8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e

Analysis

max time kernel
152s
max time network
51s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 09:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe
Size

480KB
MD5

2ab83703ced16ff9f3659c6632dd88fe
SHA1

ced5efbef629ee9ce07a26952b95649f77247f8f
SHA256

8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e
SHA512

52510a4092927e224ab90c3acf0ade4c0ac3fc7c5393a03d036011cdbfd3ca27428a0e13e073fff661f241f1a25fea7d0214270720c9dfbdfc5a6877d5ec3e54
SSDEEP

12288:VPAl/HOfKF4q/9t+RFOybiB3DowbQ7oMAU:VPG/BF4q/aoJ3De7yU

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
760	SearchHelper.exe
1700	com3.exe
1164	SearchHelper.exe
1168	com3.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe	SearchHelper.exe

Loads dropped DLL 7 IoCs

pid	Process
1504	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe
1504	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe
1504	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe
1504	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe
380	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe
380	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe
380	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1504	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe
760	SearchHelper.exe
1700	com3.exe
380	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe
1164	SearchHelper.exe
1168	com3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	760	SearchHelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
760	SearchHelper.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 760	1504	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	26
PID 1504 wrote to memory of 760	1504	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	26
PID 1504 wrote to memory of 760	1504	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	26
PID 1504 wrote to memory of 760	1504	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	26
PID 1504 wrote to memory of 1700	1504	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	27
PID 1504 wrote to memory of 1700	1504	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	27
PID 1504 wrote to memory of 1700	1504	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	27
PID 1504 wrote to memory of 1700	1504	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	27
PID 1504 wrote to memory of 380	1504	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	28
PID 1504 wrote to memory of 380	1504	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	28
PID 1504 wrote to memory of 380	1504	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	28
PID 1504 wrote to memory of 380	1504	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	28
PID 380 wrote to memory of 1164	380	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	29
PID 380 wrote to memory of 1164	380	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	29
PID 380 wrote to memory of 1164	380	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	29
PID 380 wrote to memory of 1164	380	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	29
PID 380 wrote to memory of 1168	380	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	30
PID 380 wrote to memory of 1168	380	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	30
PID 380 wrote to memory of 1168	380	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	30
PID 380 wrote to memory of 1168	380	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	30

C:\Users\Admin\AppData\Local\Temp\8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe
"C:\Users\Admin\AppData\Local\Temp\8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:760
- C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
  "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe
  "C:\Users\Admin\AppData\Local\Temp\8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe" silent pause
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1164
- - C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
    "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
483KB

MD5
8497bcd275a1449fc15f47ebcc03f501

SHA1
48d4b027e9c52068efddd47ca9efe04eabdbf923

SHA256
bbb317a0c9d0082a385ef8c9f01a1f7e8188b7e9e581b148dbed7e19498d202e

SHA512
1421ea625eff57612c9fa7d08295bb14cd12ca5f0b0459adca293ebec4d1736d6ee854474e6c338a5bdb414887bdd09b15a2ada5f43fb922770ea01b8c6c5eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
483KB

MD5
8497bcd275a1449fc15f47ebcc03f501

SHA1
48d4b027e9c52068efddd47ca9efe04eabdbf923

SHA256
bbb317a0c9d0082a385ef8c9f01a1f7e8188b7e9e581b148dbed7e19498d202e

SHA512
1421ea625eff57612c9fa7d08295bb14cd12ca5f0b0459adca293ebec4d1736d6ee854474e6c338a5bdb414887bdd09b15a2ada5f43fb922770ea01b8c6c5eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
483KB

MD5
8497bcd275a1449fc15f47ebcc03f501

SHA1
48d4b027e9c52068efddd47ca9efe04eabdbf923

SHA256
bbb317a0c9d0082a385ef8c9f01a1f7e8188b7e9e581b148dbed7e19498d202e

SHA512
1421ea625eff57612c9fa7d08295bb14cd12ca5f0b0459adca293ebec4d1736d6ee854474e6c338a5bdb414887bdd09b15a2ada5f43fb922770ea01b8c6c5eea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
483KB

MD5
425d94ff0566668c98d43dc6d9b7ccbc

SHA1
c9621b50b26d029b3bb0c0231c3c0d2af0ff883d

SHA256
bfbf075560ed918646b1fa9e3addae7a0c2fb36cd582e1df566562e58f0fd91c

SHA512
0be9cc19d467ca8d7bb237c48e8c0a548fc3fd2fea70f38ab6298700385ac397256aa95a201199f149f8dc9ae1f9b8ba3ef03b4e4afe09aa03a81937df906188

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
483KB

MD5
425d94ff0566668c98d43dc6d9b7ccbc

SHA1
c9621b50b26d029b3bb0c0231c3c0d2af0ff883d

SHA256
bfbf075560ed918646b1fa9e3addae7a0c2fb36cd582e1df566562e58f0fd91c

SHA512
0be9cc19d467ca8d7bb237c48e8c0a548fc3fd2fea70f38ab6298700385ac397256aa95a201199f149f8dc9ae1f9b8ba3ef03b4e4afe09aa03a81937df906188

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
483KB

MD5
425d94ff0566668c98d43dc6d9b7ccbc

SHA1
c9621b50b26d029b3bb0c0231c3c0d2af0ff883d

SHA256
bfbf075560ed918646b1fa9e3addae7a0c2fb36cd582e1df566562e58f0fd91c

SHA512
0be9cc19d467ca8d7bb237c48e8c0a548fc3fd2fea70f38ab6298700385ac397256aa95a201199f149f8dc9ae1f9b8ba3ef03b4e4afe09aa03a81937df906188

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat

Filesize
10B

MD5
5feccf462815b17abdfe037582890566

SHA1
baffdd78e52bda8a67660c7d661bc4022ee44066

SHA256
09d777d2959db4599b1cbbe728d314014018874d2357c39971f21afe96bb6288

SHA512
41a64a3b468c928824511c9cedf377fdd9c3d3a35a4424fd06f6334d112fe4e37d86e7fe57b18906f871f9373917745c1a38fc35ac2e3ada824b407894012dd9

Download Submit
\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
483KB

MD5
8497bcd275a1449fc15f47ebcc03f501

SHA1
48d4b027e9c52068efddd47ca9efe04eabdbf923

SHA256
bbb317a0c9d0082a385ef8c9f01a1f7e8188b7e9e581b148dbed7e19498d202e

SHA512
1421ea625eff57612c9fa7d08295bb14cd12ca5f0b0459adca293ebec4d1736d6ee854474e6c338a5bdb414887bdd09b15a2ada5f43fb922770ea01b8c6c5eea

Download Submit
\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
483KB

MD5
8497bcd275a1449fc15f47ebcc03f501

SHA1
48d4b027e9c52068efddd47ca9efe04eabdbf923

SHA256
bbb317a0c9d0082a385ef8c9f01a1f7e8188b7e9e581b148dbed7e19498d202e

SHA512
1421ea625eff57612c9fa7d08295bb14cd12ca5f0b0459adca293ebec4d1736d6ee854474e6c338a5bdb414887bdd09b15a2ada5f43fb922770ea01b8c6c5eea

Download Submit
\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
483KB

MD5
8497bcd275a1449fc15f47ebcc03f501

SHA1
48d4b027e9c52068efddd47ca9efe04eabdbf923

SHA256
bbb317a0c9d0082a385ef8c9f01a1f7e8188b7e9e581b148dbed7e19498d202e

SHA512
1421ea625eff57612c9fa7d08295bb14cd12ca5f0b0459adca293ebec4d1736d6ee854474e6c338a5bdb414887bdd09b15a2ada5f43fb922770ea01b8c6c5eea

Download Submit
\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
483KB

MD5
8497bcd275a1449fc15f47ebcc03f501

SHA1
48d4b027e9c52068efddd47ca9efe04eabdbf923

SHA256
bbb317a0c9d0082a385ef8c9f01a1f7e8188b7e9e581b148dbed7e19498d202e

SHA512
1421ea625eff57612c9fa7d08295bb14cd12ca5f0b0459adca293ebec4d1736d6ee854474e6c338a5bdb414887bdd09b15a2ada5f43fb922770ea01b8c6c5eea

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
483KB

MD5
425d94ff0566668c98d43dc6d9b7ccbc

SHA1
c9621b50b26d029b3bb0c0231c3c0d2af0ff883d

SHA256
bfbf075560ed918646b1fa9e3addae7a0c2fb36cd582e1df566562e58f0fd91c

SHA512
0be9cc19d467ca8d7bb237c48e8c0a548fc3fd2fea70f38ab6298700385ac397256aa95a201199f149f8dc9ae1f9b8ba3ef03b4e4afe09aa03a81937df906188

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
483KB

MD5
425d94ff0566668c98d43dc6d9b7ccbc

SHA1
c9621b50b26d029b3bb0c0231c3c0d2af0ff883d

SHA256
bfbf075560ed918646b1fa9e3addae7a0c2fb36cd582e1df566562e58f0fd91c

SHA512
0be9cc19d467ca8d7bb237c48e8c0a548fc3fd2fea70f38ab6298700385ac397256aa95a201199f149f8dc9ae1f9b8ba3ef03b4e4afe09aa03a81937df906188

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
483KB

MD5
425d94ff0566668c98d43dc6d9b7ccbc

SHA1
c9621b50b26d029b3bb0c0231c3c0d2af0ff883d

SHA256
bfbf075560ed918646b1fa9e3addae7a0c2fb36cd582e1df566562e58f0fd91c

SHA512
0be9cc19d467ca8d7bb237c48e8c0a548fc3fd2fea70f38ab6298700385ac397256aa95a201199f149f8dc9ae1f9b8ba3ef03b4e4afe09aa03a81937df906188

Download Submit
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1504-55-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download