9cba8a133d5a2bbbed73a121723f317b9fc31c828694f96b381980b91a4968e9

Analysis

max time kernel
41s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cba8a133d5a2bbbed73a121723f317b9fc31c828694f96b381980b91a4968e9.exe
Size

2.0MB
MD5

e0e4b004ccf7e392e6de68d0c472e93d
SHA1

80ad5af31bfd46c113bd2771d47cdd1519fe7e07
SHA256

9cba8a133d5a2bbbed73a121723f317b9fc31c828694f96b381980b91a4968e9
SHA512

6e226bc3c3dccbab6728b8330be913fe453cc3e64154c11585783f826e448a55032ae03417cfaf45a0c8f04d770c36d8b66e57d3650f0010ff9f3477ce2db663
SSDEEP

49152:5k0TqM6y3oEJO1hqziCkZzh5Ooe2ZrfH/wKMpVo:NqGoPSkZzDOoeifH/wV

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

7wWksB7En.exe

pid process

884 7wWksB7En.exe

pid	process
884	7wWksB7En.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\InprocServer32\ = "C:\\Program Files (x86)\\SaveClicker\\ZZ3KAvSt.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\InprocServer32	regsvr32.exe

Loads dropped DLL 4 IoCs

Processes:

9cba8a133d5a2bbbed73a121723f317b9fc31c828694f96b381980b91a4968e9.exe7wWksB7En.exeregsvr32.exeregsvr32.exe

pid process

1812 9cba8a133d5a2bbbed73a121723f317b9fc31c828694f96b381980b91a4968e9.exe
884 7wWksB7En.exe
1712 regsvr32.exe
964 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1812	9cba8a133d5a2bbbed73a121723f317b9fc31c828694f96b381980b91a4968e9.exe
884	7wWksB7En.exe
1712	regsvr32.exe
964	regsvr32.exe

Drops Chrome extension 3 IoCs

Processes:

7wWksB7En.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdibkbbkgbppockfcnneohanfigjjcp\2.1\manifest.json	7wWksB7En.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdibkbbkgbppockfcnneohanfigjjcp\2.1\manifest.json	7wWksB7En.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\akdibkbbkgbppockfcnneohanfigjjcp\2.1\manifest.json	7wWksB7En.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe7wWksB7En.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\ = "SaveClicker"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\ = "SaveClicker"	7wWksB7En.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\NoExplorer = "1"	7wWksB7En.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}	7wWksB7En.exe

Drops file in System32 directory 4 IoCs

Processes:

7wWksB7En.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	7wWksB7En.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	7wWksB7En.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	7wWksB7En.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	7wWksB7En.exe

Drops file in Program Files directory 8 IoCs

Processes:

7wWksB7En.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\SaveClicker\ZZ3KAvSt.dat	7wWksB7En.exe
File created	C:\Program Files (x86)\SaveClicker\ZZ3KAvSt.x64.dll	7wWksB7En.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\ZZ3KAvSt.x64.dll	7wWksB7En.exe
File created	C:\Program Files (x86)\SaveClicker\ZZ3KAvSt.dll	7wWksB7En.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\ZZ3KAvSt.dll	7wWksB7En.exe
File created	C:\Program Files (x86)\SaveClicker\ZZ3KAvSt.tlb	7wWksB7En.exe
File opened for modification	C:\Program Files (x86)\SaveClicker\ZZ3KAvSt.tlb	7wWksB7En.exe
File created	C:\Program Files (x86)\SaveClicker\ZZ3KAvSt.dat	7wWksB7En.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

7wWksB7En.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}	7wWksB7En.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	7wWksB7En.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	7wWksB7En.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}	7wWksB7En.exe

Modifies registry class 64 IoCs

Processes:

7wWksB7En.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1\ = "SaveClicker"	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\ProgID	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1\CLSID\ = "{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}"	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CurVer\ = "SaveClicker.2.1"	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CurVer\ = "SaveClicker.2.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\ProgID\ = "SaveClicker.2.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker.2.1\CLSID\ = "{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\VersionIndependentProgID\ = "SaveClicker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	7wWksB7En.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\ProgID	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\SaveClicker\\ZZ3KAvSt.tlb"	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\SaveClicker"	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\InprocServer32\ = "C:\\Program Files (x86)\\SaveClicker\\ZZ3KAvSt.x64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\Programmable	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\ = "SaveClicker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CLSID	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\Programmable	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\InprocServer32	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	7wWksB7En.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CLSID\ = "{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}"	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\CurVer	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\ = "SaveClicker"	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\Implemented Categories	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6}\ = "SaveClicker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SaveClicker.SaveClicker\ = "SaveClicker"	7wWksB7En.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	7wWksB7En.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

7wWksB7En.exe

pid process

884 7wWksB7En.exe
884 7wWksB7En.exe
884 7wWksB7En.exe
884 7wWksB7En.exe
884 7wWksB7En.exe
884 7wWksB7En.exe
884 7wWksB7En.exe
884 7wWksB7En.exe

pid	process
884	7wWksB7En.exe
884	7wWksB7En.exe
884	7wWksB7En.exe
884	7wWksB7En.exe
884	7wWksB7En.exe
884	7wWksB7En.exe
884	7wWksB7En.exe
884	7wWksB7En.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7wWksB7En.exe

description	pid	process
Token: SeDebugPrivilege	884	7wWksB7En.exe
Token: SeDebugPrivilege	884	7wWksB7En.exe
Token: SeDebugPrivilege	884	7wWksB7En.exe
Token: SeDebugPrivilege	884	7wWksB7En.exe
Token: SeDebugPrivilege	884	7wWksB7En.exe
Token: SeDebugPrivilege	884	7wWksB7En.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

9cba8a133d5a2bbbed73a121723f317b9fc31c828694f96b381980b91a4968e9.exe7wWksB7En.exeregsvr32.exe

description	pid	process	target process
PID 1812 wrote to memory of 884	1812	9cba8a133d5a2bbbed73a121723f317b9fc31c828694f96b381980b91a4968e9.exe	7wWksB7En.exe
PID 1812 wrote to memory of 884	1812	9cba8a133d5a2bbbed73a121723f317b9fc31c828694f96b381980b91a4968e9.exe	7wWksB7En.exe
PID 1812 wrote to memory of 884	1812	9cba8a133d5a2bbbed73a121723f317b9fc31c828694f96b381980b91a4968e9.exe	7wWksB7En.exe
PID 1812 wrote to memory of 884	1812	9cba8a133d5a2bbbed73a121723f317b9fc31c828694f96b381980b91a4968e9.exe	7wWksB7En.exe
PID 884 wrote to memory of 1712	884	7wWksB7En.exe	regsvr32.exe
PID 884 wrote to memory of 1712	884	7wWksB7En.exe	regsvr32.exe
PID 884 wrote to memory of 1712	884	7wWksB7En.exe	regsvr32.exe
PID 884 wrote to memory of 1712	884	7wWksB7En.exe	regsvr32.exe
PID 884 wrote to memory of 1712	884	7wWksB7En.exe	regsvr32.exe
PID 884 wrote to memory of 1712	884	7wWksB7En.exe	regsvr32.exe
PID 884 wrote to memory of 1712	884	7wWksB7En.exe	regsvr32.exe
PID 1712 wrote to memory of 964	1712	regsvr32.exe	regsvr32.exe
PID 1712 wrote to memory of 964	1712	regsvr32.exe	regsvr32.exe
PID 1712 wrote to memory of 964	1712	regsvr32.exe	regsvr32.exe
PID 1712 wrote to memory of 964	1712	regsvr32.exe	regsvr32.exe
PID 1712 wrote to memory of 964	1712	regsvr32.exe	regsvr32.exe
PID 1712 wrote to memory of 964	1712	regsvr32.exe	regsvr32.exe
PID 1712 wrote to memory of 964	1712	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

7wWksB7En.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	7wWksB7En.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{10E529FC-E93A-D8B3-E8A2-DD5B67D074C6} = "1"	7wWksB7En.exe

C:\Users\Admin\AppData\Local\Temp\9cba8a133d5a2bbbed73a121723f317b9fc31c828694f96b381980b91a4968e9.exe
"C:\Users\Admin\AppData\Local\Temp\9cba8a133d5a2bbbed73a121723f317b9fc31c828694f96b381980b91a4968e9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\20c61d7a\7wWksB7En.exe
"C:\Users\Admin\AppData\Local\Temp/20c61d7a/7wWksB7En.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:884

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\SaveClicker\ZZ3KAvSt.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\SaveClicker\ZZ3KAvSt.x64.dll"
4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:964

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SaveClicker\ZZ3KAvSt.dat
Filesize
4KB

MD5
dee31c36f3e1a52de25a12335b9fe5ba

SHA1
5c089b29e78158c572dace3765df345ba4a97c20

SHA256
9431e87e3254745e260c58e6c4d488d7a608755a928ce5ed9e26ff13e7b39c3e

SHA512
df46c9312821993c4d777bab8bb714f5681e5cec405739e0ea52cc0169cb76bf1e006d2ab381458b0545cc9c0866d9d92d13464e86b00fc007df67df633cfed1

Download Submit
C:\Program Files (x86)\SaveClicker\ZZ3KAvSt.tlb
Filesize
3KB

MD5
c3fe366fdd80df31fb51b10ba5844b74

SHA1
ef7ec45e3d8f0c466b0d1ff258ad08cf8537c472

SHA256
3219e6ee8476b58579ca35d16b79b72e078f142a02cabb88c318e9ffd11036cc

SHA512
7b35d8fb0fb3c3d4236a561703a616c77c67229727fcde490c9d160791caf53e4c3c4b8aa4399fc9260db0021716ad51329d187aa154c0fdd699373631136643

Download Submit
C:\Program Files (x86)\SaveClicker\ZZ3KAvSt.x64.dll
Filesize
675KB

MD5
54bea1ed8d787a6aaef927bd42c1d669

SHA1
7d5c1179f08109985c0f63d51f38d2ad79687dcb

SHA256
af312e408ded5c2c0c43e8dfc6ef982860ac1eece0055735446345c34565bf34

SHA512
38e9f2c2a532840fe92b533fd266bfb2a957975ed9199a54659fd227bf7a17b08089d099f550530600c30cfd64786f846762c15bad2d8e99382cd1d78965f5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\20c61d7a\7wWksB7En.dat
Filesize
4KB

MD5
dee31c36f3e1a52de25a12335b9fe5ba

SHA1
5c089b29e78158c572dace3765df345ba4a97c20

SHA256
9431e87e3254745e260c58e6c4d488d7a608755a928ce5ed9e26ff13e7b39c3e

SHA512
df46c9312821993c4d777bab8bb714f5681e5cec405739e0ea52cc0169cb76bf1e006d2ab381458b0545cc9c0866d9d92d13464e86b00fc007df67df633cfed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\20c61d7a\7wWksB7En.exe
Filesize
647KB

MD5
d86ab18b460f573a41eca3cd184b3829

SHA1
3a218c39603ec88e3895c6c15ff859b2e7925f91

SHA256
9ce86e20aaa3e2db7e9760078799cc85f0cabfd488ca9e5f337904bee385e123

SHA512
f287bef76b937f469ceb05ac9627d0f116f8278b236b003f77aa5499af6818e961c019011d1d81163b418809c5ddeb2a26f686ca934e8caeb3d42134f3debc5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\20c61d7a\7wWksB7En.exe
Filesize
647KB

MD5
d86ab18b460f573a41eca3cd184b3829

SHA1
3a218c39603ec88e3895c6c15ff859b2e7925f91

SHA256
9ce86e20aaa3e2db7e9760078799cc85f0cabfd488ca9e5f337904bee385e123

SHA512
f287bef76b937f469ceb05ac9627d0f116f8278b236b003f77aa5499af6818e961c019011d1d81163b418809c5ddeb2a26f686ca934e8caeb3d42134f3debc5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\20c61d7a\ZZ3KAvSt.dll
Filesize
599KB

MD5
ddce2e1419bfc3decdd2cf4e54c24c02

SHA1
4d2d8c5d5e44c12e38447249b4768163bc61138d

SHA256
97ec0fe8f4880541c1a2da5c193cb97ae48a6479d4837ae53477f7ffa4c764a2

SHA512
9323f7dd0756fe03b9cda5f670cb9885d3f2f5e5d8f0eda1a19bbadeac2652fa54501079e3ada7bbe27f9fb9c3db2bf8d0373e7fb5725f050ff75f61d002fe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\20c61d7a\ZZ3KAvSt.tlb
Filesize
3KB

MD5
c3fe366fdd80df31fb51b10ba5844b74

SHA1
ef7ec45e3d8f0c466b0d1ff258ad08cf8537c472

SHA256
3219e6ee8476b58579ca35d16b79b72e078f142a02cabb88c318e9ffd11036cc

SHA512
7b35d8fb0fb3c3d4236a561703a616c77c67229727fcde490c9d160791caf53e4c3c4b8aa4399fc9260db0021716ad51329d187aa154c0fdd699373631136643

Download Submit
C:\Users\Admin\AppData\Local\Temp\20c61d7a\ZZ3KAvSt.x64.dll
Filesize
675KB

MD5
54bea1ed8d787a6aaef927bd42c1d669

SHA1
7d5c1179f08109985c0f63d51f38d2ad79687dcb

SHA256
af312e408ded5c2c0c43e8dfc6ef982860ac1eece0055735446345c34565bf34

SHA512
38e9f2c2a532840fe92b533fd266bfb2a957975ed9199a54659fd227bf7a17b08089d099f550530600c30cfd64786f846762c15bad2d8e99382cd1d78965f5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\20c61d7a\akdibkbbkgbppockfcnneohanfigjjcp\background.html
Filesize
147B

MD5
a6ceb5df33e971be8de1b055c24c1997

SHA1
805a9ee960607fcfd9388298f50b13c94dc630ef

SHA256
4662821384865d30a02ba783ead323fb5ad7e22fe19478b1afa932aa5b140b4e

SHA512
ba1e2bf690b053c7ad3caffa008bf603ee7ae0411d6186afcce348e97e6e5a43c87be009050db15df8f97801f8942c7baf8ccb897f85572b29e100f97f472106

Download Submit
C:\Users\Admin\AppData\Local\Temp\20c61d7a\akdibkbbkgbppockfcnneohanfigjjcp\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\20c61d7a\akdibkbbkgbppockfcnneohanfigjjcp\dZCfIt69ds.js
Filesize
5KB

MD5
30916f70fec33faf3e738b2804bdad94

SHA1
8c1e23154d5fa3503016ad10951c409fb6ffd448

SHA256
2d35df93890d45a8baf6b7ebe98e7d9944a5eb6bf346256037da9dd2bf7f7bc4

SHA512
abf5daa38b678ab6eeedb7498ab8874483f336f1d108a0b7cd50033adc8dc482bdbd804760d600350e4de16f44c8a0a3436c97dfff9e48e78f6e949856da9a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\20c61d7a\akdibkbbkgbppockfcnneohanfigjjcp\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\20c61d7a\akdibkbbkgbppockfcnneohanfigjjcp\manifest.json
Filesize
503B

MD5
aa6fc24e028b07a032fbc6f859819dca

SHA1
166f2c578c4f164da313ece0e914e56e053418c2

SHA256
2f026100e6faf41a63ea0c5d289914bfceba28094b32c9a3566a4932b7c71038

SHA512
4f5328b27ace6ec4d786e7369b8a071fedf46f30e0b1d223d8fa9332d1df60914f22b84725e3055c894f027f79f05dd91d47ae5c22bebaad34c0af440f634701

Download Submit
C:\Users\Admin\AppData\Local\Temp\20c61d7a\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\20c61d7a\[email protected]\chrome.manifest
Filesize
29B

MD5
bb0901b41f9e6f2eb723ab5924a07597

SHA1
53887daee8aa0dc3fd098ebf679f6953fddd3f45

SHA256
f91b0a91b24bc5e6197ea85264b75aa146d3d72779900df1210e9a9f22485747

SHA512
822ff66d09a812bdd19c7fb0ff0955077f10301c70fcfc029e3f12c91edd26f17ba1ccd01281d0651129301c4e0bededdb838d6edb3158ef27ca6055461bd6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\20c61d7a\[email protected]\content\bg.js
Filesize
7KB

MD5
7ee99daff99174abf9ff0c7ce2f8fe94

SHA1
f3bc56586c6cfe8522c5ca0c762aa0e29f40c547

SHA256
a2e1095646b6c630f3b7a4b38c445712de661d751479915bed08f24a487de9e7

SHA512
d2c7c6f0d238487e843cd95e2dfae43f905798ec084562ebd09cdd73b8307fbddf49006eec6308eedfcbd725865c8327b14f63701ec2c8020173361267dd066c

Download Submit
C:\Users\Admin\AppData\Local\Temp\20c61d7a\[email protected]\install.rdf
Filesize
601B

MD5
d25e1666a057ddd0966eb9ff9410a03a

SHA1
e220c89404acb4b49e6a47258302ce671133b5af

SHA256
d49691b3816d783a50715dc1ec6de567a4df4d66ddf3fa7d7af573614a409356

SHA512
b38939fb2553bd0417e210e8d7ba95ead70da10e2a53c6cb50e29354bad396e88408e1fa745172bfc8e3672a90e72f0a3b5928dbeb1df588948bc5dd35b44469

Download Submit
\Program Files (x86)\SaveClicker\ZZ3KAvSt.dll
Filesize
599KB

MD5
ddce2e1419bfc3decdd2cf4e54c24c02

SHA1
4d2d8c5d5e44c12e38447249b4768163bc61138d

SHA256
97ec0fe8f4880541c1a2da5c193cb97ae48a6479d4837ae53477f7ffa4c764a2

SHA512
9323f7dd0756fe03b9cda5f670cb9885d3f2f5e5d8f0eda1a19bbadeac2652fa54501079e3ada7bbe27f9fb9c3db2bf8d0373e7fb5725f050ff75f61d002fe4a

Download Submit
\Program Files (x86)\SaveClicker\ZZ3KAvSt.x64.dll
Filesize
675KB

MD5
54bea1ed8d787a6aaef927bd42c1d669

SHA1
7d5c1179f08109985c0f63d51f38d2ad79687dcb

SHA256
af312e408ded5c2c0c43e8dfc6ef982860ac1eece0055735446345c34565bf34

SHA512
38e9f2c2a532840fe92b533fd266bfb2a957975ed9199a54659fd227bf7a17b08089d099f550530600c30cfd64786f846762c15bad2d8e99382cd1d78965f5f0

Download Submit
\Program Files (x86)\SaveClicker\ZZ3KAvSt.x64.dll
Filesize
675KB

MD5
54bea1ed8d787a6aaef927bd42c1d669

SHA1
7d5c1179f08109985c0f63d51f38d2ad79687dcb

SHA256
af312e408ded5c2c0c43e8dfc6ef982860ac1eece0055735446345c34565bf34

SHA512
38e9f2c2a532840fe92b533fd266bfb2a957975ed9199a54659fd227bf7a17b08089d099f550530600c30cfd64786f846762c15bad2d8e99382cd1d78965f5f0

Download Submit
\Users\Admin\AppData\Local\Temp\20c61d7a\7wWksB7En.exe
Filesize
647KB

MD5
d86ab18b460f573a41eca3cd184b3829

SHA1
3a218c39603ec88e3895c6c15ff859b2e7925f91

SHA256
9ce86e20aaa3e2db7e9760078799cc85f0cabfd488ca9e5f337904bee385e123

SHA512
f287bef76b937f469ceb05ac9627d0f116f8278b236b003f77aa5499af6818e961c019011d1d81163b418809c5ddeb2a26f686ca934e8caeb3d42134f3debc5f

Download Submit
memory/884-56-0x0000000000000000-mapping.dmp

Download
memory/964-77-0x0000000000000000-mapping.dmp

Download
memory/964-78-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

Filesize
8KB

Download
memory/1712-73-0x0000000000000000-mapping.dmp

Download
memory/1812-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads