8e357d99c298f6147f43fbd588cfdfdb3e99ad61688acff93a2be84a9fff29da

Analysis

max time kernel
180s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e357d99c298f6147f43fbd588cfdfdb3e99ad61688acff93a2be84a9fff29da.exe
Size

2.1MB
MD5

ece83062db4abcbaf1ef06ceb570582c
SHA1

23cbfad793879943346719e87275aa5897f9d7ca
SHA256

8e357d99c298f6147f43fbd588cfdfdb3e99ad61688acff93a2be84a9fff29da
SHA512

802f52b69336aecb9100c15b55748b5bf1058c2e5ee971cb346f5f98712aad603ac697e57df2c0ba96becd4a60712aa105b110c112499351274a8aa32fdb2922
SSDEEP

49152:gTcw1JeApYbGdrLH0LlMBYFxkuL0uVxCGesEl4+Tbfa:gnJeA0ob0LlTkuLRVxVesCvf

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

x4pPzcF.exe

pid process

4868 x4pPzcF.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\InprocServer32\ = "C:\\Program Files (x86)\\SaveClicker\\9iBVMO.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

x4pPzcF.exeregsvr32.exeregsvr32.exe

pid process

4868 x4pPzcF.exe
4768 regsvr32.exe
2068 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

x4pPzcF.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\iipckhlfckhaffgifbfbjmmpaikahpll\2.1\manifest.json	x4pPzcF.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\iipckhlfckhaffgifbfbjmmpaikahpll\2.1\manifest.json	x4pPzcF.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\iipckhlfckhaffgifbfbjmmpaikahpll\2.1\manifest.json	x4pPzcF.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\iipckhlfckhaffgifbfbjmmpaikahpll\2.1\manifest.json	x4pPzcF.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\iipckhlfckhaffgifbfbjmmpaikahpll\2.1\manifest.json	x4pPzcF.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exex4pPzcF.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\ = "SaveClicker"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\ = "SaveClicker"	x4pPzcF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\NoExplorer = "1"	x4pPzcF.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}	x4pPzcF.exe

Drops file in Program Files directory 8 IoCs

Processes:

x4pPzcF.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\SaveClicker\9iBVMO.dll	x4pPzcF.exe
File created	C:\Program Files (x86)\SaveClicker\9iBVMO.tlb	x4pPzcF.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\9iBVMO.tlb	x4pPzcF.exe
File created	C:\Program Files (x86)\SaveClicker\9iBVMO.dat	x4pPzcF.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\9iBVMO.dat	x4pPzcF.exe
File created	C:\Program Files (x86)\SaveClicker\9iBVMO.x64.dll	x4pPzcF.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\9iBVMO.x64.dll	x4pPzcF.exe
File created	C:\Program Files (x86)\SaveClicker\9iBVMO.dll	x4pPzcF.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

x4pPzcF.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}	x4pPzcF.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	x4pPzcF.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	x4pPzcF.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}	x4pPzcF.exe

Modifies registry class 64 IoCs

Processes:

x4pPzcF.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\Programmable	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\InprocServer32	x4pPzcF.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\VersionIndependentProgID	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\ProgID\ = "SaveClicker.2.1"	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\ = "SaveClicker"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\VersionIndependentProgID\ = "SaveClicker"	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CLSID\ = "{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}"	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1\CLSID	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CLSID	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	x4pPzcF.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\ProgID\ = "SaveClicker.2.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\SaveClicker\\9iBVMO.tlb"	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\SaveClicker"	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\ProgID	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	x4pPzcF.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CLSID\ = "{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\ = "SaveClicker"	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\ = "SaveClicker"	x4pPzcF.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\ProgID	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1\CLSID\ = "{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7}"	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	x4pPzcF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	x4pPzcF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	x4pPzcF.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

x4pPzcF.exe

pid	process
4868	x4pPzcF.exe
4868	x4pPzcF.exe
4868	x4pPzcF.exe
4868	x4pPzcF.exe
4868	x4pPzcF.exe
4868	x4pPzcF.exe
4868	x4pPzcF.exe
4868	x4pPzcF.exe
4868	x4pPzcF.exe
4868	x4pPzcF.exe
4868	x4pPzcF.exe
4868	x4pPzcF.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

x4pPzcF.exe

description	pid	process
Token: SeDebugPrivilege	4868	x4pPzcF.exe
Token: SeDebugPrivilege	4868	x4pPzcF.exe
Token: SeDebugPrivilege	4868	x4pPzcF.exe
Token: SeDebugPrivilege	4868	x4pPzcF.exe
Token: SeDebugPrivilege	4868	x4pPzcF.exe
Token: SeDebugPrivilege	4868	x4pPzcF.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8e357d99c298f6147f43fbd588cfdfdb3e99ad61688acff93a2be84a9fff29da.exex4pPzcF.exeregsvr32.exe

description	pid	process	target process
PID 4864 wrote to memory of 4868	4864	8e357d99c298f6147f43fbd588cfdfdb3e99ad61688acff93a2be84a9fff29da.exe	x4pPzcF.exe
PID 4864 wrote to memory of 4868	4864	8e357d99c298f6147f43fbd588cfdfdb3e99ad61688acff93a2be84a9fff29da.exe	x4pPzcF.exe
PID 4864 wrote to memory of 4868	4864	8e357d99c298f6147f43fbd588cfdfdb3e99ad61688acff93a2be84a9fff29da.exe	x4pPzcF.exe
PID 4868 wrote to memory of 4768	4868	x4pPzcF.exe	regsvr32.exe
PID 4868 wrote to memory of 4768	4868	x4pPzcF.exe	regsvr32.exe
PID 4868 wrote to memory of 4768	4868	x4pPzcF.exe	regsvr32.exe
PID 4768 wrote to memory of 2068	4768	regsvr32.exe	regsvr32.exe
PID 4768 wrote to memory of 2068	4768	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

x4pPzcF.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1E655AB8-FAAB-FCCE-781F-A6521D2F10A7} = "1"	x4pPzcF.exe

C:\Users\Admin\AppData\Local\Temp\8e357d99c298f6147f43fbd588cfdfdb3e99ad61688acff93a2be84a9fff29da.exe
"C:\Users\Admin\AppData\Local\Temp\8e357d99c298f6147f43fbd588cfdfdb3e99ad61688acff93a2be84a9fff29da.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Users\Admin\AppData\Local\Temp\24ab4bd6\x4pPzcF.exe
"C:\Users\Admin\AppData\Local\Temp/24ab4bd6/x4pPzcF.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4868

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\SaveClicker\9iBVMO.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\SaveClicker\9iBVMO.x64.dll"
4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:2068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SaveClicker\9iBVMO.dat
Filesize
3KB

MD5
02f9aa149e6f5c560cfcea47934365f5

SHA1
89855f75180cd49c5bdfa2e632fcddb8dd23d3ba

SHA256
12e0ae0432d5135fa2f749102a792605a4aa0f3e9f46cb13019f331f88b478b7

SHA512
ee68b0e14a9332b0d4fde06ab66b9016728f8576b2493650ad2771d1af64906362fa6a226ed53fb43c00f9965940c3ed4efebbe4ac87dfb010b2487cc98de60c

Download Submit
C:\Program Files (x86)\SaveClicker\9iBVMO.dll
Filesize
615KB

MD5
9f0d6a9b64003f8cc28b79fa1faa8dc7

SHA1
0215789269141424a68be4cf74ac83a5ef0ea00e

SHA256
05548a4dd98e8e6e322e1b0185ef405487b14d4a26c4143b8f399374737b93af

SHA512
70bfd44d872ae9d54d8bf85349f6ada797af2105da066c3afcb92ae5bd2c82b42bdb4f24fbe495a4b0d9a776f491972fabde7862e27416a19c7b1fdd651a2895

Download Submit
C:\Program Files (x86)\SaveClicker\9iBVMO.tlb
Filesize
3KB

MD5
af1f269c3d74370cd975f822f6043553

SHA1
52bcd6830319eaee82b5d64ef8b9093bbdf05494

SHA256
91392c65b78c0edca152c84156c3eae84487b28a07325ef5b6b5ce2c2acafb65

SHA512
9354e72315d050cdda03e5ec39f15c4f500c6c7ba84ece31e389fd4cf752652d176e5415c6a51622ec625e94b613327d7ac2022350ed32388c82238f8f368d26

Download Submit
C:\Program Files (x86)\SaveClicker\9iBVMO.x64.dll
Filesize
695KB

MD5
7921a9d3c2356ea0c385dabb37afdb41

SHA1
c484e58b96f93aa899976f059868e47fd9fa5121

SHA256
baab2876aa27b66a98be1b2dd95a358f33787e6973092fb5496f0557b547ff8f

SHA512
191051bb6dcd5d40865153159fc922501080970571d58a54adfce923520c23bf232ff3568bd8b835cb0cd7ff074f1469db8c369d625d35b8454ad45e6d4cb3c9

Download Submit
C:\Program Files (x86)\SaveClicker\9iBVMO.x64.dll
Filesize
695KB

MD5
7921a9d3c2356ea0c385dabb37afdb41

SHA1
c484e58b96f93aa899976f059868e47fd9fa5121

SHA256
baab2876aa27b66a98be1b2dd95a358f33787e6973092fb5496f0557b547ff8f

SHA512
191051bb6dcd5d40865153159fc922501080970571d58a54adfce923520c23bf232ff3568bd8b835cb0cd7ff074f1469db8c369d625d35b8454ad45e6d4cb3c9

Download Submit
C:\Program Files (x86)\SaveClicker\9iBVMO.x64.dll
Filesize
695KB

MD5
7921a9d3c2356ea0c385dabb37afdb41

SHA1
c484e58b96f93aa899976f059868e47fd9fa5121

SHA256
baab2876aa27b66a98be1b2dd95a358f33787e6973092fb5496f0557b547ff8f

SHA512
191051bb6dcd5d40865153159fc922501080970571d58a54adfce923520c23bf232ff3568bd8b835cb0cd7ff074f1469db8c369d625d35b8454ad45e6d4cb3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\24ab4bd6\9iBVMO.dll
Filesize
615KB

MD5
9f0d6a9b64003f8cc28b79fa1faa8dc7

SHA1
0215789269141424a68be4cf74ac83a5ef0ea00e

SHA256
05548a4dd98e8e6e322e1b0185ef405487b14d4a26c4143b8f399374737b93af

SHA512
70bfd44d872ae9d54d8bf85349f6ada797af2105da066c3afcb92ae5bd2c82b42bdb4f24fbe495a4b0d9a776f491972fabde7862e27416a19c7b1fdd651a2895

Download Submit
C:\Users\Admin\AppData\Local\Temp\24ab4bd6\9iBVMO.tlb
Filesize
3KB

MD5
af1f269c3d74370cd975f822f6043553

SHA1
52bcd6830319eaee82b5d64ef8b9093bbdf05494

SHA256
91392c65b78c0edca152c84156c3eae84487b28a07325ef5b6b5ce2c2acafb65

SHA512
9354e72315d050cdda03e5ec39f15c4f500c6c7ba84ece31e389fd4cf752652d176e5415c6a51622ec625e94b613327d7ac2022350ed32388c82238f8f368d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\24ab4bd6\9iBVMO.x64.dll
Filesize
695KB

MD5
7921a9d3c2356ea0c385dabb37afdb41

SHA1
c484e58b96f93aa899976f059868e47fd9fa5121

SHA256
baab2876aa27b66a98be1b2dd95a358f33787e6973092fb5496f0557b547ff8f

SHA512
191051bb6dcd5d40865153159fc922501080970571d58a54adfce923520c23bf232ff3568bd8b835cb0cd7ff074f1469db8c369d625d35b8454ad45e6d4cb3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\24ab4bd6\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\24ab4bd6\[email protected]\chrome.manifest
Filesize
27B

MD5
bd931b022aa806e188fb0f7ebd496878

SHA1
c69d11c69a00ec400494310c425774657b42de48

SHA256
cd1b1aa9c29c73a6537b2edb9b8f51a4626b2e43ec830fd2d3c882792af0b2a8

SHA512
8f0351af4b9fd3831e54ac0aaff0887efb199554ebd0945e9d45d3bae8de4b9d70cb1d52483e53ce7d2b22e1af03d680bb79f5d110c2ca4a9a3e68a153e84571

Download Submit
C:\Users\Admin\AppData\Local\Temp\24ab4bd6\[email protected]\content\bg.js
Filesize
7KB

MD5
ef9740f23273bb5c1fcfc36a13365963

SHA1
9f3cefe1f49cac71634e33538043357990f19230

SHA256
bd53bd3f19a283d2948920a25f0c2229edc264242edbc7daa450863b00380800

SHA512
e495d1bb5112eec8ba31cb15b7f1925d7010a4f1c2c49bd594fd5612baf2d045a52e9ff7ad8c382ca48557c10614cfe2186425d1625c6af2ad1c30fecac0ff5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\24ab4bd6\[email protected]\install.rdf
Filesize
605B

MD5
39dfabfc4f48bed92063c7c1c1314f34

SHA1
13e6373bb462d2c6898302ff8bfc065cbab574b2

SHA256
5035b9d5ae3fcc9dc72f5c6b760acd7190577ade96ababc963f8c03e29cba2e8

SHA512
5fd421220f9130b0bc21bd078b14bf40cd4f89dfde8f61770dc803aa8b22d3ec8e2cb68df69506d3ec90abca529937eda450940951ade16e9ab240dba4991213

Download Submit
C:\Users\Admin\AppData\Local\Temp\24ab4bd6\iipckhlfckhaffgifbfbjmmpaikahpll\SHyv.js
Filesize
5KB

MD5
967d42981e0e8ab5399affb9ade85bfb

SHA1
7c6b47b0bc4d0786578f2b36725b470f7dca723f

SHA256
cb99e6bdccd5d1342aa0c3bbe475128c5b2219c83c2dc246c71ce8fff902fae8

SHA512
7ca48b5bc7c39483e0aa159f0f499250a60e996d642f29bb85d434f254d3c36ee0a746791c2ba575c3bde867a5418aa10e5fcd55ad7633bef48b67215bd3a86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\24ab4bd6\iipckhlfckhaffgifbfbjmmpaikahpll\background.html
Filesize
141B

MD5
2eed0641b939eff17ab2c9a5638b1394

SHA1
b3d7b5ef8b53d276be0fb3275c1dc494924d62ac

SHA256
be78c9257af4bdc524705fb364cd02b18a3ce198bc028c164e83227293adb448

SHA512
3d078247cf7871195e5624fa2420b3204f578059aa831432b77e08dc0f47b17897634aacad5bd1ceaf96b11a64a9efdaae3699e417c2e7dd931cc1935c06a716

Download Submit
C:\Users\Admin\AppData\Local\Temp\24ab4bd6\iipckhlfckhaffgifbfbjmmpaikahpll\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\24ab4bd6\iipckhlfckhaffgifbfbjmmpaikahpll\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\24ab4bd6\iipckhlfckhaffgifbfbjmmpaikahpll\manifest.json
Filesize
503B

MD5
aa6fc24e028b07a032fbc6f859819dca

SHA1
166f2c578c4f164da313ece0e914e56e053418c2

SHA256
2f026100e6faf41a63ea0c5d289914bfceba28094b32c9a3566a4932b7c71038

SHA512
4f5328b27ace6ec4d786e7369b8a071fedf46f30e0b1d223d8fa9332d1df60914f22b84725e3055c894f027f79f05dd91d47ae5c22bebaad34c0af440f634701

Download Submit
C:\Users\Admin\AppData\Local\Temp\24ab4bd6\x4pPzcF.dat
Filesize
3KB

MD5
02f9aa149e6f5c560cfcea47934365f5

SHA1
89855f75180cd49c5bdfa2e632fcddb8dd23d3ba

SHA256
12e0ae0432d5135fa2f749102a792605a4aa0f3e9f46cb13019f331f88b478b7

SHA512
ee68b0e14a9332b0d4fde06ab66b9016728f8576b2493650ad2771d1af64906362fa6a226ed53fb43c00f9965940c3ed4efebbe4ac87dfb010b2487cc98de60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\24ab4bd6\x4pPzcF.exe
Filesize
613KB

MD5
ba176cd9159ea4bbd73061fee73f4484

SHA1
1f82073c585bf3340b8b6deefdfd356908561f9a

SHA256
9f570df19c8ed334e35c10bb79330d15e57648376852f13ca9373b254c6b3e26

SHA512
a4fc9337805750cb04d6686635fcb2016e23b5437c40284ef321da9bc703b26ff18e3fb7a070498a3032e189e223a576855cd293d09c292aa26b7541787df57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\24ab4bd6\x4pPzcF.exe
Filesize
613KB

MD5
ba176cd9159ea4bbd73061fee73f4484

SHA1
1f82073c585bf3340b8b6deefdfd356908561f9a

SHA256
9f570df19c8ed334e35c10bb79330d15e57648376852f13ca9373b254c6b3e26

SHA512
a4fc9337805750cb04d6686635fcb2016e23b5437c40284ef321da9bc703b26ff18e3fb7a070498a3032e189e223a576855cd293d09c292aa26b7541787df57b

Download Submit
memory/2068-152-0x0000000000000000-mapping.dmp

Download
memory/4768-149-0x0000000000000000-mapping.dmp

Download
memory/4868-132-0x0000000000000000-mapping.dmp

Download