19cc7c12090a8ed5d310066f6966c97c3e57742adb8cacc681bb963a38d4e3a3

Analysis

max time kernel
90s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 20:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

19cc7c12090a8ed5d310066f6966c97c3e57742adb8cacc681bb963a38d4e3a3.exe
Size

2.1MB
MD5

29f0a8f228d90df2ad251b7c2e2431cd
SHA1

2ccb9f86766ddf0a855a3b2e7cb481bc83d0ec78
SHA256

19cc7c12090a8ed5d310066f6966c97c3e57742adb8cacc681bb963a38d4e3a3
SHA512

1d859f33341f95d1533e1bba0f73576c65fb4ae8b781b5952066fb9b92ef085587f9dad181e8c0111ffc4b969816da39ecb5b6b4ae704bb1e52629b8c6b79959
SSDEEP

49152:h1OsNBNPM6n5oHCZdw3CyvHht6wqM7M1cHC:h1OYBjn5oHCZMDvHhrqMMB

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2836	jKKRvJ1baaLz85U.exe

Loads dropped DLL 3 IoCs

pid	Process
2836	jKKRvJ1baaLz85U.exe
3144	regsvr32.exe
4300	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ebjgnfmbbgjlleiaolfpahidjioakonj\5.2\manifest.json	jKKRvJ1baaLz85U.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ebjgnfmbbgjlleiaolfpahidjioakonj\5.2\manifest.json	jKKRvJ1baaLz85U.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\ebjgnfmbbgjlleiaolfpahidjioakonj\5.2\manifest.json	jKKRvJ1baaLz85U.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ebjgnfmbbgjlleiaolfpahidjioakonj\5.2\manifest.json	jKKRvJ1baaLz85U.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ebjgnfmbbgjlleiaolfpahidjioakonj\5.2\manifest.json	jKKRvJ1baaLz85U.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	jKKRvJ1baaLz85U.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	jKKRvJ1baaLz85U.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	jKKRvJ1baaLz85U.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	jKKRvJ1baaLz85U.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PricELess\prQhTaSApq6Qc5.x64.dll	jKKRvJ1baaLz85U.exe
File created	C:\Program Files (x86)\PricELess\prQhTaSApq6Qc5.dll	jKKRvJ1baaLz85U.exe
File opened for modification	C:\Program Files (x86)\PricELess\prQhTaSApq6Qc5.dll	jKKRvJ1baaLz85U.exe
File created	C:\Program Files (x86)\PricELess\prQhTaSApq6Qc5.tlb	jKKRvJ1baaLz85U.exe
File opened for modification	C:\Program Files (x86)\PricELess\prQhTaSApq6Qc5.tlb	jKKRvJ1baaLz85U.exe
File created	C:\Program Files (x86)\PricELess\prQhTaSApq6Qc5.dat	jKKRvJ1baaLz85U.exe
File opened for modification	C:\Program Files (x86)\PricELess\prQhTaSApq6Qc5.dat	jKKRvJ1baaLz85U.exe
File created	C:\Program Files (x86)\PricELess\prQhTaSApq6Qc5.x64.dll	jKKRvJ1baaLz85U.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2836	jKKRvJ1baaLz85U.exe
2836	jKKRvJ1baaLz85U.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2836	4956	19cc7c12090a8ed5d310066f6966c97c3e57742adb8cacc681bb963a38d4e3a3.exe	81
PID 4956 wrote to memory of 2836	4956	19cc7c12090a8ed5d310066f6966c97c3e57742adb8cacc681bb963a38d4e3a3.exe	81
PID 4956 wrote to memory of 2836	4956	19cc7c12090a8ed5d310066f6966c97c3e57742adb8cacc681bb963a38d4e3a3.exe	81
PID 2836 wrote to memory of 3144	2836	jKKRvJ1baaLz85U.exe	82
PID 2836 wrote to memory of 3144	2836	jKKRvJ1baaLz85U.exe	82
PID 2836 wrote to memory of 3144	2836	jKKRvJ1baaLz85U.exe	82
PID 3144 wrote to memory of 4300	3144	regsvr32.exe	83
PID 3144 wrote to memory of 4300	3144	regsvr32.exe	83

C:\Users\Admin\AppData\Local\Temp\19cc7c12090a8ed5d310066f6966c97c3e57742adb8cacc681bb963a38d4e3a3.exe
"C:\Users\Admin\AppData\Local\Temp\19cc7c12090a8ed5d310066f6966c97c3e57742adb8cacc681bb963a38d4e3a3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\7zSB654.tmp\jKKRvJ1baaLz85U.exe
  .\jKKRvJ1baaLz85U.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\PricELess\prQhTaSApq6Qc5.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\PricELess\prQhTaSApq6Qc5.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:4300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PricELess\prQhTaSApq6Qc5.dat

Filesize
6KB

MD5
bae5b89fc587a4c563b223d67ce7d13c

SHA1
75e7e2952b0acf4d42a9d0171e579b343837d908

SHA256
2f54ab1c87d98c7ec31fd6dfee5a679a28575770749c70d3f6e43231a86a11aa

SHA512
7efcf1cac754834bc98fb609c4bafaf1373736247d8cba631a716a47b6140f3d3c23c4e5ca5852e0894e1068917ea3d6f93bc1b9ee34be7cd302741926a3aca5

Download Submit
C:\Program Files (x86)\PricELess\prQhTaSApq6Qc5.dll

Filesize
629KB

MD5
8f0476d4c7ef0c04523efe17f95ffff8

SHA1
a7605f6101031e5eec2ae964b6ed9d8775434e9e

SHA256
7277b7268f48043af02c5a6793e8c17cf815080bebef610fac956b3cb581d909

SHA512
21a8056c7a7f1d14240f28543bcda3a19fceeebf5dff24da51f71f97a2d4a2c6bdb1e308051eff62b52efe25af5b5de0f88130f9dad2dc440697b7997de36429

Download Submit
C:\Program Files (x86)\PricELess\prQhTaSApq6Qc5.x64.dll

Filesize
710KB

MD5
2d9b84b8a433eff58888a3240a3a4ff5

SHA1
a59f591168b33de4f42b680fb66c7c7f78b11056

SHA256
4df3323f9cfeb84add405bf9bf36445a22b368c1efb70e109200d94d880bfbb3

SHA512
1cdc6571ae7a8708aaef77f566222aa7cad9da7a77e3e904a56fcfa9238bb6c9993bd455c7f336e4b14e63e61ec8cf4f710567b4b9f420c3133da6dddd10d23e

Download Submit
C:\Program Files (x86)\PricELess\prQhTaSApq6Qc5.x64.dll

Filesize
710KB

MD5
2d9b84b8a433eff58888a3240a3a4ff5

SHA1
a59f591168b33de4f42b680fb66c7c7f78b11056

SHA256
4df3323f9cfeb84add405bf9bf36445a22b368c1efb70e109200d94d880bfbb3

SHA512
1cdc6571ae7a8708aaef77f566222aa7cad9da7a77e3e904a56fcfa9238bb6c9993bd455c7f336e4b14e63e61ec8cf4f710567b4b9f420c3133da6dddd10d23e

Download Submit
C:\Program Files (x86)\PricELess\prQhTaSApq6Qc5.x64.dll

Filesize
710KB

MD5
2d9b84b8a433eff58888a3240a3a4ff5

SHA1
a59f591168b33de4f42b680fb66c7c7f78b11056

SHA256
4df3323f9cfeb84add405bf9bf36445a22b368c1efb70e109200d94d880bfbb3

SHA512
1cdc6571ae7a8708aaef77f566222aa7cad9da7a77e3e904a56fcfa9238bb6c9993bd455c7f336e4b14e63e61ec8cf4f710567b4b9f420c3133da6dddd10d23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB654.tmp\ebjgnfmbbgjlleiaolfpahidjioakonj\BJb1Y.js

Filesize
5KB

MD5
3a354114318ad7643a4b21777daffe4d

SHA1
adf5757323cc1e83835d48ba97f34b66584aead1

SHA256
8b103654abda87841062375f3489a1f2a29599557f9d0a5aff41c3dd793b5da9

SHA512
a6c7e0aed038abc399cfa2f1f53c228af8619d7e601c4a71831aab849afbd096f61db984801f5fd27ce4356dd3034503a0659c298fc5dc952876cf5f424ab588

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB654.tmp\ebjgnfmbbgjlleiaolfpahidjioakonj\background.html

Filesize
142B

MD5
f8d227c0d5a523526037f3c838b28f01

SHA1
12fd68c94d7f9aa2e35d483f20bf37b471970e68

SHA256
e07c47b8296f5a961180ee09f5989e489be3c50d4babd0b820166ab1cec836d8

SHA512
171fc8e45ae92d586f8981bd142ea567f7a522b9e32688632c8c87d597a61d27af358e10e89b832d9bc5ef9bdcf4c48cac8c7fe091419da9aa5fbaaddb3cdbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB654.tmp\ebjgnfmbbgjlleiaolfpahidjioakonj\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB654.tmp\ebjgnfmbbgjlleiaolfpahidjioakonj\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB654.tmp\ebjgnfmbbgjlleiaolfpahidjioakonj\manifest.json

Filesize
501B

MD5
3f36e36e497a5211320aa188fd64a708

SHA1
0527c4bcdaceaeb9f55bcc849ac851de15170d44

SHA256
8daca567de98f31a240c788edcbba3ff154f6bf9f95c82288e4a9bc82dcaebb3

SHA512
a36deb555c00c9cba6d6db6c83d3d20f7ad21085c2a64a7415629fed1727f0df42b7fcfc4a9d95a515b3c4432a43d236d68a531616bd85c136cfa4d38425fb8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB654.tmp\jKKRvJ1baaLz85U.dat

Filesize
6KB

MD5
bae5b89fc587a4c563b223d67ce7d13c

SHA1
75e7e2952b0acf4d42a9d0171e579b343837d908

SHA256
2f54ab1c87d98c7ec31fd6dfee5a679a28575770749c70d3f6e43231a86a11aa

SHA512
7efcf1cac754834bc98fb609c4bafaf1373736247d8cba631a716a47b6140f3d3c23c4e5ca5852e0894e1068917ea3d6f93bc1b9ee34be7cd302741926a3aca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB654.tmp\jKKRvJ1baaLz85U.exe

Filesize
657KB

MD5
b831a4edee2ceadc357e0165ea586f14

SHA1
4bd2c00d1331f52acafd077cb358905bcc40a40b

SHA256
917f3a961b2105519fa358adac37496671751a49a215922ddba8dd3f047c8627

SHA512
805bb79c277be66d0ac821de3f5fe5fbdc2bedfcc5201868d354b63520cccd252b965f2e9c608cb678fc5f391050d42c466c9f79670bd591ea865912517cd6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB654.tmp\jKKRvJ1baaLz85U.exe

Filesize
657KB

MD5
b831a4edee2ceadc357e0165ea586f14

SHA1
4bd2c00d1331f52acafd077cb358905bcc40a40b

SHA256
917f3a961b2105519fa358adac37496671751a49a215922ddba8dd3f047c8627

SHA512
805bb79c277be66d0ac821de3f5fe5fbdc2bedfcc5201868d354b63520cccd252b965f2e9c608cb678fc5f391050d42c466c9f79670bd591ea865912517cd6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB654.tmp\prQhTaSApq6Qc5.dll

Filesize
629KB

MD5
8f0476d4c7ef0c04523efe17f95ffff8

SHA1
a7605f6101031e5eec2ae964b6ed9d8775434e9e

SHA256
7277b7268f48043af02c5a6793e8c17cf815080bebef610fac956b3cb581d909

SHA512
21a8056c7a7f1d14240f28543bcda3a19fceeebf5dff24da51f71f97a2d4a2c6bdb1e308051eff62b52efe25af5b5de0f88130f9dad2dc440697b7997de36429

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB654.tmp\prQhTaSApq6Qc5.tlb

Filesize
3KB

MD5
ad50e349afc1c3ffb845262f7fc97603

SHA1
b0cc07253796476f702227739c5050247ca2b279

SHA256
8f8d4fc042feb74d414a3a5a761dc5394a4b96f1e5bd818bd01208d0b3e1bcb0

SHA512
6a11d1bab64ba21c5ce51faf209beb9d6a49e488a27a21e20e51f1d0216c8034be0442ceb351a942d3be4d2883c79495afffa776752dce0fd727a0a32e2740a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB654.tmp\prQhTaSApq6Qc5.x64.dll

Filesize
710KB

MD5
2d9b84b8a433eff58888a3240a3a4ff5

SHA1
a59f591168b33de4f42b680fb66c7c7f78b11056

SHA256
4df3323f9cfeb84add405bf9bf36445a22b368c1efb70e109200d94d880bfbb3

SHA512
1cdc6571ae7a8708aaef77f566222aa7cad9da7a77e3e904a56fcfa9238bb6c9993bd455c7f336e4b14e63e61ec8cf4f710567b4b9f420c3133da6dddd10d23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB654.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB654.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
815aceec30515fc7318e35c1848255c7

SHA1
9b36e76cbf7ed25dafdab26c049e570f3f541ffa

SHA256
2be0deb15f96037d826844d6ed7a5dafff02b897a7f0520baf9d8b81abf00961

SHA512
e6526ba48fbfe54cec320e3442b957b964f753bd7b1cf5d6cdc6e360f79a5a138b54c8dd6aaa14381d99b8e6fcadca2d2a18288996d548c23bdfa5bcc6a37158

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB654.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
45ba6a22be969c5d53cc410545aaf095

SHA1
fb1e760baf58f10115abfc7c4d41f37df5698b51

SHA256
c3475a9454e6dc371814ffba42e311fa335d5d41bafe87f9c254955d7703743b

SHA512
297b71bf721db3bf92df69a44c6899ae347a3a368760c2758205a87d4b98a369671905d5636484dd136830f8f4653cb3c1f165d003353965a2fb76adc32aaaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB654.tmp\[email protected]\install.rdf

Filesize
597B

MD5
4841b84c71a1a50c3e2abc48d770e7a2

SHA1
f380a4f641548f03d3a723ccc71d9ee4a0d453a6

SHA256
a5fcfad60d67e5d0a852d475f87ad4d5805ac96412da2edf515fa582bfa2824c

SHA512
697430d0b5b3a4e55a691e0e8b38de2f350644be0f62edd94644038ddb8c9db82c3eb458116d9df0612cb59fd4039b569c5c3540f7a820c1c1060a3f13854216

Download Submit