fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e

General

Target

fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Size

3.1MB
MD5

3c3384cd45ede6f3fa4dfb9296e28fa4
SHA1

76ba463f3a40ca47d892e7cb30c31f319570c133
SHA256

fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e
SHA512

9e1a80129dc61e57a730550fef6fb86923a9d7040a3f5014d662d21061d5757d8e64f557b69b12fe439f9a6d0c3e477135223d606c546cedc7c79db2c19b5010
SSDEEP

49152:bgpjaT01rpJXA5gtqA3Sv/fN9P5jDQoxnI3Kj/Y4y44ZGvhMJG0dvgNkwIe5nrM:kwSrphA5RN53vxnBEvGfJN1

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exeregsvr32.exe

pid process

580 fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
2000 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\afojifljbhmjagpdiicnnjimlclkdmdj\5.2\manifest.json	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\afojifljbhmjagpdiicnnjimlclkdmdj\5.2\manifest.json	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\afojifljbhmjagpdiicnnjimlclkdmdj\5.2\manifest.json	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{fec022a2-7561-4af2-b62f-a358d79a58bd}	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{fec022a2-7561-4af2-b62f-a358d79a58bd}\ = "PricceeLLess"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{fec022a2-7561-4af2-b62f-a358d79a58bd}\NoExplorer = "1"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{fec022a2-7561-4af2-b62f-a358d79a58bd}	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe

Drops file in System32 directory 4 IoCs

Processes:

fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe

Drops file in Program Files directory 8 IoCs

Processes:

fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\PricceeLLess\7zi7FhkdD8noxy.dll	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
File created	C:\Program Files (x86)\PricceeLLess\7zi7FhkdD8noxy.tlb	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
File opened for modification	C:\Program Files (x86)\PricceeLLess\7zi7FhkdD8noxy.tlb	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
File created	C:\Program Files (x86)\PricceeLLess\7zi7FhkdD8noxy.dat	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
File opened for modification	C:\Program Files (x86)\PricceeLLess\7zi7FhkdD8noxy.dat	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
File created	C:\Program Files (x86)\PricceeLLess\7zi7FhkdD8noxy.x64.dll	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
File opened for modification	C:\Program Files (x86)\PricceeLLess\7zi7FhkdD8noxy.x64.dll	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
File created	C:\Program Files (x86)\PricceeLLess\7zi7FhkdD8noxy.dll	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{fec022a2-7561-4af2-b62f-a358d79a58bd}	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{FEC022A2-7561-4AF2-B62F-A358D79A58BD}	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe

Modifies registry class 64 IoCs

Processes:

fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fec022a2-7561-4af2-b62f-a358d79a58bd}\VersionIndependentProgID\	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fec022a2-7561-4af2-b62f-a358d79a58bd}\InprocServer32\ThreadingModel = "Apartment"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEC022A2-7561-4AF2-B62F-A358D79A58BD}	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEC022A2-7561-4AF2-B62F-A358D79A58BD}\Implemented Categories	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fec022a2-7561-4af2-b62f-a358d79a58bd}\VersionIndependentProgID	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{fec022a2-7561-4af2-b62f-a358d79a58bd}"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{fec022a2-7561-4af2-b62f-a358d79a58bd}"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fec022a2-7561-4af2-b62f-a358d79a58bd}	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fec022a2-7561-4af2-b62f-a358d79a58bd}\ProgID	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fec022a2-7561-4af2-b62f-a358d79a58bd}\ = "PricceeLLess"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fec022a2-7561-4af2-b62f-a358d79a58bd}\ProgID	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fec022a2-7561-4af2-b62f-a358d79a58bd}\ProgID\ = ".9"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fec022a2-7561-4af2-b62f-a358d79a58bd}\Programmable	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fec022a2-7561-4af2-b62f-a358d79a58bd}	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fec022a2-7561-4af2-b62f-a358d79a58bd}\VersionIndependentProgID	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fec022a2-7561-4af2-b62f-a358d79a58bd}\InprocServer32	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fec022a2-7561-4af2-b62f-a358d79a58bd}\InprocServer32\ = "C:\\Program Files (x86)\\PricceeLLess\\7zi7FhkdD8noxy.dll"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\PricceeLLess"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "PricceeLLess"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\PricceeLLess\\7zi7FhkdD8noxy.tlb"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe

pid	process
580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe

description	pid	process
Token: SeDebugPrivilege	580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Token: SeDebugPrivilege	580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Token: SeDebugPrivilege	580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Token: SeDebugPrivilege	580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Token: SeDebugPrivilege	580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Token: SeDebugPrivilege	580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exeregsvr32.exe

description	pid	process	target process
PID 580 wrote to memory of 2000	580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe	regsvr32.exe
PID 580 wrote to memory of 2000	580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe	regsvr32.exe
PID 580 wrote to memory of 2000	580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe	regsvr32.exe
PID 580 wrote to memory of 2000	580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe	regsvr32.exe
PID 580 wrote to memory of 2000	580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe	regsvr32.exe
PID 580 wrote to memory of 2000	580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe	regsvr32.exe
PID 580 wrote to memory of 2000	580	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe	regsvr32.exe
PID 2000 wrote to memory of 1224	2000	regsvr32.exe	regsvr32.exe
PID 2000 wrote to memory of 1224	2000	regsvr32.exe	regsvr32.exe
PID 2000 wrote to memory of 1224	2000	regsvr32.exe	regsvr32.exe
PID 2000 wrote to memory of 1224	2000	regsvr32.exe	regsvr32.exe
PID 2000 wrote to memory of 1224	2000	regsvr32.exe	regsvr32.exe
PID 2000 wrote to memory of 1224	2000	regsvr32.exe	regsvr32.exe
PID 2000 wrote to memory of 1224	2000	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{fec022a2-7561-4af2-b62f-a358d79a58bd} = "1"	fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe

C:\Users\Admin\AppData\Local\Temp\fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe
"C:\Users\Admin\AppData\Local\Temp\fcb6c8e1b4d5484459e84a4c3e2b0c85c94ac056184f81deb2d4a5c6f8dfaa6e.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:580

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\PricceeLLess\7zi7FhkdD8noxy.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\PricceeLLess\7zi7FhkdD8noxy.x64.dll"
3⤵
PID:1224

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PricceeLLess\7zi7FhkdD8noxy.x64.dll
Filesize
696KB

MD5
df7367824b7f650acbd6e79ba2289d39

SHA1
c89d6ddd0b831488b79d2d84f114daa1da46151b

SHA256
0a1739d49e7161b3593306e1b1255278d6fa5ca642697c880dfa31b9d783bf62

SHA512
aa67c10cfc4ab9e0155ed89ee0e1a5db3bea596951e23d6fdadefc960f96a68723bb7423297c0ffdbf49fd6560504f6836d5f27f7077ac336e21bc09b9dd1e31

Download Submit
\Program Files (x86)\PricceeLLess\7zi7FhkdD8noxy.dll
Filesize
617KB

MD5
0824e96d2290c55a0656e54ae21a0500

SHA1
15e7c7faf237f6b74a39a26f1da39dbed1b49ed3

SHA256
020f799f6bab93debc71c2586cbc6615659066b11484f79ac2227eb8b6b8b164

SHA512
ad52079068406cfd2a6d9159f06b16929f99bdfe6a625ca36c758e8b8b705df1348c7275a815c6365d838ecc550104c0a76d4bd3bccbd0c6124521af3cb76138

Download Submit
\Program Files (x86)\PricceeLLess\7zi7FhkdD8noxy.x64.dll
Filesize
696KB

MD5
df7367824b7f650acbd6e79ba2289d39

SHA1
c89d6ddd0b831488b79d2d84f114daa1da46151b

SHA256
0a1739d49e7161b3593306e1b1255278d6fa5ca642697c880dfa31b9d783bf62

SHA512
aa67c10cfc4ab9e0155ed89ee0e1a5db3bea596951e23d6fdadefc960f96a68723bb7423297c0ffdbf49fd6560504f6836d5f27f7077ac336e21bc09b9dd1e31

Download Submit
memory/580-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/580-55-0x0000000002730000-0x00000000027D2000-memory.dmp

Filesize
648KB

Download
memory/1224-86-0x0000000000000000-mapping.dmp

Download
memory/1224-87-0x000007FEFB641000-0x000007FEFB643000-memory.dmp

Filesize
8KB

Download
memory/2000-82-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads