Analysis
- max time kernel: 14s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 19:33

Static task: static1
Behavioral task: behavioral1
Sample: c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19.exe
Resource: win7-20221111-en
General
- Target: c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19.exe
- Size: 2.5MB
- MD5: f2a759fc65a37fa53b4d8e8fe56132f0
- SHA1: f5c4c76b98b66ba33624d4904f2c5c8adfa528a3
- SHA256: c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19
- SHA512: 1f7d3281c6e353061762b13b8b9a8b41b35d35aece6d21d6e48326b4a408f0f91f22f7b47d7bcd0d4806a04cf8330b32978395fe74aa2eda829e621b8b378a32
- SSDEEP: 49152:h1Os+dKF7UldNUwSMQRcXL3Bp9y14pkO/MPQpVPaytn5hbdTfg:h1ONQc/PXVp9yqIodg
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  PID 1308  pY7aBeT1Imd4ojw.exe
- Loads dropped DLL (4 IoCs)
  Processes:
  PID 1376  c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19.exe
  PID 1308  pY7aBeT1Imd4ojw.exe
  PID 612   regsvr32.exe
  PID 1692  regsvr32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
-
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
-
- Drops Chrome extension (3 IoCs)
  Processes (description / IoC / process):
  File created  C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\kklhplffdmpioipbilcmlajfmdjkjicb\5.2\manifest.json  pY7aBeT1Imd4ojw.exe
  File created  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kklhplffdmpioipbilcmlajfmdjkjicb\5.2\manifest.json  pY7aBeT1Imd4ojw.exe
  File created  C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\kklhplffdmpioipbilcmlajfmdjkjicb\5.2\manifest.json  pY7aBeT1Imd4ojw.exe
- Installs/modifies Browser Helper Object (2 TTPs, 11 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes (description / IoC / process):
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}  regsvr32.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}  regsvr32.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}  regsvr32.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects  regsvr32.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}  pY7aBeT1Imd4ojw.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects  pY7aBeT1Imd4ojw.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}  regsvr32.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\  regsvr32.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}  pY7aBeT1Imd4ojw.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}  pY7aBeT1Imd4ojw.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\  pY7aBeT1Imd4ojw.exe
- Drops file in Program Files directory (8 IoCs)
  Processes (description / IoC / process):
  File opened for modification  C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.dat  pY7aBeT1Imd4ojw.exe
  File created  C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.x64.dll  pY7aBeT1Imd4ojw.exe
  File opened for modification  C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.x64.dll  pY7aBeT1Imd4ojw.exe
  File created  C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.dll  pY7aBeT1Imd4ojw.exe
  File opened for modification  C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.dll  pY7aBeT1Imd4ojw.exe
  File created  C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.tlb  pY7aBeT1Imd4ojw.exe
  File opened for modification  C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.tlb  pY7aBeT1Imd4ojw.exe
  File created  C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.dat  pY7aBeT1Imd4ojw.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  PID 1308  pY7aBeT1Imd4ojw.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description / PID / process / target process):
  PID 1376 wrote to memory of 1308  1376  c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19.exe  pY7aBeT1Imd4ojw.exe
  PID 1376 wrote to memory of 1308  1376  c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19.exe  pY7aBeT1Imd4ojw.exe
  PID 1376 wrote to memory of 1308  1376  c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19.exe  pY7aBeT1Imd4ojw.exe
  PID 1376 wrote to memory of 1308  1376  c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19.exe  pY7aBeT1Imd4ojw.exe
  PID 1308 wrote to memory of 612   1308  pY7aBeT1Imd4ojw.exe  regsvr32.exe
  PID 1308 wrote to memory of 612   1308  pY7aBeT1Imd4ojw.exe  regsvr32.exe
  PID 1308 wrote to memory of 612   1308  pY7aBeT1Imd4ojw.exe  regsvr32.exe
  PID 1308 wrote to memory of 612   1308  pY7aBeT1Imd4ojw.exe  regsvr32.exe
  PID 1308 wrote to memory of 612   1308  pY7aBeT1Imd4ojw.exe  regsvr32.exe
  PID 1308 wrote to memory of 612   1308  pY7aBeT1Imd4ojw.exe  regsvr32.exe
  PID 1308 wrote to memory of 612   1308  pY7aBeT1Imd4ojw.exe  regsvr32.exe
  PID 612 wrote to memory of 1692   612   regsvr32.exe  regsvr32.exe
  PID 612 wrote to memory of 1692   612   regsvr32.exe  regsvr32.exe
  PID 612 wrote to memory of 1692   612   regsvr32.exe  regsvr32.exe
  PID 612 wrote to memory of 1692   612   regsvr32.exe  regsvr32.exe
  PID 612 wrote to memory of 1692   612   regsvr32.exe  regsvr32.exe
  PID 612 wrote to memory of 1692   612   regsvr32.exe  regsvr32.exe
  PID 612 wrote to memory of 1692   612   regsvr32.exe  regsvr32.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7zSA4F7.tmp\pY7aBeT1Imd4ojw.exe
      Command line: .\pY7aBeT1Imd4ojw.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops Chrome extension
      - Installs/modifies Browser Helper Object
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\regsvr32.exe
         Command line: regsvr32.exe /s "C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.x64.dll"
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\regsvr32.exe
            Command line: /s "C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.x64.dll"
            - Loads dropped DLL
            - Installs/modifies Browser Helper Object
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads