ba88732738454fb386be25dbfe7a7a2bbecf5360a4a8d75811b53aa29b9b6906

Analysis

max time kernel
16s
max time network
18s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50ffeff8f7ccb47b9f9b677a705034c0N.exe
Size

490KB
MD5

50ffeff8f7ccb47b9f9b677a705034c0
SHA1

1ac943e62c58ca761b7bb7332614e710bf2656dd
SHA256

ba88732738454fb386be25dbfe7a7a2bbecf5360a4a8d75811b53aa29b9b6906
SHA512

f6e350f8e77cd6689afa99bc39407a31642fd6bea3ec235c55fc890fe9c861ad332ab4b30b9a506833e3a1040a82834312fd94b02f321b1d1f4723d397f918a2
SSDEEP

12288:3h4kaSeDv3jbFNu405oV4z222TNx0g+c/fSDOMkdAM/I77vM:qSeL3FgrOQ2TNyc/q3DeI770

Score

7^/10

adware discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00050000000187a7-51.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2188	sqlite3.exe
1112	updater.exe

Loads dropped DLL 18 IoCs

pid	Process
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe
792	regsvr32.exe
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000187a7-51.dat	upx
behavioral1/memory/2416-53-0x00000000744B0000-0x00000000744BA000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjildcbkilmkddbbpbjljljdmmlfeppl\5.0_0\manifest.json	50ffeff8f7ccb47b9f9b677a705034c0N.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52FC3D7C-F0C2-4C49-B3D7-55999F7750DD}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{52FC3D7C-F0C2-4C49-B3D7-55999F7750DD}\NoExplorer = "1"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50ffeff8f7ccb47b9f9b677a705034c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2392	taskkill.exe
2348	taskkill.exe
2864	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52FC3D7C-F0C2-4C49-B3D7-55999F7750DD}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\getsav-in\\ie\\getsav-in_1372268101.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52FC3D7C-F0C2-4C49-B3D7-55999F7750DD}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52FC3D7C-F0C2-4C49-B3D7-55999F7750DD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52FC3D7C-F0C2-4C49-B3D7-55999F7750DD}\ = "getsav-in 5.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52FC3D7C-F0C2-4C49-B3D7-55999F7750DD}\InProcServer32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe
2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	2864	taskkill.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2392	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	30
PID 2416 wrote to memory of 2392	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	30
PID 2416 wrote to memory of 2392	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	30
PID 2416 wrote to memory of 2392	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	30
PID 2416 wrote to memory of 2348	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	33
PID 2416 wrote to memory of 2348	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	33
PID 2416 wrote to memory of 2348	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	33
PID 2416 wrote to memory of 2348	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	33
PID 2416 wrote to memory of 2864	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	35
PID 2416 wrote to memory of 2864	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	35
PID 2416 wrote to memory of 2864	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	35
PID 2416 wrote to memory of 2864	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	35
PID 2416 wrote to memory of 2188	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	39
PID 2416 wrote to memory of 2188	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	39
PID 2416 wrote to memory of 2188	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	39
PID 2416 wrote to memory of 2188	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	39
PID 2416 wrote to memory of 900	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	41
PID 2416 wrote to memory of 900	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	41
PID 2416 wrote to memory of 900	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	41
PID 2416 wrote to memory of 900	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	41
PID 2416 wrote to memory of 900	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	41
PID 2416 wrote to memory of 900	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	41
PID 2416 wrote to memory of 900	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	41
PID 900 wrote to memory of 792	900	regsvr32.exe	42
PID 900 wrote to memory of 792	900	regsvr32.exe	42
PID 900 wrote to memory of 792	900	regsvr32.exe	42
PID 900 wrote to memory of 792	900	regsvr32.exe	42
PID 900 wrote to memory of 792	900	regsvr32.exe	42
PID 900 wrote to memory of 792	900	regsvr32.exe	42
PID 900 wrote to memory of 792	900	regsvr32.exe	42
PID 2416 wrote to memory of 1112	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	44
PID 2416 wrote to memory of 1112	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	44
PID 2416 wrote to memory of 1112	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	44
PID 2416 wrote to memory of 1112	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	44
PID 2416 wrote to memory of 1112	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	44
PID 2416 wrote to memory of 1112	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	44
PID 2416 wrote to memory of 1112	2416	50ffeff8f7ccb47b9f9b677a705034c0N.exe	44

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	50ffeff8f7ccb47b9f9b677a705034c0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1"	50ffeff8f7ccb47b9f9b677a705034c0N.exe

C:\Users\Admin\AppData\Local\Temp\50ffeff8f7ccb47b9f9b677a705034c0N.exe
"C:\Users\Admin\AppData\Local\Temp\50ffeff8f7ccb47b9f9b677a705034c0N.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2416
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im firefox.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im iexplore.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Users\Admin\AppData\Local\getsav-in\sqlite3.exe
  "C:\Users\Admin\AppData\Local\getsav-in\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.Admin\extensions.sqlite" "select max(internal_id) from main.addon;"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\system32\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /n /i:UserInstall /s "C:\Users\Admin\AppData\Local\getsav-in\ie\getsav-in_1372268101.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\SysWOW64\regsvr32.exe
    /n /i:UserInstall /s "C:\Users\Admin\AppData\Local\getsav-in\ie\getsav-in_1372268101.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:792
- C:\Users\Admin\AppData\Local\getsav-in\updater.exe
  "C:\Users\Admin\AppData\Local\getsav-in\updater.exe" browserprotect.exe 3
  2⤵
  - Executes dropped EXE
  PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\getsav-in\ie\getsav-in_1372268101.dll

Filesize
76KB

MD5
e4e14c9e18650ce9b2ed5468a98ace38

SHA1
73d73ca5cdba1cb00b9248b4a7b12f3b55ba7a53

SHA256
b2f72db4c4ff6c6c97bb14721f07c6b07c1fee9a5a08f36fa342317de7c82e6c

SHA512
0130ba26db5550cfb008c839d38c308b947d4f18d0ba862e33d2544135e7faa6bd38de2675a22efb88137ca72d3b558b680f19e0727a7d8ab36ce0542658b098

Download Submit
C:\Users\Admin\AppData\Local\getsav-in\updater.exe

Filesize
92KB

MD5
279a20be2a91ee083fe06407ee370a23

SHA1
84e197ed04bca36b8035a6ff5044b2cb806d7d99

SHA256
4067c4ce3b3cfcb4be9ed0654e40986ba6e98f23c4f272ac53bd49537eb30c45

SHA512
6a5ad56f5d964dcda8cc6df6ce1803d8746fc76b4e0fe0c57fdc2091f366037d2ee04bfe2adf48c697d886356a22994a4a8f1a4666f0bd78f45c675c4915699c

Download Submit
\Users\Admin\AppData\Local\Temp\nstC87F.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nstC87F.tmp\inetc.dll

Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
\Users\Admin\AppData\Local\Temp\nstC87F.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nstC87F.tmp\nsJSON.dll

Filesize
6KB

MD5
292aa9f95a7f081625056c497078159a

SHA1
72076f3eb146ab7ea2b3dd0ef6a63c06f86d64f1

SHA256
18f2b2f20c65a022a1c8aaf776b4c9be6c193b73c2079d9d65d56b802fcadfb5

SHA512
87f83c3bbcfedd98364b5d0209f912e66c72d43eb887438ad9735c078e6d1f6ea12566a75f0b652602bbd9f0608ce7148dc1703821f2ab6b366f061b8a58d910

Download Submit
\Users\Admin\AppData\Local\Temp\nstC87F.tmp\nsisFile.dll

Filesize
5KB

MD5
a35adabef191a1d5870096543ffc18ec

SHA1
76a77d50b8f0be5a77fdb7b71a661a356ead1b7f

SHA256
bb5be80416d8e381fbcb0f03ea3433d94a75786e3842e8cfe1b7b8bd57354457

SHA512
97eb8186abc0ae5a6c1858b78042c41fa377dea33ea0bae3c6957b7a22486ba0f1e0a4a43d817627bbba85d5de786c82e05d7505dc7df62bff51439fd0f8401c

Download Submit
\Users\Admin\AppData\Local\getsav-in\sqlite3.exe

Filesize
481KB

MD5
82771129b12517cf5c6e2244d14e8360

SHA1
4e2a55e517f0e1324d3e8840e7db41f3883e4a01

SHA256
3441036aa8be132d8476bbee2648e966db130e3fdba1eb97c9972d55248bf9bc

SHA512
862028b3ae8bf3ae8e218326a5df634b19d816bcd86b830675214713e543d7672cead28e3178ef23081d508501630e4ef622066f123681c3c6d98d19e6e20c46

Download Submit
memory/1112-210-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2188-190-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2416-53-0x00000000744B0000-0x00000000744BA000-memory.dmp

Filesize
40KB

Download
memory/2416-81-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2416-223-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download