Overview

overview

8

Static

static

f73ca1f660...a9.exe

windows7-x64

8

f73ca1f660...a9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2022, 14:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    f73ca1f6605d938ddd8576c78ffa87520088f62cef0d33bee2309e510c43f0a9.exe

  • Size

    3.6MB

  • MD5

    d9709e07bad3a51f74e405e7d205930e

  • SHA1

    091e27f7b611d782fdca13fe4d596053b1a06d58

  • SHA256

    f73ca1f6605d938ddd8576c78ffa87520088f62cef0d33bee2309e510c43f0a9

  • SHA512

    f3ba5333d9c76495d821ada26cb06688b227b01c9d0e26ad3ad32394403c308054de182402ccb3a6945478c67426d952c23a7875f8e7c6dc6463479c26770809

  • SSDEEP

    49152:4c+vtjC4APehCOB8GznyXAsxzdmHsa4Oi2+Ua4/4EMFvBIPDIEdOMktcsA:lCNdAPiB8Hvxzisa4SPF/kkEEd

Score
8/10
adwarediscoverypersistencespywarestealer

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 5 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\f73ca1f6605d938ddd8576c78ffa87520088f62cef0d33bee2309e510c43f0a9.exe
    "C:\Users\Admin\AppData\Local\Temp\f73ca1f6605d938ddd8576c78ffa87520088f62cef0d33bee2309e510c43f0a9.exe"
    1⤵
    • Loads dropped DLL
    • Drops Chrome extension
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2360
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\PriiceLess\txDyo9Y5LyQOTt.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3672
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\PriiceLess\txDyo9Y5LyQOTt.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:3128
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
      PID:3592
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
      1⤵
        PID:3664

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\PriiceLess\txDyo9Y5LyQOTt.dat
              Filesize

              4KB

              MD5

              7d263b9d1465f19015c7a0e05e8d508a

              SHA1

              83a62159752e931dea0de6a9db0029e347732dd0

              SHA256

              de1d18e57b3f1f75f6b3aa3e9aa1c5e261c9f4b14790019b8995780b596edde4

              SHA512

              1d23dffd3ee98cbd074f33046e5bafbcf45834573770cbf1bd69f42c34e511f8c374b4d3a9bc9196d938bbc6c52a6877be27405805be5754f3c8caca3941365f

              Download Submit

            • C:\Program Files (x86)\PriiceLess\txDyo9Y5LyQOTt.dll
              Filesize

              615KB

              MD5

              ff5e433c6f29178bac73bb59690388e9

              SHA1

              c1ffbcdf7bfc725cbfe6dca5920d88491ea445b0

              SHA256

              f628bed0e2bbba0d403442a9d4ec81b5836b41545498e0e9b6633ed40689c861

              SHA512

              10f18270ae3002f8c428c8937bc5f88a2d06c8973c74ef34bd5ae16b346d658d57944aed459eff154eb1942bded03cc248d706feb18975f5b8107dd640661be6

              Download Submit

            • C:\Program Files (x86)\PriiceLess\txDyo9Y5LyQOTt.tlb
              Filesize

              3KB

              MD5

              b85e28ebb05db1bc98791f4ca29f89c3

              SHA1

              35255fda88e100483eea0a4d11303f68e3e37dad

              SHA256

              0f60549d695da16be688d5e4ab87ae734788c08d115023a2795f299f2b443c20

              SHA512

              655a7f6cdb3ae49333d0fb7a3c0f8f216c278e021b94783e7d5ff3c5b8b88cdf72424621d4831b7a339163e4d23cf3b00b5d0bc0c6a1c5fcffb92cbf6ec9a02a

              Download Submit

            • C:\Program Files (x86)\PriiceLess\txDyo9Y5LyQOTt.x64.dll
              Filesize

              694KB

              MD5

              295488797e3d9cc86059e14a22549c5b

              SHA1

              d01b332f2841a49dfc2bf37776921bc81de30bf2

              SHA256

              8a1af1647f2f95af8c953ac621629af8ffb860b4230fabef216bed97a6f897d2

              SHA512

              935f1f26a198cea3c2554405e3253cd28b9ffeb5faeebcd2eff3e2ac951c2339d2fafff561a6b175d7ccff4259ae62df99503ed66e418e5a10e0a12357eae75e

              Download Submit

            • C:\Program Files (x86)\PriiceLess\txDyo9Y5LyQOTt.x64.dll
              Filesize

              694KB

              MD5

              295488797e3d9cc86059e14a22549c5b

              SHA1

              d01b332f2841a49dfc2bf37776921bc81de30bf2

              SHA256

              8a1af1647f2f95af8c953ac621629af8ffb860b4230fabef216bed97a6f897d2

              SHA512

              935f1f26a198cea3c2554405e3253cd28b9ffeb5faeebcd2eff3e2ac951c2339d2fafff561a6b175d7ccff4259ae62df99503ed66e418e5a10e0a12357eae75e

              Download Submit

            • C:\Program Files (x86)\PriiceLess\txDyo9Y5LyQOTt.x64.dll
              Filesize

              694KB

              MD5

              295488797e3d9cc86059e14a22549c5b

              SHA1

              d01b332f2841a49dfc2bf37776921bc81de30bf2

              SHA256

              8a1af1647f2f95af8c953ac621629af8ffb860b4230fabef216bed97a6f897d2

              SHA512

              935f1f26a198cea3c2554405e3253cd28b9ffeb5faeebcd2eff3e2ac951c2339d2fafff561a6b175d7ccff4259ae62df99503ed66e418e5a10e0a12357eae75e

              Download Submit

            • memory/2360-132-0x0000000000400000-0x00000000004AB000-memory.dmp

              Filesize

              684KB

              Download