Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/04/2024, 19:23

General

  • Target

    21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe

  • Size

    473KB

  • MD5

    0b04a67e885c68278f26424d0fe3826e

  • SHA1

    b4a521b8b9b6d44fdec744cf57bc23514e3d3351

  • SHA256

    21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d

  • SHA512

    05c41bcb01bcf59754f7f7a190a6539f6cfb1add4b6a0c1e1423ea013b8cacdfcc132b36232792916bfaa3b67146b90ae2c1797b0cc15ad6c4f8eb5ffa104fa2

  • SSDEEP

    6144:ipuN8bKQsIQnrR5L3dnQCarDr0d4Qz+i5GhxkbV9hdlG/8G2ZzIdA4JdfxEu79Li:1Q5QnrrLGnisIS/HaeAEdmSL6nJ

Malware Config

Signatures

  • Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
  • Detects executables containing base64 encoded User Agent 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
    "C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2612
    • C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
      "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v "Intel GPU" /d "F:\Program Files\Intel GPU\GfxUI.exe"
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1044
    • C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
      "C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe" silent pause
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:652
      • C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
        "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:524

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat

          Filesize

          10B

          MD5

          9d48424c6912dad5814cd03e0639e836

          SHA1

          5ce05f3b4b27e82f24acb673964c0c559ff11163

          SHA256

          979fb2eb009089e6488a6c142e664b2126cd2e833ffa53d9edbcadc50a510c5c

          SHA512

          d9b40cf162aaeedb0c59a80c200d90b24eea1f7b411d279828bb0b4824b539ab01ce37b0c0e40f858d9b04138f37f3f7c957408c3f7b2e37d31e099107234095

        • \Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

          Filesize

          475KB

          MD5

          ff844e6f88d69a4a88a351accd9c4d81

          SHA1

          a1abec6647d006dbd0868ceba375cc918b4cf924

          SHA256

          68eb386452de66ce3967ff36d6bcf37d8dbf948f03223ee59c89955e2bd1db9a

          SHA512

          9a970a37cddb28f6a5684cfe972cb5e088eb9e80fcf5c01707b05f65477a871493c8f8ecf0eda4b2a01e4dbd528a9b048b7809feb1dad035b4d7eed4f3f68579

        • \Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

          Filesize

          475KB

          MD5

          ea65d4ed0e12972e6e5ccdc587f4e81b

          SHA1

          82085183281a803383052512f59d850492eb6ce1

          SHA256

          8d9a9e79a179be87ee2417691c04eb88ea5182b6e312a8b63c075f89d3954960

          SHA512

          83d6a18d5d66aa6a78f6bb3668515ba90d879dc6035e14f29965a397e01ef51320f4f18411992d403fd4f8be23d2e8332485f62b21fe3109f0dcea0506126520

        • memory/524-89-0x0000000000400000-0x0000000000468000-memory.dmp

          Filesize

          416KB

        • memory/652-90-0x0000000000400000-0x0000000000468000-memory.dmp

          Filesize

          416KB

        • memory/2612-63-0x0000000000400000-0x0000000000468000-memory.dmp

          Filesize

          416KB

        • memory/3036-0-0x0000000063080000-0x00000000631EC000-memory.dmp

          Filesize

          1.4MB

        • memory/3036-50-0x0000000000400000-0x0000000000468000-memory.dmp

          Filesize

          416KB