Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03/04/2024, 19:23
Static task: static1
Behavioral task: behavioral1
Sample: 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
Resource: win7-20240221-en
General
Target: 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
Size: 473KB
MD5: 0b04a67e885c68278f26424d0fe3826e
SHA1: b4a521b8b9b6d44fdec744cf57bc23514e3d3351
SHA256: 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d
SHA512: 05c41bcb01bcf59754f7f7a190a6539f6cfb1add4b6a0c1e1423ea013b8cacdfcc132b36232792916bfaa3b67146b90ae2c1797b0cc15ad6c4f8eb5ffa104fa2
SSDEEP: 6144:ipuN8bKQsIQnrR5L3dnQCarDr0d4Qz+i5GhxkbV9hdlG/8G2ZzIdA4JdfxEu79Li:1Q5QnrrLGnisIS/HaeAEdmSL6nJ
Malware Config
Signatures
Detects executables containing SQL queries to confidential data stores. Observed in infostealers (1 IoC)
resource | yara_rule
behavioral1/memory/3036-0-0x0000000063080000-0x00000000631EC000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Detects executables containing base64 encoded User Agent (1 IoC)
resource | yara_rule
behavioral1/memory/3036-0-0x0000000063080000-0x00000000631EC000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe | SearchHelper.exe
Executes dropped EXE (4 IoCs)
pid | Process
2612 | SearchHelper.exe
1952 | com3.exe
524 | com3.exe
652 | SearchHelper.exe
Loads dropped DLL (7 IoCs)
pid | Process
3036 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
3036 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
3036 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
3036 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
2580 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
2580 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
2580 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel GPU = "F:\\Program Files\\Intel GPU\\GfxUI.exe" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Search Helper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Search\\SearchHelper.exe" | com3.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry key (1 TTP, 1 IoC)
pid | Process
1044 | reg.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3036 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
2612 | SearchHelper.exe
1952 | com3.exe
2580 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
524 | com3.exe
652 | SearchHelper.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2612 | SearchHelper.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2612 | SearchHelper.exe
Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 3036 wrote to memory of 2612 | 3036 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 28
PID 3036 wrote to memory of 2612 | 3036 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 28
PID 3036 wrote to memory of 2612 | 3036 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 28
PID 3036 wrote to memory of 2612 | 3036 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 28
PID 3036 wrote to memory of 1952 | 3036 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 29
PID 3036 wrote to memory of 1952 | 3036 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 29
PID 3036 wrote to memory of 1952 | 3036 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 29
PID 3036 wrote to memory of 1952 | 3036 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 29
PID 3036 wrote to memory of 2580 | 3036 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 30
PID 3036 wrote to memory of 2580 | 3036 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 30
PID 3036 wrote to memory of 2580 | 3036 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 30
PID 3036 wrote to memory of 2580 | 3036 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 30
PID 2580 wrote to memory of 652 | 2580 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 31
PID 2580 wrote to memory of 652 | 2580 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 31
PID 2580 wrote to memory of 652 | 2580 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 31
PID 2580 wrote to memory of 652 | 2580 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 31
PID 2580 wrote to memory of 524 | 2580 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 32
PID 2580 wrote to memory of 524 | 2580 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 32
PID 2580 wrote to memory of 524 | 2580 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 32
PID 2580 wrote to memory of 524 | 2580 | 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | 32
PID 1952 wrote to memory of 1044 | 1952 | com3.exe | 35
PID 1952 wrote to memory of 1044 | 1952 | com3.exe | 35
PID 1952 wrote to memory of 1044 | 1952 | com3.exe | 35
PID 1952 wrote to memory of 1044 | 1952 | com3.exe | 35
Processes (indentation shows the parent/child relationship)
C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe"
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3036

  C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2612

  C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
  Command line: "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1952

    C:\Windows\SysWOW64\reg.exe
    Command line: "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v "Intel GPU" /d "F:\Program Files\Intel GPU\GfxUI.exe"
    - Adds Run key to start application
    - Modifies registry key
    PID: 1044

  C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe" silent pause
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2580

    C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 652

    C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
    Command line: "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 524
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 10B
MD5: 9d48424c6912dad5814cd03e0639e836
SHA1: 5ce05f3b4b27e82f24acb673964c0c559ff11163
SHA256: 979fb2eb009089e6488a6c142e664b2126cd2e833ffa53d9edbcadc50a510c5c
SHA512: d9b40cf162aaeedb0c59a80c200d90b24eea1f7b411d279828bb0b4824b539ab01ce37b0c0e40f858d9b04138f37f3f7c957408c3f7b2e37d31e099107234095

Filesize: 475KB
MD5: ff844e6f88d69a4a88a351accd9c4d81
SHA1: a1abec6647d006dbd0868ceba375cc918b4cf924
SHA256: 68eb386452de66ce3967ff36d6bcf37d8dbf948f03223ee59c89955e2bd1db9a
SHA512: 9a970a37cddb28f6a5684cfe972cb5e088eb9e80fcf5c01707b05f65477a871493c8f8ecf0eda4b2a01e4dbd528a9b048b7809feb1dad035b4d7eed4f3f68579

Filesize: 475KB
MD5: ea65d4ed0e12972e6e5ccdc587f4e81b
SHA1: 82085183281a803383052512f59d850492eb6ce1
SHA256: 8d9a9e79a179be87ee2417691c04eb88ea5182b6e312a8b63c075f89d3954960
SHA512: 83d6a18d5d66aa6a78f6bb3668515ba90d879dc6035e14f29965a397e01ef51320f4f18411992d403fd4f8be23d2e8332485f62b21fe3109f0dcea0506126520