91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31

General

Target

91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Size

2.0MB
MD5

14468adc550ec8d3dbf92ef9ed243b30
SHA1

f3aa18d5cebd5a6861b52f84959cdda23234267d
SHA256

91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31
SHA512

cc80e5201e33fe982f83f770e3512b7585f04067a34a325850ae6c63f38deaf78dceeda6b9274db6f2b031986ec000c2c74886689be42b586aa761bf54458915
SSDEEP

49152:ES+vPDX6j/DsEcP+9qtyN5AvkU4mmQE8nqP/AoJ15vVW/P:ES+v4/DsEcPbtfkU4dQECk/AsvVW/

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\InprocServer32\ = "C:\\Program Files (x86)\\PPrricechOp\\Q2NoNpBDvCn1N7.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exeregsvr32.exeregsvr32.exe

pid process

1764 91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
1336 regsvr32.exe
960 regsvr32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1764	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
1336	regsvr32.exe
960	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\ = "PPrricechOp"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\ = "PPrricechOp"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\NoExplorer = "1"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe

Drops file in Program Files directory 8 IoCs

Processes:

91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe

description	ioc	process
File created	C:\Program Files (x86)\PPrricechOp\Q2NoNpBDvCn1N7.dll	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
File opened for modification	C:\Program Files (x86)\PPrricechOp\Q2NoNpBDvCn1N7.dll	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
File created	C:\Program Files (x86)\PPrricechOp\Q2NoNpBDvCn1N7.tlb	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
File opened for modification	C:\Program Files (x86)\PPrricechOp\Q2NoNpBDvCn1N7.tlb	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
File created	C:\Program Files (x86)\PPrricechOp\Q2NoNpBDvCn1N7.dat	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
File opened for modification	C:\Program Files (x86)\PPrricechOp\Q2NoNpBDvCn1N7.dat	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
File created	C:\Program Files (x86)\PPrricechOp\Q2NoNpBDvCn1N7.x64.dll	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
File opened for modification	C:\Program Files (x86)\PPrricechOp\Q2NoNpBDvCn1N7.x64.dll	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{5E41454F-C0B0-45FB-B38B-46C5564CF2C0}	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{5E41454F-C0B0-45FB-B38B-46C5564CF2C0}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pricechop.pricechop\CLSID	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E41454F-C0B0-45FB-B38B-46C5564CF2C0}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E41454F-C0B0-45FB-B38B-46C5564CF2C0}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\PPrricechOp\\Q2NoNpBDvCn1N7.tlb"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\VersionIndependentProgID\ = "pricechop"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\ = "PPrricechOp"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pricechop.pricechop\CurVer\ = "pricechop.9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\InprocServer32\ThreadingModel = "Apartment"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pricechop.pricechop.9\CLSID\ = "{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pricechop.pricechop.9\ = "PPrricechOp"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pricechop.pricechop\CurVer	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pricechop.pricechop\CLSID\ = "{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\ = "PPrricechOp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\ProgID\ = "pricechop.9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E41454F-C0B0-45FB-B38B-46C5564CF2C0}\Implemented Categories	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\PPrricechOp"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pricechop.pricechop.9\CLSID\ = "{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\ProgID\ = "pricechop.9"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\InprocServer32\ = "C:\\Program Files (x86)\\PPrricechOp\\Q2NoNpBDvCn1N7.dll"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\Programmable	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pricechop.pricechop\CLSID\ = "{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\Programmable	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\ProgID	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E41454F-C0B0-45FB-B38B-46C5564CF2C0}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E41454F-C0B0-45FB-B38B-46C5564CF2C0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E41454F-C0B0-45FB-B38B-46C5564CF2C0}	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exeregsvr32.exe

description	pid	process	target process
PID 1764 wrote to memory of 1336	1764	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe	regsvr32.exe
PID 1764 wrote to memory of 1336	1764	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe	regsvr32.exe
PID 1764 wrote to memory of 1336	1764	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe	regsvr32.exe
PID 1764 wrote to memory of 1336	1764	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe	regsvr32.exe
PID 1764 wrote to memory of 1336	1764	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe	regsvr32.exe
PID 1764 wrote to memory of 1336	1764	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe	regsvr32.exe
PID 1764 wrote to memory of 1336	1764	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe	regsvr32.exe
PID 1336 wrote to memory of 960	1336	regsvr32.exe	regsvr32.exe
PID 1336 wrote to memory of 960	1336	regsvr32.exe	regsvr32.exe
PID 1336 wrote to memory of 960	1336	regsvr32.exe	regsvr32.exe
PID 1336 wrote to memory of 960	1336	regsvr32.exe	regsvr32.exe
PID 1336 wrote to memory of 960	1336	regsvr32.exe	regsvr32.exe
PID 1336 wrote to memory of 960	1336	regsvr32.exe	regsvr32.exe
PID 1336 wrote to memory of 960	1336	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5e41454f-c0b0-45fb-b38b-46c5564cf2c0} = "1"	91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe

C:\Users\Admin\AppData\Local\Temp\91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe
"C:\Users\Admin\AppData\Local\Temp\91fa6d5951cc15e398422527defbc110332e68c687645496ed1a933d00e2da31.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1764

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\PPrricechOp\Q2NoNpBDvCn1N7.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\PPrricechOp\Q2NoNpBDvCn1N7.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PPrricechOp\Q2NoNpBDvCn1N7.dat

Filesize
4KB

MD5
78dc305a8b19f91fc37be6a49743c1cf

SHA1
d6891ba53c566d4af12494bc0c522ed9edaddba2

SHA256
94120624a79713b2c6725af44fa5c4d6073107b8f308dc9a3bbd28d5ed21294a

SHA512
9cd2adac31d1e5ab6293ccc6d224e782255bd6a40f1bb7817f0e0c7b6dd07e5e0e2814a334662c92e52c2894f00c0836b2d4a1b7571d3f2bcb0d43f4757d3041

