415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb

General

Target

415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Size

4.6MB
MD5

dfb31f14a706185d829b9ee0b66791d9
SHA1

af12e57d25cf6e242e2a0e66f94ae36dac991a61
SHA256

415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb
SHA512

ad1eadc24676cf56978233298f7dbc84d01f56df687fae90cfe2d615cb2681abcab3852efa9e14e6ff50adde8df3ba931a69c97119516700a0c1291e36a7b6f8
SSDEEP

98304:sdhBzl2TVTwymbvw1tf37IGTad+ESjS2Lkyj:sdETVTwymbUsGTfnjB4y

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\InprocServer32\ = "C:\\Program Files (x86)\\PriceLess\\5iytD1cKiiq6yH.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exeregsvr32.exeregsvr32.exe

pid process

964 415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
588 regsvr32.exe
1280 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aiibnkafdgcnclojnhcnnagcopfecafm\5.2\manifest.json	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aiibnkafdgcnclojnhcnnagcopfecafm\5.2\manifest.json	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\aiibnkafdgcnclojnhcnnagcopfecafm\5.2\manifest.json	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8120f81b-ec74-4ea0-845c-7b7fce241540}	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8120f81b-ec74-4ea0-845c-7b7fce241540}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8120f81b-ec74-4ea0-845c-7b7fce241540}\ = "PriceLess"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8120f81b-ec74-4ea0-845c-7b7fce241540}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8120f81b-ec74-4ea0-845c-7b7fce241540}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8120f81b-ec74-4ea0-845c-7b7fce241540}	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8120f81b-ec74-4ea0-845c-7b7fce241540}\ = "PriceLess"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8120f81b-ec74-4ea0-845c-7b7fce241540}\NoExplorer = "1"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe

Drops file in System32 directory 4 IoCs

Processes:

415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
File opened for modification	C:\Windows\System32\GroupPolicy	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe

Drops file in Program Files directory 8 IoCs

Processes:

415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe

description	ioc	process
File created	C:\Program Files (x86)\PriceLess\5iytD1cKiiq6yH.x64.dll	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
File opened for modification	C:\Program Files (x86)\PriceLess\5iytD1cKiiq6yH.x64.dll	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
File created	C:\Program Files (x86)\PriceLess\5iytD1cKiiq6yH.dll	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
File opened for modification	C:\Program Files (x86)\PriceLess\5iytD1cKiiq6yH.dll	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
File created	C:\Program Files (x86)\PriceLess\5iytD1cKiiq6yH.tlb	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
File opened for modification	C:\Program Files (x86)\PriceLess\5iytD1cKiiq6yH.tlb	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
File created	C:\Program Files (x86)\PriceLess\5iytD1cKiiq6yH.dat	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
File opened for modification	C:\Program Files (x86)\PriceLess\5iytD1cKiiq6yH.dat	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{8120F81B-EC74-4EA0-845C-7B7FCE241540}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{8120f81b-ec74-4ea0-845c-7b7fce241540}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{8120f81b-ec74-4ea0-845c-7b7fce241540}	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{8120F81B-EC74-4EA0-845C-7B7FCE241540}	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\ = "PriceLess"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\InprocServer32\ = "C:\\Program Files (x86)\\PriceLess\\5iytD1cKiiq6yH.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\Programmable	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{8120f81b-ec74-4ea0-845c-7b7fce241540}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{8120f81b-ec74-4ea0-845c-7b7fce241540}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "PriceLess"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\ProgID\ = ".9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\VersionIndependentProgID\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8120F81B-EC74-4EA0-845C-7B7FCE241540}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\PriceLess"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "PriceLess"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{8120f81b-ec74-4ea0-845c-7b7fce241540}"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\ProgID	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\VersionIndependentProgID	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8120F81B-EC74-4EA0-845C-7B7FCE241540}\Implemented Categories	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{8120f81b-ec74-4ea0-845c-7b7fce241540}"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\Programmable	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8120F81B-EC74-4EA0-845C-7B7FCE241540}	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\ProgID	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\VersionIndependentProgID	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8120F81B-EC74-4EA0-845C-7B7FCE241540}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "PriceLess"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe

pid	process
964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe

description	pid	process
Token: SeDebugPrivilege	964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Token: SeDebugPrivilege	964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Token: SeDebugPrivilege	964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Token: SeDebugPrivilege	964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Token: SeDebugPrivilege	964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Token: SeDebugPrivilege	964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exeregsvr32.exe

description	pid	process	target process
PID 964 wrote to memory of 588	964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe	regsvr32.exe
PID 964 wrote to memory of 588	964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe	regsvr32.exe
PID 964 wrote to memory of 588	964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe	regsvr32.exe
PID 964 wrote to memory of 588	964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe	regsvr32.exe
PID 964 wrote to memory of 588	964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe	regsvr32.exe
PID 964 wrote to memory of 588	964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe	regsvr32.exe
PID 964 wrote to memory of 588	964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe	regsvr32.exe
PID 588 wrote to memory of 1280	588	regsvr32.exe	regsvr32.exe
PID 588 wrote to memory of 1280	588	regsvr32.exe	regsvr32.exe
PID 588 wrote to memory of 1280	588	regsvr32.exe	regsvr32.exe
PID 588 wrote to memory of 1280	588	regsvr32.exe	regsvr32.exe
PID 588 wrote to memory of 1280	588	regsvr32.exe	regsvr32.exe
PID 588 wrote to memory of 1280	588	regsvr32.exe	regsvr32.exe
PID 588 wrote to memory of 1280	588	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{8120f81b-ec74-4ea0-845c-7b7fce241540} = "1"	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe

C:\Users\Admin\AppData\Local\Temp\415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
"C:\Users\Admin\AppData\Local\Temp\415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:964

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\PriceLess\5iytD1cKiiq6yH.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\PriceLess\5iytD1cKiiq6yH.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1280

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PriceLess\5iytD1cKiiq6yH.dat
Filesize
3KB

MD5
59bc62149d1222331426a7585315e67c

SHA1
8ef629a3885e1a2be20cfb780f8f6d77a3eb2930

SHA256
8b16d514ac788a67bc6d1feff804660501e9ffe176c25d7e1850db0fcb285f09

SHA512
af41e93bd876d60be96ca61179a69a88c3e6c1d0049164c5b1492b0aa0a1c6e959741e1fffdfdf83224cd9de3fd37d67f51e32378b8948c08fc3a122596d1c49

Download Submit
C:\Program Files (x86)\PriceLess\5iytD1cKiiq6yH.tlb
Filesize
3KB

MD5
a605ae2858a95cc2ce9bb1e9d9304674

SHA1
6d921d39e97d8fa34c010b4045e45ba776565ac9

SHA256
3074c890173c5cfefa194ea54ad1fd95801384893476628823481fe071576d45

SHA512
95335e817be4486e8e949ac701f4ffa22c579a3509d62278f05ce5b5e369bd3949ebf90e1ac8f3aa4ee59525e2c59a906666633c594d264fbbb76146216e7725

Download Submit
C:\Program Files (x86)\PriceLess\5iytD1cKiiq6yH.x64.dll
Filesize
889KB

MD5
042040d8e80233e425b5c9e39da669a3

SHA1
f4d544cc6f6979cdab77b0072642edb4824aac04

SHA256
d5adc62ab4e22acf8f91d165bde2e398cec14e4424542e355bd07e54f6b2aed2

SHA512
d127946ea1b7d08f184646a44ef6f8f59daa70c46b6e54638fa15b9c8a4dfcf62ed384c7961447070fbfb3875cecffc85c963752e0ac8b5cba430826a0b7bac5

Download Submit
\Program Files (x86)\PriceLess\5iytD1cKiiq6yH.dll
Filesize
751KB

MD5
68b0c82a53fdfe07ab206ee2078ec984

SHA1
dc0bc38f5219340b309e53841f562499bf517568

SHA256
6c37c9e2af50feb15f2cd2ac1e85a03c1cab2d997bea12da8beea59bc0099c21

SHA512
e194eed7704e793e36a0e8d130d672c5788b3d41adde92b5876ba32f52a1c8065952243666ca804736f567e5af316ac80d2f7d5612bc90f6a92b9269f6678330

Download Submit
\Program Files (x86)\PriceLess\5iytD1cKiiq6yH.x64.dll
Filesize
889KB

MD5
042040d8e80233e425b5c9e39da669a3

SHA1
f4d544cc6f6979cdab77b0072642edb4824aac04

SHA256
d5adc62ab4e22acf8f91d165bde2e398cec14e4424542e355bd07e54f6b2aed2

SHA512
d127946ea1b7d08f184646a44ef6f8f59daa70c46b6e54638fa15b9c8a4dfcf62ed384c7961447070fbfb3875cecffc85c963752e0ac8b5cba430826a0b7bac5

Download Submit
\Program Files (x86)\PriceLess\5iytD1cKiiq6yH.x64.dll
Filesize
889KB

MD5
042040d8e80233e425b5c9e39da669a3

SHA1
f4d544cc6f6979cdab77b0072642edb4824aac04

SHA256
d5adc62ab4e22acf8f91d165bde2e398cec14e4424542e355bd07e54f6b2aed2

SHA512
d127946ea1b7d08f184646a44ef6f8f59daa70c46b6e54638fa15b9c8a4dfcf62ed384c7961447070fbfb3875cecffc85c963752e0ac8b5cba430826a0b7bac5

Download Submit
memory/588-61-0x0000000000000000-mapping.dmp

Download
memory/964-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/964-55-0x0000000000DC0000-0x0000000000E8A000-memory.dmp

Filesize
808KB

Download
memory/1280-65-0x0000000000000000-mapping.dmp

Download
memory/1280-66-0x000007FEFC631000-0x000007FEFC633000-memory.dmp

Filesize
8KB

Download

pid	process
964	415249faf38a84e4b180beafc0818a06fe43cb5a4c2843e37791235bdcd8f5eb.exe
588	regsvr32.exe
1280	regsvr32.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads