051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626

Analysis

max time kernel
144s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Size

3.6MB
MD5

87f9480819416e5d102df86c18bb1ae2
SHA1

79f64af8df16bec1c64a3a1098d256b20b2bd19f
SHA256

051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626
SHA512

e2d74167570ce1de2e24b24ea47c00b93e16dae68a8f55e1a5c2c16d547b25da14852682d39ae1018b1fdc64f8e2514a638900d0e6cfa62e5f10d313c3342ab7
SSDEEP

98304:KGFKbFZmkAa3O0Ktgq333XYuyEdp68mEycu:PKbFjde0KtJH3XYuyUp68msu

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}\InprocServer32\ = "C:\\Program Files (x86)\\PriceLess\\GycFYEKljOwy9i.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 3 IoCs

pid	Process
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
744	regsvr32.exe
3160	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jnbggnlbeaicpaeiobpdldjfggdfgbag\5.2\manifest.json	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jnbggnlbeaicpaeiobpdldjfggdfgbag\5.2\manifest.json	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\jnbggnlbeaicpaeiobpdldjfggdfgbag\5.2\manifest.json	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\jnbggnlbeaicpaeiobpdldjfggdfgbag\5.2\manifest.json	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\jnbggnlbeaicpaeiobpdldjfggdfgbag\5.2\manifest.json	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4ad013a-54e0-4774-8d74-93be1804895c}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4ad013a-54e0-4774-8d74-93be1804895c}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4ad013a-54e0-4774-8d74-93be1804895c}	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4ad013a-54e0-4774-8d74-93be1804895c}\ = "PriceLess"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4ad013a-54e0-4774-8d74-93be1804895c}\NoExplorer = "1"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4ad013a-54e0-4774-8d74-93be1804895c}	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4ad013a-54e0-4774-8d74-93be1804895c}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4ad013a-54e0-4774-8d74-93be1804895c}\ = "PriceLess"	regsvr32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PriceLess\GycFYEKljOwy9i.x64.dll	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
File created	C:\Program Files (x86)\PriceLess\GycFYEKljOwy9i.dll	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
File opened for modification	C:\Program Files (x86)\PriceLess\GycFYEKljOwy9i.dll	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
File created	C:\Program Files (x86)\PriceLess\GycFYEKljOwy9i.tlb	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
File opened for modification	C:\Program Files (x86)\PriceLess\GycFYEKljOwy9i.tlb	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
File created	C:\Program Files (x86)\PriceLess\GycFYEKljOwy9i.dat	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
File opened for modification	C:\Program Files (x86)\PriceLess\GycFYEKljOwy9i.dat	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
File created	C:\Program Files (x86)\PriceLess\GycFYEKljOwy9i.x64.dll	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{c4ad013a-54e0-4774-8d74-93be1804895c}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{c4ad013a-54e0-4774-8d74-93be1804895c}	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{C4AD013A-54E0-4774-8D74-93BE1804895C}	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{C4AD013A-54E0-4774-8D74-93BE1804895C}	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "PriceLess"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}\InprocServer32\ThreadingModel = "Apartment"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\PriceLess"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4AD013A-54E0-4774-8D74-93BE1804895C}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{c4ad013a-54e0-4774-8d74-93be1804895c}"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4AD013A-54E0-4774-8D74-93BE1804895C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4AD013A-54E0-4774-8D74-93BE1804895C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}\VersionIndependentProgID	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}\Programmable	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}\InprocServer32	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}\ = "PriceLess"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}\VersionIndependentProgID	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4AD013A-54E0-4774-8D74-93BE1804895C}\Implemented Categories	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}\Programmable	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "PriceLess"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{c4ad013a-54e0-4774-8d74-93be1804895c}"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c}\ProgID	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "PriceLess"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Token: SeDebugPrivilege	1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Token: SeDebugPrivilege	1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Token: SeDebugPrivilege	1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Token: SeDebugPrivilege	1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
Token: SeDebugPrivilege	1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 744	1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe	83
PID 1260 wrote to memory of 744	1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe	83
PID 1260 wrote to memory of 744	1260	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe	83
PID 744 wrote to memory of 3160	744	regsvr32.exe	84
PID 744 wrote to memory of 3160	744	regsvr32.exe	84

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{c4ad013a-54e0-4774-8d74-93be1804895c} = "1"	051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe

C:\Users\Admin\AppData\Local\Temp\051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe
"C:\Users\Admin\AppData\Local\Temp\051049beec31277c84bc9378f7f1a2227a74b94df638d747e882e72b9f552626.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1260
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Program Files (x86)\PriceLess\GycFYEKljOwy9i.x64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\PriceLess\GycFYEKljOwy9i.x64.dll"
    3⤵
    - Registers COM server for autorun
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:3160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PriceLess\GycFYEKljOwy9i.dat

Filesize
3KB

MD5
a7bb7a58cf1068a7df17bdd76e1c1f78

SHA1
da8cc8ae491df5caf93efec5366eba479a562453

SHA256
2ae3556deaa0b541028faeb96591eeee31898cb3a1bd91c66a39db6b6c0176bd

SHA512
0c5c7115e289b2ea150f129701f894720e8f58bacd4c01649d2a007e0d977be62d2f1dabd4a8e2253444cc8f74f6d96fa268bfae7b64ef88fe42f321a85ab4cf

Download Submit
C:\Program Files (x86)\PriceLess\GycFYEKljOwy9i.dll

Filesize
621KB

MD5
f83e1d285fd555033363c873a035eaa8

SHA1
8d9807732d3afc5b859f80a3d5d1ed9441fee8f5

SHA256
19eb0207cff8f32182b16f8bb2ac81d05ee68a8754e31146376fb39b2f7cb23d

SHA512
cf415d65d43ae65a3b3a5f17f5be51339784ca67cf387ab235a80474d8d02a21f5e32e80b93561140b9890bb718ce17e3c3471687a71bcc0aa7551560c400d80

Download Submit
C:\Program Files (x86)\PriceLess\GycFYEKljOwy9i.tlb

Filesize
3KB

MD5
8eaf79892b19435884ff045bce1315e4

SHA1
38c843500d6f1f40392038257d04352bb0e5974a

SHA256
c268494c35ce0a6d0f12480b319e01e4454f37f7f5e2a4dba3663d130ef0b392

SHA512
d98bb8ee1b4abe9ba2a3e924cafecd1a8f9880c9519ea7c5aaed645cb7a65d50dcc84c309a6e16f5a3c9b489271458fe3e211ae6efd9ee8f44509fbe7c9e221e

Download Submit
C:\Program Files (x86)\PriceLess\GycFYEKljOwy9i.x64.dll

Filesize
700KB

MD5
8f24dd048bd99349732315da3740ab6f

SHA1
9d3eed72ebbd7c80877da59f5112878f1a1e4be2

SHA256
eabbf9c6c7a760307bdb6413614d7240032b72ebc60e16b2a8bd54e2d8b70d6c

SHA512
627e307cec8e2b2c2b733d3c4f7a34b8daf34c6a26950e17eb9a9304da7f8bf0ace36d79508cd6955322b3afed4048dded631b6f55e534c594dc52d448a80f3a

Download Submit
C:\Program Files (x86)\PriceLess\GycFYEKljOwy9i.x64.dll

Filesize
700KB

MD5
8f24dd048bd99349732315da3740ab6f

SHA1
9d3eed72ebbd7c80877da59f5112878f1a1e4be2

SHA256
eabbf9c6c7a760307bdb6413614d7240032b72ebc60e16b2a8bd54e2d8b70d6c

SHA512
627e307cec8e2b2c2b733d3c4f7a34b8daf34c6a26950e17eb9a9304da7f8bf0ace36d79508cd6955322b3afed4048dded631b6f55e534c594dc52d448a80f3a

Download Submit
C:\Program Files (x86)\PriceLess\GycFYEKljOwy9i.x64.dll

Filesize
700KB

MD5
8f24dd048bd99349732315da3740ab6f

SHA1
9d3eed72ebbd7c80877da59f5112878f1a1e4be2

SHA256
eabbf9c6c7a760307bdb6413614d7240032b72ebc60e16b2a8bd54e2d8b70d6c

SHA512
627e307cec8e2b2c2b733d3c4f7a34b8daf34c6a26950e17eb9a9304da7f8bf0ace36d79508cd6955322b3afed4048dded631b6f55e534c594dc52d448a80f3a

Download Submit
memory/1260-132-0x0000000003820000-0x00000000038C2000-memory.dmp

Filesize
648KB

Download