c13e6ee591ca46422c29eaffdbf027aae9956504a03bb2477a43173ebc2c00a2

Analysis

max time kernel
150s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c13e6ee591ca46422c29eaffdbf027aae9956504a03bb2477a43173ebc2c00a2.exe
Size

2.5MB
MD5

6f17e16085b538b5df7ad08332d7e275
SHA1

74ea72055ae3d8e139d31fc1a46614d8c07d6e02
SHA256

c13e6ee591ca46422c29eaffdbf027aae9956504a03bb2477a43173ebc2c00a2
SHA512

daac7ea2c778107adb7be05bd4c0628efa4406ef22d042587dae70eeb6c889e75c5d1f9f1a8e0187e51fce89e4ac8e19964a5e7e67b93565345f911eb6505d4c
SSDEEP

49152:h1OsvLcyYizLFAkqkpcfOgZ9m7POsrKFoWDzFDJTViU9YxLQ6XDR:h1O2cWf5qkgOIIKTpiCIR

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

pSrresfPio8iFTi.exe

pid process

3636 pSrresfPio8iFTi.exe
Loads dropped DLL 3 IoCs

Processes:

pSrresfPio8iFTi.exeregsvr32.exeregsvr32.exe

pid process

3636 pSrresfPio8iFTi.exe
4512 regsvr32.exe
3736 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3636	pSrresfPio8iFTi.exe

pid	process
3636	pSrresfPio8iFTi.exe
4512	regsvr32.exe
3736	regsvr32.exe

Drops Chrome extension 5 IoCs

Processes:

pSrresfPio8iFTi.exe

description	ioc	process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbphonjboelonlifaljdfnhfieibokhb\5.2\manifest.json	pSrresfPio8iFTi.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbphonjboelonlifaljdfnhfieibokhb\5.2\manifest.json	pSrresfPio8iFTi.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbphonjboelonlifaljdfnhfieibokhb\5.2\manifest.json	pSrresfPio8iFTi.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbphonjboelonlifaljdfnhfieibokhb\5.2\manifest.json	pSrresfPio8iFTi.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbphonjboelonlifaljdfnhfieibokhb\5.2\manifest.json	pSrresfPio8iFTi.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exepSrresfPio8iFTi.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	pSrresfPio8iFTi.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	pSrresfPio8iFTi.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	pSrresfPio8iFTi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	pSrresfPio8iFTi.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

pSrresfPio8iFTi.exe

description	ioc	process
File created	C:\Program Files (x86)\PriceLess\HiizHe2eKO7rDv.dll	pSrresfPio8iFTi.exe
File opened for modification	C:\Program Files (x86)\PriceLess\HiizHe2eKO7rDv.dll	pSrresfPio8iFTi.exe
File created	C:\Program Files (x86)\PriceLess\HiizHe2eKO7rDv.tlb	pSrresfPio8iFTi.exe
File opened for modification	C:\Program Files (x86)\PriceLess\HiizHe2eKO7rDv.tlb	pSrresfPio8iFTi.exe
File created	C:\Program Files (x86)\PriceLess\HiizHe2eKO7rDv.dat	pSrresfPio8iFTi.exe
File opened for modification	C:\Program Files (x86)\PriceLess\HiizHe2eKO7rDv.dat	pSrresfPio8iFTi.exe
File created	C:\Program Files (x86)\PriceLess\HiizHe2eKO7rDv.x64.dll	pSrresfPio8iFTi.exe
File opened for modification	C:\Program Files (x86)\PriceLess\HiizHe2eKO7rDv.x64.dll	pSrresfPio8iFTi.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pSrresfPio8iFTi.exe

pid process

3636 pSrresfPio8iFTi.exe
3636 pSrresfPio8iFTi.exe

pid	process
3636	pSrresfPio8iFTi.exe
3636	pSrresfPio8iFTi.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c13e6ee591ca46422c29eaffdbf027aae9956504a03bb2477a43173ebc2c00a2.exepSrresfPio8iFTi.exeregsvr32.exe

description	pid	process	target process
PID 2592 wrote to memory of 3636	2592	c13e6ee591ca46422c29eaffdbf027aae9956504a03bb2477a43173ebc2c00a2.exe	pSrresfPio8iFTi.exe
PID 2592 wrote to memory of 3636	2592	c13e6ee591ca46422c29eaffdbf027aae9956504a03bb2477a43173ebc2c00a2.exe	pSrresfPio8iFTi.exe
PID 2592 wrote to memory of 3636	2592	c13e6ee591ca46422c29eaffdbf027aae9956504a03bb2477a43173ebc2c00a2.exe	pSrresfPio8iFTi.exe
PID 3636 wrote to memory of 4512	3636	pSrresfPio8iFTi.exe	regsvr32.exe
PID 3636 wrote to memory of 4512	3636	pSrresfPio8iFTi.exe	regsvr32.exe
PID 3636 wrote to memory of 4512	3636	pSrresfPio8iFTi.exe	regsvr32.exe
PID 4512 wrote to memory of 3736	4512	regsvr32.exe	regsvr32.exe
PID 4512 wrote to memory of 3736	4512	regsvr32.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\c13e6ee591ca46422c29eaffdbf027aae9956504a03bb2477a43173ebc2c00a2.exe
"C:\Users\Admin\AppData\Local\Temp\c13e6ee591ca46422c29eaffdbf027aae9956504a03bb2477a43173ebc2c00a2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2592

C:\Users\Admin\AppData\Local\Temp\7zSF00D.tmp\pSrresfPio8iFTi.exe
.\pSrresfPio8iFTi.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\PriceLess\HiizHe2eKO7rDv.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\PriceLess\HiizHe2eKO7rDv.x64.dll"
4⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
PID:3736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PriceLess\HiizHe2eKO7rDv.dat
Filesize
6KB

MD5
10548c2b33d661799b9d91b46efb625a

SHA1
750b9603fabfd32a5f4a5698de4693c6aa13d907

SHA256
06416e7f898e4616908a2b7da1dbf63a1bb36dd1e9681fa89f4307a1192d10a1

SHA512
b172637d58efae59b923f87cd0bc2077f87663e7c391cc676d77d617b6c6af7816cc713034ba9c99ed920c1aeec16f9c31ce984013a943c3a9f4e7f11bf83a0d

Download Submit
C:\Program Files (x86)\PriceLess\HiizHe2eKO7rDv.dll
Filesize
743KB

MD5
5f0feefa22f79300571788bf8b3e8dce

SHA1
96d5a0483fae6df4f91022b5e1996a6a9338e973

SHA256
f0f5b620bbe3f97277cd58f49b3a5439849cb34ed9cd23568783f9c5247d2dcb

SHA512
ee6cce02d8ece233304beb20ad2c2595e185429fb4dc313048817719862154850ef5e5e9794ca0e7b5a3ae5e2a510b6902e0c7a04534fe7a7fc507fd2de9fdc9

Download Submit
C:\Program Files (x86)\PriceLess\HiizHe2eKO7rDv.x64.dll
Filesize
874KB

MD5
595ab71fd55ada98b537206d600e2fd1

SHA1
18a4f6fc8faa0920bbe118de14563cf4d99fae59

SHA256
278cd3c05c91a2159ed042d03d3e303a09bf2826d61cee3a60aff415c03957f6

SHA512
c93d51c73470d3bc0a5d30e3aa4195a42981c4551774ba37c70d38fee7a9a0a6005dfac2a83936cb97c7ed6f01768e8ee3302a858b3da730736476d10d14d0b8

Download Submit
C:\Program Files (x86)\PriceLess\HiizHe2eKO7rDv.x64.dll
Filesize
874KB

MD5
595ab71fd55ada98b537206d600e2fd1

SHA1
18a4f6fc8faa0920bbe118de14563cf4d99fae59

SHA256
278cd3c05c91a2159ed042d03d3e303a09bf2826d61cee3a60aff415c03957f6

SHA512
c93d51c73470d3bc0a5d30e3aa4195a42981c4551774ba37c70d38fee7a9a0a6005dfac2a83936cb97c7ed6f01768e8ee3302a858b3da730736476d10d14d0b8

Download Submit
C:\Program Files (x86)\PriceLess\HiizHe2eKO7rDv.x64.dll
Filesize
874KB

MD5
595ab71fd55ada98b537206d600e2fd1

SHA1
18a4f6fc8faa0920bbe118de14563cf4d99fae59

SHA256
278cd3c05c91a2159ed042d03d3e303a09bf2826d61cee3a60aff415c03957f6

SHA512
c93d51c73470d3bc0a5d30e3aa4195a42981c4551774ba37c70d38fee7a9a0a6005dfac2a83936cb97c7ed6f01768e8ee3302a858b3da730736476d10d14d0b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00D.tmp\HiizHe2eKO7rDv.dll
Filesize
743KB

MD5
5f0feefa22f79300571788bf8b3e8dce

SHA1
96d5a0483fae6df4f91022b5e1996a6a9338e973

SHA256
f0f5b620bbe3f97277cd58f49b3a5439849cb34ed9cd23568783f9c5247d2dcb

SHA512
ee6cce02d8ece233304beb20ad2c2595e185429fb4dc313048817719862154850ef5e5e9794ca0e7b5a3ae5e2a510b6902e0c7a04534fe7a7fc507fd2de9fdc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00D.tmp\HiizHe2eKO7rDv.tlb
Filesize
3KB

MD5
80bd614a8546509c2e4cb400f526282e

SHA1
dc32fac0430a26cf8568d049cc1c6fa77ee6c3b0

SHA256
b0754979cf98e1ad251729652cae8ab4c22364405d5179de922adf7bf4a0c22f

SHA512
937dcb014bfd7ad13b2fc465b4c84c7f9a7d0963afb89c1bb4cbc24e7894686f3918689dd9b098d5842a83f37624edebee657b9d5ffdc5d7a0acbd0257024146

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00D.tmp\HiizHe2eKO7rDv.x64.dll
Filesize
874KB

MD5
595ab71fd55ada98b537206d600e2fd1

SHA1
18a4f6fc8faa0920bbe118de14563cf4d99fae59

SHA256
278cd3c05c91a2159ed042d03d3e303a09bf2826d61cee3a60aff415c03957f6

SHA512
c93d51c73470d3bc0a5d30e3aa4195a42981c4551774ba37c70d38fee7a9a0a6005dfac2a83936cb97c7ed6f01768e8ee3302a858b3da730736476d10d14d0b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00D.tmp\Rff@H.net\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00D.tmp\Rff@H.net\chrome.manifest
Filesize
35B

MD5
9060de73ba063e4a9707325123e829c1

SHA1
a003e93808179770d0382dee707f63763c084f03

SHA256
78bd7cf3cc1e9e0e7eaace7156da307d3fc5b3c89263f0bb12821ec9509b57ee

SHA512
9cdbe2628bf1547786a21e4ea6e87b7c88b61635ce71a138699f9dd41d7e82b132839884e2fee209f74e9fbbaba267a47074ce3a1c7945679a899561294ae101

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00D.tmp\Rff@H.net\content\bg.js
Filesize
7KB

MD5
a7eb19cfb59e2d4c99d3f7b0f6ea177e

SHA1
950be2aa5d56119c52b7988f3bd469c76faa223d

SHA256
99e6af23fc8c0527a28ae47fbd7018ccb9ac740b2be74bbe5a82fd635370c1dc

SHA512
a86f5bd1ce0872541f15cb3ebc6137293fc1d8e03060bfca09326848bf5038efae06b1a47cc5ab151c7e69665ea181400355865d78bf8e596215b0e448f26053

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00D.tmp\Rff@H.net\install.rdf
Filesize
594B

MD5
76b777731e9d198854df95026bbe3203

SHA1
86dce9cc3faa745021a98eef0e05ec73c2b06b73

SHA256
d0ef87b95b8d0a05c47b6a3244b310e9f13b1e77d7ae92afa4b6a6a3d040922c

SHA512
d9fd6f80a123da629f547cd788618048c31e4dff5fbe41b1907a3e91398bf736a62b792559839dfe5b59948d1c51bd03f42e14008c890d5c672c540947d584dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00D.tmp\nbphonjboelonlifaljdfnhfieibokhb\EFnQ9rYn.js
Filesize
5KB

MD5
520ce76f1022f198acd631d3c3e62e64

SHA1
30699c882db03653206d71b31fc3a32e280d8948

SHA256
ac165353afa66ac8330bde8450e5abfcaef636ef1c468c642a69404e3a846f33

SHA512
984acca432ac2cbe39e25fc5f246223ab580383caf440a506cc611bd25d7764cd1b81e055aebe5a0861a0fe25dc1c8ec8ba29e5d139ed088a75731bdd68793ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00D.tmp\nbphonjboelonlifaljdfnhfieibokhb\background.html
Filesize
145B

MD5
3147edf1fb58cb665824dc47dfbb83ef

SHA1
4437509a2c5831a04dd12f9824ecb1b05ae3de49

SHA256
3937bbfbeb8d2904345ab17a06ee87e585ddfa0f57103ebf3754ccf665b49624

SHA512
7efc038046904d209649943f1b37bab02848135be01647371f880cec1b3e5516e824e7b2f0213a118c494f946397f78ccb78d4054ee03fe7eda124b02fa68623

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00D.tmp\nbphonjboelonlifaljdfnhfieibokhb\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00D.tmp\nbphonjboelonlifaljdfnhfieibokhb\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00D.tmp\nbphonjboelonlifaljdfnhfieibokhb\manifest.json
Filesize
501B

MD5
9d9d74bfa8e9ace025b834b96419d05e

SHA1
f5e56a100b0208b88335859cec692d867ffb572b

SHA256
a54dc66b61256c08f2bf60f507673814d263effe532fd8e6e1e1d662eca1d265

SHA512
4c8b216a781da9d366d5ea49e66dda6313c1f12947e59119782d14fe07ffa2db9de5b4e818f6e58088dd90f167ac8168796887676e0eacf7a86d2c9f7c3c1512

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00D.tmp\pSrresfPio8iFTi.dat
Filesize
6KB

MD5
10548c2b33d661799b9d91b46efb625a

SHA1
750b9603fabfd32a5f4a5698de4693c6aa13d907

SHA256
06416e7f898e4616908a2b7da1dbf63a1bb36dd1e9681fa89f4307a1192d10a1

SHA512
b172637d58efae59b923f87cd0bc2077f87663e7c391cc676d77d617b6c6af7816cc713034ba9c99ed920c1aeec16f9c31ce984013a943c3a9f4e7f11bf83a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00D.tmp\pSrresfPio8iFTi.exe
Filesize
776KB

MD5
ffa1c9234dcd4d9cf98f7fa1a8c73d83

SHA1
2e7bc17515629dcf3d817fedebaab3d5c1475f3f

SHA256
5ba84c0d67c04fcb4317ee81df1cc4a3ec782dd568e09b9eb6bfd6fe7d009c67

SHA512
51036ff0b9bae7eb81e3630674e69c3909148620ff16609c8b6cdb72187318ee282e8b4b5e0103c8181410318d94d0fb49382a2bc40d0e18b410502add142615

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF00D.tmp\pSrresfPio8iFTi.exe
Filesize
776KB

MD5
ffa1c9234dcd4d9cf98f7fa1a8c73d83

SHA1
2e7bc17515629dcf3d817fedebaab3d5c1475f3f

SHA256
5ba84c0d67c04fcb4317ee81df1cc4a3ec782dd568e09b9eb6bfd6fe7d009c67

SHA512
51036ff0b9bae7eb81e3630674e69c3909148620ff16609c8b6cdb72187318ee282e8b4b5e0103c8181410318d94d0fb49382a2bc40d0e18b410502add142615

Download Submit
memory/3636-132-0x0000000000000000-mapping.dmp

Download
memory/3736-152-0x0000000000000000-mapping.dmp

Download
memory/4512-149-0x0000000000000000-mapping.dmp

Download