8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175

General

Target

8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Size

4.3MB
MD5

4904d6ff4e129530a2a1651c7bda8fff
SHA1

1904c61670ccd9414a793830fe66555ad0cafe94
SHA256

8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175
SHA512

6cd5aee966cd72b66d859166ec0a3e6b1d47ab8bd3005edd4868a6e2f64162e92a553eca783bdd7dbd0e97f28ba303ca68e933b48b5bc75c5a98789b530cb097
SSDEEP

98304:N8ndzGOKPwFZ0EHw6bcsf1gT7yCnFyBJ9cHVCl/zoy7+nXsqLeZMroMNm0o/cWUe:NVpPwFZH9bcsfS7yUeAR0

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\InprocServer32\ = "C:\\Program Files (x86)\\PriceLess\\TKC0GK2AS54Fw8.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exeregsvr32.exeregsvr32.exe

pid process

2004 8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
1504 regsvr32.exe
692 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eiaccbcgahlgiejhpcmkcciiicmeejpc\5.2\manifest.json	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\eiaccbcgahlgiejhpcmkcciiicmeejpc\5.2\manifest.json	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\eiaccbcgahlgiejhpcmkcciiicmeejpc\5.2\manifest.json	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\ = "PriceLess"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\ = "PriceLess"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\NoExplorer = "1"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe

Drops file in System32 directory 4 IoCs

Processes:

8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
File opened for modification	C:\Windows\System32\GroupPolicy	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe

Drops file in Program Files directory 8 IoCs

Processes:

8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\PriceLess\TKC0GK2AS54Fw8.dat	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
File created	C:\Program Files (x86)\PriceLess\TKC0GK2AS54Fw8.x64.dll	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
File opened for modification	C:\Program Files (x86)\PriceLess\TKC0GK2AS54Fw8.x64.dll	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
File created	C:\Program Files (x86)\PriceLess\TKC0GK2AS54Fw8.dll	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
File opened for modification	C:\Program Files (x86)\PriceLess\TKC0GK2AS54Fw8.dll	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
File created	C:\Program Files (x86)\PriceLess\TKC0GK2AS54Fw8.tlb	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
File opened for modification	C:\Program Files (x86)\PriceLess\TKC0GK2AS54Fw8.tlb	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
File created	C:\Program Files (x86)\PriceLess\TKC0GK2AS54Fw8.dat	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{143FF4E1-C9D7-4B09-AB55-70A5D3F2D4F0}	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{143FF4E1-C9D7-4B09-AB55-70A5D3F2D4F0}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\Programmable	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{143FF4E1-C9D7-4B09-AB55-70A5D3F2D4F0}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\PriceLess"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143FF4E1-C9D7-4B09-AB55-70A5D3F2D4F0}\Implemented Categories	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "PriceLess"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\ = "PriceLess"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{143FF4E1-C9D7-4B09-AB55-70A5D3F2D4F0}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\ = "PriceLess"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143FF4E1-C9D7-4B09-AB55-70A5D3F2D4F0}	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\ProgID\ = ".9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\InprocServer32\ = "C:\\Program Files (x86)\\PriceLess\\TKC0GK2AS54Fw8.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\PriceLess\\TKC0GK2AS54Fw8.tlb"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\VersionIndependentProgID\	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "PriceLess"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\ProgID\ = ".9"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\InprocServer32	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}\VersionIndependentProgID\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "PriceLess"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0}	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe

pid	process
2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe

description	pid	process
Token: SeDebugPrivilege	2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Token: SeDebugPrivilege	2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Token: SeDebugPrivilege	2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Token: SeDebugPrivilege	2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Token: SeDebugPrivilege	2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Token: SeDebugPrivilege	2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exeregsvr32.exe

description	pid	process	target process
PID 2004 wrote to memory of 1504	2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe	regsvr32.exe
PID 2004 wrote to memory of 1504	2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe	regsvr32.exe
PID 2004 wrote to memory of 1504	2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe	regsvr32.exe
PID 2004 wrote to memory of 1504	2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe	regsvr32.exe
PID 2004 wrote to memory of 1504	2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe	regsvr32.exe
PID 2004 wrote to memory of 1504	2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe	regsvr32.exe
PID 2004 wrote to memory of 1504	2004	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe	regsvr32.exe
PID 1504 wrote to memory of 692	1504	regsvr32.exe	regsvr32.exe
PID 1504 wrote to memory of 692	1504	regsvr32.exe	regsvr32.exe
PID 1504 wrote to memory of 692	1504	regsvr32.exe	regsvr32.exe
PID 1504 wrote to memory of 692	1504	regsvr32.exe	regsvr32.exe
PID 1504 wrote to memory of 692	1504	regsvr32.exe	regsvr32.exe
PID 1504 wrote to memory of 692	1504	regsvr32.exe	regsvr32.exe
PID 1504 wrote to memory of 692	1504	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{143ff4e1-c9d7-4b09-ab55-70a5d3f2d4f0} = "1"	8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe

C:\Users\Admin\AppData\Local\Temp\8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe
"C:\Users\Admin\AppData\Local\Temp\8a99b9f0409710c64b9be6f70b1847851176a540e83494c7c47c84fef4855175.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2004

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\PriceLess\TKC0GK2AS54Fw8.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\PriceLess\TKC0GK2AS54Fw8.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:692

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PriceLess\TKC0GK2AS54Fw8.dat
Filesize
4KB

MD5
7cb043a726dee93f4fa50a7a4fda8469

SHA1
bf62dc7d07cee8c519e3c2115ff922ff60871c0e

SHA256
67426d78eb44cf88f0560ec61279035b406cf09f4adda7eb3a1abc7c8716c99e

SHA512
fb7740e2f1d92e2f04e6cb2f4ea9aa66012f3ac666e3ea71ad4ee550208499cf0d49bd6f0602d52397ecf982a9efc8ad9b7e90b54322ab97e2188524c9f8fc10

Download Submit
C:\Program Files (x86)\PriceLess\TKC0GK2AS54Fw8.tlb
Filesize
3KB

MD5
ab50bfd160f5251c1c06947ba8523db0

SHA1
7940cc61ab4e0bb82afc03dd141eaf8bd963c091

SHA256
a23c9c376478404d8f90d1d984935f7b5e5f2e5674fd8a7642dc89f2b1b2c4a8

SHA512
506baa3f8ca880eeb4d26e9744babef326d2b5b1fb0971c712072c4aeeaaaff702847c045fe0270d45cc71a0b7fb53ba0af60aeaa34f5154f9617c85a06c3334

Download Submit
C:\Program Files (x86)\PriceLess\TKC0GK2AS54Fw8.x64.dll
Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
\Program Files (x86)\PriceLess\TKC0GK2AS54Fw8.dll
Filesize
613KB

MD5
0df7c26b4abf65cd6ca180c2ddc7ae4b

SHA1
d43e0770e0a5778525a4828f46e1e4448cdc9aa8

SHA256
f133fed29f50b1cdc8af2043608b14f8f20ab5349a2cfe16536d089966eb120b

SHA512
29ca79a58784de2855975849a94f0f3e55b3a13ece1cf9ff25db98d397c1758d88df8ac4887dfb48b28a89564e60a3a0195140d154ce0d0b81569fd0931fc474

Download Submit
\Program Files (x86)\PriceLess\TKC0GK2AS54Fw8.x64.dll
Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
\Program Files (x86)\PriceLess\TKC0GK2AS54Fw8.x64.dll
Filesize
695KB

MD5
2e506193dce62c7f1cf73d8709f60d2d

SHA1
746e4a7b0505d2eb486896c913c917075f23d974

SHA256
18f9cd61c2de7ce04bb14e08820d52cc42e9b2b5a63dd9770d83df2867947d9a

SHA512
bb49793b6263920a61d602b2cb33e241cfc5e3c624a65b62dcd7ad4924fdceeefe4d73c08c5c5163860a65438262439a64119c13c734fc404f01be8d0085fb64

Download Submit
memory/692-65-0x0000000000000000-mapping.dmp

Download
memory/692-66-0x000007FEFC241000-0x000007FEFC243000-memory.dmp

Filesize
8KB

Download
memory/1504-61-0x0000000000000000-mapping.dmp

Download
memory/2004-54-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download
memory/2004-55-0x0000000002940000-0x00000000029E3000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads