fe27c6e73e2a1a7bfeafc239d8b147b52ded5b0256c0889f0d2dde4531dd12e9

Analysis

max time kernel
222s
max time network
243s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe27c6e73e2a1a7bfeafc239d8b147b52ded5b0256c0889f0d2dde4531dd12e9.exe
Size

2.5MB
MD5

3c6acff981e9d8d9320f2168f79fe9ff
SHA1

0eed5bcc91048169a674413e22b8d97cf9bb85ce
SHA256

fe27c6e73e2a1a7bfeafc239d8b147b52ded5b0256c0889f0d2dde4531dd12e9
SHA512

49d3dcadfb5f46d3450b786d810aac4a3fd4fef470f311cb2d50f3abde351ae1fb84616612e14ea8b87edbce27f7322e0301fce97ad0d42d060c2393909d6df9
SSDEEP

49152:h1OssjtPNg3MaK+715e2Yl8Wd7dZcRGzPbXO2mg6P1Ql5PPLKMRnUDa:h1OljVNI71i86pZbz55PPLKMRUu

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

c2dI8MusdAlEKzv.exe

pid process

5052 c2dI8MusdAlEKzv.exe
Loads dropped DLL 3 IoCs

Processes:

c2dI8MusdAlEKzv.exeregsvr32.exeregsvr32.exe

pid process

5052 c2dI8MusdAlEKzv.exe
4476 regsvr32.exe
4608 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
5052	c2dI8MusdAlEKzv.exe

pid	process
5052	c2dI8MusdAlEKzv.exe
4476	regsvr32.exe
4608	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

c2dI8MusdAlEKzv.exe

description	ioc	process
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\hpgoajokipllhfknkmfkmhopadhpodhl\5.2\manifest.json	c2dI8MusdAlEKzv.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hpgoajokipllhfknkmfkmhopadhpodhl\5.2\manifest.json	c2dI8MusdAlEKzv.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hpgoajokipllhfknkmfkmhopadhpodhl\5.2\manifest.json	c2dI8MusdAlEKzv.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\hpgoajokipllhfknkmfkmhopadhpodhl\5.2\manifest.json	c2dI8MusdAlEKzv.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hpgoajokipllhfknkmfkmhopadhpodhl\5.2\manifest.json	c2dI8MusdAlEKzv.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exec2dI8MusdAlEKzv.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	c2dI8MusdAlEKzv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	c2dI8MusdAlEKzv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	c2dI8MusdAlEKzv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	c2dI8MusdAlEKzv.exe

Drops file in Program Files directory 8 IoCs

Processes:

c2dI8MusdAlEKzv.exe

description	ioc	process
File created	C:\Program Files (x86)\PriceLess\w0PWCG2XvHAldj.tlb	c2dI8MusdAlEKzv.exe
File opened for modification	C:\Program Files (x86)\PriceLess\w0PWCG2XvHAldj.tlb	c2dI8MusdAlEKzv.exe
File created	C:\Program Files (x86)\PriceLess\w0PWCG2XvHAldj.dat	c2dI8MusdAlEKzv.exe
File opened for modification	C:\Program Files (x86)\PriceLess\w0PWCG2XvHAldj.dat	c2dI8MusdAlEKzv.exe
File created	C:\Program Files (x86)\PriceLess\w0PWCG2XvHAldj.x64.dll	c2dI8MusdAlEKzv.exe
File opened for modification	C:\Program Files (x86)\PriceLess\w0PWCG2XvHAldj.x64.dll	c2dI8MusdAlEKzv.exe
File created	C:\Program Files (x86)\PriceLess\w0PWCG2XvHAldj.dll	c2dI8MusdAlEKzv.exe
File opened for modification	C:\Program Files (x86)\PriceLess\w0PWCG2XvHAldj.dll	c2dI8MusdAlEKzv.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c2dI8MusdAlEKzv.exe

pid process

5052 c2dI8MusdAlEKzv.exe
5052 c2dI8MusdAlEKzv.exe

pid	process
5052	c2dI8MusdAlEKzv.exe
5052	c2dI8MusdAlEKzv.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fe27c6e73e2a1a7bfeafc239d8b147b52ded5b0256c0889f0d2dde4531dd12e9.exec2dI8MusdAlEKzv.exeregsvr32.exe

description	pid	process	target process
PID 1660 wrote to memory of 5052	1660	fe27c6e73e2a1a7bfeafc239d8b147b52ded5b0256c0889f0d2dde4531dd12e9.exe	c2dI8MusdAlEKzv.exe
PID 1660 wrote to memory of 5052	1660	fe27c6e73e2a1a7bfeafc239d8b147b52ded5b0256c0889f0d2dde4531dd12e9.exe	c2dI8MusdAlEKzv.exe
PID 1660 wrote to memory of 5052	1660	fe27c6e73e2a1a7bfeafc239d8b147b52ded5b0256c0889f0d2dde4531dd12e9.exe	c2dI8MusdAlEKzv.exe
PID 5052 wrote to memory of 4476	5052	c2dI8MusdAlEKzv.exe	regsvr32.exe
PID 5052 wrote to memory of 4476	5052	c2dI8MusdAlEKzv.exe	regsvr32.exe
PID 5052 wrote to memory of 4476	5052	c2dI8MusdAlEKzv.exe	regsvr32.exe
PID 4476 wrote to memory of 4608	4476	regsvr32.exe	regsvr32.exe
PID 4476 wrote to memory of 4608	4476	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\fe27c6e73e2a1a7bfeafc239d8b147b52ded5b0256c0889f0d2dde4531dd12e9.exe
"C:\Users\Admin\AppData\Local\Temp\fe27c6e73e2a1a7bfeafc239d8b147b52ded5b0256c0889f0d2dde4531dd12e9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Local\Temp\7zS1CE9.tmp\c2dI8MusdAlEKzv.exe
.\c2dI8MusdAlEKzv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\PriceLess\w0PWCG2XvHAldj.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\PriceLess\w0PWCG2XvHAldj.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:4608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PriceLess\w0PWCG2XvHAldj.dat

Filesize
6KB

MD5
db83ba6417a4f672d67d52ca27b0e6e9

SHA1
f2556c67784805fa3211cb60891b2f0614929b21

SHA256
dfe402718dbdedfb989e5af314a7fa8b6fd89d648cf98889d51c110ec823f31b

SHA512
cf9ee04db33e391c9c610f92b9a6215558304e5728f7fe097ed9d794460b0641413b4c2395cf9ec04160efa205de3104a59af2671309bbbad5847e920f1324f8

Download Submit
C:\Program Files (x86)\PriceLess\w0PWCG2XvHAldj.dll

Filesize
741KB

MD5
02955857b45fa9ddd4229b9d67f65d93

SHA1
a5fe5c71d62bd9648ab25660d7cae6eff98af3ed

SHA256
839e59c1dd9fa6ce4ed8b4b964b32a3afdd5b6b621580c47cdad754868abe753

SHA512
0b0c6a7754abead8aec777a1ee4330f4c5ee90aebde30266e6ad93f356f91abbe4a2bc3fdc924556edb82c3b4bd0f97191e72d6039bed14975d5e5b940af3261

Download Submit
C:\Program Files (x86)\PriceLess\w0PWCG2XvHAldj.x64.dll

Filesize
879KB

MD5
f60a9be9218f7d3c329205bd4f585ee7

SHA1
8b31e1d5b92ff6642cc5fb707ec76596ce84002c

SHA256
7b08c02a0b7315c5b860b594d6486f85a8c182a1851313e1a6299810b896d394

SHA512
a6a18d63220f92f80881aaf5f7ed936d7e317a50fe2fc0452f5b3c6793b5b6ffac782366c65d91d7cad1b5a68149f5fa9cd82cf57ba0208ea271c792bddee6a7

Download Submit
C:\Program Files (x86)\PriceLess\w0PWCG2XvHAldj.x64.dll

Filesize
879KB

MD5
f60a9be9218f7d3c329205bd4f585ee7

SHA1
8b31e1d5b92ff6642cc5fb707ec76596ce84002c

SHA256
7b08c02a0b7315c5b860b594d6486f85a8c182a1851313e1a6299810b896d394

SHA512
a6a18d63220f92f80881aaf5f7ed936d7e317a50fe2fc0452f5b3c6793b5b6ffac782366c65d91d7cad1b5a68149f5fa9cd82cf57ba0208ea271c792bddee6a7

Download Submit
C:\Program Files (x86)\PriceLess\w0PWCG2XvHAldj.x64.dll

Filesize
879KB

MD5
f60a9be9218f7d3c329205bd4f585ee7

SHA1
8b31e1d5b92ff6642cc5fb707ec76596ce84002c

SHA256
7b08c02a0b7315c5b860b594d6486f85a8c182a1851313e1a6299810b896d394

SHA512
a6a18d63220f92f80881aaf5f7ed936d7e317a50fe2fc0452f5b3c6793b5b6ffac782366c65d91d7cad1b5a68149f5fa9cd82cf57ba0208ea271c792bddee6a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1CE9.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1CE9.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
8ca81e9bbd61452e3c040145724482e8

SHA1
7a5e3c792b851950397d39bc7a93e544c2ff0ee5

SHA256
b46b0c69187a2137674de8bb05f4988cb451677d1bb090d80e13ebc5a2ac1ac1

SHA512
d40da9bbae506fb7db30029305e002c55a86e217a39a1943d4e70cc832a5044ca150cc25a085b505387b5aac94dbc6d5dedc3d62fa2405f075ba0117d74ad1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1CE9.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
20d9eacfba26db4002da1a0721be1a1f

SHA1
44f9259a2ed6bf11d1ad5432f876874c9a99138a

SHA256
19775d703a5aa3879cf282fdcfc31120dd1634269e0d5de07ac907f81976e09c

SHA512
ea8f6bc16a2d67a1e902e3b22e2e0bac0de1db1b125cccc5555a587226d97e642d47de3e411f423cd652862445f301ba40bf78211c2b9e4aa6c211f3068cbd7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1CE9.tmp\[email protected]\install.rdf

Filesize
593B

MD5
0d40212ab04943e871740d5bc4fbd75e

SHA1
4a1fec74bf231a4999bb72d35897e278a3f8794e

SHA256
c1a3c54aae13f4a6cc2d16eefbe2218ee3e75eb549be9e2b9cbde5ebd367fdae

SHA512
42cad73b166118daad9658108228016215da6989700eb50e57cc010affbd5627198e5c5615eb4a5d243e0dec105aebf289c0526d8fdf016fb07f28e596157f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1CE9.tmp\c2dI8MusdAlEKzv.dat

Filesize
6KB

MD5
db83ba6417a4f672d67d52ca27b0e6e9

SHA1
f2556c67784805fa3211cb60891b2f0614929b21

SHA256
dfe402718dbdedfb989e5af314a7fa8b6fd89d648cf98889d51c110ec823f31b

SHA512
cf9ee04db33e391c9c610f92b9a6215558304e5728f7fe097ed9d794460b0641413b4c2395cf9ec04160efa205de3104a59af2671309bbbad5847e920f1324f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1CE9.tmp\c2dI8MusdAlEKzv.exe

Filesize
783KB

MD5
e5f19b8f3fa9ba590482ee5d1c7ed005

SHA1
e3d599ca32f07024e281f26e764ef09697aba822

SHA256
688036044c4521a1841e9fb5a704d505bfc47c4fc80be111e9a321869a56f9b9

SHA512
dde4cd947a2820da9a70c584ad136fc87bf68e272e3b5842967580165a602225fcb754966f2f5d3e66db87026c68f61055893b4d2033183ab5b35fe96d4e16ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1CE9.tmp\c2dI8MusdAlEKzv.exe

Filesize
783KB

MD5
e5f19b8f3fa9ba590482ee5d1c7ed005

SHA1
e3d599ca32f07024e281f26e764ef09697aba822

SHA256
688036044c4521a1841e9fb5a704d505bfc47c4fc80be111e9a321869a56f9b9

SHA512
dde4cd947a2820da9a70c584ad136fc87bf68e272e3b5842967580165a602225fcb754966f2f5d3e66db87026c68f61055893b4d2033183ab5b35fe96d4e16ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1CE9.tmp\hpgoajokipllhfknkmfkmhopadhpodhl\background.html

Filesize
144B

MD5
9d45ec4895770b81281bf826f9278909

SHA1
cb870d1ef769a928d3db84689c29a9f52da6cf8e

SHA256
7aeeb6dcaa2139dd766a9457b865adff8f13a30f93e905ed7ea25220516052b8

SHA512
900ab47a17deb9eb28fa794b38fd570a380715af165d86e586e342e625ded7d2a3665cc46c83fc50dae13c371f75ed9655dce552cfe63eeb769febb74de01378

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1CE9.tmp\hpgoajokipllhfknkmfkmhopadhpodhl\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1CE9.tmp\hpgoajokipllhfknkmfkmhopadhpodhl\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1CE9.tmp\hpgoajokipllhfknkmfkmhopadhpodhl\manifest.json

Filesize
501B

MD5
9d9d74bfa8e9ace025b834b96419d05e

SHA1
f5e56a100b0208b88335859cec692d867ffb572b

SHA256
a54dc66b61256c08f2bf60f507673814d263effe532fd8e6e1e1d662eca1d265

SHA512
4c8b216a781da9d366d5ea49e66dda6313c1f12947e59119782d14fe07ffa2db9de5b4e818f6e58088dd90f167ac8168796887676e0eacf7a86d2c9f7c3c1512

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1CE9.tmp\hpgoajokipllhfknkmfkmhopadhpodhl\xhTq1tU.js

Filesize
5KB

MD5
1e5f4dc3dbbc8e1c9e58e97bcf05c3a6

SHA1
e6288c819038763dfadf185fb27dfeacc5fc6e29

SHA256
bb44a06c254fa7fb0f62c5b11da53de0858bf3229a6da967742875f03ed44dfd

SHA512
117b72209bd2f05064aeaa080c48f914ce68a944ceb4aa77e60331df8e695c63807fa77eb861e874e7506f25ea17a32c5e99543580415943dd7ccf9c544ea293

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1CE9.tmp\w0PWCG2XvHAldj.dll

Filesize
741KB

MD5
02955857b45fa9ddd4229b9d67f65d93

SHA1
a5fe5c71d62bd9648ab25660d7cae6eff98af3ed

SHA256
839e59c1dd9fa6ce4ed8b4b964b32a3afdd5b6b621580c47cdad754868abe753

SHA512
0b0c6a7754abead8aec777a1ee4330f4c5ee90aebde30266e6ad93f356f91abbe4a2bc3fdc924556edb82c3b4bd0f97191e72d6039bed14975d5e5b940af3261

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1CE9.tmp\w0PWCG2XvHAldj.tlb

Filesize
3KB

MD5
75846c93e1f5b9d77fcc4520a65b4936

SHA1
f4631b5f768bfa33063a96c7a0da478c1fb28791

SHA256
c6843974e37a7eb67c2e6550cec7ffd63645d80f4bd9613430e5824b4604b08b

SHA512
a51876207191e351f955e614be727f9b0141cce69d46f7bbf141a632306fe277de3372848c5b707da525d22bafca044b0a73c544a2a670d4056d33f37f7b328c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1CE9.tmp\w0PWCG2XvHAldj.x64.dll

Filesize
879KB

MD5
f60a9be9218f7d3c329205bd4f585ee7

SHA1
8b31e1d5b92ff6642cc5fb707ec76596ce84002c

SHA256
7b08c02a0b7315c5b860b594d6486f85a8c182a1851313e1a6299810b896d394

SHA512
a6a18d63220f92f80881aaf5f7ed936d7e317a50fe2fc0452f5b3c6793b5b6ffac782366c65d91d7cad1b5a68149f5fa9cd82cf57ba0208ea271c792bddee6a7

Download Submit
memory/4476-149-0x0000000000000000-mapping.dmp

Download
memory/4608-152-0x0000000000000000-mapping.dmp

Download
memory/5052-132-0x0000000000000000-mapping.dmp

Download