148a312139e50077a546f52b038c1926141c3273eb12a659e65a3285c9aa669b

Analysis

max time kernel
36s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

148a312139e50077a546f52b038c1926141c3273eb12a659e65a3285c9aa669b.exe
Size

2.5MB
MD5

b549b830dd408346610cf8282bcbf2ff
SHA1

68f622f7dd10f8b975f887861a3386559ca8a30f
SHA256

148a312139e50077a546f52b038c1926141c3273eb12a659e65a3285c9aa669b
SHA512

812afb8306c2282a8788db333aa1a381c71eb056046455dcda1bffc16acc3f4d7242e6adad98ac81cfa78b9e448f184b384371c473488554aa35a882dc9ce5e6
SSDEEP

49152:h1OshClxJ6WGWy9DtBjtVn3eDNF0GsVO/F3V5kqU4qvS:h1O7lj4XDS

Score

8^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2032	bBlmjnKWLZuAY13.exe

Loads dropped DLL 4 IoCs

pid	Process
1256	148a312139e50077a546f52b038c1926141c3273eb12a659e65a3285c9aa669b.exe
2032	bBlmjnKWLZuAY13.exe
1696	regsvr32.exe
1692	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpnddndfbglnpibboalgblgombmlaoji\5.2\manifest.json	bBlmjnKWLZuAY13.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpnddndfbglnpibboalgblgombmlaoji\5.2\manifest.json	bBlmjnKWLZuAY13.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpnddndfbglnpibboalgblgombmlaoji\5.2\manifest.json	bBlmjnKWLZuAY13.exe

Installs/modifies Browser Helper Object 2 TTPs 11 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	bBlmjnKWLZuAY13.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	bBlmjnKWLZuAY13.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	bBlmjnKWLZuAY13.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	bBlmjnKWLZuAY13.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\	bBlmjnKWLZuAY13.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435B-BC74-9C25C1C588A9}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PriceLess\hfgbg0bARU7zXW.tlb	bBlmjnKWLZuAY13.exe
File created	C:\Program Files (x86)\PriceLess\hfgbg0bARU7zXW.dat	bBlmjnKWLZuAY13.exe
File opened for modification	C:\Program Files (x86)\PriceLess\hfgbg0bARU7zXW.dat	bBlmjnKWLZuAY13.exe
File created	C:\Program Files (x86)\PriceLess\hfgbg0bARU7zXW.x64.dll	bBlmjnKWLZuAY13.exe
File opened for modification	C:\Program Files (x86)\PriceLess\hfgbg0bARU7zXW.x64.dll	bBlmjnKWLZuAY13.exe
File created	C:\Program Files (x86)\PriceLess\hfgbg0bARU7zXW.dll	bBlmjnKWLZuAY13.exe
File opened for modification	C:\Program Files (x86)\PriceLess\hfgbg0bARU7zXW.dll	bBlmjnKWLZuAY13.exe
File created	C:\Program Files (x86)\PriceLess\hfgbg0bARU7zXW.tlb	bBlmjnKWLZuAY13.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2032	bBlmjnKWLZuAY13.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 2032	1256	148a312139e50077a546f52b038c1926141c3273eb12a659e65a3285c9aa669b.exe	27
PID 1256 wrote to memory of 2032	1256	148a312139e50077a546f52b038c1926141c3273eb12a659e65a3285c9aa669b.exe	27
PID 1256 wrote to memory of 2032	1256	148a312139e50077a546f52b038c1926141c3273eb12a659e65a3285c9aa669b.exe	27
PID 1256 wrote to memory of 2032	1256	148a312139e50077a546f52b038c1926141c3273eb12a659e65a3285c9aa669b.exe	27
PID 2032 wrote to memory of 1696	2032	bBlmjnKWLZuAY13.exe	28
PID 2032 wrote to memory of 1696	2032	bBlmjnKWLZuAY13.exe	28
PID 2032 wrote to memory of 1696	2032	bBlmjnKWLZuAY13.exe	28
PID 2032 wrote to memory of 1696	2032	bBlmjnKWLZuAY13.exe	28
PID 2032 wrote to memory of 1696	2032	bBlmjnKWLZuAY13.exe	28
PID 2032 wrote to memory of 1696	2032	bBlmjnKWLZuAY13.exe	28
PID 2032 wrote to memory of 1696	2032	bBlmjnKWLZuAY13.exe	28
PID 1696 wrote to memory of 1692	1696	regsvr32.exe	29
PID 1696 wrote to memory of 1692	1696	regsvr32.exe	29
PID 1696 wrote to memory of 1692	1696	regsvr32.exe	29
PID 1696 wrote to memory of 1692	1696	regsvr32.exe	29
PID 1696 wrote to memory of 1692	1696	regsvr32.exe	29
PID 1696 wrote to memory of 1692	1696	regsvr32.exe	29
PID 1696 wrote to memory of 1692	1696	regsvr32.exe	29

C:\Users\Admin\AppData\Local\Temp\148a312139e50077a546f52b038c1926141c3273eb12a659e65a3285c9aa669b.exe
"C:\Users\Admin\AppData\Local\Temp\148a312139e50077a546f52b038c1926141c3273eb12a659e65a3285c9aa669b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\7zS4E8E.tmp\bBlmjnKWLZuAY13.exe
  .\bBlmjnKWLZuAY13.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\PriceLess\hfgbg0bARU7zXW.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\PriceLess\hfgbg0bARU7zXW.x64.dll"
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PriceLess\hfgbg0bARU7zXW.dat

Filesize
6KB

MD5
8999cc25d6cef2da80518e0407912700

SHA1
dddb0f7f1989bcef8c93bae5ec748a9aba3a00a5

SHA256
c5ca524e959186f3826f621895607e91bbe65f08c3f1a37a9078794ebc34c7a2

SHA512
07cc477ce05b16c6786933e58f6cb44135f7ff89a699fc4a292658cb4d1bbaf98cea7c4541d6cd20498ea8b5ca87717608fffe73b943f40b022207b86ef60967

Download Submit
C:\Program Files (x86)\PriceLess\hfgbg0bARU7zXW.x64.dll

Filesize
877KB

MD5
a15b6688166a055d5fd2143e65d75910

SHA1
f394b5bd24a1eb02f69fe93946671167599e4f99

SHA256
cdc5850bc491da08b7fd7e1c6bb052b9413c087225fdbc199688bd87f25691b1

SHA512
43fb91562a298eadf12184aebdcc1836205e4bc8fca4510a65b466deb7654b075570febbb75a1bdd076591981bb915355002d5b818655fdbb4c85ea592360272

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E8E.tmp\bBlmjnKWLZuAY13.dat

Filesize
6KB

MD5
8999cc25d6cef2da80518e0407912700

SHA1
dddb0f7f1989bcef8c93bae5ec748a9aba3a00a5

SHA256
c5ca524e959186f3826f621895607e91bbe65f08c3f1a37a9078794ebc34c7a2

SHA512
07cc477ce05b16c6786933e58f6cb44135f7ff89a699fc4a292658cb4d1bbaf98cea7c4541d6cd20498ea8b5ca87717608fffe73b943f40b022207b86ef60967

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E8E.tmp\bBlmjnKWLZuAY13.exe

Filesize
771KB

MD5
b0b4c6156634dc080ddc26ade107014f

SHA1
548cf6616be7c542123968efe9778bce9a3aadb2

SHA256
aa09d621d336c8026a171b9deae99cc497dc400488f63948ea6aa2b1d8f4aa8a

SHA512
2d9a5fffad92eb1dfa98181fb93593424c47e2ff71f1c11284af87e3b80c2d8e5f452556f042cf4494d6d50cee540504a346a916302dc503d499eef5e487635d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E8E.tmp\bBlmjnKWLZuAY13.exe

Filesize
771KB

MD5
b0b4c6156634dc080ddc26ade107014f

SHA1
548cf6616be7c542123968efe9778bce9a3aadb2

SHA256
aa09d621d336c8026a171b9deae99cc497dc400488f63948ea6aa2b1d8f4aa8a

SHA512
2d9a5fffad92eb1dfa98181fb93593424c47e2ff71f1c11284af87e3b80c2d8e5f452556f042cf4494d6d50cee540504a346a916302dc503d499eef5e487635d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E8E.tmp\hfgbg0bARU7zXW.dll

Filesize
742KB

MD5
53845933b56cada593a829f10cd63ae3

SHA1
522d100452b7614bac9b2cf7c6cd0c45b233fad2

SHA256
c159676166cd50ffe11e1d30dcb1a0f974c38abb69e3e1912609c61f95905e55

SHA512
2c1fcfd4c2a7fd111da27fe4696308824f814a01dd363bb27a56eb530b1ad1b7b26350f0437402c5cfe6dc152f0736a4443418f94159f00eb279c02911f72380

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E8E.tmp\hfgbg0bARU7zXW.tlb

Filesize
3KB

MD5
70da0213cf204278c649a4ae3cc72cc3

SHA1
b3ef6a42b409974683873ca0cb160d3e750250ca

SHA256
b38058e120d8c84a7f3bf6422aba9ea564730e49c8610e62322f69285bb1d56b

SHA512
d3e513949926f130ca871312fde254f980fbfac15056c1c46e54fd8b2eb0829a07ac29bff757b4fe5cff905a7b6357ff232726413582ef8bc130e950dd05337c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E8E.tmp\hfgbg0bARU7zXW.x64.dll

Filesize
877KB

MD5
a15b6688166a055d5fd2143e65d75910

SHA1
f394b5bd24a1eb02f69fe93946671167599e4f99

SHA256
cdc5850bc491da08b7fd7e1c6bb052b9413c087225fdbc199688bd87f25691b1

SHA512
43fb91562a298eadf12184aebdcc1836205e4bc8fca4510a65b466deb7654b075570febbb75a1bdd076591981bb915355002d5b818655fdbb4c85ea592360272

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E8E.tmp\kpnddndfbglnpibboalgblgombmlaoji\background.html

Filesize
146B

MD5
4cbbb7ebe9fcb61d21999d18936a70eb

SHA1
3229131e3a64b54a5636664bfda59b2715870707

SHA256
3965a982331354f4e50292044688af068e0f9f9c03b018b93fee04449b128fa2

SHA512
1891368a7c28a3d0a7eea0199afca037c27200efa6ff8a348b0035401e2f339f7164d1cbe818aa522e51e4eb0506d7c30029f727eca72b9f08ff761ad89e3d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E8E.tmp\kpnddndfbglnpibboalgblgombmlaoji\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E8E.tmp\kpnddndfbglnpibboalgblgombmlaoji\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E8E.tmp\kpnddndfbglnpibboalgblgombmlaoji\manifest.json

Filesize
501B

MD5
9d9d74bfa8e9ace025b834b96419d05e

SHA1
f5e56a100b0208b88335859cec692d867ffb572b

SHA256
a54dc66b61256c08f2bf60f507673814d263effe532fd8e6e1e1d662eca1d265

SHA512
4c8b216a781da9d366d5ea49e66dda6313c1f12947e59119782d14fe07ffa2db9de5b4e818f6e58088dd90f167ac8168796887676e0eacf7a86d2c9f7c3c1512

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E8E.tmp\kpnddndfbglnpibboalgblgombmlaoji\wQ0k0jEDx.js

Filesize
5KB

MD5
cbcf82218959e9f1ee88bf1e2f6def3e

SHA1
2fecb8c59ab7c993fb7a93f7a995158ca2b2dd0f

SHA256
563b9eb2c3893279b2b08da5b2c333c7698dc74e72df58051d4791f19db7702e

SHA512
27cfa34293fe0af416e85106ee95d59446d0088e260487499de7f7865e66d652ccf8eb38ef66e3b25e95e789b4b49b05df8d16647c9ba7822058be87ba03f8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E8E.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E8E.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
3b89c2d5082b7d723b9956afe6d2cdf3

SHA1
b1e1cc710ad2ead80524a547cd100bf5510a6e3c

SHA256
fb1394da0a21cc97b4c5a29e95e4af836dbc322cca249b82ec55b347514bd9c0

SHA512
d021ae2f6de5562861fc894c8804fcf974607b5bd52c13f4d3455bc1eb09f1a477f7e422c2b755d470be6c9ea820718580b65ccf2dbd3339a75a93d63be4926f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E8E.tmp\[email protected]\content\bg.js

Filesize
7KB

MD5
03caed113760f91b2fef2bf49bd9718f

SHA1
2b272c5f1df8123ff8134f9561df4df20237341a

SHA256
10e5101255cbcc13d38c29f756f50bed29b08cc5eb5620b3e4f892f1c232a68d

SHA512
add5a1e6c2ae71fb514388ddda39d85783d251416d8cf7414fb6691269c3273620f1efaac2b78a2518220a0cab870e936549d9ec8b1dab9337e41574a02ecc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E8E.tmp\[email protected]\install.rdf

Filesize
596B

MD5
beb1f5458ba88e46409026b3803a20bd

SHA1
0697d1d3e9e3b122498a66840934d60ebcfc6460

SHA256
51fc94985bf950017a992a49c455cf97c6fa223020f1833b3e7a6463437a6cb1

SHA512
65da643fae0603454bf604d477a54ca52f88a703582a25842a427fb0ed9381aaf0ee4b3c1f26f997be03de9d3718c3e7101a8af294c18114e028b11c0aa3afc5

Download Submit
\Program Files (x86)\PriceLess\hfgbg0bARU7zXW.dll

Filesize
742KB

MD5
53845933b56cada593a829f10cd63ae3

SHA1
522d100452b7614bac9b2cf7c6cd0c45b233fad2

SHA256
c159676166cd50ffe11e1d30dcb1a0f974c38abb69e3e1912609c61f95905e55

SHA512
2c1fcfd4c2a7fd111da27fe4696308824f814a01dd363bb27a56eb530b1ad1b7b26350f0437402c5cfe6dc152f0736a4443418f94159f00eb279c02911f72380

Download Submit
\Program Files (x86)\PriceLess\hfgbg0bARU7zXW.x64.dll

Filesize
877KB

MD5
a15b6688166a055d5fd2143e65d75910

SHA1
f394b5bd24a1eb02f69fe93946671167599e4f99

SHA256
cdc5850bc491da08b7fd7e1c6bb052b9413c087225fdbc199688bd87f25691b1

SHA512
43fb91562a298eadf12184aebdcc1836205e4bc8fca4510a65b466deb7654b075570febbb75a1bdd076591981bb915355002d5b818655fdbb4c85ea592360272

Download Submit
\Program Files (x86)\PriceLess\hfgbg0bARU7zXW.x64.dll

Filesize
877KB

MD5
a15b6688166a055d5fd2143e65d75910

SHA1
f394b5bd24a1eb02f69fe93946671167599e4f99

SHA256
cdc5850bc491da08b7fd7e1c6bb052b9413c087225fdbc199688bd87f25691b1

SHA512
43fb91562a298eadf12184aebdcc1836205e4bc8fca4510a65b466deb7654b075570febbb75a1bdd076591981bb915355002d5b818655fdbb4c85ea592360272

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4E8E.tmp\bBlmjnKWLZuAY13.exe

Filesize
771KB

MD5
b0b4c6156634dc080ddc26ade107014f

SHA1
548cf6616be7c542123968efe9778bce9a3aadb2

SHA256
aa09d621d336c8026a171b9deae99cc497dc400488f63948ea6aa2b1d8f4aa8a

SHA512
2d9a5fffad92eb1dfa98181fb93593424c47e2ff71f1c11284af87e3b80c2d8e5f452556f042cf4494d6d50cee540504a346a916302dc503d499eef5e487635d

Download Submit
memory/1256-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1692-78-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

Filesize
8KB

Download
memory/1692-77-0x0000000000000000-mapping.dmp

Download
memory/1696-73-0x0000000000000000-mapping.dmp

Download
memory/2032-56-0x0000000000000000-mapping.dmp

Download