Analysis
- max time kernel: 92s
- max time network: 29s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 19:33

Static task: static1
Behavioral task: behavioral1
Sample: c51929c72e39559710614b7ffacb4f12df0e29398155937b385b9ce94d765f9e.exe
Resource: win7-20221111-en
General
- Target: c51929c72e39559710614b7ffacb4f12df0e29398155937b385b9ce94d765f9e.exe
- Size: 2.5MB
- MD5: 8bfb4d6f132b4c45163ce277fc8b5c21
- SHA1: b999b928443e88819ddddd4ec1a03b944fdc90a2
- SHA256: c51929c72e39559710614b7ffacb4f12df0e29398155937b385b9ce94d765f9e
- SHA512: c68e2109bb60d351da3bc910e8ae94e3737b42a2bd238a12f98027e807dc734e9c3611bdb2ae2c37d80ac9b1149657ca27b8fbd85800758bc86a04d1d2df0eed
- SSDEEP: 49152:h1OsqsNQH0eNGTTOxTnkSM1XN+QMz3p6bOkAk+YetEW6FOCMwEFhjzdUwX:h1OrH0eNGunkt3+1z3p6iVC0
Malware Config
Signatures

- Executes dropped EXE (1 IoCs)
  Processes: PID 1964 ZiZ5DZCDVRwfOyu.exe

- Loads dropped DLL (4 IoCs)
  Processes: PID 1776 c51929c72e39559710614b7ffacb4f12df0e29398155937b385b9ce94d765f9e.exe; PID 1964 ZiZ5DZCDVRwfOyu.exe; PID 276 regsvr32.exe; PID 516 regsvr32.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Drops Chrome extension (3 IoCs)
  Process: ZiZ5DZCDVRwfOyu.exe
  File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbcafnnpfkojjoiidcgiembdlcdacahj\3.7\manifest.json (ZiZ5DZCDVRwfOyu.exe)
  File created C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbcafnnpfkojjoiidcgiembdlcdacahj\3.7\manifest.json (ZiZ5DZCDVRwfOyu.exe)
  File created C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbcafnnpfkojjoiidcgiembdlcdacahj\3.7\manifest.json (ZiZ5DZCDVRwfOyu.exe)

- Installs/modifies Browser Helper Object (2 TTPs, 11 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes: ZiZ5DZCDVRwfOyu.exe, regsvr32.exe
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (ZiZ5DZCDVRwfOyu.exe)
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} (ZiZ5DZCDVRwfOyu.exe)
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (regsvr32.exe)
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9} (regsvr32.exe)
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (regsvr32.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ (regsvr32.exe)
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (ZiZ5DZCDVRwfOyu.exe)
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects (ZiZ5DZCDVRwfOyu.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\ (ZiZ5DZCDVRwfOyu.exe)
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (regsvr32.exe)
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} (regsvr32.exe)

- Drops file in Program Files directory (8 IoCs)
  Process: ZiZ5DZCDVRwfOyu.exe
  File created C:\Program Files (x86)\websave\wohs460ufErNmC.tlb
  File opened for modification C:\Program Files (x86)\websave\wohs460ufErNmC.tlb
  File created C:\Program Files (x86)\websave\wohs460ufErNmC.dat
  File opened for modification C:\Program Files (x86)\websave\wohs460ufErNmC.dat
  File created C:\Program Files (x86)\websave\wohs460ufErNmC.x64.dll
  File opened for modification C:\Program Files (x86)\websave\wohs460ufErNmC.x64.dll
  File created C:\Program Files (x86)\websave\wohs460ufErNmC.dll
  File opened for modification C:\Program Files (x86)\websave\wohs460ufErNmC.dll

- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: PID 1964 ZiZ5DZCDVRwfOyu.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: c51929c72e39559710614b7ffacb4f12df0e29398155937b385b9ce94d765f9e.exe, ZiZ5DZCDVRwfOyu.exe, regsvr32.exe
  PID 1776 wrote to memory of 1964 (c51929c72e39559710614b7ffacb4f12df0e29398155937b385b9ce94d765f9e.exe -> ZiZ5DZCDVRwfOyu.exe)
  PID 1776 wrote to memory of 1964 (c51929c72e39559710614b7ffacb4f12df0e29398155937b385b9ce94d765f9e.exe -> ZiZ5DZCDVRwfOyu.exe)
  PID 1776 wrote to memory of 1964 (c51929c72e39559710614b7ffacb4f12df0e29398155937b385b9ce94d765f9e.exe -> ZiZ5DZCDVRwfOyu.exe)
  PID 1776 wrote to memory of 1964 (c51929c72e39559710614b7ffacb4f12df0e29398155937b385b9ce94d765f9e.exe -> ZiZ5DZCDVRwfOyu.exe)
  PID 1964 wrote to memory of 276 (ZiZ5DZCDVRwfOyu.exe -> regsvr32.exe)
  PID 1964 wrote to memory of 276 (ZiZ5DZCDVRwfOyu.exe -> regsvr32.exe)
  PID 1964 wrote to memory of 276 (ZiZ5DZCDVRwfOyu.exe -> regsvr32.exe)
  PID 1964 wrote to memory of 276 (ZiZ5DZCDVRwfOyu.exe -> regsvr32.exe)
  PID 1964 wrote to memory of 276 (ZiZ5DZCDVRwfOyu.exe -> regsvr32.exe)
  PID 1964 wrote to memory of 276 (ZiZ5DZCDVRwfOyu.exe -> regsvr32.exe)
  PID 1964 wrote to memory of 276 (ZiZ5DZCDVRwfOyu.exe -> regsvr32.exe)
  PID 276 wrote to memory of 516 (regsvr32.exe -> regsvr32.exe)
  PID 276 wrote to memory of 516 (regsvr32.exe -> regsvr32.exe)
  PID 276 wrote to memory of 516 (regsvr32.exe -> regsvr32.exe)
  PID 276 wrote to memory of 516 (regsvr32.exe -> regsvr32.exe)
  PID 276 wrote to memory of 516 (regsvr32.exe -> regsvr32.exe)
  PID 276 wrote to memory of 516 (regsvr32.exe -> regsvr32.exe)
  PID 276 wrote to memory of 516 (regsvr32.exe -> regsvr32.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\c51929c72e39559710614b7ffacb4f12df0e29398155937b385b9ce94d765f9e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c51929c72e39559710614b7ffacb4f12df0e29398155937b385b9ce94d765f9e.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\7zS732E.tmp\ZiZ5DZCDVRwfOyu.exe
      Command line: .\ZiZ5DZCDVRwfOyu.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops Chrome extension
      - Installs/modifies Browser Helper Object
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\regsvr32.exe
         Command line: regsvr32.exe /s "C:\Program Files (x86)\websave\wohs460ufErNmC.x64.dll"
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\regsvr32.exe
            Command line: /s "C:\Program Files (x86)\websave\wohs460ufErNmC.x64.dll"
            - Loads dropped DLL
            - Installs/modifies Browser Helper Object
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Program Files (x86)\websave\wohs460ufErNmC.dat
  Filesize: 6KB
  MD5: 18bf0e81b08ed344e2e52c65b45c8d8b
  SHA1: d7a4a49a67ca2835849a6b57876a879db9babb24
  SHA256: 159cdb7a75c36bb927ec5989d455a3b65b24e1ec5c6f81d2ea95a5f47cc03910
  SHA512: 079bf5c12711c074d5335b913c8860d038bbe0850346768fd2facd1db8d768f1d96f0335420d2119ea8c469ea3ed7129ac55ffbe0848983776b58385caec88ba

- C:\Program Files (x86)\websave\wohs460ufErNmC.x64.dll
  Filesize: 891KB
  MD5: bef492ffc032769cde00802f48a17fab
  SHA1: a91e733c1269eb785f8e23dc475acac7432f0563
  SHA256: 473507950695ec743b98e5ef4b8970b2c7e6936556903c94f7fa88917265255d
  SHA512: 4f61d5f3a45d20cd00ed7ee6b874bf2dcbf248b8f65dfd8580c7148d6c71c316cace409be675a2ea919e8a12caf8690fafaf14c0f5479df55689401d2432afa0

- C:\Users\Admin\AppData\Local\Temp\7zS732E.tmp\ZiZ5DZCDVRwfOyu.dat
  Filesize: 6KB
  MD5: 18bf0e81b08ed344e2e52c65b45c8d8b
  SHA1: d7a4a49a67ca2835849a6b57876a879db9babb24
  SHA256: 159cdb7a75c36bb927ec5989d455a3b65b24e1ec5c6f81d2ea95a5f47cc03910
  SHA512: 079bf5c12711c074d5335b913c8860d038bbe0850346768fd2facd1db8d768f1d96f0335420d2119ea8c469ea3ed7129ac55ffbe0848983776b58385caec88ba

- C:\Users\Admin\AppData\Local\Temp\7zS732E.tmp\ZiZ5DZCDVRwfOyu.exe
  Filesize: 774KB
  MD5: fac681323e2e0ea322ef16fa551cf1e8
  SHA1: 744f89e591a6ced737cfe9214ce09c263de50211
  SHA256: 537f2df71a2f21f943a39d1c6d093a442e7ee975ed3e29b733b8bc5bf646793c
  SHA512: 22626bd0e79edac062b61d64234f563e3a8218703276a19a0b01749e2cad8387c8bd39bfe13810b787fb9e4c7f1669ea542e36bbf63c7c243fc68bb6fdf5c7b2
- C:\Users\Admin\AppData\Local\Temp\7zS732E.tmp\gbcafnnpfkojjoiidcgiembdlcdacahj\Ch2lbJNa.js
  Filesize: 5KB
  MD5: 9b890818ec1dc7032f700b944d56df2a
  SHA1: aa8f436c7a0a0f13958ce486b623e9c3019f0d96
  SHA256: b6dcd11300e446297f8a404ee1ee81504a83176b6d79acd6153eab1d07fe3e20
  SHA512: 0bee736deb3d50ce5cb2bcf820bb804c3939f37cc6d1c93973685e564c6e4beea558c0e4a8029707349a530a86c8befba50dfb70f74732253e83c756ccfe290e

- C:\Users\Admin\AppData\Local\Temp\7zS732E.tmp\gbcafnnpfkojjoiidcgiembdlcdacahj\background.html
  Filesize: 145B
  MD5: e83d22705f6b7c60a1e4f6d2fe410ea8
  SHA1: d389c995d3ae44636ccf36117b61a1e8305bef43
  SHA256: 74b47bda5508b2a3a12409039b1ebdeffb35d3bd6f81a75d1d7bad06ff5406da
  SHA512: 4a2e5647aec49de9950a0f5e7ef4b5fe469c205017c2c8b2623413c2e92a8b107029d943cdb7bb7e56d10444e173f50dc472bb1b7820bf7efa7c0f65a1d59818

- C:\Users\Admin\AppData\Local\Temp\7zS732E.tmp\gbcafnnpfkojjoiidcgiembdlcdacahj\content.js
  Filesize: 144B
  MD5: fca19198fd8af21016a8b1dec7980002
  SHA1: fd01a47d14004e17a625efe66cc46a06c786cf40
  SHA256: 332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
  SHA512: 60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

- C:\Users\Admin\AppData\Local\Temp\7zS732E.tmp\gbcafnnpfkojjoiidcgiembdlcdacahj\lsdb.js
  Filesize: 531B
  MD5: 36d98318ab2b3b2585a30984db328afb
  SHA1: f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
  SHA256: ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
  SHA512: 6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

- C:\Users\Admin\AppData\Local\Temp\7zS732E.tmp\gbcafnnpfkojjoiidcgiembdlcdacahj\manifest.json
  Filesize: 499B
  MD5: f6da34f727bd43075d13ea3c24cc5faf
  SHA1: 8aede51366d86e39b14718228831c1c198b4355c
  SHA256: 91b8694c1ec2c0408c90ac98e8c40e4c08f1a04365163d44b1507a0d7838d221
  SHA512: 0326e0734db861ce2404f6b338e517ae2ec6c3cf0bdb62764ccd1fa4e710750ecb2622bdb1d45c737bfaf210227b229d8e87d99942088a8ee0ed4ca39c013527

- C:\Users\Admin\AppData\Local\Temp\7zS732E.tmp\[email protected]\bootstrap.js
  Filesize: 2KB
  MD5: df13f711e20e9c80171846d4f2f7ae06
  SHA1: 56d29cda58427efe0e21d3880d39eb1b0ef60bee
  SHA256: 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
  SHA512: 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

- C:\Users\Admin\AppData\Local\Temp\7zS732E.tmp\[email protected]\chrome.manifest
  Filesize: 35B
  MD5: 9e46882a8f23d82ebfe29f32a830b95c
  SHA1: 20b2e241f577295ef85ec7a56b52e589c9e05a01
  SHA256: de79eee2fddda0fef138a3f00e4c4cf8cb915070a2d636227d0c163194749e3c
  SHA512: 7dca0f68b1a9b99065d92a59c3d1b22d9ec1c01d9a75e62583442380953cb3e4b49ec371b96d5409ea007e2a7f74c3091f211ffa423221a291f3579a10741da0

- C:\Users\Admin\AppData\Local\Temp\7zS732E.tmp\[email protected]\content\bg.js
  Filesize: 7KB
  MD5: f1cce27ffd8b5fbb2618b4baf0935a16
  SHA1: 3895b74185542d739a863180f7f3d8095d4ae39a
  SHA256: bc3e2c7a6a60b23c09c9ee0dbc9ec77081c1107c350b187ae78dc504793f6fa4
  SHA512: 186bb29d109c514a57509a700899d3271d95bfb04e714d4effae9f4f0c8299e3a2982163fa68b1976c6ec8eedf1249d9be63381d0d72a8f7b3bb0352f93122da

- C:\Users\Admin\AppData\Local\Temp\7zS732E.tmp\[email protected]\install.rdf
  Filesize: 595B
  MD5: e98dca25ea63ba8d515a25510500984c
  SHA1: 7599b3bf5c4d374b3b61324125a5c4b4e260f069
  SHA256: d84cd20f49c6c9cbffd3652e1da5d5c89e53664aac775eec03f93789322f03ca
  SHA512: c5dcc4f3af47d045846c536247867e1749e670bd9c22926bbed347dd6977092e4a474570fe489098ce8ad4faf0c952a7c548d86d1b3bac9e091012ba0384bcca

- C:\Users\Admin\AppData\Local\Temp\7zS732E.tmp\wohs460ufErNmC.dll
  Filesize: 754KB
  MD5: 0ea14ffbf9bc129f87d5a633ca028a12
  SHA1: c91e00a9d6590556a4c13a46cb6c934f84cf2b2b
  SHA256: 9206058e3e04af4fb8d5c05ae8f088cf0a289ea0e4cd692c4f2d76439adb0d47
  SHA512: 0cfd075335346690ead8c5aef2340b56ce07c59d6243ad102fee0053d64f1a7847e56ba27f5bbcac4048f2c1cf70038e7cdffafe1cc28994603fdd65d2bf7bb2

- C:\Users\Admin\AppData\Local\Temp\7zS732E.tmp\wohs460ufErNmC.tlb
  Filesize: 3KB
  MD5: 4ab2bba691d66beca01f76ac65546fe8
  SHA1: 16f05ce91f3e2fe4b43452e24d56836fc65615af
  SHA256: 12816936003f13a1711de73328e38f311926a4cc9d1a836f46c9ccc02b6fb06f
  SHA512: f034390bfd57618bbfd218c3df9e465dda8f4fa51fc0445c74e246472a4cde2bc0bfe4607cbc8cb31ac0edff62a84e954179fadddc2b644b8726cfa3e01694a2

- C:\Users\Admin\AppData\Local\Temp\7zS732E.tmp\wohs460ufErNmC.x64.dll
  Filesize: 891KB
  MD5: bef492ffc032769cde00802f48a17fab
  SHA1: a91e733c1269eb785f8e23dc475acac7432f0563
  SHA256: 473507950695ec743b98e5ef4b8970b2c7e6936556903c94f7fa88917265255d
  SHA512: 4f61d5f3a45d20cd00ed7ee6b874bf2dcbf248b8f65dfd8580c7148d6c71c316cace409be675a2ea919e8a12caf8690fafaf14c0f5479df55689401d2432afa0

- \Program Files (x86)\websave\wohs460ufErNmC.dll
  Filesize: 754KB
  MD5: 0ea14ffbf9bc129f87d5a633ca028a12
  SHA1: c91e00a9d6590556a4c13a46cb6c934f84cf2b2b
  SHA256: 9206058e3e04af4fb8d5c05ae8f088cf0a289ea0e4cd692c4f2d76439adb0d47
  SHA512: 0cfd075335346690ead8c5aef2340b56ce07c59d6243ad102fee0053d64f1a7847e56ba27f5bbcac4048f2c1cf70038e7cdffafe1cc28994603fdd65d2bf7bb2

- \Program Files (x86)\websave\wohs460ufErNmC.x64.dll
  Filesize: 891KB
  MD5: bef492ffc032769cde00802f48a17fab
  SHA1: a91e733c1269eb785f8e23dc475acac7432f0563
  SHA256: 473507950695ec743b98e5ef4b8970b2c7e6936556903c94f7fa88917265255d
  SHA512: 4f61d5f3a45d20cd00ed7ee6b874bf2dcbf248b8f65dfd8580c7148d6c71c316cace409be675a2ea919e8a12caf8690fafaf14c0f5479df55689401d2432afa0
- \Users\Admin\AppData\Local\Temp\7zS732E.tmp\ZiZ5DZCDVRwfOyu.exe
  Filesize: 774KB
  MD5: fac681323e2e0ea322ef16fa551cf1e8
  SHA1: 744f89e591a6ced737cfe9214ce09c263de50211
  SHA256: 537f2df71a2f21f943a39d1c6d093a442e7ee975ed3e29b733b8bc5bf646793c
  SHA512: 22626bd0e79edac062b61d64234f563e3a8218703276a19a0b01749e2cad8387c8bd39bfe13810b787fb9e4c7f1669ea542e36bbf63c7c243fc68bb6fdf5c7b2

- memory/276-73-0x0000000000000000-mapping.dmp

- memory/516-78-0x000007FEFB5F1000-0x000007FEFB5F3000-memory.dmp
  Filesize: 8KB

- memory/516-77-0x0000000000000000-mapping.dmp

- memory/1776-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB

- memory/1964-56-0x0000000000000000-mapping.dmp