a86d96d903c9be785a901a279a1926e3d8dc0681d0bf18516271ff43dc116f94

Analysis

max time kernel
180s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a86d96d903c9be785a901a279a1926e3d8dc0681d0bf18516271ff43dc116f94.exe
Size

2.1MB
MD5

995a2e1714a66152c53355aec24ae755
SHA1

12c5745ef59c273397702d8b276875251aee2ea7
SHA256

a86d96d903c9be785a901a279a1926e3d8dc0681d0bf18516271ff43dc116f94
SHA512

f7f7a650a76f48886584968f4f824a181e4b52b42bde48ef2e2232061a2751ffc4e350b3fca41789c3e47876c4378a984206a5db1189f10f2084ce8ecbffab35
SSDEEP

49152:h1Osil9RJLu6vcW6hGkaVR7QSiN/tObJmZcqYUuRTC:h1OzrVOhGRkSixtKDM

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

NAvp47u2Z0fewVg.exe

pid process

4916 NAvp47u2Z0fewVg.exe
Loads dropped DLL 3 IoCs

Processes:

NAvp47u2Z0fewVg.exeregsvr32.exeregsvr32.exe

pid process

4916 NAvp47u2Z0fewVg.exe
3392 regsvr32.exe
3576 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4916	NAvp47u2Z0fewVg.exe

pid	process
4916	NAvp47u2Z0fewVg.exe
3392	regsvr32.exe
3576	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

NAvp47u2Z0fewVg.exe

description	ioc	process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkckidglbmfgbhdhfmimakhlbejlgjh\5.2\manifest.json	NAvp47u2Z0fewVg.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkckidglbmfgbhdhfmimakhlbejlgjh\5.2\manifest.json	NAvp47u2Z0fewVg.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkckidglbmfgbhdhfmimakhlbejlgjh\5.2\manifest.json	NAvp47u2Z0fewVg.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkckidglbmfgbhdhfmimakhlbejlgjh\5.2\manifest.json	NAvp47u2Z0fewVg.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkckidglbmfgbhdhfmimakhlbejlgjh\5.2\manifest.json	NAvp47u2Z0fewVg.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

NAvp47u2Z0fewVg.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	NAvp47u2Z0fewVg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	NAvp47u2Z0fewVg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	NAvp47u2Z0fewVg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	NAvp47u2Z0fewVg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

NAvp47u2Z0fewVg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\PriceLess\bxtMo6mor6QEQ8.dll	NAvp47u2Z0fewVg.exe
File created	C:\Program Files (x86)\PriceLess\bxtMo6mor6QEQ8.tlb	NAvp47u2Z0fewVg.exe
File opened for modification	C:\Program Files (x86)\PriceLess\bxtMo6mor6QEQ8.tlb	NAvp47u2Z0fewVg.exe
File created	C:\Program Files (x86)\PriceLess\bxtMo6mor6QEQ8.dat	NAvp47u2Z0fewVg.exe
File opened for modification	C:\Program Files (x86)\PriceLess\bxtMo6mor6QEQ8.dat	NAvp47u2Z0fewVg.exe
File created	C:\Program Files (x86)\PriceLess\bxtMo6mor6QEQ8.x64.dll	NAvp47u2Z0fewVg.exe
File opened for modification	C:\Program Files (x86)\PriceLess\bxtMo6mor6QEQ8.x64.dll	NAvp47u2Z0fewVg.exe
File created	C:\Program Files (x86)\PriceLess\bxtMo6mor6QEQ8.dll	NAvp47u2Z0fewVg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

NAvp47u2Z0fewVg.exe

pid process

4916 NAvp47u2Z0fewVg.exe
4916 NAvp47u2Z0fewVg.exe

pid	process
4916	NAvp47u2Z0fewVg.exe
4916	NAvp47u2Z0fewVg.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a86d96d903c9be785a901a279a1926e3d8dc0681d0bf18516271ff43dc116f94.exeNAvp47u2Z0fewVg.exeregsvr32.exe

description	pid	process	target process
PID 1428 wrote to memory of 4916	1428	a86d96d903c9be785a901a279a1926e3d8dc0681d0bf18516271ff43dc116f94.exe	NAvp47u2Z0fewVg.exe
PID 1428 wrote to memory of 4916	1428	a86d96d903c9be785a901a279a1926e3d8dc0681d0bf18516271ff43dc116f94.exe	NAvp47u2Z0fewVg.exe
PID 1428 wrote to memory of 4916	1428	a86d96d903c9be785a901a279a1926e3d8dc0681d0bf18516271ff43dc116f94.exe	NAvp47u2Z0fewVg.exe
PID 4916 wrote to memory of 3392	4916	NAvp47u2Z0fewVg.exe	regsvr32.exe
PID 4916 wrote to memory of 3392	4916	NAvp47u2Z0fewVg.exe	regsvr32.exe
PID 4916 wrote to memory of 3392	4916	NAvp47u2Z0fewVg.exe	regsvr32.exe
PID 3392 wrote to memory of 3576	3392	regsvr32.exe	regsvr32.exe
PID 3392 wrote to memory of 3576	3392	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\a86d96d903c9be785a901a279a1926e3d8dc0681d0bf18516271ff43dc116f94.exe
"C:\Users\Admin\AppData\Local\Temp\a86d96d903c9be785a901a279a1926e3d8dc0681d0bf18516271ff43dc116f94.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\7zS6E0C.tmp\NAvp47u2Z0fewVg.exe
.\NAvp47u2Z0fewVg.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\PriceLess\bxtMo6mor6QEQ8.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\PriceLess\bxtMo6mor6QEQ8.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:3576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PriceLess\bxtMo6mor6QEQ8.dat

Filesize
6KB

MD5
36f7129a0a7f2c6310beb5d7422c4cd6

SHA1
441cee8e36bcbb48b03b91b166c6c562dcff7922

SHA256
d25ed588acfc52d721d04751c4e260a5eac4137737018b8666e4fedb8fe34213

SHA512
1e1e8c3e98dd4eb792aab20da084655a9ce2b8c739fbd05af9cbb355427d6594bac59f4cffcbe2a29042e201f37391ffc9fb2afc361ffbd491325353cf3861a9

Download Submit
C:\Program Files (x86)\PriceLess\bxtMo6mor6QEQ8.dll

Filesize
621KB

MD5
021d6ecac6ffca37cd098212eb99c22e

SHA1
e662d4f6bcee66df291ee638349bd75d5468e834

SHA256
f9f805536f4f45348b36aa4d60ed1b9869c5fe36acea58c25064dbcdb1a0ee50

SHA512
8fd459ead2ab976a17588f1e5e6c39ffab032d98a1903c1f70ae89dc273eca0a49662f582b6da9e394298ed4f11b7abad50bb51229f77ff2c95502672359572f

Download Submit
C:\Program Files (x86)\PriceLess\bxtMo6mor6QEQ8.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
C:\Program Files (x86)\PriceLess\bxtMo6mor6QEQ8.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
C:\Program Files (x86)\PriceLess\bxtMo6mor6QEQ8.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E0C.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E0C.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
b36f430f99d3cbaadeb66b5c1f1206d2

SHA1
a2fcbbd889cba2abdb31e83aa18b530629be9515

SHA256
a87d22701b434c42fba6def908ef437d6273462c96637f50bb64051a4ee01f76

SHA512
988f0c2cd453d7254a72156993e0ac9bc0788f86c9ef849f78901c96761fb015630ff3da545d12358a27d836bda233f6274c077085981db47fcf90a4079fcfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E0C.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
6764dc6afdffed13d8df0aca9524dea5

SHA1
65ddd6b9f97cd90261135e3d0fe8c5a15a939184

SHA256
6af73318af521817c9ab94cb019f5a74cd019da7f70e28949e1cb2eff48f099e

SHA512
e5822cdf5117e1aba6fa8b4585e72d6df669486668569301942cf90ed6905cf2e5a8d0d40517fe1349498a1bf3de0b8e3a03c87532b8714e1f39a2c2a662bfb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E0C.tmp\[email protected]\install.rdf

Filesize
594B

MD5
c3ecc3eccf4ca9342e2b7f4a964a3152

SHA1
24f6aebfab0af14c1652de9a4b2078b9ddcdb7b2

SHA256
46633e7b4399ebc70248fed766161b5f6eb86c7a7e479db789e4239f7ac8dfd1

SHA512
97cf46d3ca5700068349d9d313243259fd09bf69149a1029b4d585ed3b8708cddabacf1b7b67381faab628348ecd24de881081f437b6dd86fc7ab559abd32b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E0C.tmp\NAvp47u2Z0fewVg.dat

Filesize
6KB

MD5
36f7129a0a7f2c6310beb5d7422c4cd6

SHA1
441cee8e36bcbb48b03b91b166c6c562dcff7922

SHA256
d25ed588acfc52d721d04751c4e260a5eac4137737018b8666e4fedb8fe34213

SHA512
1e1e8c3e98dd4eb792aab20da084655a9ce2b8c739fbd05af9cbb355427d6594bac59f4cffcbe2a29042e201f37391ffc9fb2afc361ffbd491325353cf3861a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E0C.tmp\NAvp47u2Z0fewVg.exe

Filesize
622KB

MD5
80fb7c6cb182b769448bd45c28fcc963

SHA1
454ad8e9ee2267c72222e7f8a902b2c19cfab01d

SHA256
9abc0a4bba0b42851bed08efb7c1643105b9f256e8ac53ae21d8d7269f9948b3

SHA512
224e8954fcb850ab2570005aa9ba82e643a65e0efaba70ac29b045ec9aba9d11414a211c7e87a8ba96eba1bd872d7541bc0d32890a87b20c814d573cfcfb0f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E0C.tmp\NAvp47u2Z0fewVg.exe

Filesize
622KB

MD5
80fb7c6cb182b769448bd45c28fcc963

SHA1
454ad8e9ee2267c72222e7f8a902b2c19cfab01d

SHA256
9abc0a4bba0b42851bed08efb7c1643105b9f256e8ac53ae21d8d7269f9948b3

SHA512
224e8954fcb850ab2570005aa9ba82e643a65e0efaba70ac29b045ec9aba9d11414a211c7e87a8ba96eba1bd872d7541bc0d32890a87b20c814d573cfcfb0f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E0C.tmp\bkkckidglbmfgbhdhfmimakhlbejlgjh\background.html

Filesize
144B

MD5
0e4db4c34e0bd3d6bc04b47d0a72eb9e

SHA1
c2f07b55b195635dbc0f36e64a7458f465b9b217

SHA256
fdddc5773289c3dc0f19d6cf99be834181c722fc23c8c14f1affdeede7c2d3b1

SHA512
27cc01a62accaea19b51f4996e7d0c9e0975ac0273af56c3cf3b4b911a65d488d44be66428bb976324babea6ee092f2074d42fee4b5e24b36ea662b2453f4889

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E0C.tmp\bkkckidglbmfgbhdhfmimakhlbejlgjh\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E0C.tmp\bkkckidglbmfgbhdhfmimakhlbejlgjh\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E0C.tmp\bkkckidglbmfgbhdhfmimakhlbejlgjh\mXBS2PJ.js

Filesize
5KB

MD5
dae78e2535f38b6335032ec63342a189

SHA1
c6fcf4c9543140523b1641c9f28d28da7a561a8b

SHA256
00b43ae6aec0307edd21bc0cf5423384e2bc48bb6e61575689b3f104f6f18aaf

SHA512
834b4fe63413754dc4adc18f7cb63fd2a1a095c7616edb0c530b05daca757ff2a1c8d7c06c16c964eb74e0a815570aa5944892de046faf012953244e803c8770

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E0C.tmp\bkkckidglbmfgbhdhfmimakhlbejlgjh\manifest.json

Filesize
501B

MD5
9d9d74bfa8e9ace025b834b96419d05e

SHA1
f5e56a100b0208b88335859cec692d867ffb572b

SHA256
a54dc66b61256c08f2bf60f507673814d263effe532fd8e6e1e1d662eca1d265

SHA512
4c8b216a781da9d366d5ea49e66dda6313c1f12947e59119782d14fe07ffa2db9de5b4e818f6e58088dd90f167ac8168796887676e0eacf7a86d2c9f7c3c1512

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E0C.tmp\bxtMo6mor6QEQ8.dll

Filesize
621KB

MD5
021d6ecac6ffca37cd098212eb99c22e

SHA1
e662d4f6bcee66df291ee638349bd75d5468e834

SHA256
f9f805536f4f45348b36aa4d60ed1b9869c5fe36acea58c25064dbcdb1a0ee50

SHA512
8fd459ead2ab976a17588f1e5e6c39ffab032d98a1903c1f70ae89dc273eca0a49662f582b6da9e394298ed4f11b7abad50bb51229f77ff2c95502672359572f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E0C.tmp\bxtMo6mor6QEQ8.tlb

Filesize
3KB

MD5
38dcedc06ce882652b73038799f369c1

SHA1
09985c74e62920963791808be0765222d2a517d3

SHA256
37996a9f383f824002a73026332578b823bacad0a736f2f4c25401f6e2da307c

SHA512
78b7ab8fc102a0f874d24bb40e7b399befe3eb8788c08b059487770dd83a390daf0011c34d6cd29dd78e3436bfd6587fff2f50bde0c3bed49e6ffe27ef0b4c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6E0C.tmp\bxtMo6mor6QEQ8.x64.dll

Filesize
699KB

MD5
ab6775c5bb7ec35da3edb40a512efc67

SHA1
62d695981e4e91137a52311eda763ab69aa28739

SHA256
329366453e9690aa8bc34a4d2cec6f90e2b0ddac7608fdfa2a59b950e099f48c

SHA512
07497f58eac44f9b626cf02e1d3043bf51779e7e7fe49878cdcf5888c93a1123043e9c5b813a1049922470ec2116d1d60fa66c770162ef778fc182a878b7ce8c

Download Submit
memory/3392-149-0x0000000000000000-mapping.dmp

Download
memory/3576-152-0x0000000000000000-mapping.dmp

Download
memory/4916-132-0x0000000000000000-mapping.dmp

Download