fc24269e0ab6a0129ecc38c2967f6328d5978b73051b09246c2f2c652603ceb1

Analysis

max time kernel
104s
max time network
400s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc24269e0ab6a0129ecc38c2967f6328d5978b73051b09246c2f2c652603ceb1.exe
Size

2.5MB
MD5

289033e1bb13643cb77843ed0f87dabf
SHA1

dcacd21cf010bd733dda6d1a67fd69320632f163
SHA256

fc24269e0ab6a0129ecc38c2967f6328d5978b73051b09246c2f2c652603ceb1
SHA512

c2f5d807d60549be9d757d8d80dcd267b6e75784c45e7ba994b8652719dd9df77b1eb1b7de833b985c4570479a87b7342d687c7bf6ee5529271da86bf2562d63
SSDEEP

49152:h1OsnQjO6HHzayGBe/7rzNsVa5WfDm48PhGThdNjnoi:h1OCzMHcBUsc5Wf3dVj

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

0dwDGYEDsxqTAUQ.exe

pid process

2020 0dwDGYEDsxqTAUQ.exe
Loads dropped DLL 3 IoCs

Processes:

0dwDGYEDsxqTAUQ.exeregsvr32.exeregsvr32.exe

pid process

2020 0dwDGYEDsxqTAUQ.exe
4564 regsvr32.exe
2380 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2020	0dwDGYEDsxqTAUQ.exe

pid	process
2020	0dwDGYEDsxqTAUQ.exe
4564	regsvr32.exe
2380	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

0dwDGYEDsxqTAUQ.exe

description	ioc	process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkoiadknidkjhocmpgmgcmbhonknmpfp\5.2\manifest.json	0dwDGYEDsxqTAUQ.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkoiadknidkjhocmpgmgcmbhonknmpfp\5.2\manifest.json	0dwDGYEDsxqTAUQ.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkoiadknidkjhocmpgmgcmbhonknmpfp\5.2\manifest.json	0dwDGYEDsxqTAUQ.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkoiadknidkjhocmpgmgcmbhonknmpfp\5.2\manifest.json	0dwDGYEDsxqTAUQ.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\kkoiadknidkjhocmpgmgcmbhonknmpfp\5.2\manifest.json	0dwDGYEDsxqTAUQ.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

0dwDGYEDsxqTAUQ.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	0dwDGYEDsxqTAUQ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	0dwDGYEDsxqTAUQ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	0dwDGYEDsxqTAUQ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	0dwDGYEDsxqTAUQ.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

0dwDGYEDsxqTAUQ.exe

description	ioc	process
File created	C:\Program Files (x86)\PriceLess\AKQyslVETYRuhP.dll	0dwDGYEDsxqTAUQ.exe
File opened for modification	C:\Program Files (x86)\PriceLess\AKQyslVETYRuhP.dll	0dwDGYEDsxqTAUQ.exe
File created	C:\Program Files (x86)\PriceLess\AKQyslVETYRuhP.tlb	0dwDGYEDsxqTAUQ.exe
File opened for modification	C:\Program Files (x86)\PriceLess\AKQyslVETYRuhP.tlb	0dwDGYEDsxqTAUQ.exe
File created	C:\Program Files (x86)\PriceLess\AKQyslVETYRuhP.dat	0dwDGYEDsxqTAUQ.exe
File opened for modification	C:\Program Files (x86)\PriceLess\AKQyslVETYRuhP.dat	0dwDGYEDsxqTAUQ.exe
File created	C:\Program Files (x86)\PriceLess\AKQyslVETYRuhP.x64.dll	0dwDGYEDsxqTAUQ.exe
File opened for modification	C:\Program Files (x86)\PriceLess\AKQyslVETYRuhP.x64.dll	0dwDGYEDsxqTAUQ.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0dwDGYEDsxqTAUQ.exe

pid process

2020 0dwDGYEDsxqTAUQ.exe
2020 0dwDGYEDsxqTAUQ.exe

pid	process
2020	0dwDGYEDsxqTAUQ.exe
2020	0dwDGYEDsxqTAUQ.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fc24269e0ab6a0129ecc38c2967f6328d5978b73051b09246c2f2c652603ceb1.exe0dwDGYEDsxqTAUQ.exeregsvr32.exe

description	pid	process	target process
PID 4708 wrote to memory of 2020	4708	fc24269e0ab6a0129ecc38c2967f6328d5978b73051b09246c2f2c652603ceb1.exe	0dwDGYEDsxqTAUQ.exe
PID 4708 wrote to memory of 2020	4708	fc24269e0ab6a0129ecc38c2967f6328d5978b73051b09246c2f2c652603ceb1.exe	0dwDGYEDsxqTAUQ.exe
PID 4708 wrote to memory of 2020	4708	fc24269e0ab6a0129ecc38c2967f6328d5978b73051b09246c2f2c652603ceb1.exe	0dwDGYEDsxqTAUQ.exe
PID 2020 wrote to memory of 4564	2020	0dwDGYEDsxqTAUQ.exe	regsvr32.exe
PID 2020 wrote to memory of 4564	2020	0dwDGYEDsxqTAUQ.exe	regsvr32.exe
PID 2020 wrote to memory of 4564	2020	0dwDGYEDsxqTAUQ.exe	regsvr32.exe
PID 4564 wrote to memory of 2380	4564	regsvr32.exe	regsvr32.exe
PID 4564 wrote to memory of 2380	4564	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\fc24269e0ab6a0129ecc38c2967f6328d5978b73051b09246c2f2c652603ceb1.exe
"C:\Users\Admin\AppData\Local\Temp\fc24269e0ab6a0129ecc38c2967f6328d5978b73051b09246c2f2c652603ceb1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Local\Temp\7zS6156.tmp\0dwDGYEDsxqTAUQ.exe
.\0dwDGYEDsxqTAUQ.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\PriceLess\AKQyslVETYRuhP.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\PriceLess\AKQyslVETYRuhP.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:2380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PriceLess\AKQyslVETYRuhP.dat

Filesize
6KB

MD5
24e99d6c7b83632f3e9840091434612a

SHA1
df595b83ec4f47fcc37a33db4b66d023ed9ac8d3

SHA256
d01319d4b5ec9cf9280cbad49668a8f52f950ac78c27a368da692579f3e081ec

SHA512
52ab194113045751e9f39bbe49f9c8cb17f04f8a79ea7b66d4e710cc89478f2d9194aa7a176445e27335cdf69813394aa45c0f9e9c38612c18a6ed1f3f6f82df

Download Submit
C:\Program Files (x86)\PriceLess\AKQyslVETYRuhP.dll

Filesize
741KB

MD5
0f2db92a7d763af605b6273a4aa18382

SHA1
c9e6e9eb3c2050c86afa1b79e437ea8c8252573f

SHA256
ebdf480f55d619da9a5f23810ef174f5e789d81899bf4f63371cfd95e402658a

SHA512
824230a31cd7e7410c369dae190c1a3bec7498f52740b484e5d09c76265dbd71fb989f5ce889ca8a4f1ae28eb740e39d020b9581aa0496ae394d6ff3874038e5

Download Submit
C:\Program Files (x86)\PriceLess\AKQyslVETYRuhP.x64.dll

Filesize
879KB

MD5
0b282547d65c4597ac0f2c5cc09c3b37

SHA1
43a626f01c7ead04cee4b8523b02ee7248271051

SHA256
c8dbfff7b084eb5ff31be01fbd03f392b4c7cb192e904810c7a9e60b985be846

SHA512
541a816d8981656a697f96a89daad2a2d84c9f4a0769175babf8a2785ad6580c2fc3180575a8feeab39f5956176ef4ed4c80f433b557775c359ca3659219da30

Download Submit
C:\Program Files (x86)\PriceLess\AKQyslVETYRuhP.x64.dll

Filesize
879KB

MD5
0b282547d65c4597ac0f2c5cc09c3b37

SHA1
43a626f01c7ead04cee4b8523b02ee7248271051

SHA256
c8dbfff7b084eb5ff31be01fbd03f392b4c7cb192e904810c7a9e60b985be846

SHA512
541a816d8981656a697f96a89daad2a2d84c9f4a0769175babf8a2785ad6580c2fc3180575a8feeab39f5956176ef4ed4c80f433b557775c359ca3659219da30

Download Submit
C:\Program Files (x86)\PriceLess\AKQyslVETYRuhP.x64.dll

Filesize
879KB

MD5
0b282547d65c4597ac0f2c5cc09c3b37

SHA1
43a626f01c7ead04cee4b8523b02ee7248271051

SHA256
c8dbfff7b084eb5ff31be01fbd03f392b4c7cb192e904810c7a9e60b985be846

SHA512
541a816d8981656a697f96a89daad2a2d84c9f4a0769175babf8a2785ad6580c2fc3180575a8feeab39f5956176ef4ed4c80f433b557775c359ca3659219da30

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6156.tmp\0dwDGYEDsxqTAUQ.dat

Filesize
6KB

MD5
24e99d6c7b83632f3e9840091434612a

SHA1
df595b83ec4f47fcc37a33db4b66d023ed9ac8d3

SHA256
d01319d4b5ec9cf9280cbad49668a8f52f950ac78c27a368da692579f3e081ec

SHA512
52ab194113045751e9f39bbe49f9c8cb17f04f8a79ea7b66d4e710cc89478f2d9194aa7a176445e27335cdf69813394aa45c0f9e9c38612c18a6ed1f3f6f82df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6156.tmp\0dwDGYEDsxqTAUQ.exe

Filesize
768KB

MD5
09e156c94b649920c0c6efa8508ada9a

SHA1
8ba966f84a07648613468b06a11d17f2650e8af0

SHA256
2584e4b5077edba37c8e6f97ccdc2e582136ae0144212b37eb97cd4d8685059a

SHA512
1a1d2ff05d413ec1c18735dcb06775f0e652fc778f0ce31a9bdc8e567beb32253df635ee2e9b3bdc430c49f0f5ca6128e44cbd88b2cb712a6712c8327f209375

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6156.tmp\0dwDGYEDsxqTAUQ.exe

Filesize
768KB

MD5
09e156c94b649920c0c6efa8508ada9a

SHA1
8ba966f84a07648613468b06a11d17f2650e8af0

SHA256
2584e4b5077edba37c8e6f97ccdc2e582136ae0144212b37eb97cd4d8685059a

SHA512
1a1d2ff05d413ec1c18735dcb06775f0e652fc778f0ce31a9bdc8e567beb32253df635ee2e9b3bdc430c49f0f5ca6128e44cbd88b2cb712a6712c8327f209375

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6156.tmp\AKQyslVETYRuhP.dll

Filesize
741KB

MD5
0f2db92a7d763af605b6273a4aa18382

SHA1
c9e6e9eb3c2050c86afa1b79e437ea8c8252573f

SHA256
ebdf480f55d619da9a5f23810ef174f5e789d81899bf4f63371cfd95e402658a

SHA512
824230a31cd7e7410c369dae190c1a3bec7498f52740b484e5d09c76265dbd71fb989f5ce889ca8a4f1ae28eb740e39d020b9581aa0496ae394d6ff3874038e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6156.tmp\AKQyslVETYRuhP.tlb

Filesize
3KB

MD5
b826030b97202e2efa7f7a60493c61a7

SHA1
8145289ac846d579df907dc43fa79fa5866f2930

SHA256
df318425290a57dbdaffd19be838eb1317d38d00be224272168375251cb2f83f

SHA512
246becba94b93fa2e79e9938efe94fd325e18ecd1ce93f642e184ba89d230a5cdf5596272e6ace3a7e9440e5aa9eb153bb8bc5ab6f3bc518fca9b790d4f8d6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6156.tmp\AKQyslVETYRuhP.x64.dll

Filesize
879KB

MD5
0b282547d65c4597ac0f2c5cc09c3b37

SHA1
43a626f01c7ead04cee4b8523b02ee7248271051

SHA256
c8dbfff7b084eb5ff31be01fbd03f392b4c7cb192e904810c7a9e60b985be846

SHA512
541a816d8981656a697f96a89daad2a2d84c9f4a0769175babf8a2785ad6580c2fc3180575a8feeab39f5956176ef4ed4c80f433b557775c359ca3659219da30

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6156.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6156.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
9719badeea107acf00b7df9a4de18f39

SHA1
23be228a9d915691796272bf652f416aeb38e4ce

SHA256
f711ab0dd58a8e30093915e0267ad3d59b7594ba6cc0cd90710ad063c89c75c3

SHA512
95597f4541f50e352be01c86c96b0506d40b82994aa3051d834a54481ab49f01b33859c2c48d3d84097c19abd203cb593cdf04dcca00400c29404352995ae359

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6156.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
3218d370104889d80335314eb7110d32

SHA1
eb558689fd6807ddd1974f3e7fa057b19c35673c

SHA256
abe901674f70e3e98e50816396f88ad3f9612d96803d3859f9e6c97832da5c9e

SHA512
fac438d653857f852624e780cf7b52b9790bcc126a21d404f2d28c8353cee08bb71c0ba0a46ac4fcbb71f592e9ec6b6652715db9229f45d8e7c4ecdde4323382

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6156.tmp\[email protected]\install.rdf

Filesize
594B

MD5
600c7988495871b41580741413599b2f

SHA1
9849fbfe45cb84a9d32816921acd33befae66c75

SHA256
c5410e9c6f426a54d6705691ffa3fe8cc144d093c67a1cc31a2e7c2a2cdc04dc

SHA512
27c58e205c8859994e44fcfe3198109125bc7d0efda20aac52c03499d12183c3ca829aa057c24f26915f860deaa5a5740ac5d900994edf978ef0352eb7d9470f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6156.tmp\kkoiadknidkjhocmpgmgcmbhonknmpfp\background.html

Filesize
141B

MD5
f0bd2e7287ad811aa5916033e32694cf

SHA1
3a2775c231e4a04567960d2d68b1ce4bdc79fa59

SHA256
51539cb393b126b1340dd3b0addc52c25e2c00bbb2245a8cb3b0694eeb8834f6

SHA512
06e406813482ac15b3b4bc366ccdda2af400c048ccb9b233de0efb6393812bd694da42b2b8a2cd48f9f6f8d9b2d599727dc96cedddb73b9c146178808db0ad00

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6156.tmp\kkoiadknidkjhocmpgmgcmbhonknmpfp\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6156.tmp\kkoiadknidkjhocmpgmgcmbhonknmpfp\eTAk.js

Filesize
5KB

MD5
a7dd84997a397544501dc70ff4e11fe8

SHA1
fc05e8eb1bcb286ace06d1a4f0edf84d00abff13

SHA256
072196af2e3056f07433ca141af534a68993ad69c717906412b3975541071f65

SHA512
97208623c1f750eccae1ca786e8eb5105aef28d024650ded20b9733dbafff82a68b0f5b577660d2214dd562eb32f32cb33db93b15928bc038cf7b042c6b62f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6156.tmp\kkoiadknidkjhocmpgmgcmbhonknmpfp\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6156.tmp\kkoiadknidkjhocmpgmgcmbhonknmpfp\manifest.json

Filesize
501B

MD5
9d9d74bfa8e9ace025b834b96419d05e

SHA1
f5e56a100b0208b88335859cec692d867ffb572b

SHA256
a54dc66b61256c08f2bf60f507673814d263effe532fd8e6e1e1d662eca1d265

SHA512
4c8b216a781da9d366d5ea49e66dda6313c1f12947e59119782d14fe07ffa2db9de5b4e818f6e58088dd90f167ac8168796887676e0eacf7a86d2c9f7c3c1512

Download Submit
memory/2020-132-0x0000000000000000-mapping.dmp

Download
memory/2380-152-0x0000000000000000-mapping.dmp

Download
memory/4564-149-0x0000000000000000-mapping.dmp

Download