Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 19:23

Static task: static1
Behavioral task: behavioral1
Sample: 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
Resource: win7-20240221-en
General

Target: 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
Size: 473KB
MD5: 0b04a67e885c68278f26424d0fe3826e
SHA1: b4a521b8b9b6d44fdec744cf57bc23514e3d3351
SHA256: 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d
SHA512: 05c41bcb01bcf59754f7f7a190a6539f6cfb1add4b6a0c1e1423ea013b8cacdfcc132b36232792916bfaa3b67146b90ae2c1797b0cc15ad6c4f8eb5ffa104fa2
SSDEEP: 6144:ipuN8bKQsIQnrR5L3dnQCarDr0d4Qz+i5GhxkbV9hdlG/8G2ZzIdA4JdfxEu79Li:1Q5QnrrLGnisIS/HaeAEdmSL6nJ
Malware Config
Signatures
Detects executables containing SQL queries to confidential data stores. Observed in infostealers (6 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4720-0-0x0000000063080000-0x00000000631EC000-memory.dmp    INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
  behavioral2/memory/4556-16-0x0000000063080000-0x00000000631EC000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
  behavioral2/memory/1788-33-0x0000000063080000-0x00000000631EC000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
  behavioral2/memory/2520-44-0x0000000063080000-0x00000000631EC000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
  behavioral2/memory/2664-57-0x0000000063080000-0x00000000631EC000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
  behavioral2/memory/3820-58-0x0000000063080000-0x00000000631EC000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables containing base64 encoded User Agent (6 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4720-0-0x0000000063080000-0x00000000631EC000-memory.dmp    INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
  behavioral2/memory/4556-16-0x0000000063080000-0x00000000631EC000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
  behavioral2/memory/1788-33-0x0000000063080000-0x00000000631EC000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
  behavioral2/memory/2520-44-0x0000000063080000-0x00000000631EC000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
  behavioral2/memory/2664-57-0x0000000063080000-0x00000000631EC000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
  behavioral2/memory/3820-58-0x0000000063080000-0x00000000631EC000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent

  Note: both rules hit the same 0x63080000-0x631EC000 region in all six processes, which is consistent with one module mapped at the same base in each of them rather than six different payloads.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence. The value read is the current user's GeoID (HKCU\Control Panel\International\Geo\Nation).
  description         ioc                                                                                                 Process
  Key value queried   \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe

Drops startup file (1 IoC)
  description    ioc                                                                                                Process
  File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe   SearchHelper.exe

Executes dropped EXE (4 IoCs)
  pid    Process
  4556   SearchHelper.exe
  1788   com3.exe
  2664   SearchHelper.exe
  3820   com3.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (12 IoCs; each process is listed twice in the original report)
  pid    Process
  4720   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
  4720   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
  4556   SearchHelper.exe
  4556   SearchHelper.exe
  1788   com3.exe
  1788   com3.exe
  2520   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
  2520   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
  2664   SearchHelper.exe
  2664   SearchHelper.exe
  3820   com3.exe
  3820   com3.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    Process
  Token: SeDebugPrivilege   4556   SearchHelper.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid    Process
  4556   SearchHelper.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                          pid    Process                                                                 procid_target
  PID 4720 wrote to memory of 4556     4720   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe   89
  PID 4720 wrote to memory of 4556     4720   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe   89
  PID 4720 wrote to memory of 4556     4720   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe   89
  PID 4720 wrote to memory of 1788     4720   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe   90
  PID 4720 wrote to memory of 1788     4720   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe   90
  PID 4720 wrote to memory of 1788     4720   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe   90
  PID 4720 wrote to memory of 2520     4720   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe   93
  PID 4720 wrote to memory of 2520     4720   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe   93
  PID 4720 wrote to memory of 2520     4720   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe   93
  PID 2520 wrote to memory of 2664     2520   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe   97
  PID 2520 wrote to memory of 2664     2520   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe   97
  PID 2520 wrote to memory of 2664     2520   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe   97
  PID 2520 wrote to memory of 3820     2520   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe   98
  PID 2520 wrote to memory of 3820     2520   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe   98
  PID 2520 wrote to memory of 3820     2520   21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe   98

  Note: every target PID is one of the parent's own children and each pair appears three times with the same procid_target, the pattern a parent produces while setting up a child it has just created. These rows therefore document the parent/child relationships; they do not by themselves show injection into an unrelated running process.
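The two YARA hits above fire on the same memory region of all six processes. The rule bodies themselves are not on this page, so the script below is an added example (mine, not the sandbox's or the rule author's) that re-implements what such rules have to do: find a base64-encoded User-Agent at any alignment, and find SELECT ... FROM queries against browser credential stores (logins, cookies, credit_cards and the Firefox moz_* tables; the needle strings and table names are my assumptions). The interesting part is the alignment handling: base64 output for a substring depends on where it starts relative to the 3-byte groups, so a scanner needs three variants with the edge characters trimmed, which is what yara's `base64` string modifier generates. The "memory dump" it scans is constructed inline, not data from this analysis.

```python
import base64
import re

# Base64 output for a substring depends on where the substring starts relative
# to the 3-byte encoding groups, so a scanner that wants to find an encoded
# needle at any position in a blob needs all three phase variants, with the
# edge characters that also encode neighbouring bytes removed.
LEAD_DROP = {0: 0, 1: 2, 2: 3}   # leading chars contaminated by the bytes before the needle
TAIL_DROP = {0: 0, 1: 3, 2: 2}   # trailing chars (incl. '=' padding) contaminated by bytes after it


def base64_variants(needle: bytes) -> list:
    """Return the three alignment-specific base64 encodings of `needle`."""
    variants = []
    for phase in range(3):
        enc = base64.b64encode(b"\x00" * phase + needle)
        tail = TAIL_DROP[(phase + len(needle)) % 3]
        variants.append(enc[LEAD_DROP[phase]:len(enc) - tail])
    return variants


# Assumed patterns; the real rule bodies are not on this page.
USER_AGENT_NEEDLES = [b"Mozilla/5.0 (Windows NT", b"Mozilla/5.0 (Macintosh"]
CONFIDENTIAL_STORE_QUERY = re.compile(
    rb"SELECT\b[^\x00]{1,200}?\bFROM\s+"
    rb"(logins|cookies|credit_cards|autofill|moz_logins|moz_cookies)\b",
    re.IGNORECASE,
)


def scan_buffer(buf: bytes) -> dict:
    """Apply both checks to a raw buffer (e.g. a memory dump) and return the hits."""
    hits = {"b64_user_agent": [], "sql_confidential_store": []}
    for needle in USER_AGENT_NEEDLES:
        for variant in base64_variants(needle):
            if variant in buf:
                hits["b64_user_agent"].append(variant)
    for m in CONFIDENTIAL_STORE_QUERY.finditer(buf):
        hits["sql_confidential_store"].append(m.group(0))
    return hits


# Constructed sample "memory dump" (not data from the sandbox): the UA sits
# base64-encoded inside a larger config string at a one-byte offset, i.e. at
# phase 1, next to two Chromium Login Data / Cookies queries and one benign query.
_UA = b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 28
    + base64.b64encode(b"#" + _UA + b"|v2") + b"\x00"
    + b"SELECT origin_url, username_value, password_value FROM logins\x00"
    + b"SELECT host_key, name, encrypted_value FROM cookies\x00"
    + b"SELECT id, total FROM orders WHERE total > 10\x00"
)
# Plaintext UA and an unrelated query: neither check should fire.
BENIGN_DUMP = b"MZ" + b"\x00" * 16 + _UA + b"\x00SELECT id FROM orders\x00"

if __name__ == "__main__":
    for name, buf in (("sample", SAMPLE_DUMP), ("benign", BENIGN_DUMP)):
        print(name, scan_buffer(buf))
```

Against a real dump you would feed the six memory.dmp files listed above to scan_buffer; because all of them cover the same 0x63080000-0x631EC000 range, one of them is enough to confirm which strings actually triggered the rules.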
Processes

C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe  (PID 4720, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe  (PID 4556, level 2)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe  (PID 1788, level 2)
    command line: "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe  (PID 2520, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe" silent pause
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe  (PID 2664, level 3)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe  (PID 3820, level 3)
      command line: "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
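Three things in this tree deserve a second look: com3.exe is launched through the \\.\ device namespace (COM3 is a reserved DOS device name, and the Win32 path layer has historically treated COM3.exe the same way, so the file can only be created, run or deleted with a \\.\ or \\?\ prefix, which defeats casual clean-up with Explorer or del), SearchHelper.exe writes into the per-user Startup folder, and the sample re-launches its own image with extra arguments ("silent pause"). The script below is an added example, mine rather than the sandbox's, that rebuilds the tree from records modelled on this page and flags exactly those three patterns. The sandbox does not print parent PIDs, so the ppid values are taken from the WriteProcessMemory parent/child pairs above; everything else is transcribed from the process list.

```python
import ntpath
import re
from typing import Optional

# Reserved DOS device names. The Win32 path layer has historically resolved a
# file whose name stem is one of these, with or without an extension (so
# "com3.exe" as much as "com3"), to the device itself; such a file can only be
# created, executed or deleted through the \\.\ or \\?\ namespace prefixes,
# which is why the command line on the page reads "\\.\C:\...\com3.exe".
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)
NAMESPACE_PREFIX = re.compile(r"\\\\[.?]\\")                                # \\.\ or \\?\
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)


def reserved_device_name(path: str) -> Optional[str]:
    """Return the reserved device a Win32 path name would resolve to, if any."""
    stem = ntpath.basename(path).split(".", 1)[0].rstrip(" ").upper()
    return stem if stem in RESERVED_DEVICES else None


def tree_depths(records) -> dict:
    """pid -> nesting level (1 for a root), matching the sandbox's 1/2/3 markers."""
    by_pid = {r["pid"]: r for r in records}

    def depth(pid):
        parent = by_pid[pid]["ppid"]
        return 1 if parent not in by_pid else 1 + depth(parent)

    return {pid: depth(pid) for pid in by_pid}


def render_tree(records) -> list:
    """Indented one-line-per-process rendering, children under their parent."""
    by_parent = {}
    for r in records:
        by_parent.setdefault(r["ppid"], []).append(r)
    pids = {r["pid"] for r in records}
    lines = []

    def walk(r, depth):
        lines.append("  " * (depth - 1) + f"{r['pid']} {r['cmdline']}")
        for child in by_parent.get(r["pid"], []):
            walk(child, depth + 1)

    for r in records:
        if r["ppid"] not in pids:          # roots: parent not in the record set
            walk(r, 1)
    return lines


def analyze(records, file_events) -> list:
    """Flag reserved-name images, self-respawns and Startup-folder writes."""
    by_pid = {r["pid"]: r for r in records}
    findings = []
    for r in records:
        device = reserved_device_name(r["image"])
        if device:
            findings.append(dict(kind="reserved_device_name", pid=r["pid"], device=device,
                                 via_namespace=bool(NAMESPACE_PREFIX.search(r["cmdline"]))))
        parent = by_pid.get(r["ppid"])
        if parent and parent["image"].lower() == r["image"].lower() \
                and parent["cmdline"] != r["cmdline"]:
            findings.append(dict(kind="self_respawn", pid=r["pid"], ppid=parent["pid"],
                                 cmdline=r["cmdline"]))
    for ev in file_events:
        if ev["op"] == "create" and STARTUP_DIR.search(ev["path"]):
            findings.append(dict(kind="startup_folder_write", pid=ev["pid"], path=ev["path"]))
    return findings


# Records constructed from the page's process list. ppid is not printed by the
# sandbox; it is taken from the WriteProcessMemory parent/child pairs
# (4720 -> 4556, 1788, 2520 and 2520 -> 2664, 3820).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe"
HELPER = r"C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
COM3 = r"C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
DEVICE_PREFIX = "\\\\.\\"   # the literal \\.\ prefix
RECORDS = [
    dict(pid=4720, ppid=None, image=SAMPLE, cmdline=f'"{SAMPLE}"'),
    dict(pid=4556, ppid=4720, image=HELPER, cmdline=f'"{HELPER}"'),
    dict(pid=1788, ppid=4720, image=COM3, cmdline=f'"{DEVICE_PREFIX}{COM3}"'),
    dict(pid=2520, ppid=4720, image=SAMPLE, cmdline=f'"{SAMPLE}" silent pause'),
    dict(pid=2664, ppid=2520, image=HELPER, cmdline=f'"{HELPER}"'),
    dict(pid=3820, ppid=2520, image=COM3, cmdline=f'"{DEVICE_PREFIX}{COM3}"'),
]
FILE_EVENTS = [
    dict(pid=4556, op="create",
         path=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe"),
]

if __name__ == "__main__":
    print("\n".join(render_tree(RECORDS)))
    for finding in analyze(RECORDS, FILE_EVENTS):
        print(finding)
```

The reserved-name check looks only at the stem before the first dot, which is what matters for the device-name collision; on a live host the practical consequence is that the dropped com3.exe has to be removed with the same \\.\ or \\?\ prefix the malware used to run it.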
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 475KB
MD5: bb7683b871ceef98d026ae07b3d752f1
SHA1: 884030377281d73d3335b97f92ad591a07635b36
SHA256: d033661f7611810189e16a2cfb1894627d1fef08900b53a5452a91c18dece567
SHA512: 6e364d82f973676480982a799cdd43bfde8ac94093d6466035aec4606225e9d6227d2aa4cfec66071eba6b932b10e9526c875ac627d3ae1b5e3664aa88e445ce

Filesize: 475KB
MD5: 637191f6ffe1561048a95b6606ced54a
SHA1: d7c5c3fcc58d6a69d82dbeb41dd0f45d32cfb9dd
SHA256: f15cde562c5ed895bf5b66f2ffe227dec6097dd0542e9b90fa3caa79d7117005
SHA512: 347322b349018925a602d432d615c7de8dc810cd8020715440e2e00f539b93ec3076745f9b433b63413dd6e2bbc4f1366e7893360720d71fe8a148d674485084

Filesize: 10B
MD5: 5fd824a151eb6bfc4eabfe528c0c5f78
SHA1: 89bec445df7e654bd6c615b22dc9a44464f8d0cb
SHA256: 69939a5bef84d8ced37f20c56346eeda24c8f6ddac32506a9aa09ae763b8729c
SHA512: d572de6439a9ff3643908199e7a0ffa815a65db0bbf2a8b23b331ebe0b6fa892b6e6fe8abe14fabf8f6a50a0585f874ba1f0178a6cf82b64672f0388dc1339c3