Analysis
- max time kernel: 148s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 19:48
Static task: static1
Behavioral task: behavioral1
Sample: c086bddcee50c40ea9725d62e585abea75e27b23f539adf5cef0d16a2b71446f.exe
Resource: win7-20220812-en
General
- Target: c086bddcee50c40ea9725d62e585abea75e27b23f539adf5cef0d16a2b71446f.exe
- Size: 2.5MB
- MD5: af31705f751372ab2a13f50c3dd1dc61
- SHA1: a9dde26d18c5e0cd5f1fb4181315e49465588d7e
- SHA256: c086bddcee50c40ea9725d62e585abea75e27b23f539adf5cef0d16a2b71446f
- SHA512: ba674204c03ea7c95ac8dcb782fec438a345eec191b77faab9d1868507ce27485b0253ce025d7d76d86c5d0953b054760a865295cdf38d885769dad7966bbc58
- SSDEEP: 49152:h1Osc+EEkBK4albTJZ8ON3rXm3QluLa2Dd7DLFuGVqEIfgao:h1O//EwoJNrXiQ2VLao
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    2040  vmptO6KinsVLl0c.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
    2040  vmptO6KinsVLl0c.exe
    1608  regsvr32.exe
    1536  regsvr32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops Chrome extension (5 IoCs)
  Processes (description, ioc, process):
    File created  C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\behkangolfiphppknlmkclmlnhhegnnm\2.0\manifest.json  vmptO6KinsVLl0c.exe
    File created  C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\behkangolfiphppknlmkclmlnhhegnnm\2.0\manifest.json  vmptO6KinsVLl0c.exe
    File created  C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\behkangolfiphppknlmkclmlnhhegnnm\2.0\manifest.json  vmptO6KinsVLl0c.exe
    File created  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\behkangolfiphppknlmkclmlnhhegnnm\2.0\manifest.json  vmptO6KinsVLl0c.exe
    File created  C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\behkangolfiphppknlmkclmlnhhegnnm\2.0\manifest.json  vmptO6KinsVLl0c.exe
- Installs/modifies Browser Helper Object (2 TTPs, 9 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes (description, ioc, process):
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}  vmptO6KinsVLl0c.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}  vmptO6KinsVLl0c.exe
    Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\  vmptO6KinsVLl0c.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}  regsvr32.exe
    Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\  regsvr32.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects  vmptO6KinsVLl0c.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}  regsvr32.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}  regsvr32.exe
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects  regsvr32.exe
- Drops file in Program Files directory (8 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Program Files (x86)\GoSave\74BAwccRKh4htn.tlb  vmptO6KinsVLl0c.exe
    File created  C:\Program Files (x86)\GoSave\74BAwccRKh4htn.dat  vmptO6KinsVLl0c.exe
    File opened for modification  C:\Program Files (x86)\GoSave\74BAwccRKh4htn.dat  vmptO6KinsVLl0c.exe
    File created  C:\Program Files (x86)\GoSave\74BAwccRKh4htn.x64.dll  vmptO6KinsVLl0c.exe
