39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950

General

Target

39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Size

3.8MB
MD5

d389e9bdb0437082ddeb0ee7c8684952
SHA1

434cabeed27d4d1a9bf24f18fd4a247eeeb26621
SHA256

39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950
SHA512

0ddbce3e92e2b1fb720fe88df2acbcabd7195bef8b8705c3783aa888a1bb14affe7afea1637ef17da5f82c77e09e5c5062c60e1e0be7471226c04d3353a44132
SSDEEP

98304:mc5Nt3jPkS5AyfVojiD53dtfBaskSxho:hASh53dtwK

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\InprocServer32\ = "C:\\Program Files (x86)\\PricieLeess\\VcxxdclcMiih4r.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exeregsvr32.exeregsvr32.exe

pid process

1140 39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
1436 regsvr32.exe
1516 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjnjnifomceddndlefkppoonlnlbalk\5.2\manifest.json	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjnjnifomceddndlefkppoonlnlbalk\5.2\manifest.json	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjnjnifomceddndlefkppoonlnlbalk\5.2\manifest.json	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\ = "PricieLeess"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\ = "PricieLeess"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\NoExplorer = "1"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}	regsvr32.exe

Drops file in System32 directory 4 IoCs

Processes:

39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
File opened for modification	C:\Windows\System32\GroupPolicy	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe

Drops file in Program Files directory 8 IoCs

Processes:

39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe

description	ioc	process
File created	C:\Program Files (x86)\PricieLeess\VcxxdclcMiih4r.dat	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
File opened for modification	C:\Program Files (x86)\PricieLeess\VcxxdclcMiih4r.dat	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
File created	C:\Program Files (x86)\PricieLeess\VcxxdclcMiih4r.x64.dll	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
File opened for modification	C:\Program Files (x86)\PricieLeess\VcxxdclcMiih4r.x64.dll	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
File created	C:\Program Files (x86)\PricieLeess\VcxxdclcMiih4r.dll	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
File opened for modification	C:\Program Files (x86)\PricieLeess\VcxxdclcMiih4r.dll	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
File created	C:\Program Files (x86)\PricieLeess\VcxxdclcMiih4r.tlb	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
File opened for modification	C:\Program Files (x86)\PricieLeess\VcxxdclcMiih4r.tlb	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{362F0094-B81D-4B3F-89C7-E2F7F2F03F61}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{362F0094-B81D-4B3F-89C7-E2F7F2F03F61}	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe

Modifies registry class 64 IoCs

Processes:

39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{362F0094-B81D-4B3F-89C7-E2F7F2F03F61}	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\ProgID\ = ".9"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\Programmable	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\InprocServer32\ThreadingModel = "Apartment"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{362F0094-B81D-4B3F-89C7-E2F7F2F03F61}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "PricieLeess"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{362F0094-B81D-4B3F-89C7-E2F7F2F03F61}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\InprocServer32\ = "C:\\Program Files (x86)\\PricieLeess\\VcxxdclcMiih4r.dll"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\VersionIndependentProgID	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\ProgID	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\InprocServer32	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "PricieLeess"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\ = "PricieLeess"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\VersionIndependentProgID\	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\ = "PricieLeess"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\Programmable	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{362F0094-B81D-4B3F-89C7-E2F7F2F03F61}\Implemented Categories	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\PricieLeess\\VcxxdclcMiih4r.tlb"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}\ProgID\ = ".9"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe

pid	process
1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe

description	pid	process
Token: SeDebugPrivilege	1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Token: SeDebugPrivilege	1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Token: SeDebugPrivilege	1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Token: SeDebugPrivilege	1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Token: SeDebugPrivilege	1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Token: SeDebugPrivilege	1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exeregsvr32.exe

description	pid	process	target process
PID 1140 wrote to memory of 1436	1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe	regsvr32.exe
PID 1140 wrote to memory of 1436	1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe	regsvr32.exe
PID 1140 wrote to memory of 1436	1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe	regsvr32.exe
PID 1140 wrote to memory of 1436	1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe	regsvr32.exe
PID 1140 wrote to memory of 1436	1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe	regsvr32.exe
PID 1140 wrote to memory of 1436	1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe	regsvr32.exe
PID 1140 wrote to memory of 1436	1140	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe	regsvr32.exe
PID 1436 wrote to memory of 1516	1436	regsvr32.exe	regsvr32.exe
PID 1436 wrote to memory of 1516	1436	regsvr32.exe	regsvr32.exe
PID 1436 wrote to memory of 1516	1436	regsvr32.exe	regsvr32.exe
PID 1436 wrote to memory of 1516	1436	regsvr32.exe	regsvr32.exe
PID 1436 wrote to memory of 1516	1436	regsvr32.exe	regsvr32.exe
PID 1436 wrote to memory of 1516	1436	regsvr32.exe	regsvr32.exe
PID 1436 wrote to memory of 1516	1436	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{362f0094-b81d-4b3f-89c7-e2f7f2f03f61} = "1"	39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe

C:\Users\Admin\AppData\Local\Temp\39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe
"C:\Users\Admin\AppData\Local\Temp\39df1f0c0110b40458e55b38480051681bf7997f1c67decce978fee4a115e950.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1140

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\PricieLeess\VcxxdclcMiih4r.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\PricieLeess\VcxxdclcMiih4r.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1516

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PricieLeess\VcxxdclcMiih4r.dat
Filesize
4KB

MD5
303283515c826a34ec5608b33166ab34

SHA1
24bb8b3e89c1645bb739364ef2cbed95bff824ba

SHA256
9bdc8eaf04e71166983ff76a7590794c72ebd535de06294a5ef17ee254d4a446

SHA512
aaac3ad07a4f9febc5f72d1386020813bae03e4a4f5a04398f22bea95685c2068f2ba9174e97429a318ac3c0a331a31047a2f70bdfe2b0d0f09bb0685ab830af

Download Submit
C:\Program Files (x86)\PricieLeess\VcxxdclcMiih4r.tlb
Filesize
3KB

MD5
a6a73f1a452ca95398b6dc3fd5e17164

SHA1
c9ac5a4c9f748a7d9511e354b0a7e70756150e16

SHA256
9ee94cc3fe8448ee7f2758a8a4834e220744544954cc4eac820a2392eb8a0692

SHA512
3ad4f49cb336cd559d57003be0b651996069dc1b585501f534f50ba33e2eaa456f0d876e20b77c91d03c17aa5151510535b6aa75e3591dc9188f3910d3de40a5

Download Submit
C:\Program Files (x86)\PricieLeess\VcxxdclcMiih4r.x64.dll
Filesize
701KB

MD5
e871358a5ec05daf462f0207ac39f057

SHA1
329a89f3f034faef6de160b50661854a851671fa

SHA256
dfcb071f1af3cdef73955a74b91a4c71893d1e251a3c40b53397db6013d5581d

SHA512
9b8da63c4204c8f1846b413ee2b1040270e626bb96a0eac763bdfba5997811c38a608f033e1bdfc1a09fd124c1998c5214e572e74c3580d8f4134b705b8dfc9e

Download Submit
\Program Files (x86)\PricieLeess\VcxxdclcMiih4r.dll
Filesize
622KB

MD5
18302eec6f8f71f505986c43101e2742

SHA1
c370c11f8722a7e31175862f532fa49dbf5ec7dc

SHA256
9a6a2bcf52012cbb3497838a8db024da0d6a07a30c0f71bd22748b24bbf631d5

SHA512
bb1a3b446ee2b4145c186b53e99ae4297e2e33159f6ae8d64b2d57d326a8f546f82d49f8a772b7dc2016722c7c0f0c00feccab4ca9005865772d9591da0b2227

Download Submit
\Program Files (x86)\PricieLeess\VcxxdclcMiih4r.x64.dll
Filesize
701KB

MD5
e871358a5ec05daf462f0207ac39f057

SHA1
329a89f3f034faef6de160b50661854a851671fa

SHA256
dfcb071f1af3cdef73955a74b91a4c71893d1e251a3c40b53397db6013d5581d

SHA512
9b8da63c4204c8f1846b413ee2b1040270e626bb96a0eac763bdfba5997811c38a608f033e1bdfc1a09fd124c1998c5214e572e74c3580d8f4134b705b8dfc9e

Download Submit
\Program Files (x86)\PricieLeess\VcxxdclcMiih4r.x64.dll
Filesize
701KB

MD5
e871358a5ec05daf462f0207ac39f057

SHA1
329a89f3f034faef6de160b50661854a851671fa

SHA256
dfcb071f1af3cdef73955a74b91a4c71893d1e251a3c40b53397db6013d5581d

SHA512
9b8da63c4204c8f1846b413ee2b1040270e626bb96a0eac763bdfba5997811c38a608f033e1bdfc1a09fd124c1998c5214e572e74c3580d8f4134b705b8dfc9e

Download Submit
memory/1140-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1140-55-0x0000000000420000-0x00000000004C3000-memory.dmp

Filesize
652KB

Download
memory/1436-61-0x0000000000000000-mapping.dmp

Download
memory/1516-65-0x0000000000000000-mapping.dmp

Download
memory/1516-66-0x000007FEFC201000-0x000007FEFC203000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads