e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471

General

Target

e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Size

4.2MB
MD5

884b5415ce92cc79f1e1a7a7d4927e56
SHA1

4ad61004c594cba0a83908b8b8d1413b5a7985f7
SHA256

e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471
SHA512

0500fa340b778c618ad020689c69ac0e1e31dfe22e613462fdde793ab21c8d3abceab9b20d82ca7052b782c56a7191554185d5b48c84bcc9417a935c327a8bd1
SSDEEP

98304:41BdYNkfC0ESHaxxfyjIILYJ372F+DlP5Hiyc+sh5Xn6uR3hf:4Va0gxxfyICyc+sh5Xn6uR3h

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\InprocServer32\ = "C:\\Program Files (x86)\\PriceLess\\tNLNI930Qx8m24.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exeregsvr32.exeregsvr32.exe

pid process

936 e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
2000 regsvr32.exe
880 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejlnfcjndckhpdomjlbeenggofpdoboo\5.2\manifest.json	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejlnfcjndckhpdomjlbeenggofpdoboo\5.2\manifest.json	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejlnfcjndckhpdomjlbeenggofpdoboo\5.2\manifest.json	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{686cbec3-104a-4c73-b33c-7a036097e6d2}	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{686cbec3-104a-4c73-b33c-7a036097e6d2}\ = "PriceLess"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{686cbec3-104a-4c73-b33c-7a036097e6d2}\NoExplorer = "1"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{686cbec3-104a-4c73-b33c-7a036097e6d2}	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{686cbec3-104a-4c73-b33c-7a036097e6d2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{686cbec3-104a-4c73-b33c-7a036097e6d2}\ = "PriceLess"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{686cbec3-104a-4c73-b33c-7a036097e6d2}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{686cbec3-104a-4c73-b33c-7a036097e6d2}	regsvr32.exe

Drops file in System32 directory 4 IoCs

Processes:

e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe

Drops file in Program Files directory 8 IoCs

Processes:

e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe

description	ioc	process
File created	C:\Program Files (x86)\PriceLess\tNLNI930Qx8m24.tlb	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
File opened for modification	C:\Program Files (x86)\PriceLess\tNLNI930Qx8m24.tlb	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
File created	C:\Program Files (x86)\PriceLess\tNLNI930Qx8m24.dat	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
File opened for modification	C:\Program Files (x86)\PriceLess\tNLNI930Qx8m24.dat	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
File created	C:\Program Files (x86)\PriceLess\tNLNI930Qx8m24.x64.dll	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
File opened for modification	C:\Program Files (x86)\PriceLess\tNLNI930Qx8m24.x64.dll	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
File created	C:\Program Files (x86)\PriceLess\tNLNI930Qx8m24.dll	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
File opened for modification	C:\Program Files (x86)\PriceLess\tNLNI930Qx8m24.dll	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{686cbec3-104a-4c73-b33c-7a036097e6d2}	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{686CBEC3-104A-4C73-B33C-7A036097E6D2}	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{686CBEC3-104A-4C73-B33C-7A036097E6D2}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{686cbec3-104a-4c73-b33c-7a036097e6d2}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe

Modifies registry class 64 IoCs

Processes:

e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\PriceLess\\tNLNI930Qx8m24.tlb"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "PriceLess"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "PriceLess"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\ProgID\ = ".9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\VersionIndependentProgID	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\Programmable	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\InprocServer32\ThreadingModel = "Apartment"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\InprocServer32	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\PriceLess"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\ProgID	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686CBEC3-104A-4C73-B33C-7A036097E6D2}	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\InprocServer32\ = "C:\\Program Files (x86)\\PriceLess\\tNLNI930Qx8m24.x64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\InprocServer32\ = "C:\\Program Files (x86)\\PriceLess\\tNLNI930Qx8m24.dll"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\ = "PriceLess"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\ProgID\ = ".9"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\VersionIndependentProgID	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686CBEC3-104A-4C73-B33C-7A036097E6D2}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\ProgID	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{686CBEC3-104A-4C73-B33C-7A036097E6D2}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\ = "PriceLess"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "PriceLess"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{686cbec3-104a-4c73-b33c-7a036097e6d2}"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{686CBEC3-104A-4C73-B33C-7A036097E6D2}\Implemented Categories	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe

pid	process
936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe

description	pid	process
Token: SeDebugPrivilege	936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Token: SeDebugPrivilege	936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Token: SeDebugPrivilege	936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Token: SeDebugPrivilege	936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Token: SeDebugPrivilege	936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Token: SeDebugPrivilege	936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exeregsvr32.exe

description	pid	process	target process
PID 936 wrote to memory of 2000	936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe	regsvr32.exe
PID 936 wrote to memory of 2000	936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe	regsvr32.exe
PID 936 wrote to memory of 2000	936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe	regsvr32.exe
PID 936 wrote to memory of 2000	936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe	regsvr32.exe
PID 936 wrote to memory of 2000	936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe	regsvr32.exe
PID 936 wrote to memory of 2000	936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe	regsvr32.exe
PID 936 wrote to memory of 2000	936	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe	regsvr32.exe
PID 2000 wrote to memory of 880	2000	regsvr32.exe	regsvr32.exe
PID 2000 wrote to memory of 880	2000	regsvr32.exe	regsvr32.exe
PID 2000 wrote to memory of 880	2000	regsvr32.exe	regsvr32.exe
PID 2000 wrote to memory of 880	2000	regsvr32.exe	regsvr32.exe
PID 2000 wrote to memory of 880	2000	regsvr32.exe	regsvr32.exe
PID 2000 wrote to memory of 880	2000	regsvr32.exe	regsvr32.exe
PID 2000 wrote to memory of 880	2000	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{686cbec3-104a-4c73-b33c-7a036097e6d2} = "1"	e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe

C:\Users\Admin\AppData\Local\Temp\e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe
"C:\Users\Admin\AppData\Local\Temp\e3ded1106245b6fba78505755c0e4d5ff6a5ab6937fbb8bfa9c3dec93db5c471.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:936

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\PriceLess\tNLNI930Qx8m24.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\PriceLess\tNLNI930Qx8m24.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PriceLess\tNLNI930Qx8m24.dat
Filesize
3KB

MD5
5dc0647e65407f4b63e4a794b30cf245

SHA1
2ab0332bbc8db7b391df8587c95d7fb8af7f6568

SHA256
483a2a0d2795c03edc4e551f1f3beb1fa0408f0d2d6a16ae5f796b9818d18412

SHA512
2edadefc09eac42786f1e63c9c12490978220e50bdeb228a9820d7dbe499fe1f3a69b11f1264cc23cf37084f8abaea04f69ef89cc46dbb6b42cab0146bc7e6bf

Download Submit
C:\Program Files (x86)\PriceLess\tNLNI930Qx8m24.tlb
Filesize
3KB

MD5
0d2aeb4f00b6579ca162c9a79f104dba

SHA1
fbc3019106417014ba01e5703e2729496feb6c39

SHA256
4cbe20901caaa5ec47de0c8e5d5333d219bbc51dadf3ad02083b21a2350fd283

SHA512
083c3b7ec8a01d78880349c2de635e70bc45db1523c6e9962f4d687bd15705b28a4001afd48e7be60e34ab7c2a8bf62ff1b91404c38202cfb51fd7df449e124e

Download Submit
C:\Program Files (x86)\PriceLess\tNLNI930Qx8m24.x64.dll
Filesize
874KB

MD5
1dc66c50cea34da91b5e917e0157ff0d

SHA1
c7ddb2f9d46f1836d7368434db0131619f5e7c08

SHA256
19627221bde386227801b307cb903837ce957f1aa6194ec8bfc7b180434f41d0

SHA512
48e4c5a2603ba68aaa87d03fc1fbd5c9c672c3e3b9c50178a8f00e6296ae8d14ee6bf043c6bdca49f728f1ebda156007902af628af0a41760de22c8204453fef

Download Submit
\Program Files (x86)\PriceLess\tNLNI930Qx8m24.dll
Filesize
744KB

MD5
211ab5ec38ee0ed680e1b90b37916d5b

SHA1
5a8f6d8b08d6ebffd28608766fe73660fe00a781

SHA256
c5de64a026df3c1275ea3e50b3565b8cfc4d17b09eb958a23bcc29557589b409

SHA512
451ee835b2caed20a57529059a9e434b8e9139c45a579cc3d6693c1af5b516d3580abcd94370e916ff9a11e5cb859cee4a1dbbab943909d2a77fbc68a200a125

Download Submit
\Program Files (x86)\PriceLess\tNLNI930Qx8m24.x64.dll
Filesize
874KB

MD5
1dc66c50cea34da91b5e917e0157ff0d

SHA1
c7ddb2f9d46f1836d7368434db0131619f5e7c08

SHA256
19627221bde386227801b307cb903837ce957f1aa6194ec8bfc7b180434f41d0

SHA512
48e4c5a2603ba68aaa87d03fc1fbd5c9c672c3e3b9c50178a8f00e6296ae8d14ee6bf043c6bdca49f728f1ebda156007902af628af0a41760de22c8204453fef

Download Submit
\Program Files (x86)\PriceLess\tNLNI930Qx8m24.x64.dll
Filesize
874KB

MD5
1dc66c50cea34da91b5e917e0157ff0d

SHA1
c7ddb2f9d46f1836d7368434db0131619f5e7c08

SHA256
19627221bde386227801b307cb903837ce957f1aa6194ec8bfc7b180434f41d0

SHA512
48e4c5a2603ba68aaa87d03fc1fbd5c9c672c3e3b9c50178a8f00e6296ae8d14ee6bf043c6bdca49f728f1ebda156007902af628af0a41760de22c8204453fef

Download Submit
memory/880-68-0x0000000000000000-mapping.dmp

Download
memory/880-69-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/936-54-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/936-55-0x0000000000970000-0x0000000000A3B000-memory.dmp

Filesize
812KB

Download
memory/2000-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads