Overview

overview

8

Static

static

c26784d1c8...a7.exe

windows7-x64

8

c26784d1c8...a7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    66s
  • max time network
    68s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25/11/2022, 13:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c26784d1c853fff5177bce854dc0167c65e6e09f22746c604bc6be5f39e5d3a7.exe

  • Size

    2.7MB

  • MD5

    3434822ba5c6baac5d4d21fc597459ef

  • SHA1

    66bec51022cd4b8561be78bafd3e46298be4ee43

  • SHA256

    c26784d1c853fff5177bce854dc0167c65e6e09f22746c604bc6be5f39e5d3a7

  • SHA512

    bc959abf2cea1154508e81fa71b97e896a38e6e22f629c3f79dc7a7c4e5dc37d97b8884673c7fc7957bb5620a138372ab13b286c7a76a199a66698d611fcc5ba

  • SSDEEP

    49152:UNncBswipQo/bDGT+TDN8c3uKjETvjrK6oVhC+4XJ1ViGyLrs:UNGIX/bD2Cac3uKjErnBoXV4XJGGyLr

Score
8/10
adwarediscoverypersistencespywarestealer

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 3 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\c26784d1c853fff5177bce854dc0167c65e6e09f22746c604bc6be5f39e5d3a7.exe
    "C:\Users\Admin\AppData\Local\Temp\c26784d1c853fff5177bce854dc0167c65e6e09f22746c604bc6be5f39e5d3a7.exe"
    1⤵
    • Loads dropped DLL
    • Drops Chrome extension
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2028
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\SaveClicker\9.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\SaveClicker\9.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:1956

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\SaveClicker\9.dat
    Filesize

    4KB

    MD5

    5290c0b321ceed090c16196db81f9f8f

    SHA1

    5e4892098265c856b8e7d428ad3dc79afab62800

    SHA256

    5270a3a5e01f9b0588488de0fb0affcdfe6700cd044241907470c13b7cda5bab

    SHA512

    74e058ef55c94ec4e94423f5872c46d8cab2a5ed39bec8d9feb29a451c5280c7c7ba5425083f414d6cc2a84f2db41691ab4b7dc296144891e2304e30db04d72f

    Download Submit

  • C:\Program Files (x86)\SaveClicker\9.tlb
    Filesize

    3KB

    MD5

    a427d4cc85a7d2e62e97c234e6304597

    SHA1

    6ba1d3b846cbe67daa07caded3a46da7f9c4ee91

    SHA256

    2e39d21ac98c29add9b0a98c317c728094f063b95d9a3700f22c16d2b8ab628f

    SHA512

    2b45da0a4cd9d537781f05457cf9c352fa28eaddd3ab8fe29568968a54bf5c98d49a8afade0446faac763f8899f478a3be3e4718b57454f93a91ed009efe343f

    Download Submit

  • C:\Program Files (x86)\SaveClicker\9.x64.dll
    Filesize

    582KB

    MD5

    4df8c9f68762b3ccec4c0be60c087164

    SHA1

    35bc9fb6184f60258d8244c4356edbac97f92165

    SHA256

    1873e3d4010599c081d32901bedf7fe17c7e9b36d5b72eb7d50443cbf73ae261

    SHA512

    2e93b40580b97f846b95b7440607d0db3bf1592ec8e669ba1f3cd71f4e190037686c74fe59a17161f77209b52169c054cb25c4822e7af235048e2da3e08ad8d9

    Download Submit

  • \Program Files (x86)\SaveClicker\9.dll
    Filesize

    540KB

    MD5

    b52317f9d1842c7ba1437645cf55c35d

    SHA1

    0a736d5ffc92b620ea2dbcb7cd0ae79069126035

    SHA256

    3ae7393a21db5c1b7697360cb1b9a53e934721fd79aa02eadd9ec5ad600cc5ec

    SHA512

    6bd84fd8f9b617dbfa2d3984c42789dc89a4d4f520cd684f74fc32030b69c50a3aadc3123990d0625c55578dd510be50cd6ac7593bdb52677b0b70400f6ec2bd

    Download Submit

  • \Program Files (x86)\SaveClicker\9.x64.dll
    Filesize

    582KB

    MD5

    4df8c9f68762b3ccec4c0be60c087164

    SHA1

    35bc9fb6184f60258d8244c4356edbac97f92165

    SHA256

    1873e3d4010599c081d32901bedf7fe17c7e9b36d5b72eb7d50443cbf73ae261

    SHA512

    2e93b40580b97f846b95b7440607d0db3bf1592ec8e669ba1f3cd71f4e190037686c74fe59a17161f77209b52169c054cb25c4822e7af235048e2da3e08ad8d9

    Download Submit

  • \Program Files (x86)\SaveClicker\9.x64.dll
    Filesize

    582KB

    MD5

    4df8c9f68762b3ccec4c0be60c087164

    SHA1

    35bc9fb6184f60258d8244c4356edbac97f92165

    SHA256

    1873e3d4010599c081d32901bedf7fe17c7e9b36d5b72eb7d50443cbf73ae261

    SHA512

    2e93b40580b97f846b95b7440607d0db3bf1592ec8e669ba1f3cd71f4e190037686c74fe59a17161f77209b52169c054cb25c4822e7af235048e2da3e08ad8d9

    Download Submit

  • memory/1956-81-0x000007FEFC241000-0x000007FEFC243000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2028-64-0x0000000000732000-0x0000000000736000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2028-66-0x0000000000732000-0x0000000000736000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2028-69-0x0000000000732000-0x0000000000736000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2028-70-0x0000000000732000-0x0000000000736000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2028-71-0x0000000000732000-0x0000000000736000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2028-72-0x0000000000736000-0x0000000000739000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2028-73-0x0000000000736000-0x0000000000739000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2028-74-0x0000000000736000-0x0000000000739000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2028-67-0x0000000000732000-0x0000000000736000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2028-68-0x0000000000732000-0x0000000000736000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2028-65-0x0000000000732000-0x0000000000736000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2028-54-0x0000000076651000-0x0000000076653000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2028-63-0x0000000000732000-0x0000000000736000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2028-62-0x0000000000732000-0x0000000000736000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2028-61-0x0000000000732000-0x0000000000736000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2028-60-0x0000000000732000-0x0000000000736000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2028-55-0x0000000000330000-0x00000000003D5000-memory.dmp

    Filesize

    660KB

    Download