    File opened for modification  C:\Program Files (x86)\GoSave\74BAwccRKh4htn.x64.dll  vmptO6KinsVLl0c.exe
    File created  C:\Program Files (x86)\GoSave\74BAwccRKh4htn.dll  vmptO6KinsVLl0c.exe
    File opened for modification  C:\Program Files (x86)\GoSave\74BAwccRKh4htn.dll  vmptO6KinsVLl0c.exe
    File created  C:\Program Files (x86)\GoSave\74BAwccRKh4htn.tlb  vmptO6KinsVLl0c.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    2040  vmptO6KinsVLl0c.exe
    2040  vmptO6KinsVLl0c.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
    PID 4356 wrote to memory of 2040  4356  c086bddcee50c40ea9725d62e585abea75e27b23f539adf5cef0d16a2b71446f.exe  vmptO6KinsVLl0c.exe
    PID 4356 wrote to memory of 2040  4356  c086bddcee50c40ea9725d62e585abea75e27b23f539adf5cef0d16a2b71446f.exe  vmptO6KinsVLl0c.exe
    PID 4356 wrote to memory of 2040  4356  c086bddcee50c40ea9725d62e585abea75e27b23f539adf5cef0d16a2b71446f.exe  vmptO6KinsVLl0c.exe
    PID 2040 wrote to memory of 1608  2040  vmptO6KinsVLl0c.exe  regsvr32.exe
    PID 2040 wrote to memory of 1608  2040  vmptO6KinsVLl0c.exe  regsvr32.exe
    PID 2040 wrote to memory of 1608  2040  vmptO6KinsVLl0c.exe  regsvr32.exe
    PID 1608 wrote to memory of 1536  1608  regsvr32.exe  regsvr32.exe
    PID 1608 wrote to memory of 1536  1608  regsvr32.exe  regsvr32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c086bddcee50c40ea9725d62e585abea75e27b23f539adf5cef0d16a2b71446f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c086bddcee50c40ea9725d62e585abea75e27b23f539adf5cef0d16a2b71446f.exe"
  PID: 4356
  Signatures:
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zSCBE0.tmp\vmptO6KinsVLl0c.exe
    Command line: .\vmptO6KinsVLl0c.exe
    PID: 2040
    Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops Chrome extension
      - Installs/modifies Browser Helper Object
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe
      Command line: regsvr32.exe /s "C:\Program Files (x86)\GoSave\74BAwccRKh4htn.x64.dll"
      PID: 1608
      Signatures:
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\regsvr32.exe
        Command line: /s "C:\Program Files (x86)\GoSave\74BAwccRKh4htn.x64.dll"
        PID: 1536
        Signatures:
          - Loads dropped DLL
          - Installs/modifies Browser Helper Object
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Program Files (x86)\GoSave\74BAwccRKh4htn.dat
  Filesize: 6KB
  MD5: 796089139a7e3fd8ea60602aadea2444
  SHA1: bfa8a720b142ae1d95529d306b5c8114c85e1fbc
  SHA256: 3050bc26439b5023a5bd0e3ef8b5c7a12e38ddb450857daff9e16ffb54a01b5f
  SHA512: 11d6860f4a8103f9276c380b07329de3c24fddcb66ff1d5cc5e23556309fe7eb6de908d5e3688d6c4f4cc7e02943fcc23e270ca774a9c704181ce48309f7b21e
- C:\Program Files (x86)\GoSave\74BAwccRKh4htn.dll
  Filesize: 745KB
  MD5: d66f0491325da1780176a654178f04fa
  SHA1: 82a3b9ba77ccdf5d009604c1a647bc9958ee99d1
  SHA256: 49e40fabf91f0921d511f49877bdf54ce3f64d4d6d13f7d5b80b4c5e31735f2b
  SHA512: 59b30172dec6241da5af867f1f5f5134999277e82631650df8d41169561d118773e59d6dbbda382c50c53e5f2570ef15842b6c2817dc5869997474accd892ff7
- C:\Program Files (x86)\GoSave\74BAwccRKh4htn.x64.dll
  Filesize: 872KB
  MD5: 07a395356a4b77443ed0b44fe9364b72
  SHA1: 3e2b2f8e382aaee3cf7cb4b909790974776046b6
  SHA256: 43c82740929ffcf37d4455feb782666b1529457d9e3e6a158096f38df51f4f71
  SHA512: b37900ed2063085ed0c7fc2459b0675b64a71739af9692bfa9ce18a831f78de3e439728fde6f4c10df550e2df2a0b5f685418472b8028cf9cbc516385667ccf5
- C:\Users\Admin\AppData\Local\Temp\7zSCBE0.tmp\74BAwccRKh4htn.dll
  Filesize: 745KB
  MD5: d66f0491325da1780176a654178f04fa
  SHA1: 82a3b9ba77ccdf5d009604c1a647bc9958ee99d1
  SHA256: 49e40fabf91f0921d511f49877bdf54ce3f64d4d6d13f7d5b80b4c5e31735f2b
  SHA512: 59b30172dec6241da5af867f1f5f5134999277e82631650df8d41169561d118773e59d6dbbda382c50c53e5f2570ef15842b6c2817dc5869997474accd892ff7
- C:\Users\Admin\AppData\Local\Temp\7zSCBE0.tmp\74BAwccRKh4htn.tlb
  Filesize: 3KB
  MD5: 9a7a72928870ce5593553497de34a50d
  SHA1: b5487d32d9756a0abbb53adde37879c98c8b2fc6
  SHA256: 9c71fec8a21a01269da67595a67e0effe928d3f6eec23c66fead9500e98b9aef
  SHA512: db43372b607aef854e05c9bfa4e0b8faa4ebfbef259755c30192f152a3dc5db273f6d9b54b3afd5f74cf1c9ea920f712d91fb956c3fcea61eb8f1e11c2011f4a
- C:\Users\Admin\AppData\Local\Temp\7zSCBE0.tmp\74BAwccRKh4htn.x64.dll
  Filesize: 872KB
  MD5: 07a395356a4b77443ed0b44fe9364b72
  SHA1: 3e2b2f8e382aaee3cf7cb4b909790974776046b6
  SHA256: 43c82740929ffcf37d4455feb782666b1529457d9e3e6a158096f38df51f4f71
  SHA512: b37900ed2063085ed0c7fc2459b0675b64a71739af9692bfa9ce18a831f78de3e439728fde6f4c10df550e2df2a0b5f685418472b8028cf9cbc516385667ccf5
- C:\Users\Admin\AppData\Local\Temp\7zSCBE0.tmp\[email protected]\bootstrap.js
  Filesize: 2KB
  MD5: df13f711e20e9c80171846d4f2f7ae06
  SHA1: 56d29cda58427efe0e21d3880d39eb1b0ef60bee
  SHA256: 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
  SHA512: 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e
- C:\Users\Admin\AppData\Local\Temp\7zSCBE0.tmp\[email protected]\chrome.manifest
  Filesize: 35B
  MD5: 931ae5fd79fe53e65313822154892cf3
  SHA1: f658a9f80857c94863a5d978f1451fffffa66f55
  SHA256: 2f230ef10d8b90bef6669400634dd6356d0f5ff75552293c6d06e83c85cb5b3d
  SHA512: a932701bf4118f2189a9cc59d867ca62b948ab46c4d445540c3063d196fb7b9e96527075c3bf131a7a9f93445a932f92f9c1068ade1b547878befcbddff297c9
- C:\Users\Admin\AppData\Local\Temp\7zSCBE0.tmp\[email protected]\content\bg.js
  Filesize: 7KB
  MD5: 1ddda19ca77fbed3bc1c547e5eac6710
  SHA1: 665ab6d5e426ce4e44e54b098bfd63114bd2ecbe
  SHA256: 016c26cea39ea71db3334bccafaada10f13912c8814ca7258f454f85e036543a
  SHA512: b4954c6309fcb40dc1cc851300cd67c8ba34d81a44acc79676d05da97c4a41aeeb2a3dbc553bb8ade6ee5d9dd269c082d92eb8bc1abb490d5174bad235795c7b
- C:\Users\Admin\AppData\Local\Temp\7zSCBE0.tmp\[email protected]\install.rdf
  Filesize: 595B
  MD5: 8dec82784bba61aac150aacd3da97147
  SHA1: 4b41013a7d9a5c0babf518b8cb01e93e8bcba79c
  SHA256: 46ef201e8b897125c6475d0370b81efd04359fbbf0b81eb794bed9b5390a51d1
  SHA512: 6f4683be19f327fee2e253c33d99457f4aa6e1b654548be68ecdeb1a9902eb68bd0d1d472c40349eb255384de189d227ddf3c02161cf81a936b85af8c2a47d76
- C:\Users\Admin\AppData\Local\Temp\7zSCBE0.tmp\behkangolfiphppknlmkclmlnhhegnnm\EvootQdY5.js
  Filesize: 5KB
  MD5: 42bfa84d108f34233e8216bd5a4f77c4
  SHA1: 450c35946e04a6492d82576e44f26031881294a4
  SHA256: b2e03742977825d82cb6d4cd25bcc9b26fa5693386d23b8685aab6583373fc89
  SHA512: d65e132f2520f1cb5c50f7f350cbb963f22ff18ce9e5d9c628122c78abf00e812e86327cc00d3616e1e5887439244137f42512921fdcf91dd02985f542637e71
- C:\Users\Admin\AppData\Local\Temp\7zSCBE0.tmp\behkangolfiphppknlmkclmlnhhegnnm\background.html
  Filesize: 146B
  MD5: 113467da9cbd0d4d37a245981ff37287
  SHA1: c43a7cb225e268d1f951552756855939ec5131f9
  SHA256: a26061d7e173cf9248addf6d1861333be1759eea3723c397dc1e29ea6d5a93c6
  SHA512: f2cb3f877e342e7505f68106b5447ad6b31af6e312c81b161b3a8a49525e6d0449b636bbd1881cc20d4d882c554a287f621684b4e7129bc356e4877151220d3b
- C:\Users\Admin\AppData\Local\Temp\7zSCBE0.tmp\behkangolfiphppknlmkclmlnhhegnnm\content.js
  Filesize: 144B
  MD5: fca19198fd8af21016a8b1dec7980002
  SHA1: fd01a47d14004e17a625efe66cc46a06c786cf40
  SHA256: 332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
  SHA512: 60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47
- C:\Users\Admin\AppData\Local\Temp\7zSCBE0.tmp\behkangolfiphppknlmkclmlnhhegnnm\lsdb.js
  Filesize: 531B
  MD5: 36d98318ab2b3b2585a30984db328afb
  SHA1: f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
  SHA256: ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
  SHA512: 6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a
- C:\Users\Admin\AppData\Local\Temp\7zSCBE0.tmp\behkangolfiphppknlmkclmlnhhegnnm\manifest.json
  Filesize: 498B
  MD5: 640199ea4621e34510de919f6a54436f
  SHA1: dc65dbfad02bd2688030bd56ca1cab85917a9937
  SHA256: e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af
  SHA512: d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a
- C:\Users\Admin\AppData\Local\Temp\7zSCBE0.tmp\vmptO6KinsVLl0c.dat
  Filesize: 6KB
  MD5: 796089139a7e3fd8ea60602aadea2444
  SHA1: bfa8a720b142ae1d95529d306b5c8114c85e1fbc
  SHA256: 3050bc26439b5023a5bd0e3ef8b5c7a12e38ddb450857daff9e16ffb54a01b5f
  SHA512: 11d6860f4a8103f9276c380b07329de3c24fddcb66ff1d5cc5e23556309fe7eb6de908d5e3688d6c4f4cc7e02943fcc23e270ca774a9c704181ce48309f7b21e
- C:\Users\Admin\AppData\Local\Temp\7zSCBE0.tmp\vmptO6KinsVLl0c.exe
  Filesize: 789KB
  MD5: 25633a1a9c13fbac717530daba494def
  SHA1: 745ccf13c491297f58fc0968b19b5f03c1999365
  SHA256: 414775c958834ace64105578075f588906e322a645147d4d82fc37a1df216d21
  SHA512: 234f5e055ed377ede53a56d4e374e0f312b6e3ad47f8498c583efd32529216935ca053149b23ca96d0bfce27cdbf5d42711b681712facedd366739ae0c56b089
- memory/1536-152-0x0000000000000000-mapping.dmp
- memory/1608-149-0x0000000000000000-mapping.dmp
- memory/2040-132-0x0000000000000000-mapping.dmp