c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19.exe
Size

2.5MB
MD5

f2a759fc65a37fa53b4d8e8fe56132f0
SHA1

f5c4c76b98b66ba33624d4904f2c5c8adfa528a3
SHA256

c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19
SHA512

1f7d3281c6e353061762b13b8b9a8b41b35d35aece6d21d6e48326b4a408f0f91f22f7b47d7bcd0d4806a04cf8330b32978395fe74aa2eda829e621b8b378a32
SSDEEP

49152:h1Os+dKF7UldNUwSMQRcXL3Bp9y14pkO/MPQpVPaytn5hbdTfg:h1ONQc/PXVp9yqIodg

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

pY7aBeT1Imd4ojw.exe

pid process

2556 pY7aBeT1Imd4ojw.exe
Loads dropped DLL 3 IoCs

Processes:

pY7aBeT1Imd4ojw.exeregsvr32.exeregsvr32.exe

pid process

2556 pY7aBeT1Imd4ojw.exe
4064 regsvr32.exe
1028 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2556	pY7aBeT1Imd4ojw.exe

pid	process
2556	pY7aBeT1Imd4ojw.exe
4064	regsvr32.exe
1028	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

pY7aBeT1Imd4ojw.exe

description	ioc	process
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\kklhplffdmpioipbilcmlajfmdjkjicb\5.2\manifest.json	pY7aBeT1Imd4ojw.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\kklhplffdmpioipbilcmlajfmdjkjicb\5.2\manifest.json	pY7aBeT1Imd4ojw.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\kklhplffdmpioipbilcmlajfmdjkjicb\5.2\manifest.json	pY7aBeT1Imd4ojw.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kklhplffdmpioipbilcmlajfmdjkjicb\5.2\manifest.json	pY7aBeT1Imd4ojw.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\kklhplffdmpioipbilcmlajfmdjkjicb\5.2\manifest.json	pY7aBeT1Imd4ojw.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

pY7aBeT1Imd4ojw.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	pY7aBeT1Imd4ojw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	pY7aBeT1Imd4ojw.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	pY7aBeT1Imd4ojw.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	pY7aBeT1Imd4ojw.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

pY7aBeT1Imd4ojw.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.tlb	pY7aBeT1Imd4ojw.exe
File created	C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.dat	pY7aBeT1Imd4ojw.exe
File opened for modification	C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.dat	pY7aBeT1Imd4ojw.exe
File created	C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.x64.dll	pY7aBeT1Imd4ojw.exe
File opened for modification	C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.x64.dll	pY7aBeT1Imd4ojw.exe
File created	C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.dll	pY7aBeT1Imd4ojw.exe
File opened for modification	C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.dll	pY7aBeT1Imd4ojw.exe
File created	C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.tlb	pY7aBeT1Imd4ojw.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pY7aBeT1Imd4ojw.exe

pid process

2556 pY7aBeT1Imd4ojw.exe
2556 pY7aBeT1Imd4ojw.exe

pid	process
2556	pY7aBeT1Imd4ojw.exe
2556	pY7aBeT1Imd4ojw.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19.exepY7aBeT1Imd4ojw.exeregsvr32.exe

description	pid	process	target process
PID 2496 wrote to memory of 2556	2496	c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19.exe	pY7aBeT1Imd4ojw.exe
PID 2496 wrote to memory of 2556	2496	c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19.exe	pY7aBeT1Imd4ojw.exe
PID 2496 wrote to memory of 2556	2496	c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19.exe	pY7aBeT1Imd4ojw.exe
PID 2556 wrote to memory of 4064	2556	pY7aBeT1Imd4ojw.exe	regsvr32.exe
PID 2556 wrote to memory of 4064	2556	pY7aBeT1Imd4ojw.exe	regsvr32.exe
PID 2556 wrote to memory of 4064	2556	pY7aBeT1Imd4ojw.exe	regsvr32.exe
PID 4064 wrote to memory of 1028	4064	regsvr32.exe	regsvr32.exe
PID 4064 wrote to memory of 1028	4064	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19.exe
"C:\Users\Admin\AppData\Local\Temp\c50bf06c4dd345b53f1ca224c3a9140372389f8dff0a5ecd33d1377bc26eff19.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2496

C:\Users\Admin\AppData\Local\Temp\7zSCE03.tmp\pY7aBeT1Imd4ojw.exe
.\pY7aBeT1Imd4ojw.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:1028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.dat
Filesize
6KB

MD5
7f13e1c406eac64c2213c49beee60e02

SHA1
bf7f733250c878103884015dc62f58f65f1542ab

SHA256
7a0aa7e5d421ff22ed09441a115d785fbf3ad77ddc7131960f7a570f15e8ea34

SHA512
fd111c6a39d698760ac4963a973e03bdc3b4d716bfeb531ecbceb4cd90dc5745e1315c0f1320d3496a739a97770f5f93c6d3047256694d526f68e49ea21f0ef5

Download Submit
C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.dll
Filesize
745KB

MD5
9b0bbae1c51f35af98a38950ad9b6902

SHA1
abaf6e0d4af36bc020b8948beb95c1d6dd6b4108

SHA256
bc3180830a01359e2a0533b58b505a89999861cc6649a597912424d4856404ef

SHA512
731cedc519324e24f6649e05678eeff9ed04be8a519a816179c254ad8e1d360037053104c2ab3ed03a50aa1bbe0d3a6562ed871d7943d241f2dbfe184ec6a14b

Download Submit
C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.x64.dll
Filesize
874KB

MD5
315ffb224983b4981895e20bc3a68f75

SHA1
75f25396fb15f5269198623b604bc456d05d623c

SHA256
e4cb3b0a84a7030b20a151bb857a4a28feeb14863a3685b726a2ad5b69e99c5e

SHA512
8255b3d4f9c0a251a5a63075b8f8747dd3e9e6dacbce8877b859a53b266e2a81286576d0c78fe4ce034e451aee367ce700128a9f296b101f3e984669d0c519a8

Download Submit
C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.x64.dll
Filesize
874KB

MD5
315ffb224983b4981895e20bc3a68f75

SHA1
75f25396fb15f5269198623b604bc456d05d623c

SHA256
e4cb3b0a84a7030b20a151bb857a4a28feeb14863a3685b726a2ad5b69e99c5e

SHA512
8255b3d4f9c0a251a5a63075b8f8747dd3e9e6dacbce8877b859a53b266e2a81286576d0c78fe4ce034e451aee367ce700128a9f296b101f3e984669d0c519a8

Download Submit
C:\Program Files (x86)\PriceLess\mBjDOcH9yvRi2h.x64.dll
Filesize
874KB

MD5
315ffb224983b4981895e20bc3a68f75

SHA1
75f25396fb15f5269198623b604bc456d05d623c

SHA256
e4cb3b0a84a7030b20a151bb857a4a28feeb14863a3685b726a2ad5b69e99c5e

SHA512
8255b3d4f9c0a251a5a63075b8f8747dd3e9e6dacbce8877b859a53b266e2a81286576d0c78fe4ce034e451aee367ce700128a9f296b101f3e984669d0c519a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE03.tmp\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE03.tmp\[email protected]\chrome.manifest
Filesize
35B

MD5
4ec95f3bc026438bd6662eb76bebfdf7

SHA1
e7a457e8cf666bca256e398ff8a14fadad72c882

SHA256
6f92c992d2f40757595601ae1dec38214991f907a9e33c2ab985a9ca1c04d55a

SHA512
5cdf9e63072acf5d920da9612e65a633027e29adf89d09c619cd77f4ed6052eea1e5fd5a2f166ab4003ef3e5817b74e78a3b26dc4c1dbe58c67ed55536832035

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE03.tmp\[email protected]\content\bg.js
Filesize
7KB

MD5
3065e40d3f1cb319798f050b7fd8810c

SHA1
68e03b31a1a4d8316b916ad25830886d572e88ae

SHA256
791bb2b3b3d14c609a99d14424caa3a6450bd23c92edd6acea28d8984189dfaa

SHA512
cc94764ffae9b3eee1c75e2e06e2ae52342e0e2a0da8fdbf6fcf8b741a50631ff98bd411e8e3b825aaf1ed000b8bfaf625ab5150aad7cd364bc984a9c576cb2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE03.tmp\[email protected]\install.rdf
Filesize
594B

MD5
8676ed32a2df62ef15521eb2d32ae44a

SHA1
06e88ffe443fad870f15e0b8ce424e8ef666fbdd

SHA256
c979a0634e0abb24b0ea1e3d668699f64f6c20ac33101cd52d569cfe2d39b407

SHA512
4c39f0e6aeea3525168a728f39e9d4626d1265e0f2691f11e8aef5e1640a7509b3554c47a9926b13fa4b4dcc04da40efcd3fb2091a3e285e5ab07be3d243fb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE03.tmp\kklhplffdmpioipbilcmlajfmdjkjicb\background.html
Filesize
143B

MD5
eef7c4fbabc6eb8800be4f7ab81c6078

SHA1
c2f888e56f72dffd856e0e11cf96827e53d8ca41

SHA256
281e391b7dc058987e926808d97c6b7b308a46128f0d4b09820efcebf968de0f

SHA512
6b64addfddab0e4911c63447f0a8511f3d39e454950385629d795fad95ab78657d5f9d09ac867f89c061b1c8f30315dfe1b7833d9dab2e1f0605ad9effce40bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE03.tmp\kklhplffdmpioipbilcmlajfmdjkjicb\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE03.tmp\kklhplffdmpioipbilcmlajfmdjkjicb\dVMxJ6.js
Filesize
5KB

MD5
6717e2386e1100f93c2be6c93dc74c14

SHA1
81b64e425c76eb468d7d874ff756ce33450df5dd

SHA256
4c1bb6e51574ab81283afe3aed6310dc10735537fc0907eff35bdac690ef7b8d

SHA512
d64a529e65d0f92089305b18b064971eb174650ded979d0aff4cad60e6c7e0ab429095e28a9d6c55529c3ae9aa4e447ac1119030627f080e5215441fe3bbc5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE03.tmp\kklhplffdmpioipbilcmlajfmdjkjicb\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE03.tmp\kklhplffdmpioipbilcmlajfmdjkjicb\manifest.json
Filesize
501B

MD5
9d9d74bfa8e9ace025b834b96419d05e

SHA1
f5e56a100b0208b88335859cec692d867ffb572b

SHA256
a54dc66b61256c08f2bf60f507673814d263effe532fd8e6e1e1d662eca1d265

SHA512
4c8b216a781da9d366d5ea49e66dda6313c1f12947e59119782d14fe07ffa2db9de5b4e818f6e58088dd90f167ac8168796887676e0eacf7a86d2c9f7c3c1512

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE03.tmp\mBjDOcH9yvRi2h.dll
Filesize
745KB

MD5
9b0bbae1c51f35af98a38950ad9b6902

SHA1
abaf6e0d4af36bc020b8948beb95c1d6dd6b4108

SHA256
bc3180830a01359e2a0533b58b505a89999861cc6649a597912424d4856404ef

SHA512
731cedc519324e24f6649e05678eeff9ed04be8a519a816179c254ad8e1d360037053104c2ab3ed03a50aa1bbe0d3a6562ed871d7943d241f2dbfe184ec6a14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE03.tmp\mBjDOcH9yvRi2h.tlb
Filesize
3KB

MD5
e0d8c71eebc95cf3bd5cf6086938176f

SHA1
e24d47c63e459b2d0664b2a1709c8243d5d6ab39

SHA256
1c87908f309599a94b048c1571ab271342aee8092d6d3ac22db7a509e22a3779

SHA512
d5a9387933d788dbddcb9fcaa7fafef9232d289b287d5fb95666a2b7e0a9838664241a7c6021841f13d2f0b979dd61dcf361c8261b2e78510af298cedd05f92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE03.tmp\mBjDOcH9yvRi2h.x64.dll
Filesize
874KB

MD5
315ffb224983b4981895e20bc3a68f75

SHA1
75f25396fb15f5269198623b604bc456d05d623c

SHA256
e4cb3b0a84a7030b20a151bb857a4a28feeb14863a3685b726a2ad5b69e99c5e

SHA512
8255b3d4f9c0a251a5a63075b8f8747dd3e9e6dacbce8877b859a53b266e2a81286576d0c78fe4ce034e451aee367ce700128a9f296b101f3e984669d0c519a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE03.tmp\pY7aBeT1Imd4ojw.dat
Filesize
6KB

MD5
7f13e1c406eac64c2213c49beee60e02

SHA1
bf7f733250c878103884015dc62f58f65f1542ab

SHA256
7a0aa7e5d421ff22ed09441a115d785fbf3ad77ddc7131960f7a570f15e8ea34

SHA512
fd111c6a39d698760ac4963a973e03bdc3b4d716bfeb531ecbceb4cd90dc5745e1315c0f1320d3496a739a97770f5f93c6d3047256694d526f68e49ea21f0ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE03.tmp\pY7aBeT1Imd4ojw.exe
Filesize
769KB

MD5
291319a3090dccd5eaa32056863ae03e

SHA1
af43bfec74b1b1266f52e03cd043dd26c69fd2e9

SHA256
093bbafecd0c59ac6495fdd821d8af0d02b167c545cc5d95aa198eeef091115a

SHA512
162a3e21247ec4457a9178dd06866e284093aaf6cf366b109e8d0a533be8e099beca9280783874968429f6718e13481c17385daa233a95b8bffe8fdb67094da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE03.tmp\pY7aBeT1Imd4ojw.exe
Filesize
769KB

MD5
291319a3090dccd5eaa32056863ae03e

SHA1
af43bfec74b1b1266f52e03cd043dd26c69fd2e9

SHA256
093bbafecd0c59ac6495fdd821d8af0d02b167c545cc5d95aa198eeef091115a

SHA512
162a3e21247ec4457a9178dd06866e284093aaf6cf366b109e8d0a533be8e099beca9280783874968429f6718e13481c17385daa233a95b8bffe8fdb67094da1

Download Submit
memory/1028-152-0x0000000000000000-mapping.dmp

Download
memory/2556-132-0x0000000000000000-mapping.dmp

Download
memory/4064-149-0x0000000000000000-mapping.dmp

Download