Analysis
- max time kernel: 44s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 19:00

Static task: static1
Behavioral task: behavioral1
Sample: cf0b69e92e81598cd18324826bac7c81e3e0d4628dadd3b4a319bf3684684df9.exe
Resource: win7-20220901-en

General
- Target: cf0b69e92e81598cd18324826bac7c81e3e0d4628dadd3b4a319bf3684684df9.exe
- Size: 2.5MB
- MD5: bcf20538091ad90b5bb2cdb8ca11edc2
- SHA1: 889ab671b6ce642a4a7c83d5d5e8f06541e7b245
- SHA256: cf0b69e92e81598cd18324826bac7c81e3e0d4628dadd3b4a319bf3684684df9
- SHA512: 47b081580d7a0aab660823c278b00c0880cce6f0badf14aec24d6f0bcd3d258587eccd48ce37fa806a0c6d56dbbeb4ea4d9b3c6ac751b6b87f3afcf95aa1073a
- SSDEEP: 49152:h1OsVSQeb71DLvFzAqRmyyVchO4apKHcHhXa3FXWlPC1IS5zf:h1OQSQY1DCqkck4apyLqE
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
- pid 1752: 28RZ320aOn5CpAw.exe

Loads dropped DLL (4 IoCs)
Processes:
- pid 1464: cf0b69e92e81598cd18324826bac7c81e3e0d4628dadd3b4a319bf3684684df9.exe
- pid 1752: 28RZ320aOn5CpAw.exe
- pid 1316: regsvr32.exe
- pid 1472: regsvr32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops Chrome extension (3 IoCs)
Processes (description / IoC / process):
- File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lljlanobcfihpgocmapdpbhiabdnkdee\2.0\manifest.json (28RZ320aOn5CpAw.exe)
- File created: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lljlanobcfihpgocmapdpbhiabdnkdee\2.0\manifest.json (28RZ320aOn5CpAw.exe)
- File created: C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lljlanobcfihpgocmapdpbhiabdnkdee\2.0\manifest.json (28RZ320aOn5CpAw.exe)

Installs/modifies Browser Helper Object (2 TTPs, 11 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes (description / IoC / process):
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9} (regsvr32.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ (regsvr32.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} (regsvr32.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (28RZ320aOn5CpAw.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} (28RZ320aOn5CpAw.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects (28RZ320aOn5CpAw.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\ (28RZ320aOn5CpAw.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (regsvr32.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (regsvr32.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (28RZ320aOn5CpAw.exe)

Drops file in Program Files directory (8 IoCs)
Processes (description / IoC / process):
- File opened for modification: C:\Program Files (x86)\GoSave\kF66QAcRmRHa5l.tlb (28RZ320aOn5CpAw.exe)
- File created: C:\Program Files (x86)\GoSave\kF66QAcRmRHa5l.dat (28RZ320aOn5CpAw.exe)
- File opened for modification: C:\Program Files (x86)\GoSave\kF66QAcRmRHa5l.dat (28RZ320aOn5CpAw.exe)
- File created: C:\Program Files (x86)\GoSave\kF66QAcRmRHa5l.x64.dll (28RZ320aOn5CpAw.exe)
- File opened for modification: C:\Program Files (x86)\GoSave\kF66QAcRmRHa5l.x64.dll (28RZ320aOn5CpAw.exe)
- File created: C:\Program Files (x86)\GoSave\kF66QAcRmRHa5l.dll (28RZ320aOn5CpAw.exe)
- File opened for modification: C:\Program Files (x86)\GoSave\kF66QAcRmRHa5l.dll (28RZ320aOn5CpAw.exe)
- File created: C:\Program Files (x86)\GoSave\kF66QAcRmRHa5l.tlb (28RZ320aOn5CpAw.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
- pid 1752: 28RZ320aOn5CpAw.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes (description / pid / process / target process):
- PID 1464 wrote to memory of 1752: cf0b69e92e81598cd18324826bac7c81e3e0d4628dadd3b4a319bf3684684df9.exe -> 28RZ320aOn5CpAw.exe (4 events)
- PID 1752 wrote to memory of 1316: 28RZ320aOn5CpAw.exe -> regsvr32.exe (7 events)
- PID 1316 wrote to memory of 1472: regsvr32.exe -> regsvr32.exe (7 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\cf0b69e92e81598cd18324826bac7c81e3e0d4628dadd3b4a319bf3684684df9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cf0b69e92e81598cd18324826bac7c81e3e0d4628dadd3b4a319bf3684684df9.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\7zS23E6.tmp\28RZ320aOn5CpAw.exe
      Command line: .\28RZ320aOn5CpAw.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops Chrome extension
      - Installs/modifies Browser Helper Object
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\regsvr32.exe
         Command line: regsvr32.exe /s "C:\Program Files (x86)\GoSave\kF66QAcRmRHa5l.x64.dll"
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\regsvr32.exe
            Command line: /s "C:\Program Files (x86)\GoSave\kF66QAcRmRHa5l.x64.dll"
            - Loads dropped DLL
            - Installs/modifies Browser Helper Object
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads