23c146c7b092d117cbcd9c8a500c3883425efe0a554d3ae2fcc34f70ed2b3771

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 06:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

23c146c7b092d117cbcd9c8a500c3883425efe0a554d3ae2fcc34f70ed2b3771.exe
Size

2.1MB
MD5

1f6a447e56b5051785163f156f48f7d2
SHA1

5e359ce8769df3b1b272d75cd30e2d756e4ed267
SHA256

23c146c7b092d117cbcd9c8a500c3883425efe0a554d3ae2fcc34f70ed2b3771
SHA512

537ecc189f5a45eb479df4b157ab8c03163ad2c31f0c6b10c1de781040558df9278b560e8e54d44cb602efe09f14524624e9050c8737d371ba8825d9f43d3fd6
SSDEEP

49152:h1OsXNQToNVxbNrInKtDSwSm7CXH9e7GPszffW572WREqVMWaE9zSuu8Epr9:h1OoNQUNVxNpSmGXpmfVCU

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1884	HWQstA8L1GPynnE.exe

Loads dropped DLL 4 IoCs

pid	Process
864	23c146c7b092d117cbcd9c8a500c3883425efe0a554d3ae2fcc34f70ed2b3771.exe
1884	HWQstA8L1GPynnE.exe
2040	regsvr32.exe
2020	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfiblfejgdapllhbonhdapaddehcjanc\5.2\manifest.json	HWQstA8L1GPynnE.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfiblfejgdapllhbonhdapaddehcjanc\5.2\manifest.json	HWQstA8L1GPynnE.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfiblfejgdapllhbonhdapaddehcjanc\5.2\manifest.json	HWQstA8L1GPynnE.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	HWQstA8L1GPynnE.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	HWQstA8L1GPynnE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	HWQstA8L1GPynnE.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	HWQstA8L1GPynnE.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	HWQstA8L1GPynnE.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PriceLLess\3SQkePYmuCtUqX.dll	HWQstA8L1GPynnE.exe
File opened for modification	C:\Program Files (x86)\PriceLLess\3SQkePYmuCtUqX.dll	HWQstA8L1GPynnE.exe
File created	C:\Program Files (x86)\PriceLLess\3SQkePYmuCtUqX.tlb	HWQstA8L1GPynnE.exe
File opened for modification	C:\Program Files (x86)\PriceLLess\3SQkePYmuCtUqX.tlb	HWQstA8L1GPynnE.exe
File created	C:\Program Files (x86)\PriceLLess\3SQkePYmuCtUqX.dat	HWQstA8L1GPynnE.exe
File opened for modification	C:\Program Files (x86)\PriceLLess\3SQkePYmuCtUqX.dat	HWQstA8L1GPynnE.exe
File created	C:\Program Files (x86)\PriceLLess\3SQkePYmuCtUqX.x64.dll	HWQstA8L1GPynnE.exe
File opened for modification	C:\Program Files (x86)\PriceLLess\3SQkePYmuCtUqX.x64.dll	HWQstA8L1GPynnE.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1884	HWQstA8L1GPynnE.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1884	864	23c146c7b092d117cbcd9c8a500c3883425efe0a554d3ae2fcc34f70ed2b3771.exe	28
PID 864 wrote to memory of 1884	864	23c146c7b092d117cbcd9c8a500c3883425efe0a554d3ae2fcc34f70ed2b3771.exe	28
PID 864 wrote to memory of 1884	864	23c146c7b092d117cbcd9c8a500c3883425efe0a554d3ae2fcc34f70ed2b3771.exe	28
PID 864 wrote to memory of 1884	864	23c146c7b092d117cbcd9c8a500c3883425efe0a554d3ae2fcc34f70ed2b3771.exe	28
PID 1884 wrote to memory of 2040	1884	HWQstA8L1GPynnE.exe	29
PID 1884 wrote to memory of 2040	1884	HWQstA8L1GPynnE.exe	29
PID 1884 wrote to memory of 2040	1884	HWQstA8L1GPynnE.exe	29
PID 1884 wrote to memory of 2040	1884	HWQstA8L1GPynnE.exe	29
PID 1884 wrote to memory of 2040	1884	HWQstA8L1GPynnE.exe	29
PID 1884 wrote to memory of 2040	1884	HWQstA8L1GPynnE.exe	29
PID 1884 wrote to memory of 2040	1884	HWQstA8L1GPynnE.exe	29
PID 2040 wrote to memory of 2020	2040	regsvr32.exe	30
PID 2040 wrote to memory of 2020	2040	regsvr32.exe	30
PID 2040 wrote to memory of 2020	2040	regsvr32.exe	30
PID 2040 wrote to memory of 2020	2040	regsvr32.exe	30
PID 2040 wrote to memory of 2020	2040	regsvr32.exe	30
PID 2040 wrote to memory of 2020	2040	regsvr32.exe	30
PID 2040 wrote to memory of 2020	2040	regsvr32.exe	30

C:\Users\Admin\AppData\Local\Temp\23c146c7b092d117cbcd9c8a500c3883425efe0a554d3ae2fcc34f70ed2b3771.exe
"C:\Users\Admin\AppData\Local\Temp\23c146c7b092d117cbcd9c8a500c3883425efe0a554d3ae2fcc34f70ed2b3771.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\7zSE6A8.tmp\HWQstA8L1GPynnE.exe
  .\HWQstA8L1GPynnE.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\PriceLLess\3SQkePYmuCtUqX.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\PriceLLess\3SQkePYmuCtUqX.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PriceLLess\3SQkePYmuCtUqX.dat

Filesize
6KB

MD5
f61e7096db4cfb74e96df003415dad3c

SHA1
bd281b1968a4af8d0d8245d9a181adddf857b178

SHA256
8ef62146164696334d99e542165654152c38dc37fba4a0d92ba3225da489f082

SHA512
d449fd3bc947ae03692d28cf3bf64f27f666711e718d4d6b8655e398570f3fc34621ae779620ae62a260681349d8685922b16c1a3daabaf3f9790d9d831d7f49

Download Submit
C:\Program Files (x86)\PriceLLess\3SQkePYmuCtUqX.x64.dll

Filesize
690KB

MD5
7fca0346f2b8ac449fb2df1bfea2594b

SHA1
24c0455ef52defb0043e2011eab82051704ede2f

SHA256
bf7af027e5146f13182fa6a7daf1c78a002b3bbbd79ccb38adf8603190cad8e0

SHA512
e1a3691a4ac7ae232f4c64ae97c32446c1600912708037f9a16c98e2d253e8359c84acc0e76facc1bde9cd9a53c12067121f4b57c1f13cf68d0433d025ef3e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE6A8.tmp\3SQkePYmuCtUqX.dll

Filesize
551KB

MD5
c137dae104d10769117aa4afeb625da7

SHA1
6cfd717021cf5f753ffa386eb7b5bb54f4614b14

SHA256
defcaf1b7344e1ff2a3f7c7de7d8c99672319e3c6827f02aae6f49807d017c0b

SHA512
7b1b772902e3303c8f1513af0081513b6ae6f282d27e13b3a77f0e130e3e7163ac67b4dca9589995c7a84956a6e98c39687e51699637aa61d5f2fe4241b228af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE6A8.tmp\3SQkePYmuCtUqX.tlb

Filesize
3KB

MD5
a6b5ea445ec47e9059c1441a4f24a5d8

SHA1
715c4c56e675738f78a8275430ba66d1d2d054f7

SHA256
7e913370d681007e9b4ff3413bf71ccae505d8e1016b4a1c39875e33735764d2

SHA512
8ec2b559e14537a6aede49ff46ffdb41f808ee042109909c0fd4adf78975b1b420e2dd1b546e6cf4dc02ddaa55cbd6a9a4411d4da642a305d5aec3d56d1ec120

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE6A8.tmp\3SQkePYmuCtUqX.x64.dll

Filesize
690KB

MD5
7fca0346f2b8ac449fb2df1bfea2594b

SHA1
24c0455ef52defb0043e2011eab82051704ede2f

SHA256
bf7af027e5146f13182fa6a7daf1c78a002b3bbbd79ccb38adf8603190cad8e0

SHA512
e1a3691a4ac7ae232f4c64ae97c32446c1600912708037f9a16c98e2d253e8359c84acc0e76facc1bde9cd9a53c12067121f4b57c1f13cf68d0433d025ef3e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE6A8.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE6A8.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
dc42fea7b1c162cac804f3025f0344ce

SHA1
468a2c965c28a1899304d1b6b84b2824ff349d29

SHA256
e56ca84cf748fefff2e4365539d6a6b427cf128b92f916a6ce883b40929bc9f3

SHA512
d71b122cb26b7abd7c9fb7f10c4c94085b9752577919a5b505134bb0ddfd27db961360f4d85a4f0fe7f03e0d9743c05948a5390cc4301c1ec3ee6647f78c0f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE6A8.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
9a427c511ba3390314c61edbe4b153df

SHA1
460c5183161fd83f9600fcd041ada53094b98609

SHA256
7ba60a65a90ecab14fff5a2de13e7889b2b02f05337049bee0880665c5c3db2c

SHA512
2d375887f1edf546ca8e59132ce3946ad59ea87f49ff70d183776686010b257fbfa678f8a85ff4c0ec0c315cef681dd44d8ae5fb231d135812e2fc972c85e320

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE6A8.tmp\[email protected]\install.rdf

Filesize
600B

MD5
e567db8b1333a06ce950195f419dac2e

SHA1
057344ec18320a2a4e2a82437103c1ba749bd315

SHA256
aa7dec094513822c23a70eb27201e87dd142d86b49e695c6f14cbab2061f53db

SHA512
fe40a5fd337cbb8c17e97ebb441ded83bff520fa90ee1fd63893d6bb6096cd864f1db2e34258f52034353d3b31d5abdd657e52715e9c714c57e020077354511f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE6A8.tmp\HWQstA8L1GPynnE.dat

Filesize
6KB

MD5
f61e7096db4cfb74e96df003415dad3c

SHA1
bd281b1968a4af8d0d8245d9a181adddf857b178

SHA256
8ef62146164696334d99e542165654152c38dc37fba4a0d92ba3225da489f082

SHA512
d449fd3bc947ae03692d28cf3bf64f27f666711e718d4d6b8655e398570f3fc34621ae779620ae62a260681349d8685922b16c1a3daabaf3f9790d9d831d7f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE6A8.tmp\HWQstA8L1GPynnE.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE6A8.tmp\HWQstA8L1GPynnE.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE6A8.tmp\nfiblfejgdapllhbonhdapaddehcjanc\background.html

Filesize
145B

MD5
a83aed809942b3e558139bc44e45e1f5

SHA1
ffd9d3b03f8d5b35212da2c3c6a8787c13f2a309

SHA256
917768404f9ede9a702c5163695f97d61378ba4194e423231c1b6df384eb9fb0

SHA512
9d722240255a8ec6869454893519fa4046d47bfdc1f4cfebcf613fbe97bedf0723257a2e00da67b077d480ca617f49345e2f076686afff2f2a61075992fa4ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE6A8.tmp\nfiblfejgdapllhbonhdapaddehcjanc\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE6A8.tmp\nfiblfejgdapllhbonhdapaddehcjanc\dKcDd7El.js

Filesize
5KB

MD5
9950730d5e9e9c1b3b1a59b57fc7f3e2

SHA1
f444de6439d440c658e0e1e273f8d431ea6ed001

SHA256
8139a46a484e2f4c1bc8bfce9d61da86aab66d51cdf7e4cf89098ca9d0e9f556

SHA512
544776a0dbc14c33be027ae51758a16246f7067f7622cb8bf29c81d0f4b8c166357fc1146150b6242326ec8d9d2ca8cbc2aa48da9a81d94b946fd41dd480c24e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE6A8.tmp\nfiblfejgdapllhbonhdapaddehcjanc\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE6A8.tmp\nfiblfejgdapllhbonhdapaddehcjanc\manifest.json

Filesize
502B

MD5
4c65fc2509a236fa6b86318a1d95f138

SHA1
756f3ab9e80481196b106932c39a87e9807d02d5

SHA256
c4474428d1892aa92eec300c6f43f3036c2b340502e2114be0a7d99e921ac9a6

SHA512
1a495f92a422475c21f3e6b0f5f2945497851d86e883ab291ae6244aa8d295f4fd61341337539c1183f570c6b51e4c150b6f775f53ca64adea9c75691e7e273e

Download Submit
\Program Files (x86)\PriceLLess\3SQkePYmuCtUqX.dll

Filesize
551KB

MD5
c137dae104d10769117aa4afeb625da7

SHA1
6cfd717021cf5f753ffa386eb7b5bb54f4614b14

SHA256
defcaf1b7344e1ff2a3f7c7de7d8c99672319e3c6827f02aae6f49807d017c0b

SHA512
7b1b772902e3303c8f1513af0081513b6ae6f282d27e13b3a77f0e130e3e7163ac67b4dca9589995c7a84956a6e98c39687e51699637aa61d5f2fe4241b228af

Download Submit
\Program Files (x86)\PriceLLess\3SQkePYmuCtUqX.x64.dll

Filesize
690KB

MD5
7fca0346f2b8ac449fb2df1bfea2594b

SHA1
24c0455ef52defb0043e2011eab82051704ede2f

SHA256
bf7af027e5146f13182fa6a7daf1c78a002b3bbbd79ccb38adf8603190cad8e0

SHA512
e1a3691a4ac7ae232f4c64ae97c32446c1600912708037f9a16c98e2d253e8359c84acc0e76facc1bde9cd9a53c12067121f4b57c1f13cf68d0433d025ef3e90

Download Submit
\Program Files (x86)\PriceLLess\3SQkePYmuCtUqX.x64.dll

Filesize
690KB

MD5
7fca0346f2b8ac449fb2df1bfea2594b

SHA1
24c0455ef52defb0043e2011eab82051704ede2f

SHA256
bf7af027e5146f13182fa6a7daf1c78a002b3bbbd79ccb38adf8603190cad8e0

SHA512
e1a3691a4ac7ae232f4c64ae97c32446c1600912708037f9a16c98e2d253e8359c84acc0e76facc1bde9cd9a53c12067121f4b57c1f13cf68d0433d025ef3e90

Download Submit
\Users\Admin\AppData\Local\Temp\7zSE6A8.tmp\HWQstA8L1GPynnE.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
memory/864-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/2020-78-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download