Download Submit
C:\Program Files (x86)\PPrricechOp\Q2NoNpBDvCn1N7.tlb

Filesize
3KB

MD5
b4d00d304c72ef9bc43c16b84823fb89

SHA1
86a5d31b4d542e33b2a819632234f0543464d0c7

SHA256
5bbb1a3795b6c31dac793761c3844aa2f5bb52458fb0014e4afe18b92be5598d

SHA512
9eb6b4ef6b37b82f83e224dfa273fd06991969731ab7dc8463172fd919970700d8538248024a4204c6be85f04f24bb9380376f14b784ca7096ceb215df26a813

Download Submit
C:\Program Files (x86)\PPrricechOp\Q2NoNpBDvCn1N7.x64.dll

Filesize
500KB

MD5
54e21b7dae36a033b7e663765a15b095

SHA1
b56a5511bf5713584b83863e6a7fea9bb3f36fd9

SHA256
167b1316ac4c3cd69fc330761be15805939b7ade91349693e6ddacee6fc1ea65

SHA512
aecbb56b9293e1ea2e401fefdd794cea617f03c529304585c8dcff87b064c48551be9093b2a1484ea9698750536fb7d6adb162c0eab6852c346fcd83bc2c51a9

Download Submit
\Program Files (x86)\PPrricechOp\Q2NoNpBDvCn1N7.dll

Filesize
441KB

MD5
374367ba293ed2c64cb7bfc4d1fe1417

SHA1
c0f4bcb661e0283f19dd86b5a8f6a3f9b7eb02b6

SHA256
320fdcf6ac910e1b67eb1379736348a887f43eb544dba49e8e909bc4f593eb51

SHA512
ab60c2fb82b1cc4de766a7b07c71e59e06d7c471e2e27c82088d9e9908a463835a80c2228fbb021d2740f6b583ccd43167902cf1557166b47592a8e9c131cfc1

Download Submit
\Program Files (x86)\PPrricechOp\Q2NoNpBDvCn1N7.x64.dll

Filesize
500KB

MD5
54e21b7dae36a033b7e663765a15b095

SHA1
b56a5511bf5713584b83863e6a7fea9bb3f36fd9

SHA256
167b1316ac4c3cd69fc330761be15805939b7ade91349693e6ddacee6fc1ea65

SHA512
aecbb56b9293e1ea2e401fefdd794cea617f03c529304585c8dcff87b064c48551be9093b2a1484ea9698750536fb7d6adb162c0eab6852c346fcd83bc2c51a9

Download Submit
\Program Files (x86)\PPrricechOp\Q2NoNpBDvCn1N7.x64.dll

Filesize
500KB

MD5
54e21b7dae36a033b7e663765a15b095

SHA1
b56a5511bf5713584b83863e6a7fea9bb3f36fd9

SHA256
167b1316ac4c3cd69fc330761be15805939b7ade91349693e6ddacee6fc1ea65

SHA512
aecbb56b9293e1ea2e401fefdd794cea617f03c529304585c8dcff87b064c48551be9093b2a1484ea9698750536fb7d6adb162c0eab6852c346fcd83bc2c51a9

Download Submit
memory/960-83-0x000007FEFC0D1000-0x000007FEFC0D3000-memory.dmp

Filesize
8KB

Download
memory/960-82-0x0000000000000000-mapping.dmp

Download
memory/1336-78-0x0000000000000000-mapping.dmp

Download
memory/1764-65-0x00000000003A2000-0x00000000003A6000-memory.dmp

Filesize
16KB

Download
memory/1764-76-0x00000000003A2000-0x00000000003A6000-memory.dmp

Filesize
16KB

Download
memory/1764-69-0x00000000003A2000-0x00000000003A6000-memory.dmp

Filesize
16KB

Download
memory/1764-70-0x00000000003A2000-0x00000000003A6000-memory.dmp

Filesize
16KB

Download
memory/1764-71-0x00000000003A2000-0x00000000003A6000-memory.dmp

Filesize
16KB

Download
memory/1764-72-0x00000000003A2000-0x00000000003A6000-memory.dmp

Filesize
16KB

Download
memory/1764-73-0x00000000003A2000-0x00000000003A6000-memory.dmp

Filesize
16KB

Download
memory/1764-74-0x00000000003A2000-0x00000000003A6000-memory.dmp

Filesize
16KB

Download
memory/1764-75-0x00000000003A2000-0x00000000003A6000-memory.dmp

Filesize
16KB

Download
memory/1764-68-0x00000000003A2000-0x00000000003A6000-memory.dmp

Filesize
16KB

Download
memory/1764-67-0x00000000003A2000-0x00000000003A6000-memory.dmp

Filesize
16KB

Download
memory/1764-66-0x00000000003A2000-0x00000000003A6000-memory.dmp

Filesize
16KB

Download
memory/1764-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1764-64-0x00000000003A2000-0x00000000003A6000-memory.dmp

Filesize
16KB

Download
memory/1764-63-0x00000000003A2000-0x00000000003A6000-memory.dmp

Filesize
16KB

Download
memory/1764-62-0x00000000003A2000-0x00000000003A6000-memory.dmp

Filesize
16KB

Download
memory/1764-60-0x00000000003A2000-0x00000000003A6000-memory.dmp

Filesize
16KB

Download
memory/1764-61-0x00000000003A2000-0x00000000003A6000-memory.dmp

Filesize
16KB

Download
memory/1764-55-0x00000000023A0000-0x0000000002449000-memory.dmp

Filesize
676KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads