Analysis

  • max time kernel
    44s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20220901-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    25-11-2022 07:16

General

  • Target
    acb1630435a7334c0398ad387228b57f25036e99930a8d12fbfe2602b317ac32.exe
  • Size
    3.0MB
  • MD5
    05b9e1d5d3a017140de1f73e8b877e90
  • SHA1
    0c94c09ea02c8cfeab198dfada6f27907a8a1893
  • SHA256
    acb1630435a7334c0398ad387228b57f25036e99930a8d12fbfe2602b317ac32
  • SHA512
    06493b1fa4238f611350da9ffd50d8db9d77e3f353564b04b76bf48b43f7ec00050e0b94ea0178b115913cfe54143e3711cd5d215d03ce4e62e1a3f792c218a8
  • SSDEEP
    49152:ARw6H1AOhKZC6X6PfX58D+F5yJ7xfpR3KOMBl64tXtxO1ChmFat1:owywZVm58wwXfp5K964I1C

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 3 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\acb1630435a7334c0398ad387228b57f25036e99930a8d12fbfe2602b317ac32.exe
    "C:\Users\Admin\AppData\Local\Temp\acb1630435a7334c0398ad387228b57f25036e99930a8d12fbfe2602b317ac32.exe"
    1⤵
    • Loads dropped DLL
    • Drops Chrome extension
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1456
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\SauveClicker\fKyOYFoUdeN4Yh.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\SauveClicker\fKyOYFoUdeN4Yh.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:1508

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\SauveClicker\fKyOYFoUdeN4Yh.dat
    Filesize
    4KB
    MD5
    e92567555663117097e7915ae68c353f
    SHA1
    501e46b72bbe6932a5c77c3b18973d5b81dcdf04
    SHA256
    9fdd5c102df68a3147298effb28e019c74d24313a621706a13f75b9e30110d85
    SHA512
    63b3c03ce6eb88fe7f50cc00ed6a4cffc7fc8bf5097c7900982ceff8e2ca84dd49483d23dd71fc61b0bc4fab9ca13c38da0b25b87298e5e5ed29ba46651b9fe8

  • C:\Program Files (x86)\SauveClicker\fKyOYFoUdeN4Yh.tlb
    Filesize
    3KB
    MD5
    8975ae080c68d5863e475ebe7a1f6d25
    SHA1
    bf8854718a8704708f0683e9a352b373b5274ddc
    SHA256
    19c44cfa1a172d5a04099e8ee72f14f489c2621f605d5fd804f698a55d6a1b1b
    SHA512
    90e030e61e7d5b0bdf8ba3d24026e2ba0615f0d1a0ca22d8e97fcf6631c43e878a90f4bdbf41b2d561c9b3e93cecd89970ef8a53ac03e9d386591b268006cb5a

  • C:\Program Files (x86)\SauveClicker\fKyOYFoUdeN4Yh.x64.dll
    Filesize
    694KB
    MD5
    e9f95f5b361b10a8a380911c5fa141b6
    SHA1
    bf049eede0411d0a4d062f16d609c002dccfbd5a
    SHA256
    6e269e9c4dc3ed8305b4055f52b6fb0631fa18f6df60dcb1dec8ad44b790fa1f
    SHA512
    a1c12856a23210fa75361a6e7c0c7ca2fc8ec4fda1b0187eb7f4f578074af8a208a1958f198c35c529a34ab3ea5691c9f3aa5208838deb5249fe81a3b4e952d1

  • \Program Files (x86)\SauveClicker\fKyOYFoUdeN4Yh.dll
    Filesize
    613KB
    MD5
    08be663045b4c154e774779db71c233d
    SHA1
    12fffa2f8d304aa400edd98b0facd5209d2e70a9
    SHA256
    5aab1d08e4e9943f9e1073fab42c697fc0e390e8597cea073aad7ab56114ef11
    SHA512
    807cfda1ee06ba3550dd9d4c2dc9d329e137f8eba7350dda8b27a473a30c4dfc2e2cc5802cf906794271f5219f636f7e68d2cf491f66440d1ab4933cdca40bc7

  • \Program Files (x86)\SauveClicker\fKyOYFoUdeN4Yh.x64.dll
    Filesize
    694KB
    MD5
    e9f95f5b361b10a8a380911c5fa141b6
    SHA1
    bf049eede0411d0a4d062f16d609c002dccfbd5a
    SHA256
    6e269e9c4dc3ed8305b4055f52b6fb0631fa18f6df60dcb1dec8ad44b790fa1f
    SHA512
    a1c12856a23210fa75361a6e7c0c7ca2fc8ec4fda1b0187eb7f4f578074af8a208a1958f198c35c529a34ab3ea5691c9f3aa5208838deb5249fe81a3b4e952d1

  • memory/1456-54-0x0000000074B51000-0x0000000074B53000-memory.dmp
    Filesize
    8KB
  • memory/1456-55-0x0000000000E20000-0x0000000000EC2000-memory.dmp
    Filesize
    648KB
  • memory/1508-86-0x0000000000000000-mapping.dmp
  • memory/1508-87-0x000007FEFB771000-0x000007FEFB773000-memory.dmp
    Filesize
    8KB
  • memory/1544-82-0x0000000000000000-mapping.dmp