Analysis
- max time kernel: 42s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 21:13
- Static task: static1
- Behavioral task: behavioral1
- Sample: a6262bbc1eb0fb550baa032308257bbe2f04674c1a42022daf989aedefc7abd5.exe
- Resource: win7-20220901-en
General
-
Target
a6262bbc1eb0fb550baa032308257bbe2f04674c1a42022daf989aedefc7abd5.exe
-
Size
2.5MB
-
MD5
4b67e8de664c74ad365b847c2c94633d
-
SHA1
73c09e67d3a85c6d70b6ee507459e51e096403b1
-
SHA256
a6262bbc1eb0fb550baa032308257bbe2f04674c1a42022daf989aedefc7abd5
-
SHA512
fcacd179e5c8ecf33fb5261c824b5223c5e99b426abab1d883fefe20f8e4b719c6e7a48c98b58a1bc9d14697e3000de1cbb8cc1c826abaeffb3306c06b30c0f5
-
SSDEEP
49152:h1Os+LPc3NlPjsK1cB232wgpTvjxd2AN2mAkKaqlF+7hbXK+kJcQASJQ:h1OPL03XbDzsxHR4s
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  1576  WdoNDLz2pZAvKYA.exe
-
Loads dropped DLL 4 IoCs
Processes:
  pid   process
  1752  a6262bbc1eb0fb550baa032308257bbe2f04674c1a42022daf989aedefc7abd5.exe
  1576  WdoNDLz2pZAvKYA.exe
  576   regsvr32.exe
  1820  regsvr32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 3 IoCs
Processes:
  description   ioc   process
  File created  C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ggkjmljopglpdemebbdjcnhlfdocbnbo\5.2\manifest.json  WdoNDLz2pZAvKYA.exe
  File created  C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ggkjmljopglpdemebbdjcnhlfdocbnbo\5.2\manifest.json  WdoNDLz2pZAvKYA.exe
  File created  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ggkjmljopglpdemebbdjcnhlfdocbnbo\5.2\manifest.json  WdoNDLz2pZAvKYA.exe
-
Installs/modifies Browser Helper Object 2 TTPs 11 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
  description  ioc  process
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}  WdoNDLz2pZAvKYA.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}  WdoNDLz2pZAvKYA.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\  WdoNDLz2pZAvKYA.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}  regsvr32.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}  regsvr32.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects  regsvr32.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}  WdoNDLz2pZAvKYA.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects  WdoNDLz2pZAvKYA.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}  regsvr32.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}  regsvr32.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\  regsvr32.exe
-
Drops file in Program Files directory 8 IoCs
Processes:
  description                   ioc  process
  File opened for modification  C:\Program Files (x86)\PriceLess\r5m6pkdp5pZ2Wu.x64.dll  WdoNDLz2pZAvKYA.exe
  File created                  C:\Program Files (x86)\PriceLess\r5m6pkdp5pZ2Wu.dll  WdoNDLz2pZAvKYA.exe
  File opened for modification  C:\Program Files (x86)\PriceLess\r5m6pkdp5pZ2Wu.dll  WdoNDLz2pZAvKYA.exe
  File created                  C:\Program Files (x86)\PriceLess\r5m6pkdp5pZ2Wu.tlb  WdoNDLz2pZAvKYA.exe
  File opened for modification  C:\Program Files (x86)\PriceLess\r5m6pkdp5pZ2Wu.tlb  WdoNDLz2pZAvKYA.exe
  File created                  C:\Program Files (x86)\PriceLess\r5m6pkdp5pZ2Wu.dat  WdoNDLz2pZAvKYA.exe
  File opened for modification  C:\Program Files (x86)\PriceLess\r5m6pkdp5pZ2Wu.dat  WdoNDLz2pZAvKYA.exe
