Analysis
-
max time kernel
45s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system -
submitted
25-11-2022 02:05
Static task
static1
Behavioral task
behavioral1
Sample
46f884f323b15d3c3b67ea33915bf28225a8558106c0a5379cdee7a1d2aa0440.exe
Resource
win7-20220901-en
General
-
Target
46f884f323b15d3c3b67ea33915bf28225a8558106c0a5379cdee7a1d2aa0440.exe
-
Size
2.5MB
-
MD5
cdbe4d28cd53e5f2a567de261dd1b35e
-
SHA1
2c8d5f097037dcdc3c031551d0aba08e25081cdf
-
SHA256
46f884f323b15d3c3b67ea33915bf28225a8558106c0a5379cdee7a1d2aa0440
-
SHA512
e8395fa18e4a2f8d97ecb3aa762e9fa236c2019cd928a41c539b4833be93dd7ef1bc3959a2f21796577cb0a1ecb6822d9cd12a7806cc5cc1d5b8afa5fd8d4bc8
-
SSDEEP
49152:h1OszTAHQDPTB3RnKWXUjuxZsHKddXx/WPKGL2ONrq8J8aUnbeZ9Y:h1O0TAqMjuxZH/Wpda
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
mVBAmIGufzw0N8w.exe
pid / process:
1948 mVBAmIGufzw0N8w.exe
-
Loads dropped DLL 4 IoCs
Processes:
46f884f323b15d3c3b67ea33915bf28225a8558106c0a5379cdee7a1d2aa0440.exe, mVBAmIGufzw0N8w.exe, regsvr32.exe, regsvr32.exe
pid / process:
1880 46f884f323b15d3c3b67ea33915bf28225a8558106c0a5379cdee7a1d2aa0440.exe
1948 mVBAmIGufzw0N8w.exe
1940 regsvr32.exe
1676 regsvr32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 3 IoCs
Processes:
mVBAmIGufzw0N8w.exe
description | ioc | process:
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gadhljpjijnehablopggapegbkbfgpej\5.2\manifest.json | mVBAmIGufzw0N8w.exe
File created | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\gadhljpjijnehablopggapegbkbfgpej\5.2\manifest.json | mVBAmIGufzw0N8w.exe
File created | C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\gadhljpjijnehablopggapegbkbfgpej\5.2\manifest.json | mVBAmIGufzw0N8w.exe
-
Installs/modifies Browser Helper Object 2 TTPs 11 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
mVBAmIGufzw0N8w.exe, regsvr32.exe
description | ioc | process:
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | mVBAmIGufzw0N8w.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9} | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | mVBAmIGufzw0N8w.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | mVBAmIGufzw0N8w.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | mVBAmIGufzw0N8w.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\ | mVBAmIGufzw0N8w.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ | regsvr32.exe
-
Drops file in Program Files directory 8 IoCs
Processes:
mVBAmIGufzw0N8w.exe
description | ioc | process:
File created | C:\Program Files (x86)\PriceLess\m0SiCLQsyBCn0p.x64.dll | mVBAmIGufzw0N8w.exe
File opened for modification | C:\Program Files (x86)\PriceLess\m0SiCLQsyBCn0p.x64.dll | mVBAmIGufzw0N8w.exe
File created | C:\Program Files (x86)\PriceLess\m0SiCLQsyBCn0p.dll | mVBAmIGufzw0N8w.exe
File opened for modification | C:\Program Files (x86)\PriceLess\m0SiCLQsyBCn0p.dll | mVBAmIGufzw0N8w.exe
File created | C:\Program Files (x86)\PriceLess\m0SiCLQsyBCn0p.tlb | mVBAmIGufzw0N8w.exe
File opened for modification | C:\Program Files (x86)\PriceLess\m0SiCLQsyBCn0p.tlb | mVBAmIGufzw0N8w.exe
File created | C:\Program Files (x86)\PriceLess\m0SiCLQsyBCn0p.dat | mVBAmIGufzw0N8w.exe
File opened for modification | C:\Program Files (x86)\PriceLess\m0SiCLQsyBCn0p.dat | mVBAmIGufzw0N8w.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
mVBAmIGufzw0N8w.exe
pid / process:
1948 mVBAmIGufzw0N8w.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
46f884f323b15d3c3b67ea33915bf28225a8558106c0a5379cdee7a1d2aa0440.exe, mVBAmIGufzw0N8w.exe, regsvr32.exe
description | pid | process | target process:
PID 1880 wrote to memory of 1948 | 1880 | 46f884f323b15d3c3b67ea33915bf28225a8558106c0a5379cdee7a1d2aa0440.exe | mVBAmIGufzw0N8w.exe
PID 1880 wrote to memory of 1948 | 1880 | 46f884f323b15d3c3b67ea33915bf28225a8558106c0a5379cdee7a1d2aa0440.exe | mVBAmIGufzw0N8w.exe
PID 1880 wrote to memory of 1948 | 1880 | 46f884f323b15d3c3b67ea33915bf28225a8558106c0a5379cdee7a1d2aa0440.exe | mVBAmIGufzw0N8w.exe
PID 1880 wrote to memory of 1948 | 1880 | 46f884f323b15d3c3b67ea33915bf28225a8558106c0a5379cdee7a1d2aa0440.exe | mVBAmIGufzw0N8w.exe
PID 1948 wrote to memory of 1940 | 1948 | mVBAmIGufzw0N8w.exe | regsvr32.exe
PID 1948 wrote to memory of 1940 | 1948 | mVBAmIGufzw0N8w.exe | regsvr32.exe
PID 1948 wrote to memory of 1940 | 1948 | mVBAmIGufzw0N8w.exe | regsvr32.exe
PID 1948 wrote to memory of 1940 | 1948 | mVBAmIGufzw0N8w.exe | regsvr32.exe
PID 1948 wrote to memory of 1940 | 1948 | mVBAmIGufzw0N8w.exe | regsvr32.exe
PID 1948 wrote to memory of 1940 | 1948 | mVBAmIGufzw0N8w.exe | regsvr32.exe
PID 1948 wrote to memory of 1940 | 1948 | mVBAmIGufzw0N8w.exe | regsvr32.exe
PID 1940 wrote to memory of 1676 | 1940 | regsvr32.exe | regsvr32.exe
PID 1940 wrote to memory of 1676 | 1940 | regsvr32.exe | regsvr32.exe
PID 1940 wrote to memory of 1676 | 1940 | regsvr32.exe | regsvr32.exe
PID 1940 wrote to memory of 1676 | 1940 | regsvr32.exe | regsvr32.exe
PID 1940 wrote to memory of 1676 | 1940 | regsvr32.exe | regsvr32.exe
PID 1940 wrote to memory of 1676 | 1940 | regsvr32.exe | regsvr32.exe
PID 1940 wrote to memory of 1676 | 1940 | regsvr32.exe | regsvr32.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\46f884f323b15d3c3b67ea33915bf28225a8558106c0a5379cdee7a1d2aa0440.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\46f884f323b15d3c3b67ea33915bf28225a8558106c0a5379cdee7a1d2aa0440.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
2. C:\Users\Admin\AppData\Local\Temp\7zSFC4A.tmp\mVBAmIGufzw0N8w.exe (child of 1)
Command line: .\mVBAmIGufzw0N8w.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
3. C:\Windows\SysWOW64\regsvr32.exe (child of 2)
Command line: regsvr32.exe /s "C:\Program Files (x86)\PriceLess\m0SiCLQsyBCn0p.x64.dll"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
4. C:\Windows\system32\regsvr32.exe (child of 3)
Command line: /s "C:\Program Files (x86)\PriceLess\m0SiCLQsyBCn0p.x64.dll"
- Loads dropped DLL
- Installs/modifies Browser Helper Object
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\PriceLess\m0SiCLQsyBCn0p.dat
Filesize
6KB
MD5
04499523edee5fee31b7d9c7cb51e09a
SHA1
23b12748dd458b5fc155e67870bd023aa0071e3f
SHA256
dbe1b21f0ba2662669f81857add3ad95ca4cbcab63697069172cf0759e919e59
SHA512
412ba04c9feb0153403f06349e390f127c24fd9d5ef62aa7579642ab9d7e9dcc8453d8ec5ca1cec225bf873bddc6803a80b8e4cf2e9b75e1973c59b1c455757e
-
C:\Program Files (x86)\PriceLess\m0SiCLQsyBCn0p.x64.dll
Filesize
875KB
MD5
17da2bf78af676b649eae4f74864dfcc
SHA1
decf265a0aadc130874511ace40c62b0c0e16aac
SHA256
b3a707a96ccf454e91ecc1c8578928232646f188b7d9973678f0e27bbf96a2fb
SHA512
76522bd652d3ed0d6bec2c467937e319c24040498f825a2e5dec3c18357c5548a37b3d99de1f748ffdc380ae36b502ec0a6761f2adb55ffbbab1972323a3e806
-
C:\Users\Admin\AppData\Local\Temp\7zSFC4A.tmp\[email protected]\bootstrap.js
Filesize
2KB
MD5
df13f711e20e9c80171846d4f2f7ae06
SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee
SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e
-
C:\Users\Admin\AppData\Local\Temp\7zSFC4A.tmp\[email protected]\chrome.manifest
Filesize
35B
MD5
3e59456985b4aedc87f065eedbd68697
SHA1
50d6f78f1bdfcfa66a6b8a18169fbc84a3eb4183
SHA256
525417ba6de89a8192a6c194279609fb4dbf9b0a66e12a7a3156ecd6269d190f
SHA512
be773efd9a0674012ad365dbcec4c671dc238aa92083a56d585d366813df7feb6be1a47a2874ebcd328e7f42daab798be28c3a9bf6138dce353b79ee8b53244a
-
C:\Users\Admin\AppData\Local\Temp\7zSFC4A.tmp\[email protected]\content\bg.js
Filesize
7KB
MD5
c41a263337ad3813c0b1866de6bea2a6
SHA1
a2a38f89043fa05f2072018f48ce3bf993a5bea1
SHA256
b7fd7a70dd4006ae8baecf0f4f7f5954825f2972b8b0aa5426fd913748f78301
SHA512
fa98864dec7eeaf8e4684060df54ca77231b05fd00b1d880887c2b7701d8c90370606b35bcbcebfa7c4db830a09b4d14d8120fc9cc5cf600fb0b7cb4cdc44dfe
-
C:\Users\Admin\AppData\Local\Temp\7zSFC4A.tmp\[email protected]\install.rdf
Filesize
594B
MD5
a56269f72b9e563fbf3f3250b9f080e8
SHA1
bbbb5f4b2771700a23042fd91792569953365bee
SHA256
c717b0a4ecea3f0829de97ce63f897f7700618d57c36ce7d074e4cf9b6c19c1d
SHA512
05c2673cc38f484c5dcfaab9eac00bbf5753189634c18fc109c5085c855d162d8022e97e763898fc83b559a1783ead10c27d20a0174ad769b404f5c9983895e1
-
C:\Users\Admin\AppData\Local\Temp\7zSFC4A.tmp\gadhljpjijnehablopggapegbkbfgpej\VkP.js
Filesize
5KB
MD5
006e0ac06ea8f2ee07b7f8de1fdb7d79
SHA1
1b504e783d609e7bb32300825f6a0627416fb2b6
SHA256
f99552b60e2725d57bafc94be2b52e0b661cce8418a1f56d7db3a4417f3d33f3
SHA512
9c65b8782338951adafe80f469a2ddf53e14e4066205347355c37b5ed8ad0f5a8e0f00459378bd59570951992d47c39e0b08323e8623acd29e2f793282d6c4eb
-
C:\Users\Admin\AppData\Local\Temp\7zSFC4A.tmp\gadhljpjijnehablopggapegbkbfgpej\background.html
Filesize
140B
MD5
2490c10a6f995abece6cfb7776152942
SHA1
a9ee6a84dbc2845030312ca6533c82af436b0d77
SHA256
98cbacdabc44fc0b11ca9c842629310dc54548dc4da92229c75911343f3ad43a
SHA512
b21cda3c96f403154dc090da10b9d69171ec86cb4495976cb039ae26b2404a7cc65941cdfbc975eea04f6524b54115245b3eef82aa5f4c9793dbc2c8767e7901
-
C:\Users\Admin\AppData\Local\Temp\7zSFC4A.tmp\gadhljpjijnehablopggapegbkbfgpej\content.js
Filesize
144B
MD5
fca19198fd8af21016a8b1dec7980002
SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40
SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a
SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47
-
C:\Users\Admin\AppData\Local\Temp\7zSFC4A.tmp\gadhljpjijnehablopggapegbkbfgpej\lsdb.js
Filesize
531B
MD5
36d98318ab2b3b2585a30984db328afb
SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a
-
C:\Users\Admin\AppData\Local\Temp\7zSFC4A.tmp\gadhljpjijnehablopggapegbkbfgpej\manifest.json
Filesize
501B
MD5
9d9d74bfa8e9ace025b834b96419d05e
SHA1
f5e56a100b0208b88335859cec692d867ffb572b
SHA256
a54dc66b61256c08f2bf60f507673814d263effe532fd8e6e1e1d662eca1d265
SHA512
4c8b216a781da9d366d5ea49e66dda6313c1f12947e59119782d14fe07ffa2db9de5b4e818f6e58088dd90f167ac8168796887676e0eacf7a86d2c9f7c3c1512
-
C:\Users\Admin\AppData\Local\Temp\7zSFC4A.tmp\m0SiCLQsyBCn0p.dll
Filesize
747KB
MD5
568f45a778978bfa4c7b3bd0c6a5dbf3
SHA1
2bf9ff26b5c38630b42d932506905725ef3a04a6
SHA256
a914e0ec45c799c86c4f62d4144ab5b9c9ded0ad33461fb41de8a437ce00196d
SHA512
62727e134832a741b10260a50a3f0ea68dece7e8f22afc29b937c10a84b3d6fbd23f36b8a1ff83bfa804a7fa18482671d25a9e94b77820c64f33bd66a95f2fca
-
C:\Users\Admin\AppData\Local\Temp\7zSFC4A.tmp\m0SiCLQsyBCn0p.tlb
Filesize
3KB
MD5
09f02d57c684e89e594215260e2323b4
SHA1
c66c408e4919d9466f0b079846658165fd5daf11
SHA256
e4cdffe72ccc82e3dc738b78bc1aa4646ef9f9451662b0de6d67e18067837383
SHA512
f44be8c55204e41ade8c71d837cfe6d21fc9e708fdeb1b40433b4b893287f11006835ff1361e81de42f9cf03e0783269169e7ec920ea6b4f369f2dd648febdf5
-
C:\Users\Admin\AppData\Local\Temp\7zSFC4A.tmp\m0SiCLQsyBCn0p.x64.dll
Filesize
875KB
MD5
17da2bf78af676b649eae4f74864dfcc
SHA1
decf265a0aadc130874511ace40c62b0c0e16aac
SHA256
b3a707a96ccf454e91ecc1c8578928232646f188b7d9973678f0e27bbf96a2fb
SHA512
76522bd652d3ed0d6bec2c467937e319c24040498f825a2e5dec3c18357c5548a37b3d99de1f748ffdc380ae36b502ec0a6761f2adb55ffbbab1972323a3e806
-
C:\Users\Admin\AppData\Local\Temp\7zSFC4A.tmp\mVBAmIGufzw0N8w.dat
Filesize
6KB
MD5
04499523edee5fee31b7d9c7cb51e09a
SHA1
23b12748dd458b5fc155e67870bd023aa0071e3f
SHA256
dbe1b21f0ba2662669f81857add3ad95ca4cbcab63697069172cf0759e919e59
SHA512
412ba04c9feb0153403f06349e390f127c24fd9d5ef62aa7579642ab9d7e9dcc8453d8ec5ca1cec225bf873bddc6803a80b8e4cf2e9b75e1973c59b1c455757e
-
C:\Users\Admin\AppData\Local\Temp\7zSFC4A.tmp\mVBAmIGufzw0N8w.exe
Filesize
785KB
MD5
c452103272f13b87cdbecb41ae8c5e15
SHA1
3904c76d43842139288db38322ae2522f69b0f47
SHA256
95494f4ea7ec3895ab6b670e91e3f99489d4ac84e54bb652bda11f1d539c5a30
SHA512
f20683111d6cc0dc72de592e74d101a30af835bd32d4a70ad00fb9f2b5cc42081e6c942477dba8bb294ee0aadedf1e3b335bb982b5613ae550987f10f84273a5
-
\Program Files (x86)\PriceLess\m0SiCLQsyBCn0p.dll
Filesize
747KB
MD5
568f45a778978bfa4c7b3bd0c6a5dbf3
SHA1
2bf9ff26b5c38630b42d932506905725ef3a04a6
SHA256
a914e0ec45c799c86c4f62d4144ab5b9c9ded0ad33461fb41de8a437ce00196d
SHA512
62727e134832a741b10260a50a3f0ea68dece7e8f22afc29b937c10a84b3d6fbd23f36b8a1ff83bfa804a7fa18482671d25a9e94b77820c64f33bd66a95f2fca
-
\Program Files (x86)\PriceLess\m0SiCLQsyBCn0p.x64.dll
Filesize
875KB
MD5
17da2bf78af676b649eae4f74864dfcc
SHA1
decf265a0aadc130874511ace40c62b0c0e16aac
SHA256
b3a707a96ccf454e91ecc1c8578928232646f188b7d9973678f0e27bbf96a2fb
SHA512
76522bd652d3ed0d6bec2c467937e319c24040498f825a2e5dec3c18357c5548a37b3d99de1f748ffdc380ae36b502ec0a6761f2adb55ffbbab1972323a3e806
-
\Users\Admin\AppData\Local\Temp\7zSFC4A.tmp\mVBAmIGufzw0N8w.exe
Filesize
785KB
MD5
c452103272f13b87cdbecb41ae8c5e15
SHA1
3904c76d43842139288db38322ae2522f69b0f47
SHA256
95494f4ea7ec3895ab6b670e91e3f99489d4ac84e54bb652bda11f1d539c5a30
SHA512
f20683111d6cc0dc72de592e74d101a30af835bd32d4a70ad00fb9f2b5cc42081e6c942477dba8bb294ee0aadedf1e3b335bb982b5613ae550987f10f84273a5
-
memory/1676-78-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp
Filesize
8KB
-
memory/1676-77-0x0000000000000000-mapping.dmp
-
memory/1880-54-0x0000000075D71000-0x0000000075D73000-memory.dmp
Filesize
8KB
-
memory/1940-73-0x0000000000000000-mapping.dmp
-
memory/1948-56-0x0000000000000000-mapping.dmp