8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e

General

Target

8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe
Size

480KB
MD5

2ab83703ced16ff9f3659c6632dd88fe
SHA1

ced5efbef629ee9ce07a26952b95649f77247f8f
SHA256

8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e
SHA512

52510a4092927e224ab90c3acf0ade4c0ac3fc7c5393a03d036011cdbfd3ca27428a0e13e073fff661f241f1a25fea7d0214270720c9dfbdfc5a6877d5ec3e54
SSDEEP

12288:VPAl/HOfKF4q/9t+RFOybiB3DowbQ7oMAU:VPG/BF4q/aoJ3De7yU

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3796	SearchHelper.exe
4856	com3.exe
1004	SearchHelper.exe
4420	com3.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe	SearchHelper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4032	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe
4032	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe
3796	SearchHelper.exe
3796	SearchHelper.exe
4856	com3.exe
4856	com3.exe
4888	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe
4888	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe
1004	SearchHelper.exe
1004	SearchHelper.exe
4420	com3.exe
4420	com3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3796	SearchHelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3796	SearchHelper.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 3796	4032	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	85
PID 4032 wrote to memory of 3796	4032	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	85
PID 4032 wrote to memory of 3796	4032	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	85
PID 4032 wrote to memory of 4856	4032	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	88
PID 4032 wrote to memory of 4856	4032	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	88
PID 4032 wrote to memory of 4856	4032	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	88
PID 4032 wrote to memory of 4888	4032	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	90
PID 4032 wrote to memory of 4888	4032	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	90
PID 4032 wrote to memory of 4888	4032	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	90
PID 4888 wrote to memory of 1004	4888	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	91
PID 4888 wrote to memory of 1004	4888	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	91
PID 4888 wrote to memory of 1004	4888	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	91
PID 4888 wrote to memory of 4420	4888	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	92
PID 4888 wrote to memory of 4420	4888	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	92
PID 4888 wrote to memory of 4420	4888	8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe	92

C:\Users\Admin\AppData\Local\Temp\8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe
"C:\Users\Admin\AppData\Local\Temp\8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3796
- C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
  "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
- C:\Users\Admin\AppData\Local\Temp\8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe
  "C:\Users\Admin\AppData\Local\Temp\8df0d617abc710d186294edc401e1723e5886eedcc7cd2b212873d0612f3712e.exe" silent pause
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1004
- - C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
    "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
483KB

MD5
11d0536b8d3ab1d78d31ec2adb3d576c

SHA1
17abfb5c3ce43b07893039b87244b4a06b974b86

SHA256
c9cd2bb870ab493bb03671bc21295106c291b5edc2d5e3305679a54a3040251d

SHA512
18630acad3abf22955b9c0fb6cc9fe09f13199c4fc910eaf39824335f3e553c77a827126ac4b9372f4d363e9ff6d34e89c4f65755e4f358d2b386f00a990151c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
483KB

MD5
11d0536b8d3ab1d78d31ec2adb3d576c

SHA1
17abfb5c3ce43b07893039b87244b4a06b974b86

SHA256
c9cd2bb870ab493bb03671bc21295106c291b5edc2d5e3305679a54a3040251d

SHA512
18630acad3abf22955b9c0fb6cc9fe09f13199c4fc910eaf39824335f3e553c77a827126ac4b9372f4d363e9ff6d34e89c4f65755e4f358d2b386f00a990151c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
483KB

MD5
11d0536b8d3ab1d78d31ec2adb3d576c

SHA1
17abfb5c3ce43b07893039b87244b4a06b974b86

SHA256
c9cd2bb870ab493bb03671bc21295106c291b5edc2d5e3305679a54a3040251d

SHA512
18630acad3abf22955b9c0fb6cc9fe09f13199c4fc910eaf39824335f3e553c77a827126ac4b9372f4d363e9ff6d34e89c4f65755e4f358d2b386f00a990151c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
483KB

MD5
bc0a073179bc28404336a875a619cdc7

SHA1
4618cecd70a0df4a9ee44188972c3b92f08f3500

SHA256
8339cb11623c8461c01aa49f7074123c8791122ab68dc8ad900135627e057882

SHA512
67f0ac2df347e61ad67797fb7750428eb3411cd19cf99cf6df99c9d144ce1a753eb9869ae383a0831dfbabd5c8dab6b6c75e928594198a1d74195e68207db0a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
483KB

MD5
bc0a073179bc28404336a875a619cdc7

SHA1
4618cecd70a0df4a9ee44188972c3b92f08f3500

SHA256
8339cb11623c8461c01aa49f7074123c8791122ab68dc8ad900135627e057882

SHA512
67f0ac2df347e61ad67797fb7750428eb3411cd19cf99cf6df99c9d144ce1a753eb9869ae383a0831dfbabd5c8dab6b6c75e928594198a1d74195e68207db0a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
483KB

MD5
bc0a073179bc28404336a875a619cdc7

SHA1
4618cecd70a0df4a9ee44188972c3b92f08f3500

SHA256
8339cb11623c8461c01aa49f7074123c8791122ab68dc8ad900135627e057882

SHA512
67f0ac2df347e61ad67797fb7750428eb3411cd19cf99cf6df99c9d144ce1a753eb9869ae383a0831dfbabd5c8dab6b6c75e928594198a1d74195e68207db0a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat

Filesize
10B

MD5
7f9e9072ad0005436d20861abb8f6477

SHA1
554c05f95bed1edf12ccd2921933b9dc28065b3f

SHA256
6b9d8783df41a05572f030cfbcfd3cf6d932074448567a1d4f29f5d43dbce8da

SHA512
6163d50a929dcf5284e0ff4576b5ebee0c5fcab956bc426a73121dc4cac4ea9d4989cd3304886db01ee0932f6df59cd896bd0085693f0c23e420c0005d5ffe5b

Download Submit
memory/1004-184-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/3796-145-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/4032-132-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/4856-159-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/4888-170-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing