aa2c4b678d0f042bebaa8c5e174bdbbf30d52ad3dc8e364fdafe1a6883971607

Analysis

max time kernel
375s
max time network
394s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa2c4b678d0f042bebaa8c5e174bdbbf30d52ad3dc8e364fdafe1a6883971607.exe
Size

2.5MB
MD5

d4c27fb54ccf8504ac729f72eaa28148
SHA1

4b2781cb4904a53eccc39a5e8bf5bbd8340f61d6
SHA256

aa2c4b678d0f042bebaa8c5e174bdbbf30d52ad3dc8e364fdafe1a6883971607
SHA512

9409866e879bb5d172f696bdbef8860ca5895a4e47769cac692c78a73ac0edddc75fe108761c446da9f6d296a4df245da28a79603c4bd68dc52ad900af54ac65
SSDEEP

49152:h1OsSIPtchP5IawtcvlV3COH8qA0OOMC1gqEaejGfru:h1OTIPtrkvlBCOHgBC6

Score

8^/10

adware spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

pkiGUSLtyFphXq0.exe

pid process

3412 pkiGUSLtyFphXq0.exe
Loads dropped DLL 1 IoCs

Processes:

pkiGUSLtyFphXq0.exe

pid process

3412 pkiGUSLtyFphXq0.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3412	pkiGUSLtyFphXq0.exe

pid	process
3412	pkiGUSLtyFphXq0.exe

Drops Chrome extension 5 IoCs

Processes:

pkiGUSLtyFphXq0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdkninindehjliofiojblhiafnpgjeeh\5.2\manifest.json	pkiGUSLtyFphXq0.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdkninindehjliofiojblhiafnpgjeeh\5.2\manifest.json	pkiGUSLtyFphXq0.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdkninindehjliofiojblhiafnpgjeeh\5.2\manifest.json	pkiGUSLtyFphXq0.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdkninindehjliofiojblhiafnpgjeeh\5.2\manifest.json	pkiGUSLtyFphXq0.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdkninindehjliofiojblhiafnpgjeeh\5.2\manifest.json	pkiGUSLtyFphXq0.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

pkiGUSLtyFphXq0.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	pkiGUSLtyFphXq0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	pkiGUSLtyFphXq0.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	pkiGUSLtyFphXq0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	pkiGUSLtyFphXq0.exe

Drops file in Program Files directory 8 IoCs

Processes:

pkiGUSLtyFphXq0.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\PriceLess\o0tknTdr49wsTN.dat	pkiGUSLtyFphXq0.exe
File created	C:\Program Files (x86)\PriceLess\o0tknTdr49wsTN.x64.dll	pkiGUSLtyFphXq0.exe
File opened for modification	C:\Program Files (x86)\PriceLess\o0tknTdr49wsTN.x64.dll	pkiGUSLtyFphXq0.exe
File created	C:\Program Files (x86)\PriceLess\o0tknTdr49wsTN.dll	pkiGUSLtyFphXq0.exe
File opened for modification	C:\Program Files (x86)\PriceLess\o0tknTdr49wsTN.dll	pkiGUSLtyFphXq0.exe
File created	C:\Program Files (x86)\PriceLess\o0tknTdr49wsTN.tlb	pkiGUSLtyFphXq0.exe
File opened for modification	C:\Program Files (x86)\PriceLess\o0tknTdr49wsTN.tlb	pkiGUSLtyFphXq0.exe
File created	C:\Program Files (x86)\PriceLess\o0tknTdr49wsTN.dat	pkiGUSLtyFphXq0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pkiGUSLtyFphXq0.exe

pid process

3412 pkiGUSLtyFphXq0.exe
3412 pkiGUSLtyFphXq0.exe

pid	process
3412	pkiGUSLtyFphXq0.exe
3412	pkiGUSLtyFphXq0.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

aa2c4b678d0f042bebaa8c5e174bdbbf30d52ad3dc8e364fdafe1a6883971607.exepkiGUSLtyFphXq0.exe

description	pid	process	target process
PID 5116 wrote to memory of 3412	5116	aa2c4b678d0f042bebaa8c5e174bdbbf30d52ad3dc8e364fdafe1a6883971607.exe	pkiGUSLtyFphXq0.exe
PID 5116 wrote to memory of 3412	5116	aa2c4b678d0f042bebaa8c5e174bdbbf30d52ad3dc8e364fdafe1a6883971607.exe	pkiGUSLtyFphXq0.exe
PID 5116 wrote to memory of 3412	5116	aa2c4b678d0f042bebaa8c5e174bdbbf30d52ad3dc8e364fdafe1a6883971607.exe	pkiGUSLtyFphXq0.exe
PID 3412 wrote to memory of 5092	3412	pkiGUSLtyFphXq0.exe	regsvr32.exe
PID 3412 wrote to memory of 5092	3412	pkiGUSLtyFphXq0.exe	regsvr32.exe
PID 3412 wrote to memory of 5092	3412	pkiGUSLtyFphXq0.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\aa2c4b678d0f042bebaa8c5e174bdbbf30d52ad3dc8e364fdafe1a6883971607.exe
"C:\Users\Admin\AppData\Local\Temp\aa2c4b678d0f042bebaa8c5e174bdbbf30d52ad3dc8e364fdafe1a6883971607.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5116

C:\Users\Admin\AppData\Local\Temp\7zS2363.tmp\pkiGUSLtyFphXq0.exe
.\pkiGUSLtyFphXq0.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\PriceLess\o0tknTdr49wsTN.x64.dll"
3⤵
PID:5092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PriceLess\o0tknTdr49wsTN.dll

Filesize
747KB

MD5
075a34d90e4395f320b3266b2a6cc2c0

SHA1
c04c7386f13b45f5cc8424109d369e1e2427e5ec

SHA256
82550996793875d5d60d0479968dd63ff127ac705aca610110bc3f6ca127e8dc

SHA512
2618fb83c62bfd2ea6925d15417a86144d0133c1db3d6020b93ff6bac19adf47c1d31a10fcc31010e0fd6c2bd6f0a4537763715c57b74ad094ce8d6aedbf896a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2363.tmp\kdkninindehjliofiojblhiafnpgjeeh\H6.js

Filesize
5KB

MD5
2b35ebdbf8b5ae4fcfc712f5b6289f00

SHA1
b4c4b79746308d34471cb83613112accf6bbea13

SHA256
a01ed53154f903db625506cf11086b7f7d9a0a37963e417f69856495d8930e38

SHA512
05c069bc38e9bb8d44b5311661c1719b892e2f349a3373b103a827df021c987e4d233a27dbcd2a2b7ad46a8dd69eb77a9f9ad5d3e99dba9c9e79d6b685a0ef9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2363.tmp\kdkninindehjliofiojblhiafnpgjeeh\background.html

Filesize
139B

MD5
10a8150c2594331c51012995a405a3fb

SHA1
9db0372afe1cb4c35980bd78e23a49478e9c8b9b

SHA256
b972db0453032ea7effd1128a5765bec90b46b48da59f67ae2d5134b91bb5d85

SHA512
bf940a26dc8436c61c783eb1c810f50501c5fec5fae03e7eb7cdd28ae8e11caeb58da53ffe63b5972ae4be58c8e2b6c2b03fc116cbfecb9a0ccf97ec51941c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2363.tmp\kdkninindehjliofiojblhiafnpgjeeh\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2363.tmp\kdkninindehjliofiojblhiafnpgjeeh\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2363.tmp\kdkninindehjliofiojblhiafnpgjeeh\manifest.json

Filesize
501B

MD5
9d9d74bfa8e9ace025b834b96419d05e

SHA1
f5e56a100b0208b88335859cec692d867ffb572b

SHA256
a54dc66b61256c08f2bf60f507673814d263effe532fd8e6e1e1d662eca1d265

SHA512
4c8b216a781da9d366d5ea49e66dda6313c1f12947e59119782d14fe07ffa2db9de5b4e818f6e58088dd90f167ac8168796887676e0eacf7a86d2c9f7c3c1512

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2363.tmp\o0tknTdr49wsTN.dll

Filesize
747KB

MD5
075a34d90e4395f320b3266b2a6cc2c0

SHA1
c04c7386f13b45f5cc8424109d369e1e2427e5ec

SHA256
82550996793875d5d60d0479968dd63ff127ac705aca610110bc3f6ca127e8dc

SHA512
2618fb83c62bfd2ea6925d15417a86144d0133c1db3d6020b93ff6bac19adf47c1d31a10fcc31010e0fd6c2bd6f0a4537763715c57b74ad094ce8d6aedbf896a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2363.tmp\o0tknTdr49wsTN.tlb

Filesize
3KB

MD5
80b66ebf00d9d7c1904175c81cf3b1e1

SHA1
25edfc73c30f45e1254ddec9bdc5854d0f5c3c1b

SHA256
5691ef6a5460131e8fbebeed40d4f0fb81ff49e25a08d45df2178bb8d486672a

SHA512
396db976a5a56df11be3f46e16908341b33be7b374c92674550a563885012c056b7213ab873745e98bf4681bf12882632260363c578105decda25a2d249fdb9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2363.tmp\o0tknTdr49wsTN.x64.dll

Filesize
881KB

MD5
8cb4c5980306da615fd3a3c0b7124d95

SHA1
04c3ab5e547e3644e8627f9a548a56c112792499

SHA256
ce12f2e485306ea9a8bd019ffd6a62d846259bac4ba0ec71d81b43ab32470d43

SHA512
1852f4cf028c72869f215a8efff6c7244e2c67cde1230eb633a0d700fce957774dade7a50fcd7b760f395b3e242a5701ab88496e5551f778d208bcf182e0bedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2363.tmp\pkiGUSLtyFphXq0.dat

Filesize
6KB

MD5
916f77b3b00667398f45a0d979761345

SHA1
dd37dfa7f0874480ed3ba8b887e09a7ad74eaf0a

SHA256
be823223cecb7a61199e18bb3cf5c7c7daebc8faf04f1cd3ea804c14bf90b0c8

SHA512
c023a38a6dfc4cbe65fe1dcb3292697516a50f94af088fed6025920abbed84955f1c11c588c9072004ede2c44233c663b67b0235b071993f336a843ef87aa8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2363.tmp\pkiGUSLtyFphXq0.exe

Filesize
787KB

MD5
7b2176326be202922b35e876bab7ff83

SHA1
e7e8a0feb3fd78413b5c6d636a72bd28254bcea8

SHA256
292a3ad5628c78a7956e3ff9e30e484453ca674ced5a37894415eef1055051c4

SHA512
369d238f1118fe730bb49e44058999e0afca237d722ac68e3272c8e9ad27e97c368c8380f7d0c35a233ad44341e4f368fdb8a385f9b82789c1266a9b0024dd69

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2363.tmp\pkiGUSLtyFphXq0.exe

Filesize
787KB

MD5
7b2176326be202922b35e876bab7ff83

SHA1
e7e8a0feb3fd78413b5c6d636a72bd28254bcea8

SHA256
292a3ad5628c78a7956e3ff9e30e484453ca674ced5a37894415eef1055051c4

SHA512
369d238f1118fe730bb49e44058999e0afca237d722ac68e3272c8e9ad27e97c368c8380f7d0c35a233ad44341e4f368fdb8a385f9b82789c1266a9b0024dd69

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2363.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2363.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
30e90fdd9f3e008ed4103c75f477c85f

SHA1
f99b54ad2422f865e90d15661992de7f2d6d1030

SHA256
e5710362b476485c2ec343d62057081988af178ee307936139cc5bff430c57d5

SHA512
9419332baef0088aad8760220ebe2415da7708947233d4a3d5a766e02bd319c5ae9549af81fd146ac5e33717978e3647beb953bb0405f2aa1c94e9f4594c946f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2363.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
6b4f899aca826377546a1194ed27e21e

SHA1
7bcae43bf79207eaae3a090e2bb0bc2c6486588f

SHA256
d8fbb42ee5334e100e01ae36b5f6ee7e5ccf9fa40c297a1ced1f9952ad846090

SHA512
d40a4918184f57c6b34d320fb5263c32fe529413cbfa2efca218ad6ab9e77877cc0c1535ff08e093e404fbdb086f1071d91127609945af4d67e84600d4e626b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2363.tmp\[email protected]\install.rdf

Filesize
594B

MD5
0186c841c49af0e5091745fc496db1bf

SHA1
1d944dd8d3253ddc6b0f8b83222d83fc68683a28

SHA256
7eea9c81984878b6e56a7c88925894172958a3530aa97cb0caedaf948ee99129

SHA512
5a97369ac87ef95cc1cb05718749fa0a2eb05d2eaf5df4add76c0ee70b45e08c70c42513242af3f296940e02c6c66a7f463624f5d3e14eaaa0b7321b9a417de7

Download Submit
memory/3412-132-0x0000000000000000-mapping.dmp

Download
memory/5092-149-0x0000000000000000-mapping.dmp

Download