Analysis
- max time kernel: 164s
- max time network: 188s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 16:39
- Static task: static1
- Behavioral task: behavioral1
- Sample: f9f2bd2251695de76cf3b4eae7b4489d7fe2f3f2bc9199a89cab2b0a05bdb879.exe
- Resource: win7-20220812-en
General
- Target: f9f2bd2251695de76cf3b4eae7b4489d7fe2f3f2bc9199a89cab2b0a05bdb879.exe
- Size: 2.5MB
- MD5: d6b826bf9c31ce5f72cc231761fcd315
- SHA1: 846b3fd6bf67763d9c4605e3cc847312fe7cfcca
- SHA256: f9f2bd2251695de76cf3b4eae7b4489d7fe2f3f2bc9199a89cab2b0a05bdb879
- SHA512: 325f4b8cc12117a5d8a3c9e85fa6dc00d602de5caf9a18fd27cdb608d3ec9a803010017707c31d8b6dd85399aee2e10b873b2021b932e423e961ecf60eafec90
- SSDEEP: 49152:h1OsQ+QK3xQpjajXKioFMpYphqd3ArqvFUmEaDxEAxh4UR9TEd:h1OWQCjbKioVg3ArKh40U
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 3096  WhwKbBbqiv2wFti.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    PID 3096  WhwKbBbqiv2wFti.exe
    PID 3728  regsvr32.exe
    PID 3112  regsvr32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension (5 IoCs)
  Process: WhwKbBbqiv2wFti.exe
    File created  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\abajpomkliiekaiimhchipeanjocjfok\2.0\manifest.json
    File created  C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\abajpomkliiekaiimhchipeanjocjfok\2.0\manifest.json
    File created  C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\abajpomkliiekaiimhchipeanjocjfok\2.0\manifest.json
    File created  C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\abajpomkliiekaiimhchipeanjocjfok\2.0\manifest.json
    File created  C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\abajpomkliiekaiimhchipeanjocjfok\2.0\manifest.json
- Installs/modifies Browser Helper Object (2 TTPs, 9 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Description / IoC / Process:
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}  regsvr32.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}  regsvr32.exe
    Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\  regsvr32.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}  WhwKbBbqiv2wFti.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}  WhwKbBbqiv2wFti.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects  WhwKbBbqiv2wFti.exe
    Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\  WhwKbBbqiv2wFti.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}  regsvr32.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects  regsvr32.exe
- Drops file in Program Files directory (8 IoCs)
  Process: WhwKbBbqiv2wFti.exe
    File created                C:\Program Files (x86)\GoSave\zjZS65MrLKnm80.x64.dll
    File opened for modification  C:\Program Files (x86)\GoSave\zjZS65MrLKnm80.x64.dll
    File created                C:\Program Files (x86)\GoSave\zjZS65MrLKnm80.dll
    File opened for modification  C:\Program Files (x86)\GoSave\zjZS65MrLKnm80.dll
    File created                C:\Program Files (x86)\GoSave\zjZS65MrLKnm80.tlb
    File opened for modification  C:\Program Files (x86)\GoSave\zjZS65MrLKnm80.tlb
    File created                C:\Program Files (x86)\GoSave\zjZS65MrLKnm80.dat
    File opened for modification  C:\Program Files (x86)\GoSave\zjZS65MrLKnm80.dat
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID 3096  WhwKbBbqiv2wFti.exe
    PID 3096  WhwKbBbqiv2wFti.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Description / PID / Process / Target process:
    PID 5116 wrote to memory of 3096  f9f2bd2251695de76cf3b4eae7b4489d7fe2f3f2bc9199a89cab2b0a05bdb879.exe -> WhwKbBbqiv2wFti.exe
    PID 5116 wrote to memory of 3096  f9f2bd2251695de76cf3b4eae7b4489d7fe2f3f2bc9199a89cab2b0a05bdb879.exe -> WhwKbBbqiv2wFti.exe
    PID 5116 wrote to memory of 3096  f9f2bd2251695de76cf3b4eae7b4489d7fe2f3f2bc9199a89cab2b0a05bdb879.exe -> WhwKbBbqiv2wFti.exe
    PID 3096 wrote to memory of 3728  WhwKbBbqiv2wFti.exe -> regsvr32.exe
    PID 3096 wrote to memory of 3728  WhwKbBbqiv2wFti.exe -> regsvr32.exe
    PID 3096 wrote to memory of 3728  WhwKbBbqiv2wFti.exe -> regsvr32.exe
    PID 3728 wrote to memory of 3112  regsvr32.exe -> regsvr32.exe
    PID 3728 wrote to memory of 3112  regsvr32.exe -> regsvr32.exe
Processes (process tree; indentation shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\f9f2bd2251695de76cf3b4eae7b4489d7fe2f3f2bc9199a89cab2b0a05bdb879.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f9f2bd2251695de76cf3b4eae7b4489d7fe2f3f2bc9199a89cab2b0a05bdb879.exe"
  PID: 5116
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zS29DF.tmp\WhwKbBbqiv2wFti.exe
    Command line: .\WhwKbBbqiv2wFti.exe
    PID: 3096
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops Chrome extension
    - Installs/modifies Browser Helper Object
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe
      Command line: regsvr32.exe /s "C:\Program Files (x86)\GoSave\zjZS65MrLKnm80.x64.dll"
      PID: 3728
      Signatures:
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\regsvr32.exe
        Command line: /s "C:\Program Files (x86)\GoSave\zjZS65MrLKnm80.x64.dll"
        PID: 3112
        Signatures:
        - Loads dropped DLL
        - Installs/modifies Browser Helper Object
Network
MITRE ATT&CK Enterprise v6
Downloads