45cf419b2cf0bb8e806caa1f654d3f06c64535b511113abba65d4f8e556c18a9

Analysis

max time kernel
92s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45cf419b2cf0bb8e806caa1f654d3f06c64535b511113abba65d4f8e556c18a9.exe
Size

2.1MB
MD5

237aef29186aa76b638dd089f4dc232b
SHA1

dd177b70fef866f22fe310ff86ecaf113aa24960
SHA256

45cf419b2cf0bb8e806caa1f654d3f06c64535b511113abba65d4f8e556c18a9
SHA512

07d973e401c3b34ff352e80126a842f2f6cc8b0ae4f34748b794f09a9fba096b40cbc4bfbd640f5eec54b495bfda2aa59c7b5abb8b2fde6d143d290fba780227
SSDEEP

49152:h1OsENQToNVxbNrInKtDSwSm7CXH9e7TPszffWJJBWRErVMWaE9zSu0+OlWZO:h1OHNQUNVxNpSmGXomfoCn

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4848	pZkcILMmrmrXLnj.exe

Loads dropped DLL 3 IoCs

pid	Process
4848	pZkcILMmrmrXLnj.exe
3460	regsvr32.exe
3312	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

description	ioc	Process
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfimefbjebgfkbfnpdijbpjddnbolok\5.2\manifest.json	pZkcILMmrmrXLnj.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfimefbjebgfkbfnpdijbpjddnbolok\5.2\manifest.json	pZkcILMmrmrXLnj.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfimefbjebgfkbfnpdijbpjddnbolok\5.2\manifest.json	pZkcILMmrmrXLnj.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfimefbjebgfkbfnpdijbpjddnbolok\5.2\manifest.json	pZkcILMmrmrXLnj.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\plfimefbjebgfkbfnpdijbpjddnbolok\5.2\manifest.json	pZkcILMmrmrXLnj.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	pZkcILMmrmrXLnj.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	pZkcILMmrmrXLnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	pZkcILMmrmrXLnj.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	pZkcILMmrmrXLnj.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PriceLLess\nCLD5NQuUxYOEt.dat	pZkcILMmrmrXLnj.exe
File opened for modification	C:\Program Files (x86)\PriceLLess\nCLD5NQuUxYOEt.dat	pZkcILMmrmrXLnj.exe
File created	C:\Program Files (x86)\PriceLLess\nCLD5NQuUxYOEt.x64.dll	pZkcILMmrmrXLnj.exe
File opened for modification	C:\Program Files (x86)\PriceLLess\nCLD5NQuUxYOEt.x64.dll	pZkcILMmrmrXLnj.exe
File created	C:\Program Files (x86)\PriceLLess\nCLD5NQuUxYOEt.dll	pZkcILMmrmrXLnj.exe
File opened for modification	C:\Program Files (x86)\PriceLLess\nCLD5NQuUxYOEt.dll	pZkcILMmrmrXLnj.exe
File created	C:\Program Files (x86)\PriceLLess\nCLD5NQuUxYOEt.tlb	pZkcILMmrmrXLnj.exe
File opened for modification	C:\Program Files (x86)\PriceLLess\nCLD5NQuUxYOEt.tlb	pZkcILMmrmrXLnj.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4848	pZkcILMmrmrXLnj.exe
4848	pZkcILMmrmrXLnj.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 4848	4604	45cf419b2cf0bb8e806caa1f654d3f06c64535b511113abba65d4f8e556c18a9.exe	78
PID 4604 wrote to memory of 4848	4604	45cf419b2cf0bb8e806caa1f654d3f06c64535b511113abba65d4f8e556c18a9.exe	78
PID 4604 wrote to memory of 4848	4604	45cf419b2cf0bb8e806caa1f654d3f06c64535b511113abba65d4f8e556c18a9.exe	78
PID 4848 wrote to memory of 3460	4848	pZkcILMmrmrXLnj.exe	79
PID 4848 wrote to memory of 3460	4848	pZkcILMmrmrXLnj.exe	79
PID 4848 wrote to memory of 3460	4848	pZkcILMmrmrXLnj.exe	79
PID 3460 wrote to memory of 3312	3460	regsvr32.exe	80
PID 3460 wrote to memory of 3312	3460	regsvr32.exe	80

C:\Users\Admin\AppData\Local\Temp\45cf419b2cf0bb8e806caa1f654d3f06c64535b511113abba65d4f8e556c18a9.exe
"C:\Users\Admin\AppData\Local\Temp\45cf419b2cf0bb8e806caa1f654d3f06c64535b511113abba65d4f8e556c18a9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\7zSF38C.tmp\pZkcILMmrmrXLnj.exe
  .\pZkcILMmrmrXLnj.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\PriceLLess\nCLD5NQuUxYOEt.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\PriceLLess\nCLD5NQuUxYOEt.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:3312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PriceLLess\nCLD5NQuUxYOEt.dat

Filesize
6KB

MD5
c596ab5812fa6b77d10803c8c7a7015c

SHA1
aff26593f8d0d5838e6c67900d2058bed7ce6d50

SHA256
a09e05f9f4ecc3ddbc28dcb9bdf1280ce3faf98f147eb8055c6106d2fce1dff2

SHA512
821058536acd7919dbc28b22920a19e88503085cbda13aa31a0ed1311f0272dc95e363d6f67f666dd3f4ea2fe5be9911f0fca1f04ada9909d127878ef148f87d

Download Submit
C:\Program Files (x86)\PriceLLess\nCLD5NQuUxYOEt.dll

Filesize
551KB

MD5
0697932538364996e99e98ccd532286b

SHA1
8f04c9c23dfccb276ad3e9533540058487cd2f29

SHA256
7f42a3d3f5f23ee5141eab93e7bcd592775492df5379548574345b94bc103317

SHA512
91d5a7b72753a6071e19fa0f0914a475dfc495d17e2766aaf87cbacdf556f3805e5e21fc8cb6188ef217b94e3733abdcbcbd72742d85f66bdd9b251d809cb665

Download Submit
C:\Program Files (x86)\PriceLLess\nCLD5NQuUxYOEt.x64.dll

Filesize
690KB

MD5
e6677672be472951ae32a0c4f6d7233e

SHA1
19179ce9ad17d5529364487f5b8f4fb6d28e8675

SHA256
2166fff2939e76f369bb6b637defce51e8b1a709cf1103d2af2c5c168631258e

SHA512
c76cff620f7693043257209b08d5b9df0b8e1a850f5ab3197e31633bf497d2d56ba5c14f86e119566b0708ed0aefed99018d80411dfed2a3e38eb6ef47154a84

Download Submit
C:\Program Files (x86)\PriceLLess\nCLD5NQuUxYOEt.x64.dll

Filesize
690KB

MD5
e6677672be472951ae32a0c4f6d7233e

SHA1
19179ce9ad17d5529364487f5b8f4fb6d28e8675

SHA256
2166fff2939e76f369bb6b637defce51e8b1a709cf1103d2af2c5c168631258e

SHA512
c76cff620f7693043257209b08d5b9df0b8e1a850f5ab3197e31633bf497d2d56ba5c14f86e119566b0708ed0aefed99018d80411dfed2a3e38eb6ef47154a84

Download Submit
C:\Program Files (x86)\PriceLLess\nCLD5NQuUxYOEt.x64.dll

Filesize
690KB

MD5
e6677672be472951ae32a0c4f6d7233e

SHA1
19179ce9ad17d5529364487f5b8f4fb6d28e8675

SHA256
2166fff2939e76f369bb6b637defce51e8b1a709cf1103d2af2c5c168631258e

SHA512
c76cff620f7693043257209b08d5b9df0b8e1a850f5ab3197e31633bf497d2d56ba5c14f86e119566b0708ed0aefed99018d80411dfed2a3e38eb6ef47154a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF38C.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF38C.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
53c42940b58ac8b2e1043192d6b54b5e

SHA1
48fbdd92bc2c6835b93718426245501be0924cf9

SHA256
f2c128c67dd95ff7b04026982a3465b28e5f659545f18cac8b6aa6fb45889c12

SHA512
05f0af96c7981801fcb5d46fe31b2f843ecc8ae7163b4d3fa606de88bdb451bd7d9feaba6d000e7d15bb033557fec1c11b0be55b07cc6f565301e35c9c295888

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF38C.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
f93e48e130f30812820faa9c16827b3a

SHA1
6b3fe7d55c9f07341c5ba20de1ad368bf270f4ca

SHA256
e45cf7d50605d61e2f51d72550114ca163aff91594b6d81bfb348cdd56fe96cc

SHA512
91df8cc588a2839c297e42b0c6c05c5f8235f1b05b969b093dca5127bf194f2c9afbf163357740ff1da0eeea9d0e369668dc20218bba0d211bc0860843183646

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF38C.tmp\[email protected]\install.rdf

Filesize
596B

MD5
c076e674f5095767c171f4173051a300

SHA1
09ff0074fd6fc1867ac9d71d3a708997756a5c81

SHA256
25c6eaab14bd3a4dc52c3d8b1458d89e8175fcd81fac471cb7a4ca3a1c7101ca

SHA512
cba6ca05255b16f3d770df31432a26f5bee58f0077cbcb1056f65b3e0466c4bab83dd9ea288deacc23d554c62a97d9b0d89b117b73a57ce0cd039cb3d755d2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF38C.tmp\nCLD5NQuUxYOEt.dll

Filesize
551KB

MD5
0697932538364996e99e98ccd532286b

SHA1
8f04c9c23dfccb276ad3e9533540058487cd2f29

SHA256
7f42a3d3f5f23ee5141eab93e7bcd592775492df5379548574345b94bc103317

SHA512
91d5a7b72753a6071e19fa0f0914a475dfc495d17e2766aaf87cbacdf556f3805e5e21fc8cb6188ef217b94e3733abdcbcbd72742d85f66bdd9b251d809cb665

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF38C.tmp\nCLD5NQuUxYOEt.tlb

Filesize
3KB

MD5
a6b5ea445ec47e9059c1441a4f24a5d8

SHA1
715c4c56e675738f78a8275430ba66d1d2d054f7

SHA256
7e913370d681007e9b4ff3413bf71ccae505d8e1016b4a1c39875e33735764d2

SHA512
8ec2b559e14537a6aede49ff46ffdb41f808ee042109909c0fd4adf78975b1b420e2dd1b546e6cf4dc02ddaa55cbd6a9a4411d4da642a305d5aec3d56d1ec120

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF38C.tmp\nCLD5NQuUxYOEt.x64.dll

Filesize
690KB

MD5
e6677672be472951ae32a0c4f6d7233e

SHA1
19179ce9ad17d5529364487f5b8f4fb6d28e8675

SHA256
2166fff2939e76f369bb6b637defce51e8b1a709cf1103d2af2c5c168631258e

SHA512
c76cff620f7693043257209b08d5b9df0b8e1a850f5ab3197e31633bf497d2d56ba5c14f86e119566b0708ed0aefed99018d80411dfed2a3e38eb6ef47154a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF38C.tmp\pZkcILMmrmrXLnj.dat

Filesize
6KB

MD5
c596ab5812fa6b77d10803c8c7a7015c

SHA1
aff26593f8d0d5838e6c67900d2058bed7ce6d50

SHA256
a09e05f9f4ecc3ddbc28dcb9bdf1280ce3faf98f147eb8055c6106d2fce1dff2

SHA512
821058536acd7919dbc28b22920a19e88503085cbda13aa31a0ed1311f0272dc95e363d6f67f666dd3f4ea2fe5be9911f0fca1f04ada9909d127878ef148f87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF38C.tmp\pZkcILMmrmrXLnj.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF38C.tmp\pZkcILMmrmrXLnj.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF38C.tmp\plfimefbjebgfkbfnpdijbpjddnbolok\background.html

Filesize
139B

MD5
ef22ef75d82515cb92f39e25ff1e7f48

SHA1
590fd7f67c1db1488c85a5f0d3987a4c26046e20

SHA256
6f46cfb9141b012cf815a24805be6c7aed0d8b318885156c9803e0b69a0f2323

SHA512
0db79da71f115fa8049428aa589d1b861c0130d8e367d9b9181dc9ebcbc7b3b411b92d7cca97db00f6d60faa7826c33935e7cc3a246fc542cf167ea4e5e33368

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF38C.tmp\plfimefbjebgfkbfnpdijbpjddnbolok\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF38C.tmp\plfimefbjebgfkbfnpdijbpjddnbolok\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF38C.tmp\plfimefbjebgfkbfnpdijbpjddnbolok\manifest.json

Filesize
502B

MD5
4c65fc2509a236fa6b86318a1d95f138

SHA1
756f3ab9e80481196b106932c39a87e9807d02d5

SHA256
c4474428d1892aa92eec300c6f43f3036c2b340502e2114be0a7d99e921ac9a6

SHA512
1a495f92a422475c21f3e6b0f5f2945497851d86e883ab291ae6244aa8d295f4fd61341337539c1183f570c6b51e4c150b6f775f53ca64adea9c75691e7e273e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF38C.tmp\plfimefbjebgfkbfnpdijbpjddnbolok\wz.js

Filesize
5KB

MD5
80684bc0dd9cd9feb3dbe489cc8daea4

SHA1
4c20e313523b70642a4f76729feb58dbe7688f26

SHA256
d20299eb1b2f3b9ee5fab4da497c1ad7bfca538876a15df69e369ca5b651d227

SHA512
4913ac305450b74be827ac34fcb6f557b199b78f9947b1c0415cfc942a0a6093475d6a6ae9f0ca695bb9c40ff71e70b37684d8075a74a80ab8b0298f50038919

Download Submit