Analysis

  • max time kernel
    42s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/11/2022, 14:52

General

  • Target
    d6e5bfea5def9f8900c869455d59141e374f8f035d363ff83bc8b51647d05ba1.exe
  • Size
    4.6MB
  • MD5
    d3c26ef7a6509a8059e4c05f1926b0a8
  • SHA1
    46cdd1d607cdff66990e78f6c90d9b41b517b3eb
  • SHA256
    d6e5bfea5def9f8900c869455d59141e374f8f035d363ff83bc8b51647d05ba1
  • SHA512
    d4608b61bf7ece3edee254e7850c0ed170da1a8261af0a04fc5474abf5ad83c248149ed99a52393bca6820cee4a1ec5bd92ec6a7e70a9a6facdfe7898085591e
  • SSDEEP
    98304:YoBQXwcATVTwymaBp1tf3MIGT1CB5ckO:YoNBTVTwymaPbGTYB9

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 3 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6e5bfea5def9f8900c869455d59141e374f8f035d363ff83bc8b51647d05ba1.exe
    "C:\Users\Admin\AppData\Local\Temp\d6e5bfea5def9f8900c869455d59141e374f8f035d363ff83bc8b51647d05ba1.exe"
    1⤵
    • Loads dropped DLL
    • Drops Chrome extension
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1552
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\PriceLess\NdhmMEpXijnIHc.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\PriceLess\NdhmMEpXijnIHc.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:1972

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\PriceLess\NdhmMEpXijnIHc.dat
    Filesize: 3KB
    MD5: 114fb34862522d8733bbdf9b74f11976
    SHA1: 0f625c0571958b8c6a5201d78ea542e98635f0f1
    SHA256: 7afcf6e3f2e8e6e1770721f3766d5f4aefb4316d8d09012a080e788aa5419629
    SHA512: 7adf11ae8911ac779d00a7ded8ce5c54aff313e587da7fbd329d441cff3e05a794e025c484a4e1c3d56c3f71d0109c1ec1a15ac3c91698269c9fcd6b42179e8e

  • C:\Program Files (x86)\PriceLess\NdhmMEpXijnIHc.tlb
    Filesize: 3KB
    MD5: a605ae2858a95cc2ce9bb1e9d9304674
    SHA1: 6d921d39e97d8fa34c010b4045e45ba776565ac9
    SHA256: 3074c890173c5cfefa194ea54ad1fd95801384893476628823481fe071576d45
    SHA512: 95335e817be4486e8e949ac701f4ffa22c579a3509d62278f05ce5b5e369bd3949ebf90e1ac8f3aa4ee59525e2c59a906666633c594d264fbbb76146216e7725

  • C:\Program Files (x86)\PriceLess\NdhmMEpXijnIHc.x64.dll
    Filesize: 889KB
    MD5: 042040d8e80233e425b5c9e39da669a3
    SHA1: f4d544cc6f6979cdab77b0072642edb4824aac04
    SHA256: d5adc62ab4e22acf8f91d165bde2e398cec14e4424542e355bd07e54f6b2aed2
    SHA512: d127946ea1b7d08f184646a44ef6f8f59daa70c46b6e54638fa15b9c8a4dfcf62ed384c7961447070fbfb3875cecffc85c963752e0ac8b5cba430826a0b7bac5

  • \Program Files (x86)\PriceLess\NdhmMEpXijnIHc.dll
    Filesize: 751KB
    MD5: 68b0c82a53fdfe07ab206ee2078ec984
    SHA1: dc0bc38f5219340b309e53841f562499bf517568
    SHA256: 6c37c9e2af50feb15f2cd2ac1e85a03c1cab2d997bea12da8beea59bc0099c21
    SHA512: e194eed7704e793e36a0e8d130d672c5788b3d41adde92b5876ba32f52a1c8065952243666ca804736f567e5af316ac80d2f7d5612bc90f6a92b9269f6678330

  • \Program Files (x86)\PriceLess\NdhmMEpXijnIHc.x64.dll
    Filesize: 889KB
    MD5: 042040d8e80233e425b5c9e39da669a3
    SHA1: f4d544cc6f6979cdab77b0072642edb4824aac04
    SHA256: d5adc62ab4e22acf8f91d165bde2e398cec14e4424542e355bd07e54f6b2aed2
    SHA512: d127946ea1b7d08f184646a44ef6f8f59daa70c46b6e54638fa15b9c8a4dfcf62ed384c7961447070fbfb3875cecffc85c963752e0ac8b5cba430826a0b7bac5

  • memory/1552-54-0x0000000075241000-0x0000000075243000-memory.dmp
    Filesize: 8KB
  • memory/1552-55-0x00000000029F0000-0x0000000002ABA000-memory.dmp
    Filesize: 808KB
  • memory/1972-66-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp
    Filesize: 8KB