 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules that Internet Explorer loads in-process as plugins. They are registered by CLSID under the Browser Helper Objects registry key (native and Wow6432Node views) and run with the browser's privileges, which makes them a long-standing adware and spyware persistence point.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • System policy modification 1 TTPs 1 IoCs
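The BHO and COM-server signatures above are registry artifacts, so the same facts can be hunted on a live host or in an exported hive. The following Python is an added example, not part of the sandbox report, that parses a `reg export`-style dump, resolves each registered BHO CLSID to its InprocServer32 DLL in both the native and Wow6432Node views, and flags any whose server DLL sits in the GoSave directory this sample dropped into. The registry text and the CLSID are constructed for illustration; only the two DLL paths come from the report.

```python
import re

# Constructed sample in "reg export" (Windows Registry Editor 5.00) format.
# The CLSID is hypothetical; the two DLL paths are the ones dropped by the sample.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A1B2C3D4-0000-4000-8000-000000000001}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A1B2C3D4-0000-4000-8000-000000000001}]
"NoExplorer"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{A1B2C3D4-0000-4000-8000-000000000001}]
@="GoSave"

[HKEY_CLASSES_ROOT\CLSID\{A1B2C3D4-0000-4000-8000-000000000001}\InprocServer32]
@="C:\\Program Files (x86)\\GoSave\\upTsQ64wiB8cmM.x64.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{A1B2C3D4-0000-4000-8000-000000000001}\InprocServer32]
@="C:\\Program Files (x86)\\GoSave\\upTsQ64wiB8cmM.dll"
"ThreadingModel"="Apartment"
'''

BHO_KEY = re.compile(r"\\Explorer\\Browser Helper Objects\\(\{[0-9A-Fa-f-]{36}\})$", re.I)
# Drop directory from the report, lower-cased for comparison (plain string: a raw string cannot end in '\').
DROP_DIR = "c:\\program files (x86)\\gosave\\"


def parse_reg_export(text):
    """Map each [key] in a .reg export to its values; the default value is stored under '@'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip('"')  # '@' (default value) stays '@'
        if value.startswith('"') and value.endswith('"'):
            # REG_SZ: undo the escaping reg.exe applies to quotes and backslashes on export
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = value
    return keys


def find_bhos(keys):
    """Resolve each BHO registration to its InprocServer32 DLL, per registry view (64-bit or Wow6432Node)."""
    lowered = {k.lower(): v for k, v in keys.items()}
    rows = []
    for key in keys:
        m = BHO_KEY.search(key)
        if not m:
            continue
        clsid = m.group(1)
        wow = "\\wow6432node\\" in key.lower()
        # A 32-bit BHO entry must be resolved through the 32-bit CLSID view, a 64-bit one through the native view.
        roots = (("HKEY_CLASSES_ROOT\\Wow6432Node\\CLSID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID")
                 if wow else ("HKEY_CLASSES_ROOT\\CLSID", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID"))
        dll = None
        for root in roots:
            hit = lowered.get(f"{root}\\{clsid}\\InprocServer32".lower())
            if hit is not None:
                dll = hit.get("@")
                break
        rows.append({"clsid": clsid, "view": "32-bit" if wow else "64-bit", "dll": dll})
    return rows


def triage(rows):
    """Return the BHOs worth attention: unresolvable server DLLs and DLLs in the sample's drop directory."""
    return [r for r in rows if not r["dll"] or r["dll"].lower().startswith(DROP_DIR)]


if __name__ == "__main__":
    for row in triage(find_bhos(parse_reg_export(SAMPLE_REG))):
        print(f"{row['view']:6} {row['clsid']} -> {row['dll']}")
```

On a real host, export the two Browser Helper Objects keys (native and Wow6432Node) and HKEY_CLASSES_ROOT\CLSID with `reg export`, concatenate the files and feed the text to `parse_reg_export`; `reg export` writes UTF-16LE with a BOM, so decode with `utf-16` before parsing. Resolving through the matching view matters here: the sample registers a 32-bit and a 64-bit DLL under the same CLSID, and a hunt that only reads the native CLSID key will miss the Wow6432Node registration.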

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
    "C:\Users\Admin\AppData\Local\Temp\9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe"
    1⤵
    • Loads dropped DLL
    • Drops Chrome extension
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2276
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4692
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:1048
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
    PID:4744
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
    PID:4860
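In the tree above the dropper (PID 2276) launches the 32-bit regsvr32 from SysWOW64 with /s against a 64-bit DLL; regsvr32 then hands the job to its 64-bit counterpart in system32 (PID 1048), which is the process that actually writes the COM server and BHO registrations. The following Python is an added example, not part of the report, of detection logic for that pattern run over constructed process-creation events that mirror the tree: image paths, command lines and PIDs 2276, 4692, 1048 and 4744 are taken from the report, while the parent PIDs of the top-level processes (0) and the benign PID 5000 event are made up. It flags silent regsvr32 registrations of a module outside the Windows system directories and walks the parent chain through the 32-to-64-bit handoff back to the process that started it.

```python
import re

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe"
GOSAVE_X64 = r"C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.x64.dll"

# Constructed process-creation events mirroring the report's tree (fields as in Sysmon event 1).
# Top-level parent PIDs (0) and the benign scrrun.dll registration (PID 5000) are invented.
EVENTS = [
    {"pid": 2276, "ppid": 0, "image": SAMPLE_EXE, "cmdline": f'"{SAMPLE_EXE}"'},
    {"pid": 4692, "ppid": 2276, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": f'regsvr32.exe /s "{GOSAVE_X64}"'},
    {"pid": 1048, "ppid": 4692, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": f'/s "{GOSAVE_X64}"'},
    {"pid": 4744, "ppid": 0, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc"},
    {"pid": 5000, "ppid": 0, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\scrrun.dll"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
ARG = re.compile(r'"([^"]*)"|(\S+)')


def tokens(cmdline):
    """Split a Windows command line, keeping a quoted path with spaces as one token."""
    return [q or b for q, b in ARG.findall(cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def module_argument(toks):
    """First argument naming a COM server module, whatever the order of /s, /u, /i or /n."""
    return next((t for t in toks if t.lower().endswith((".dll", ".ocx", ".ax"))), None)


def origin_of(event, by_pid, max_hops=16):
    """Walk up through regsvr32 parents (the 32->64-bit handoff) to the process that started the chain."""
    cur = event
    for _ in range(max_hops):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return cur          # top of the known tree
        if basename(parent["image"]) != "regsvr32.exe":
            return parent       # the dropper or installer that invoked regsvr32
        cur = parent
    return cur


def detect_regsvr32_registration(events):
    """Flag regsvr32 runs that register a module outside the Windows system directories."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "regsvr32.exe":
            continue
        toks = tokens(e["cmdline"])
        module = module_argument(toks)
        if module is None or module.lower().startswith(SYSTEM_DIRS):
            continue
        parent = by_pid.get(e["ppid"])
        handoff = parent is not None and basename(parent["image"]) == "regsvr32.exe"
        hits.append({
            "pid": e["pid"],
            "module": module,
            "silent": any(t.lower() in ("/s", "-s") for t in toks),
            "unregister": any(t.lower() in ("/u", "-u") for t in toks),
            "handoff_from_pid": parent["pid"] if handoff else None,
            "origin_pid": origin_of(e, by_pid)["pid"],
        })
    return hits


if __name__ == "__main__":
    for h in detect_regsvr32_registration(EVENTS):
        print(h)
```

The event fields map directly onto Sysmon Event ID 1 (Image, CommandLine, ProcessId, ParentProcessId) or Security 4688 with command-line auditing enabled. The parent walk is the part that matters operationally: because the 64-bit regsvr32 is spawned by the 32-bit one, a rule keyed only on the immediate parent of the registering process reports regsvr32 as its own parent and never names the dropper.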

      Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
    Browser Extensions (T1176): 1
  • Defense Evasion
    Modify Registry (T1112): 3
  • Credential Access
    Credentials in Files (T1081): 1
  • Discovery
    Query Registry (T1012): 1
  • Collection
    Data from Local System (T1005): 1

The technique IDs are those of ATT&CK v6, as the report states; in current ATT&CK versions T1060 has become T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1081 has become T1552.001 (Unsecured Credentials: Credentials In Files).

      Downloads

      • C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.dat
        Filesize

        4KB

        MD5

        a4f167657a330f71ae072a3759b23884

        SHA1

        a499678870603d2c5c7598a586c06c4dc6e986cf

        SHA256

        5420f281d8c94dc4e8c1a2aa6616036e4d53c710c50cf6a8111daefd80ae562a

        SHA512

        51f0ac99d128f7ffebf8aea0861c78519ce186c3e5f128c03e37179b24c7a0f83350c210dd4de4b28cfdb6291dfb05b014d819f7ad772c3cfcd77db9196bff5b

      • C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.dll
        Filesize

        741KB

        MD5

        0f2db92a7d763af605b6273a4aa18382

        SHA1

        c9e6e9eb3c2050c86afa1b79e437ea8c8252573f

        SHA256

        ebdf480f55d619da9a5f23810ef174f5e789d81899bf4f63371cfd95e402658a

        SHA512

        824230a31cd7e7410c369dae190c1a3bec7498f52740b484e5d09c76265dbd71fb989f5ce889ca8a4f1ae28eb740e39d020b9581aa0496ae394d6ff3874038e5

      • C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.tlb
        Filesize

        3KB

        MD5

        b826030b97202e2efa7f7a60493c61a7

        SHA1

        8145289ac846d579df907dc43fa79fa5866f2930

        SHA256

        df318425290a57dbdaffd19be838eb1317d38d00be224272168375251cb2f83f

        SHA512

        246becba94b93fa2e79e9938efe94fd325e18ecd1ce93f642e184ba89d230a5cdf5596272e6ace3a7e9440e5aa9eb153bb8bc5ab6f3bc518fca9b790d4f8d6db

      • C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.x64.dll
        Filesize

        879KB

        MD5

        0b282547d65c4597ac0f2c5cc09c3b37

        SHA1

        43a626f01c7ead04cee4b8523b02ee7248271051

        SHA256

        c8dbfff7b084eb5ff31be01fbd03f392b4c7cb192e904810c7a9e60b985be846

        SHA512

        541a816d8981656a697f96a89daad2a2d84c9f4a0769175babf8a2785ad6580c2fc3180575a8feeab39f5956176ef4ed4c80f433b557775c359ca3659219da30

      • memory/1048-141-0x0000000000000000-mapping.dmp
      • memory/2276-132-0x0000000002F70000-0x0000000003037000-memory.dmp
        Filesize

        796KB

      • memory/4692-138-0x0000000000000000-mapping.dmp