2a5fc40f055118d4d51942a15f6d53bc4d6f11781f97f5d5ec96a2e2546fef8d

Analysis

max time kernel
139s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a5fc40f055118d4d51942a15f6d53bc4d6f11781f97f5d5ec96a2e2546fef8d.exe
Size

2.1MB
MD5

e5effd8912fe4f9840da1e853f42d8f0
SHA1

b78f51bcb68a38b6b6c4ec1d444a38d8fe61125b
SHA256

2a5fc40f055118d4d51942a15f6d53bc4d6f11781f97f5d5ec96a2e2546fef8d
SHA512

c3daf6b05af7fb2a17a76475d65c534d0b670fea27cf561e2f2b91569ab3d3947f50d2929d91fa001318f9ba1d5760f555f4165da43b1c14f3543af3b4c486fd
SSDEEP

49152:EoGJzjpzE3iqXD3aQDJLPSiffStg6XLNNNIq+9yCy2rC6GpSq3Ij2tm:ES5XD3FZSiHeb3NQoCy2rrGZ1m

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

9_SlS.exe

pid process

3612 9_SlS.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\InprocServer32\ = "C:\\Program Files (x86)\\SaveClicker\\onEq.x64.dll"	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

9_SlS.exeregsvr32.exeregsvr32.exe

pid process

3612 9_SlS.exe
1192 regsvr32.exe
3092 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

9_SlS.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\iijmkbeliinpmmieilbkkpnaclpcimec\2.1\manifest.json	9_SlS.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\iijmkbeliinpmmieilbkkpnaclpcimec\2.1\manifest.json	9_SlS.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\iijmkbeliinpmmieilbkkpnaclpcimec\2.1\manifest.json	9_SlS.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\iijmkbeliinpmmieilbkkpnaclpcimec\2.1\manifest.json	9_SlS.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\iijmkbeliinpmmieilbkkpnaclpcimec\2.1\manifest.json	9_SlS.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

9_SlS.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\ = "SaveClicker"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\ = "SaveClicker"	9_SlS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\NoExplorer = "1"	9_SlS.exe

Drops file in System32 directory 4 IoCs

Processes:

9_SlS.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	9_SlS.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	9_SlS.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	9_SlS.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	9_SlS.exe

Drops file in Program Files directory 8 IoCs

Processes:

9_SlS.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\SaveClicker\onEq.tlb	9_SlS.exe
File created	C:\Program Files (x86)\SaveClicker\onEq.dat	9_SlS.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\onEq.dat	9_SlS.exe
File created	C:\Program Files (x86)\SaveClicker\onEq.x64.dll	9_SlS.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\onEq.x64.dll	9_SlS.exe
File created	C:\Program Files (x86)\SaveClicker\onEq.dll	9_SlS.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\onEq.dll	9_SlS.exe
File created	C:\Program Files (x86)\SaveClicker\onEq.tlb	9_SlS.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

9_SlS.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	9_SlS.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}	9_SlS.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}	9_SlS.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	9_SlS.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe9_SlS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1\ = "SaveClicker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\InprocServer32\ = "C:\\Program Files (x86)\\SaveClicker\\onEq.x64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\InprocServer32	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	9_SlS.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CLSID	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\SaveClicker"	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CLSID\ = "{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CurVer\ = "SaveClicker.2.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CurVer\ = "SaveClicker.2.1"	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\ProgID	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\ = "SaveClicker"	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\InprocServer32	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1\CLSID	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\Programmable	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\InprocServer32\ThreadingModel = "Apartment"	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\ProgID\ = "SaveClicker.2.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CurVer	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\VersionIndependentProgID\ = "SaveClicker"	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\InprocServer32\ = "C:\\Program Files (x86)\\SaveClicker\\onEq.dll"	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\SaveClicker\\onEq.tlb"	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	9_SlS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1\ = "SaveClicker"	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1\CLSID\ = "{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}"	9_SlS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7}\ProgID\ = "SaveClicker.2.1"	9_SlS.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

9_SlS.exe

pid	process
3612	9_SlS.exe
3612	9_SlS.exe
3612	9_SlS.exe
3612	9_SlS.exe
3612	9_SlS.exe
3612	9_SlS.exe
3612	9_SlS.exe
3612	9_SlS.exe
3612	9_SlS.exe
3612	9_SlS.exe
3612	9_SlS.exe
3612	9_SlS.exe
3612	9_SlS.exe
3612	9_SlS.exe
3612	9_SlS.exe
3612	9_SlS.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

9_SlS.exe

description	pid	process
Token: SeDebugPrivilege	3612	9_SlS.exe
Token: SeDebugPrivilege	3612	9_SlS.exe
Token: SeDebugPrivilege	3612	9_SlS.exe
Token: SeDebugPrivilege	3612	9_SlS.exe
Token: SeDebugPrivilege	3612	9_SlS.exe
Token: SeDebugPrivilege	3612	9_SlS.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2a5fc40f055118d4d51942a15f6d53bc4d6f11781f97f5d5ec96a2e2546fef8d.exe9_SlS.exeregsvr32.exe

description	pid	process	target process
PID 4076 wrote to memory of 3612	4076	2a5fc40f055118d4d51942a15f6d53bc4d6f11781f97f5d5ec96a2e2546fef8d.exe	9_SlS.exe
PID 4076 wrote to memory of 3612	4076	2a5fc40f055118d4d51942a15f6d53bc4d6f11781f97f5d5ec96a2e2546fef8d.exe	9_SlS.exe
PID 4076 wrote to memory of 3612	4076	2a5fc40f055118d4d51942a15f6d53bc4d6f11781f97f5d5ec96a2e2546fef8d.exe	9_SlS.exe
PID 3612 wrote to memory of 1192	3612	9_SlS.exe	regsvr32.exe
PID 3612 wrote to memory of 1192	3612	9_SlS.exe	regsvr32.exe
PID 3612 wrote to memory of 1192	3612	9_SlS.exe	regsvr32.exe
PID 1192 wrote to memory of 3092	1192	regsvr32.exe	regsvr32.exe
PID 1192 wrote to memory of 3092	1192	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

9_SlS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{E443E121-BEA0-3BE1-3A8E-B45B5F8589C7} = "1"	9_SlS.exe

C:\Users\Admin\AppData\Local\Temp\2a5fc40f055118d4d51942a15f6d53bc4d6f11781f97f5d5ec96a2e2546fef8d.exe
"C:\Users\Admin\AppData\Local\Temp\2a5fc40f055118d4d51942a15f6d53bc4d6f11781f97f5d5ec96a2e2546fef8d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\AppData\Local\Temp\1f3d6619\9_SlS.exe
"C:\Users\Admin\AppData\Local\Temp/1f3d6619/9_SlS.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3612

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\SaveClicker\onEq.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\SaveClicker\onEq.x64.dll"
4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:3092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SaveClicker\onEq.dat
Filesize
4KB

MD5
ee443d6fcf5744bf7b7ced6714205f12

SHA1
8f3e26f2cc3020a81328250d8971c8eaba7d85af

SHA256
972b19effebf4637a5909d44d102a0ffb34894f96caaa7287f0ec06159c96781

SHA512
9853cffe35dd4872775cacf2d6f474f3c37206139d0b929e210d4df6cd89a8931c502b853ee6f1e3d14cb3fcfdab59902cb6266de2fe5af6a38459050db3da3d

Download Submit
C:\Program Files (x86)\SaveClicker\onEq.dll
Filesize
614KB

MD5
7a6503afb25c45f108cc25779df13240

SHA1
cd11e0566111c914bd321a01b2846304a81ffc45

SHA256
7543599a23dc137b6ec12aa93de68f214462f3ab59621c8249d844324d855b73

SHA512
33245cc86e9ac88a0ee1f4981e6d9063a9804692312741ba3e473abb594a6a33ddd3ccc9379ef899cda3520038e086cd9904722740edc8cfce634f91bae21824

Download Submit
C:\Program Files (x86)\SaveClicker\onEq.tlb
Filesize
3KB

MD5
194bbaecc44b458f945e60916c93198a

SHA1
3441cf65288def3cd82bd5f89c7b515d7baa8e84

SHA256
3389de10b4693194b58d55d4ada35ece9eb0215f7359bb4aa352168bbb9eec54

SHA512
b3c5e44ffb0c9100bac1a59a22111aa2eb220f23ca314558b602fc24bf95a8dd170853dc22fdcdb4f07661069fd8fd4897949c39b0c1281d37f1aee7b62821d8

Download Submit
C:\Program Files (x86)\SaveClicker\onEq.x64.dll
Filesize
692KB

MD5
ef226cfa8c9914027b5346886c1ca86a

SHA1
772bbc213bcf59627addabc2ae732a03f7e14df0

SHA256
e5cf829308d2be84d208756e6e2b4bcc2a8803be77570127541eb1d776a666c9

SHA512
33e78d357d3a609c5cebbc1e8ce18844e87fe3e5e9cd6c12e65e56f91e66c130e827b5e43ec7b8cde0a4e8d2738f9652ae1f6898fbf416ae42b3ac4c98c959f6

Download Submit
C:\Program Files (x86)\SaveClicker\onEq.x64.dll
Filesize
692KB

MD5
ef226cfa8c9914027b5346886c1ca86a

SHA1
772bbc213bcf59627addabc2ae732a03f7e14df0

SHA256
e5cf829308d2be84d208756e6e2b4bcc2a8803be77570127541eb1d776a666c9

SHA512
33e78d357d3a609c5cebbc1e8ce18844e87fe3e5e9cd6c12e65e56f91e66c130e827b5e43ec7b8cde0a4e8d2738f9652ae1f6898fbf416ae42b3ac4c98c959f6

Download Submit
C:\Program Files (x86)\SaveClicker\onEq.x64.dll
Filesize
692KB

MD5
ef226cfa8c9914027b5346886c1ca86a

SHA1
772bbc213bcf59627addabc2ae732a03f7e14df0

SHA256
e5cf829308d2be84d208756e6e2b4bcc2a8803be77570127541eb1d776a666c9

SHA512
33e78d357d3a609c5cebbc1e8ce18844e87fe3e5e9cd6c12e65e56f91e66c130e827b5e43ec7b8cde0a4e8d2738f9652ae1f6898fbf416ae42b3ac4c98c959f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f3d6619\9_SlS.dat
Filesize
4KB

MD5
ee443d6fcf5744bf7b7ced6714205f12

SHA1
8f3e26f2cc3020a81328250d8971c8eaba7d85af

SHA256
972b19effebf4637a5909d44d102a0ffb34894f96caaa7287f0ec06159c96781

SHA512
9853cffe35dd4872775cacf2d6f474f3c37206139d0b929e210d4df6cd89a8931c502b853ee6f1e3d14cb3fcfdab59902cb6266de2fe5af6a38459050db3da3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f3d6619\9_SlS.exe
Filesize
639KB

MD5
cf1e1f637f92c99cdfb2dcf389da002a

SHA1
dde6bcf86d6886a06f9fb2c1ed93f385b73f1274

SHA256
b690220cd82fae4c41a446f2d2c91dca168885c30369ea44079474dafdc0b761

SHA512
a3fb73207e2dabea84483a320755545bb62cfca0130cab34498d85bc6cf0c00612b47631018c314eeb6f2f65fe93f5ebcdfed699c7efb0debcc6e1560e152f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f3d6619\9_SlS.exe
Filesize
639KB

MD5
cf1e1f637f92c99cdfb2dcf389da002a

SHA1
dde6bcf86d6886a06f9fb2c1ed93f385b73f1274

SHA256
b690220cd82fae4c41a446f2d2c91dca168885c30369ea44079474dafdc0b761

SHA512
a3fb73207e2dabea84483a320755545bb62cfca0130cab34498d85bc6cf0c00612b47631018c314eeb6f2f65fe93f5ebcdfed699c7efb0debcc6e1560e152f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f3d6619\iijmkbeliinpmmieilbkkpnaclpcimec\PTSO.js
Filesize
5KB

MD5
b9b5870b7e9d201fc3b3b7a7e702a2c0

SHA1
64b26db884b96f1755517ed0339e24df89fc3f33

SHA256
55322d4671161b16de5f062bf83014236c6a26efd9e487c87b0fdb3427ff80f9

SHA512
e187ab327a16b345bdac32f50f9e4e48ae0015e3e7ff2ef30248e9b15a64d11d2beb9e8063fd9fcb424a3b28aaa8019fde5cc6ea45c4a43779cc53a990b0f35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f3d6619\iijmkbeliinpmmieilbkkpnaclpcimec\background.html
Filesize
141B

MD5
9d7cb9b02fe464aabe1698326e38bdf9

SHA1
bb4e642fc14a2db7a74c12082564632629aa00e8

SHA256
8dcdb892a54d9acd46f30601ac7119deb14a4fba25dd52c8ef4cd7759d2a380f

SHA512
cd8645fc4c013870de2ac74c1c73005a56df7df4b3b1a1a47bcc283ebe7ab17c490180dd9d2f46d7058f0a88be8588c30bbe2171a9988412853de48e5f137757

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f3d6619\iijmkbeliinpmmieilbkkpnaclpcimec\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f3d6619\iijmkbeliinpmmieilbkkpnaclpcimec\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f3d6619\iijmkbeliinpmmieilbkkpnaclpcimec\manifest.json
Filesize
503B

MD5
aa6fc24e028b07a032fbc6f859819dca

SHA1
166f2c578c4f164da313ece0e914e56e053418c2

SHA256
2f026100e6faf41a63ea0c5d289914bfceba28094b32c9a3566a4932b7c71038

SHA512
4f5328b27ace6ec4d786e7369b8a071fedf46f30e0b1d223d8fa9332d1df60914f22b84725e3055c894f027f79f05dd91d47ae5c22bebaad34c0af440f634701

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f3d6619\onEq.dll
Filesize
614KB

MD5
7a6503afb25c45f108cc25779df13240

SHA1
cd11e0566111c914bd321a01b2846304a81ffc45

SHA256
7543599a23dc137b6ec12aa93de68f214462f3ab59621c8249d844324d855b73

SHA512
33245cc86e9ac88a0ee1f4981e6d9063a9804692312741ba3e473abb594a6a33ddd3ccc9379ef899cda3520038e086cd9904722740edc8cfce634f91bae21824

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f3d6619\onEq.tlb
Filesize
3KB

MD5
194bbaecc44b458f945e60916c93198a

SHA1
3441cf65288def3cd82bd5f89c7b515d7baa8e84

SHA256
3389de10b4693194b58d55d4ada35ece9eb0215f7359bb4aa352168bbb9eec54

SHA512
b3c5e44ffb0c9100bac1a59a22111aa2eb220f23ca314558b602fc24bf95a8dd170853dc22fdcdb4f07661069fd8fd4897949c39b0c1281d37f1aee7b62821d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f3d6619\onEq.x64.dll
Filesize
692KB

MD5
ef226cfa8c9914027b5346886c1ca86a

SHA1
772bbc213bcf59627addabc2ae732a03f7e14df0

SHA256
e5cf829308d2be84d208756e6e2b4bcc2a8803be77570127541eb1d776a666c9

SHA512
33e78d357d3a609c5cebbc1e8ce18844e87fe3e5e9cd6c12e65e56f91e66c130e827b5e43ec7b8cde0a4e8d2738f9652ae1f6898fbf416ae42b3ac4c98c959f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f3d6619\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f3d6619\[email protected]\chrome.manifest
Filesize
25B

MD5
e9caab266cb2e7c16daeaad97a622eef

SHA1
47a12377dde15e0860ede82b316c32e63e3107bf

SHA256
bd43a41e12e08a61fc59f5b20bc2558aa6f2d2f3ef2960676ae04ececbe55740

SHA512
bb224a3b2e747cafed0e5c4c28bee28a7855d1c21f756eaf73095ab62fb797ddae9af6977bff9564d29a9aac745c50270832c5057f74a18add58c69032284d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f3d6619\[email protected]\content\bg.js
Filesize
7KB

MD5
94eed0d2abefe3345d30b9fc36135520

SHA1
ab34f65455832fe6b52809d3741974e845bf68be

SHA256
ccc3f0b3262a62e9534f5125792314e07ac78623c346b9ae1a8cc4d6b2fc46e5

SHA512
6ab30b4ea4f4c6b19f7f271992370952e4c4150ef500e47c736e53f48b5006f58e51b65d8595fc86632ed207c8fabb9093571475d6758735fea67be16788eed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f3d6619\[email protected]\install.rdf
Filesize
599B

MD5
4610b54c7760444673c534c735c29f15

SHA1
82e1fdcbd7e7256ff0e81b1be6bac78f9045534b

SHA256
d50821bd25d451999955863e31052499b26d648ded7e4c15cf1c4addce733de4

SHA512
07afcc5195399788215d412b7d42399ff65a570a5b2a9ee0191fbfc159c675eab61ff5bf9d9209d1ca2a072f43dabf717808dfce4792d7d126f0fd85e92ff4bf

Download Submit
memory/1192-149-0x0000000000000000-mapping.dmp

Download
memory/3092-152-0x0000000000000000-mapping.dmp

Download
memory/3612-132-0x0000000000000000-mapping.dmp

Download