984e612285ce20490b4d727bc1d5ec5515b818b1137be1b5b3a3c7afe42a7586

Analysis

max time kernel
60s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

984e612285ce20490b4d727bc1d5ec5515b818b1137be1b5b3a3c7afe42a7586.exe
Size

2.5MB
MD5

9a5fb4f7926330383e37b3a938395aec
SHA1

13c1b2da03a7dec7ff479ba45934f8cb259aae59
SHA256

984e612285ce20490b4d727bc1d5ec5515b818b1137be1b5b3a3c7afe42a7586
SHA512

9f82d1725fbf87c447cd375f06a593b01273a72acbfb84a69b1d946d2aba96aa48cd99ad4793110381a8cc2630ea2d29d79d5148c2a5252beb7993345d757fe3
SSDEEP

49152:h1OsINQToNVxbNrInKtDSwSm7CXH9e7EAR0+a8ZSrlIYr16/EPZH9kS9:h1ONNQUNVxNpSmGXt40+V/EPZH9p

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3440	2BhlCHqjCdhWIHr.exe

Loads dropped DLL 3 IoCs

pid	Process
3440	2BhlCHqjCdhWIHr.exe
4900	regsvr32.exe
3064	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgjghkilhjggjngpaoebmeihfjlhpmah\5.2\manifest.json	2BhlCHqjCdhWIHr.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgjghkilhjggjngpaoebmeihfjlhpmah\5.2\manifest.json	2BhlCHqjCdhWIHr.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgjghkilhjggjngpaoebmeihfjlhpmah\5.2\manifest.json	2BhlCHqjCdhWIHr.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgjghkilhjggjngpaoebmeihfjlhpmah\5.2\manifest.json	2BhlCHqjCdhWIHr.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgjghkilhjggjngpaoebmeihfjlhpmah\5.2\manifest.json	2BhlCHqjCdhWIHr.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	2BhlCHqjCdhWIHr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	2BhlCHqjCdhWIHr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	2BhlCHqjCdhWIHr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	2BhlCHqjCdhWIHr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PriceLess\PPW8v3fOgA13h1.x64.dll	2BhlCHqjCdhWIHr.exe
File created	C:\Program Files (x86)\PriceLess\PPW8v3fOgA13h1.dll	2BhlCHqjCdhWIHr.exe
File opened for modification	C:\Program Files (x86)\PriceLess\PPW8v3fOgA13h1.dll	2BhlCHqjCdhWIHr.exe
File created	C:\Program Files (x86)\PriceLess\PPW8v3fOgA13h1.tlb	2BhlCHqjCdhWIHr.exe
File opened for modification	C:\Program Files (x86)\PriceLess\PPW8v3fOgA13h1.tlb	2BhlCHqjCdhWIHr.exe
File created	C:\Program Files (x86)\PriceLess\PPW8v3fOgA13h1.dat	2BhlCHqjCdhWIHr.exe
File opened for modification	C:\Program Files (x86)\PriceLess\PPW8v3fOgA13h1.dat	2BhlCHqjCdhWIHr.exe
File created	C:\Program Files (x86)\PriceLess\PPW8v3fOgA13h1.x64.dll	2BhlCHqjCdhWIHr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3440	2BhlCHqjCdhWIHr.exe
3440	2BhlCHqjCdhWIHr.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 3440	1960	984e612285ce20490b4d727bc1d5ec5515b818b1137be1b5b3a3c7afe42a7586.exe	81
PID 1960 wrote to memory of 3440	1960	984e612285ce20490b4d727bc1d5ec5515b818b1137be1b5b3a3c7afe42a7586.exe	81
PID 1960 wrote to memory of 3440	1960	984e612285ce20490b4d727bc1d5ec5515b818b1137be1b5b3a3c7afe42a7586.exe	81
PID 3440 wrote to memory of 4900	3440	2BhlCHqjCdhWIHr.exe	82
PID 3440 wrote to memory of 4900	3440	2BhlCHqjCdhWIHr.exe	82
PID 3440 wrote to memory of 4900	3440	2BhlCHqjCdhWIHr.exe	82
PID 4900 wrote to memory of 3064	4900	regsvr32.exe	83
PID 4900 wrote to memory of 3064	4900	regsvr32.exe	83

C:\Users\Admin\AppData\Local\Temp\984e612285ce20490b4d727bc1d5ec5515b818b1137be1b5b3a3c7afe42a7586.exe
"C:\Users\Admin\AppData\Local\Temp\984e612285ce20490b4d727bc1d5ec5515b818b1137be1b5b3a3c7afe42a7586.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\7zSCFD8.tmp\2BhlCHqjCdhWIHr.exe
  .\2BhlCHqjCdhWIHr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\PriceLess\PPW8v3fOgA13h1.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4900
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\PriceLess\PPW8v3fOgA13h1.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:3064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PriceLess\PPW8v3fOgA13h1.dat

Filesize
6KB

MD5
80b86342ad2694b8e9c7ddd94550bcd6

SHA1
4faa317a49030aa79bcb5e626edba9c22e8bb548

SHA256
e7db51d7376f0831ae23276f1c5abe514787f80b159827c4d15e7cf89bed9a6b

SHA512
774fd96e605c007710716d237b21c2116ef16c3871f79ae91881ad19cfc381cb023a9fdbc03511332190117f50a567626759038957743489b2262f606ed19773

Download Submit
C:\Program Files (x86)\PriceLess\PPW8v3fOgA13h1.dll

Filesize
744KB

MD5
df7d0a67e09b23194245e0ec259b477f

SHA1
9554804bf904d324a6a1c2f899557a7ec729a0aa

SHA256
91a1a8222bc9ae3836794376637fe1379c9616a5ad1c538ef4965e6b32b1cd4d

SHA512
f2a33e6e03ef3b670d7cfa76ed9cbd87c42a0357164381fdc25a92e00e25177767ff8559c3b4f50f31e0281688e3b4a459ed01c396e494b2787d0fb875d46aa1

Download Submit
C:\Program Files (x86)\PriceLess\PPW8v3fOgA13h1.x64.dll

Filesize
877KB

MD5
d47ca1c20a10d913fa773f66c14e9edf

SHA1
154382b4022e9a66657cf403a62d19d5ed90f771

SHA256
f5775739883750e15a9717891a9accd6c8620083444404ba9622c16102b1b28a

SHA512
f7d512ad924f0a1f56769c5099b610fd0d9333c9b8d4f9eec1869f721cca199c850d8e54e8430362670b1a96fe9c5309e2a2c1b5d2aa643fcc203c218370f886

Download Submit
C:\Program Files (x86)\PriceLess\PPW8v3fOgA13h1.x64.dll

Filesize
877KB

MD5
d47ca1c20a10d913fa773f66c14e9edf

SHA1
154382b4022e9a66657cf403a62d19d5ed90f771

SHA256
f5775739883750e15a9717891a9accd6c8620083444404ba9622c16102b1b28a

SHA512
f7d512ad924f0a1f56769c5099b610fd0d9333c9b8d4f9eec1869f721cca199c850d8e54e8430362670b1a96fe9c5309e2a2c1b5d2aa643fcc203c218370f886

Download Submit
C:\Program Files (x86)\PriceLess\PPW8v3fOgA13h1.x64.dll

Filesize
877KB

MD5
d47ca1c20a10d913fa773f66c14e9edf

SHA1
154382b4022e9a66657cf403a62d19d5ed90f771

SHA256
f5775739883750e15a9717891a9accd6c8620083444404ba9622c16102b1b28a

SHA512
f7d512ad924f0a1f56769c5099b610fd0d9333c9b8d4f9eec1869f721cca199c850d8e54e8430362670b1a96fe9c5309e2a2c1b5d2aa643fcc203c218370f886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFD8.tmp\2BhlCHqjCdhWIHr.dat

Filesize
6KB

MD5
80b86342ad2694b8e9c7ddd94550bcd6

SHA1
4faa317a49030aa79bcb5e626edba9c22e8bb548

SHA256
e7db51d7376f0831ae23276f1c5abe514787f80b159827c4d15e7cf89bed9a6b

SHA512
774fd96e605c007710716d237b21c2116ef16c3871f79ae91881ad19cfc381cb023a9fdbc03511332190117f50a567626759038957743489b2262f606ed19773

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFD8.tmp\2BhlCHqjCdhWIHr.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFD8.tmp\2BhlCHqjCdhWIHr.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFD8.tmp\PPW8v3fOgA13h1.dll

Filesize
744KB

MD5
df7d0a67e09b23194245e0ec259b477f

SHA1
9554804bf904d324a6a1c2f899557a7ec729a0aa

SHA256
91a1a8222bc9ae3836794376637fe1379c9616a5ad1c538ef4965e6b32b1cd4d

SHA512
f2a33e6e03ef3b670d7cfa76ed9cbd87c42a0357164381fdc25a92e00e25177767ff8559c3b4f50f31e0281688e3b4a459ed01c396e494b2787d0fb875d46aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFD8.tmp\PPW8v3fOgA13h1.tlb

Filesize
3KB

MD5
3378b0fae3142f671a40136bd76bc315

SHA1
42d0a498ff0bd5f65f5667a79a86168211e0abdd

SHA256
2de0895eafa8ffce1c32ccaeeef702d63a8573b0945d658f4a40e577df3625a4

SHA512
e65a78bbc5c5c9047d27c4b79d8988a82c995700085413c1cc1644496e4121d18e121508d4339c92910801399afb6d47f27b7de6fd5970f4c473f70d8e2cb3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFD8.tmp\PPW8v3fOgA13h1.x64.dll

Filesize
877KB

MD5
d47ca1c20a10d913fa773f66c14e9edf

SHA1
154382b4022e9a66657cf403a62d19d5ed90f771

SHA256
f5775739883750e15a9717891a9accd6c8620083444404ba9622c16102b1b28a

SHA512
f7d512ad924f0a1f56769c5099b610fd0d9333c9b8d4f9eec1869f721cca199c850d8e54e8430362670b1a96fe9c5309e2a2c1b5d2aa643fcc203c218370f886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFD8.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFD8.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
63a0c34b0a4f55386b62576c7a5b5602

SHA1
641899fc359b984126443e46b8521f07eef224f3

SHA256
43ad776d24680b1abcaf2feb81ef3b1302f111111cb6d2acd07d1b07ebed7aef

SHA512
89b3994d0ea24c52facb710fffcfb88e5d2760011bd738322888a5f8a9de82a3621ca42064cfe4ad44444280c951f7627141295ef061537e44a9d5c4101330c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFD8.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
df53f366d1ad764759bd9feaecdc608e

SHA1
b47dc7ef12c86648c74af8bb6f555157496f220c

SHA256
46751ed1c2a94bad00827a265508ac4f85c466df6e099e05f713a1189764a0ad

SHA512
4bb8317600c37f34380fba1065e4258d4e93d4e9222aa2d4646215789f808a0acd915e9333d7ebe7bddaefe7c4b8eee754d060c93be100a4a211800539e988f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFD8.tmp\[email protected]\install.rdf

Filesize
597B

MD5
eb4dcf1a82c9c28e96574d51a5e0defd

SHA1
eb0a1adffb8f8cd4f1c71dd81bad9b00955b5437

SHA256
2dbe2519f8b904bceb0187b1c0636b85cb57721ba28e49c76d265e3e6b4fe5b8

SHA512
613dc6a8d251819078fbae347f806f9e92c88145d76103b340d10a79884e8bbf593208f412ff933a9500894fc54c7bc802e5ef27c2361c031820c1df6edfa81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFD8.tmp\fgjghkilhjggjngpaoebmeihfjlhpmah\U.js

Filesize
5KB

MD5
0a3078db59efaa1d550cfa16c648ec57

SHA1
16ed944d10c919026f5d3e153eb39345250b14ef

SHA256
7abbc6ef5649ed22499af548279d7f5462b714c95583c7aa52b32761ec7427f4

SHA512
1103ce159631996cbdfeabe304a9aa995e85672c3b1bb2d24b82501286097904f347febd0b9119ceed978626d841da8bf6129777283b0ca201835e03df640bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFD8.tmp\fgjghkilhjggjngpaoebmeihfjlhpmah\background.html

Filesize
138B

MD5
e1b4deb0e527b3cf57477d89855bea06

SHA1
d815c8fb55038db446043b8590737a40a7f3d809

SHA256
4250433b6b4d17673c63d7b850d0eb440fe4a6ad00baa41ca0fd1481e92d0a23

SHA512
bb06bd5b56ada66f1f93ae154e4375762cf878acafd327bea99e41d492ccedd1a7b79262bac54bbcc52494d1625de7fd74babeb495f2b74252e3831f4e1b7c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFD8.tmp\fgjghkilhjggjngpaoebmeihfjlhpmah\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFD8.tmp\fgjghkilhjggjngpaoebmeihfjlhpmah\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCFD8.tmp\fgjghkilhjggjngpaoebmeihfjlhpmah\manifest.json

Filesize
501B

MD5
9d9d74bfa8e9ace025b834b96419d05e

SHA1
f5e56a100b0208b88335859cec692d867ffb572b

SHA256
a54dc66b61256c08f2bf60f507673814d263effe532fd8e6e1e1d662eca1d265

SHA512
4c8b216a781da9d366d5ea49e66dda6313c1f12947e59119782d14fe07ffa2db9de5b4e818f6e58088dd90f167ac8168796887676e0eacf7a86d2c9f7c3c1512

Download Submit