Analysis
max time kernel: 141s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 19:38
Static task: static1
Behavioral task: behavioral1
Sample: e4034fbd2d94958402e01f381a7be72328227e4dee15d480ececa3c0fc9d5a8a.exe
Resource: win7-20220812-en

General
Target: e4034fbd2d94958402e01f381a7be72328227e4dee15d480ececa3c0fc9d5a8a.exe
Size: 2.1MB
MD5: 3361c39bae905cf64fc952a49e650c7a
SHA1: ee3bf39f1a2431bbb7cf05d05a0302a2d58fe6f1
SHA256: e4034fbd2d94958402e01f381a7be72328227e4dee15d480ececa3c0fc9d5a8a
SHA512: 3b7dfda84d94839d30e23bfa4a12c050abe1dc5fb6eae9e8918f93229c10e27806eaf7972b9723ed8ea9742335afc7b996a5c3fa1438b39b2cbd841bda45db7a
SSDEEP: 24576:h1OYdaOw7QJkxGYNiu6+HRxMBMBtqCnd2Hoi1FLVHHD6gwDxvbZmPw5wea5nYGh:h1OsfGGYj/MOpd2H1BVgmPJ1nJh

Malware Config
Signatures

Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  884 | 3lKRNYsmGIRxLR4.exe

Loads dropped DLL (3 IoCs)
Processes:
  pid  | process
  884  | 3lKRNYsmGIRxLR4.exe
  4940 | regsvr32.exe
  1520 | regsvr32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops Chrome extension (5 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffekfiglnlpdlnmfcmjeljdbdeplaomg\2.0\manifest.json | 3lKRNYsmGIRxLR4.exe
  File created | C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffekfiglnlpdlnmfcmjeljdbdeplaomg\2.0\manifest.json | 3lKRNYsmGIRxLR4.exe
  File created | C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffekfiglnlpdlnmfcmjeljdbdeplaomg\2.0\manifest.json | 3lKRNYsmGIRxLR4.exe
  File created | C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffekfiglnlpdlnmfcmjeljdbdeplaomg\2.0\manifest.json | 3lKRNYsmGIRxLR4.exe
  File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffekfiglnlpdlnmfcmjeljdbdeplaomg\2.0\manifest.json | 3lKRNYsmGIRxLR4.exe

Installs/modifies Browser Helper Object (2 TTPs, 9 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | 3lKRNYsmGIRxLR4.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | 3lKRNYsmGIRxLR4.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | 3lKRNYsmGIRxLR4.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | 3lKRNYsmGIRxLR4.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | regsvr32.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9} | regsvr32.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | regsvr32.exe

Drops file in System32 directory (4 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | 3lKRNYsmGIRxLR4.exe
  File opened for modification | C:\Windows\System32\GroupPolicy | 3lKRNYsmGIRxLR4.exe
  File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | 3lKRNYsmGIRxLR4.exe
  File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | 3lKRNYsmGIRxLR4.exe

Drops file in Program Files directory (8 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\GoSave\BKaTFP7SBwVkZW.dat | 3lKRNYsmGIRxLR4.exe
  File opened for modification | C:\Program Files (x86)\GoSave\BKaTFP7SBwVkZW.dat | 3lKRNYsmGIRxLR4.exe
  File created | C:\Program Files (x86)\GoSave\BKaTFP7SBwVkZW.x64.dll | 3lKRNYsmGIRxLR4.exe
  File opened for modification | C:\Program Files (x86)\GoSave\BKaTFP7SBwVkZW.x64.dll | 3lKRNYsmGIRxLR4.exe
  File created | C:\Program Files (x86)\GoSave\BKaTFP7SBwVkZW.dll | 3lKRNYsmGIRxLR4.exe
  File opened for modification | C:\Program Files (x86)\GoSave\BKaTFP7SBwVkZW.dll | 3lKRNYsmGIRxLR4.exe
  File created | C:\Program Files (x86)\GoSave\BKaTFP7SBwVkZW.tlb | 3lKRNYsmGIRxLR4.exe
  File opened for modification | C:\Program Files (x86)\GoSave\BKaTFP7SBwVkZW.tlb | 3lKRNYsmGIRxLR4.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid | process
  884 | 3lKRNYsmGIRxLR4.exe
  884 | 3lKRNYsmGIRxLR4.exe
  884 | 3lKRNYsmGIRxLR4.exe
  884 | 3lKRNYsmGIRxLR4.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description | pid | process | target process
  PID 4976 wrote to memory of 884 | 4976 | e4034fbd2d94958402e01f381a7be72328227e4dee15d480ececa3c0fc9d5a8a.exe | 3lKRNYsmGIRxLR4.exe
  PID 4976 wrote to memory of 884 | 4976 | e4034fbd2d94958402e01f381a7be72328227e4dee15d480ececa3c0fc9d5a8a.exe | 3lKRNYsmGIRxLR4.exe
  PID 4976 wrote to memory of 884 | 4976 | e4034fbd2d94958402e01f381a7be72328227e4dee15d480ececa3c0fc9d5a8a.exe | 3lKRNYsmGIRxLR4.exe
  PID 884 wrote to memory of 4940 | 884 | 3lKRNYsmGIRxLR4.exe | regsvr32.exe
  PID 884 wrote to memory of 4940 | 884 | 3lKRNYsmGIRxLR4.exe | regsvr32.exe
  PID 884 wrote to memory of 4940 | 884 | 3lKRNYsmGIRxLR4.exe | regsvr32.exe
  PID 4940 wrote to memory of 1520 | 4940 | regsvr32.exe | regsvr32.exe
  PID 4940 wrote to memory of 1520 | 4940 | regsvr32.exe | regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e4034fbd2d94958402e01f381a7be72328227e4dee15d480ececa3c0fc9d5a8a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e4034fbd2d94958402e01f381a7be72328227e4dee15d480ececa3c0fc9d5a8a.exe"
  PID: 4976
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7zS18E7.tmp\3lKRNYsmGIRxLR4.exe
      Command line: .\3lKRNYsmGIRxLR4.exe
      PID: 884
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops Chrome extension
      - Installs/modifies Browser Helper Object
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\regsvr32.exe
          Command line: regsvr32.exe /s "C:\Program Files (x86)\GoSave\BKaTFP7SBwVkZW.x64.dll"
          PID: 4940
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\regsvr32.exe
              Command line: /s "C:\Program Files (x86)\GoSave\BKaTFP7SBwVkZW.x64.dll"
              PID: 1520
              - Loads dropped DLL
              - Installs/modifies Browser Helper Object

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
  PID: 4472

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
  PID: 4852

Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Program Files (x86)\GoSave\BKaTFP7SBwVkZW.dat
  Filesize: 7KB
  MD5: af0c6b7a64b47bde2018221777681825
  SHA1: 82aca77a37421c12d17f53a437c6f9490dca6775
  SHA256: 7bddac6e81215d2207c0d7364a316d1872c8d69c4672ac8a169bcca029d66ce4
  SHA512: 9ade58342cd4c39ab09580fe35b789d74a958af54559057826fad763597391864af2f18d01baf6633e50d4fe5dc8512865238409cdc6e43679d82b422a587a6c

C:\Program Files (x86)\GoSave\BKaTFP7SBwVkZW.dll
  Filesize: 619KB
  MD5: d87bbe9d29b88e94ba03b16567033ddf
  SHA1: 19102742808244a23ca403d983dfd9f7088fffe3
  SHA256: fdbce4dd2b45ac64620fc875bd12d8706a197bc3def75cdc33b9984f039da5b5
  SHA512: 24ea28c1104ee07604124842a99e359a53644e7693515dcf1b9a4dc7c8258c9d1bdc8b78b7018582521b6d41aebb96a1a38b6994fe83a12e29418bb011c69d03

C:\Program Files (x86)\GoSave\BKaTFP7SBwVkZW.x64.dll
  Filesize: 699KB
  MD5: 1fe3d25ff48d168cb86094de5401cab0
  SHA1: c6e746f4c629185d8ef71d275845e1d072483923
  SHA256: 5cecdf46cd265705f19edaabc14272048a1da3563ed099303f8ed47ba3056a04
  SHA512: ba3df2cf1031830fc9847c3213ec9fcd1c36c646071b2e5ae12b4bbf502a199e704131b6c53954a6ff969ba611e13743e89f0b26614b831d8b39c61a484c9be4

C:\Users\Admin\AppData\Local\Temp\7zS18E7.tmp\3lKRNYsmGIRxLR4.dat
  Filesize: 7KB
  MD5: af0c6b7a64b47bde2018221777681825
  SHA1: 82aca77a37421c12d17f53a437c6f9490dca6775
  SHA256: 7bddac6e81215d2207c0d7364a316d1872c8d69c4672ac8a169bcca029d66ce4
  SHA512: 9ade58342cd4c39ab09580fe35b789d74a958af54559057826fad763597391864af2f18d01baf6633e50d4fe5dc8512865238409cdc6e43679d82b422a587a6c

C:\Users\Admin\AppData\Local\Temp\7zS18E7.tmp\3lKRNYsmGIRxLR4.exe
  Filesize: 632KB
  MD5: c40cbd955bd3bbbf7de8218b95004eeb
  SHA1: fe5fccf0a2166f1fc11812de679d77475e9deb36
  SHA256: 76dbb3388f2339883bb20fdf6330e77b12f4493976ec5b2649d7427429c92398
  SHA512: 6fee70cceeee8ba54d3fcda5e94ef3a98f1c51c79673b46081fd00793ad0f99fe0111bdcb7fee2e13aa10a1d51d94a5b41a1426389bc0c6ce0297b93ba3f13ba

C:\Users\Admin\AppData\Local\Temp\7zS18E7.tmp\BKaTFP7SBwVkZW.dll
  Filesize: 619KB
  MD5: d87bbe9d29b88e94ba03b16567033ddf
  SHA1: 19102742808244a23ca403d983dfd9f7088fffe3
  SHA256: fdbce4dd2b45ac64620fc875bd12d8706a197bc3def75cdc33b9984f039da5b5
  SHA512: 24ea28c1104ee07604124842a99e359a53644e7693515dcf1b9a4dc7c8258c9d1bdc8b78b7018582521b6d41aebb96a1a38b6994fe83a12e29418bb011c69d03

C:\Users\Admin\AppData\Local\Temp\7zS18E7.tmp\BKaTFP7SBwVkZW.tlb
  Filesize: 3KB
  MD5: fb73184b9c1bfaa44e6cbdb593fd2909
  SHA1: 4585af18986a5e24c544fcecd9e02e3006f440d1
  SHA256: c89fa0e13aa5c8930b6f28648653b815d4a93cd13e8d7d0f1bf8bf1a49920edb
  SHA512: 2e130f61d2211b7d2799905937b78d5119c3b22580c467dcfe757d8ac5b1e86c33fb69e3c67a6267f4db0a2730dc7cc399b8020d077b30d77428f54ec03523ed

C:\Users\Admin\AppData\Local\Temp\7zS18E7.tmp\BKaTFP7SBwVkZW.x64.dll
  Filesize: 699KB
  MD5: 1fe3d25ff48d168cb86094de5401cab0
  SHA1: c6e746f4c629185d8ef71d275845e1d072483923
  SHA256: 5cecdf46cd265705f19edaabc14272048a1da3563ed099303f8ed47ba3056a04
  SHA512: ba3df2cf1031830fc9847c3213ec9fcd1c36c646071b2e5ae12b4bbf502a199e704131b6c53954a6ff969ba611e13743e89f0b26614b831d8b39c61a484c9be4

C:\Users\Admin\AppData\Local\Temp\7zS18E7.tmp\ffekfiglnlpdlnmfcmjeljdbdeplaomg\Gz1.js
  Filesize: 6KB
  MD5: e539b12159efb7f3c06d2a8bf4d0449d
  SHA1: b1c77b7ae2ce2b55f6f1009e6ec07ebc68b46c34
  SHA256: ccb9191782649be3bd93fbc4935f937f41690e43e7d44d098563d0a83f32d848
  SHA512: 88cd1d027c97c31a70c319de83932ddf1de1986cd148381b2a8bddf3278a143863da962eaa9ddb54c18dd87b6ac088fd7735dbbb356472802d2e02ac40b26bda

C:\Users\Admin\AppData\Local\Temp\7zS18E7.tmp\ffekfiglnlpdlnmfcmjeljdbdeplaomg\background.html
  Filesize: 140B
  MD5: 4a82b1ea6433aeee7cdde0217230d166
  SHA1: 007f303c4f9dce5a259945d7caf1adde9cc367be
  SHA256: 0a79dbfc9311df4915fb8c4f75cfa9c308c551301ce2c618fd307e3610fc14dc
  SHA512: 12fd97f51769a72c78192aacd51ff6ea61d5f517d009610a92d247c67ded725b329d7dc8f558220d322ab19a28e77e593872c8d183c2483cb784bbd1ce5b1083

C:\Users\Admin\AppData\Local\Temp\7zS18E7.tmp\ffekfiglnlpdlnmfcmjeljdbdeplaomg\content.js
  Filesize: 144B
  MD5: fca19198fd8af21016a8b1dec7980002
  SHA1: fd01a47d14004e17a625efe66cc46a06c786cf40
  SHA256: 332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
  SHA512: 60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

C:\Users\Admin\AppData\Local\Temp\7zS18E7.tmp\ffekfiglnlpdlnmfcmjeljdbdeplaomg\lsdb.js
  Filesize: 531B
  MD5: 36d98318ab2b3b2585a30984db328afb
  SHA1: f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
  SHA256: ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
  SHA512: 6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

C:\Users\Admin\AppData\Local\Temp\7zS18E7.tmp\ffekfiglnlpdlnmfcmjeljdbdeplaomg\manifest.json
  Filesize: 498B
  MD5: 640199ea4621e34510de919f6a54436f
  SHA1: dc65dbfad02bd2688030bd56ca1cab85917a9937
  SHA256: e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af
  SHA512: d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

C:\Users\Admin\AppData\Local\Temp\7zS18E7.tmp\[email protected]\bootstrap.js
  Filesize: 2KB
  MD5: df13f711e20e9c80171846d4f2f7ae06
  SHA1: 56d29cda58427efe0e21d3880d39eb1b0ef60bee
  SHA256: 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
  SHA512: 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

C:\Users\Admin\AppData\Local\Temp\7zS18E7.tmp\[email protected]\chrome.manifest
  Filesize: 35B
  MD5: a4f06ab8ae4b5252c1f93b60547eafd5
  SHA1: 24c00e4803bf2487b731782b48476a68670b3985
  SHA256: 8add14afd69f00a73cdb9c9fa2c11de7c7be2105e816dcb57cb55006a0cf1c41
  SHA512: c47daa23a9992dbdbc5a4afc7f0543fdc3a94c1c9f011f847d8a1bd189409f429959dd60cfea9e2f8995102a15f3dcefbbac4753b609cb8ef6fda5510a4e8bd3

C:\Users\Admin\AppData\Local\Temp\7zS18E7.tmp\[email protected]\content\bg.js
  Filesize: 8KB
  MD5: 6bb102b11fb26060e76719e618e1c9e5
  SHA1: ef4d2f14aaf84435adb2390cd5ad990571d7fea1
  SHA256: 542f09835ce1055abcd3206c714c6c857d81bdac0263f4d7cf014e92c289b52e
  SHA512: f42991d81de2c470cafc9d4abf9cf1b918209b58d589ceb70ba8cc3625652de094f442657ba71a3c710ef446c72581b55a478afa5c1e846e6a3da4a8fe19f0d0

C:\Users\Admin\AppData\Local\Temp\7zS18E7.tmp\[email protected]\install.rdf
  Filesize: 597B
  MD5: 828636f157404d2d7c3af8357ba608af
  SHA1: d40f52709c3b27cacdcce0995e71035a8812ae4b
  SHA256: 2c674dd041addf2df341ea5a97c06ac73000def507b351387b52f614110fc8bd
  SHA512: 0c39ea5dff197a601267107bdc5b068024fc99d3c034f9ec9daa530c5c0befc374e166a5d53f7c26f1ef153019ac4c31ad68ca5d9fd5f81ed0153122f62fafae

memory/884-132-0x0000000000000000-mapping.dmp
memory/1520-152-0x0000000000000000-mapping.dmp
memory/4940-149-0x0000000000000000-mapping.dmp