  File created                  C:\Program Files (x86)\PriceLess\r5m6pkdp5pZ2Wu.x64.dll  WdoNDLz2pZAvKYA.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
  pid   process
  1576  WdoNDLz2pZAvKYA.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
  description                       pid   process  target process
  PID 1752 wrote to memory of 1576  1752  a6262bbc1eb0fb550baa032308257bbe2f04674c1a42022daf989aedefc7abd5.exe  WdoNDLz2pZAvKYA.exe
  PID 1752 wrote to memory of 1576  1752  a6262bbc1eb0fb550baa032308257bbe2f04674c1a42022daf989aedefc7abd5.exe  WdoNDLz2pZAvKYA.exe
  PID 1752 wrote to memory of 1576  1752  a6262bbc1eb0fb550baa032308257bbe2f04674c1a42022daf989aedefc7abd5.exe  WdoNDLz2pZAvKYA.exe
  PID 1752 wrote to memory of 1576  1752  a6262bbc1eb0fb550baa032308257bbe2f04674c1a42022daf989aedefc7abd5.exe  WdoNDLz2pZAvKYA.exe
  PID 1576 wrote to memory of 576   1576  WdoNDLz2pZAvKYA.exe  regsvr32.exe
  PID 1576 wrote to memory of 576   1576  WdoNDLz2pZAvKYA.exe  regsvr32.exe
  PID 1576 wrote to memory of 576   1576  WdoNDLz2pZAvKYA.exe  regsvr32.exe
  PID 1576 wrote to memory of 576   1576  WdoNDLz2pZAvKYA.exe  regsvr32.exe
  PID 1576 wrote to memory of 576   1576  WdoNDLz2pZAvKYA.exe  regsvr32.exe
  PID 1576 wrote to memory of 576   1576  WdoNDLz2pZAvKYA.exe  regsvr32.exe
  PID 1576 wrote to memory of 576   1576  WdoNDLz2pZAvKYA.exe  regsvr32.exe
  PID 576 wrote to memory of 1820   576   regsvr32.exe  regsvr32.exe
  PID 576 wrote to memory of 1820   576   regsvr32.exe  regsvr32.exe
  PID 576 wrote to memory of 1820   576   regsvr32.exe  regsvr32.exe
  PID 576 wrote to memory of 1820   576   regsvr32.exe  regsvr32.exe
  PID 576 wrote to memory of 1820   576   regsvr32.exe  regsvr32.exe
  PID 576 wrote to memory of 1820   576   regsvr32.exe  regsvr32.exe
  PID 576 wrote to memory of 1820   576   regsvr32.exe  regsvr32.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\a6262bbc1eb0fb550baa032308257bbe2f04674c1a42022daf989aedefc7abd5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a6262bbc1eb0fb550baa032308257bbe2f04674c1a42022daf989aedefc7abd5.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
  Level 2: C:\Users\Admin\AppData\Local\Temp\7zS1CE4.tmp\WdoNDLz2pZAvKYA.exe
  Command line: .\WdoNDLz2pZAvKYA.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  -
    Level 3: C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32.exe /s "C:\Program Files (x86)\PriceLess\r5m6pkdp5pZ2Wu.x64.dll"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    -
      Level 4: C:\Windows\system32\regsvr32.exe
      Command line: /s "C:\Program Files (x86)\PriceLess\r5m6pkdp5pZ2Wu.x64.dll"
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\PriceLess\r5m6pkdp5pZ2Wu.dat
Filesize: 6KB
MD5: bb9bca8fd4e40f065c4d5c4764c3ee22
SHA1: e81663d8621ebf5fc03042ab766421c84441ddb0
SHA256: 257492c4ee18bd525140bb0ec5fe2bf0dbfa2e2e8bf435bf55844920f67172c9
SHA512: dc0a6a21753e23a824e21815fe49b5f0080d3483db35b3af876e2f8254920c0bea979e45700dd4e26764c47e00158c33f1a5231891880a9387d27c585f7462a2
-
C:\Program Files (x86)\PriceLess\r5m6pkdp5pZ2Wu.x64.dll
Filesize: 884KB
MD5: 99c7e74de396124ca447c167f289c939
SHA1: 7902e92c5ecf0e2b6c3287e95b65a7bfda49aa37
SHA256: 766f35f273be9ceb16c8d1e1471d7128686a44c858ac9c8e7f3443ac2b2bf61e
SHA512: 7043a8f31cb108088b6fb0d116c20ec56f937f3ad55020f19840a4e0e3b07ef432a45a43cc46c5ba51a1e339cdd60d671f43d8a1ac6ddfe30a0c374d8931899e
-
C:\Users\Admin\AppData\Local\Temp\7zS1CE4.tmp\[email protected]\bootstrap.js
Filesize: 2KB
MD5: df13f711e20e9c80171846d4f2f7ae06
SHA1: 56d29cda58427efe0e21d3880d39eb1b0ef60bee
SHA256: 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
SHA512: 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e
-
C:\Users\Admin\AppData\Local\Temp\7zS1CE4.tmp\[email protected]\chrome.manifest
Filesize: 35B
MD5: 88839f997a9cf851311e2a3ac3c2d780
SHA1: b20264f7347f74c798218570805acffa8e9465c6
SHA256: 8dac20c3dcccdca05e6e1c2c491950d2adce658ba3687ae399d3011a4e46104d
SHA512: c416c31b6f7213dc1f401c4a95fca2a327062692497fbafcb873a363d31d07634b3869e5a39bea0160fa03ea16c6a0c39e6cdb342843fee84d42264ad87c08a4
-
C:\Users\Admin\AppData\Local\Temp\7zS1CE4.tmp\[email protected]\content\bg.js
Filesize: 7KB
MD5: 67a8ac061bb55d221ecc22789f6550c1
SHA1: 66badfb708cba2047c97a53329b4650b1a30da9a
SHA256: 8f6ce7e57fb85907c8b8ba0cae412b3217d93460c51ad2fbefaebb79e9593c79
SHA512: 5515a7a7139827ebad1d790def0d234a34418c9759e36d17c8462e9ceb34c5d9579bece7f19249143fb36dd5bf47fec7dc53ae2f088b93bc1d5531d5828aeacb
-
C:\Users\Admin\AppData\Local\Temp\7zS1CE4.tmp\[email protected]\install.rdf
Filesize: 601B
MD5: fd900ab314f4ef4fb0a26cbb59a28328
SHA1: 58c0380075677a274ae8ddcf81e2ac23235b5200
SHA256: 5920e69da1c9a9b24b030aee78c631369ffa74e23c00065b54431690fc312139
SHA512: ec3b4beec95a2027c1dc310821fb55606fb8c09586e46704ff6cd2d9321b2a985d44f301c7db2ad70658427087078e6b8baad96945dccebcf69e2ffc4ba48680
-
C:\Users\Admin\AppData\Local\Temp\7zS1CE4.tmp\WdoNDLz2pZAvKYA.dat
Filesize: 6KB
MD5: bb9bca8fd4e40f065c4d5c4764c3ee22
SHA1: e81663d8621ebf5fc03042ab766421c84441ddb0
SHA256: 257492c4ee18bd525140bb0ec5fe2bf0dbfa2e2e8bf435bf55844920f67172c9
SHA512: dc0a6a21753e23a824e21815fe49b5f0080d3483db35b3af876e2f8254920c0bea979e45700dd4e26764c47e00158c33f1a5231891880a9387d27c585f7462a2
-
C:\Users\Admin\AppData\Local\Temp\7zS1CE4.tmp\WdoNDLz2pZAvKYA.exe
Filesize: 781KB
MD5: 7aa7f7ed72960c2eed67c9d730900e88
SHA1: ce69b4e2c6464f5d2802385459f1af28c162fb2b
SHA256: 99d691ec1c1b3a81700b502167c51309682fca3522b87ad6f42b50715dd52890
SHA512: fd424205a9d849fd809f43e98ab49f165bd854b31cc45be97475c5b12031cd7ddce7789341bccfa59b6ceea970a925685abaf014d426e5c06660ac9ad07c69c6
-
C:\Users\Admin\AppData\Local\Temp\7zS1CE4.tmp\ggkjmljopglpdemebbdjcnhlfdocbnbo\background.html
Filesize: 139B
MD5: 93ffafd2865103047ded75c74f7632f9
SHA1: 78fea70e4c18278d4188a8a5fecc35b447daafe9
SHA256: dd0a22ca6fcfa920ee27d163c7d6d74ccc6dd9ba2720932b274e9be193e3d1e6
SHA512: b82b752b27d18c2566934c2cf3c4c3af5978aaa99b7592cc188c7e9ee6fbe28da447625ebd0c389f4bc2f176aa9edcc207b6e212e2c9a9d3ecb924a8bac3fb8e
-
C:\Users\Admin\AppData\Local\Temp\7zS1CE4.tmp\ggkjmljopglpdemebbdjcnhlfdocbnbo\content.js
Filesize: 144B
MD5: fca19198fd8af21016a8b1dec7980002
SHA1: fd01a47d14004e17a625efe66cc46a06c786cf40
SHA256: 332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
SHA512: 60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47
-
C:\Users\Admin\AppData\Local\Temp\7zS1CE4.tmp\ggkjmljopglpdemebbdjcnhlfdocbnbo\eH.js
Filesize: 5KB
MD5: 1adfaa551ebdc7d1688cf08371346174
SHA1: 40221b29e407b95d2f900340dc9581d06fc6be80
SHA256: ebbe1e94c5624e0c52576e4a31889b827e0bfdb178e55af7b3c4553bca80d21b
SHA512: 6b9466c7b41dda104d50b896a38e79dc1d6d59d03a739c6562409053d8582ffadf2849f4e372c64d703383697611111b6f1321de2f2e9243dcbd65ee887b82ce
-
C:\Users\Admin\AppData\Local\Temp\7zS1CE4.tmp\ggkjmljopglpdemebbdjcnhlfdocbnbo\lsdb.js
Filesize: 531B
MD5: 36d98318ab2b3b2585a30984db328afb
SHA1: f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
SHA256: ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
SHA512: 6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a
-
C:\Users\Admin\AppData\Local\Temp\7zS1CE4.tmp\ggkjmljopglpdemebbdjcnhlfdocbnbo\manifest.json
Filesize: 501B
MD5: 9d9d74bfa8e9ace025b834b96419d05e
SHA1: f5e56a100b0208b88335859cec692d867ffb572b
SHA256: a54dc66b61256c08f2bf60f507673814d263effe532fd8e6e1e1d662eca1d265
SHA512: 4c8b216a781da9d366d5ea49e66dda6313c1f12947e59119782d14fe07ffa2db9de5b4e818f6e58088dd90f167ac8168796887676e0eacf7a86d2c9f7c3c1512
-
C:\Users\Admin\AppData\Local\Temp\7zS1CE4.tmp\r5m6pkdp5pZ2Wu.dll
Filesize: 751KB
MD5: 2d9514fdf857b13e32758fe0896846a7
SHA1: 8364dfb63691bdb31129299ee8d4e041f96e4c62
SHA256: 49c21b85825d96718c6cd8c187b5da4994078af2ffefe7c82338f30dfc765503
SHA512: 7662323130f612b716edf2e1114419db4bdda9251f5ce3f898eb56378ea17d5fec829cdc7e85542519a8b0954e6d163b77cbcba0516c2854f1d310b66012c918
-
C:\Users\Admin\AppData\Local\Temp\7zS1CE4.tmp\r5m6pkdp5pZ2Wu.tlb
Filesize: 3KB
MD5: bc1ff9bc8f45abc5c943c7bcc5f76783
SHA1: d8fe00ffe44904c506fe9297cf7f2c0ce1651546
SHA256: c76d22ee4f471fa7e2f17d085702203614965f548a28bd0080b31c2b9c58ea0b
SHA512: fcbcf2ef78acf85241947b1b117f6b0c99581cbadd946ddf6884f22751ecd694e0b344305b632b7cecfbf7060dcb7057f78deb3d540f5f7e7975339434e572d6
-
C:\Users\Admin\AppData\Local\Temp\7zS1CE4.tmp\r5m6pkdp5pZ2Wu.x64.dll
Filesize: 884KB
MD5: 99c7e74de396124ca447c167f289c939
SHA1: 7902e92c5ecf0e2b6c3287e95b65a7bfda49aa37
SHA256: 766f35f273be9ceb16c8d1e1471d7128686a44c858ac9c8e7f3443ac2b2bf61e
SHA512: 7043a8f31cb108088b6fb0d116c20ec56f937f3ad55020f19840a4e0e3b07ef432a45a43cc46c5ba51a1e339cdd60d671f43d8a1ac6ddfe30a0c374d8931899e
-
\Program Files (x86)\PriceLess\r5m6pkdp5pZ2Wu.dll
Filesize: 751KB
MD5: 2d9514fdf857b13e32758fe0896846a7
SHA1: 8364dfb63691bdb31129299ee8d4e041f96e4c62
SHA256: 49c21b85825d96718c6cd8c187b5da4994078af2ffefe7c82338f30dfc765503
SHA512: 7662323130f612b716edf2e1114419db4bdda9251f5ce3f898eb56378ea17d5fec829cdc7e85542519a8b0954e6d163b77cbcba0516c2854f1d310b66012c918
-
\Program Files (x86)\PriceLess\r5m6pkdp5pZ2Wu.x64.dll
Filesize: 884KB
MD5: 99c7e74de396124ca447c167f289c939
SHA1: 7902e92c5ecf0e2b6c3287e95b65a7bfda49aa37
SHA256: 766f35f273be9ceb16c8d1e1471d7128686a44c858ac9c8e7f3443ac2b2bf61e
SHA512: 7043a8f31cb108088b6fb0d116c20ec56f937f3ad55020f19840a4e0e3b07ef432a45a43cc46c5ba51a1e339cdd60d671f43d8a1ac6ddfe30a0c374d8931899e
-
\Users\Admin\AppData\Local\Temp\7zS1CE4.tmp\WdoNDLz2pZAvKYA.exe
Filesize: 781KB
MD5: 7aa7f7ed72960c2eed67c9d730900e88
SHA1: ce69b4e2c6464f5d2802385459f1af28c162fb2b
SHA256: 99d691ec1c1b3a81700b502167c51309682fca3522b87ad6f42b50715dd52890
SHA512: fd424205a9d849fd809f43e98ab49f165bd854b31cc45be97475c5b12031cd7ddce7789341bccfa59b6ceea970a925685abaf014d426e5c06660ac9ad07c69c6
-
memory/576-73-0x0000000000000000-mapping.dmp
-
memory/1576-56-0x0000000000000000-mapping.dmp
-
memory/1752-54-0x0000000075111000-0x0000000075113000-memory.dmp
Filesize: 8KB
-
memory/1820-77-0x0000000000000000-mapping.dmp
-
memory/1820-78-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp
Filesize: 8KB