Analysis Overview
SHA256
21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d
Threat Level: Likely malicious
The file 21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d was found to be: Likely malicious.
Malicious Activity Summary
Detects executables containing base64 encoded User Agent
Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry key
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 19:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 19:23
Reported
2024-04-03 19:26
Platform
win7-20240221-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Detects executables containing SQL queries to confidential data stores. Observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing base64 encoded User Agent
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel GPU = "F:\\Program Files\\Intel GPU\\GfxUI.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Search Helper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Search\\SearchHelper.exe" | C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe | N/A |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
"C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
"\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
"C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe" silent pause
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
"\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v "Intel GPU" /d "F:\Program Files\Intel GPU\GfxUI.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | supportbackup.esy.es | udp |
| US | 8.8.8.8:53 | supportbackup.esy.es | udp |
| US | 8.8.8.8:53 | supportservice.netai.net | udp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 8.8.8.8:53 | supportbackup.esy.es | udp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 8.8.8.8:53 | supportbackup.esy.es | udp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 8.8.8.8:53 | supportbackup.esy.es | udp |
| US | 8.8.8.8:53 | supportbackup.esy.es | udp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 8.8.8.8:53 | backupsupport.esy.es | udp |
| US | 8.8.8.8:53 | backupsupport.comxa.com | udp |
| US | 153.92.0.100:80 | backupsupport.comxa.com | tcp |
| US | 8.8.8.8:53 | backupsupport.esy.es | udp |
| US | 8.8.8.8:53 | backupsupport.esy.es | udp |
| US | 153.92.0.100:80 | backupsupport.comxa.com | tcp |
| US | 153.92.0.100:80 | backupsupport.comxa.com | tcp |
| US | 8.8.8.8:53 | quicks.hol.es | udp |
| US | 8.8.8.8:53 | quick.comuf.com | udp |
| US | 153.92.0.100:80 | quick.comuf.com | tcp |
| US | 153.92.0.100:80 | quick.comuf.com | tcp |
Files
memory/3036-0-0x0000000063080000-0x00000000631EC000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
| MD5 | ea65d4ed0e12972e6e5ccdc587f4e81b |
| SHA1 | 82085183281a803383052512f59d850492eb6ce1 |
| SHA256 | 8d9a9e79a179be87ee2417691c04eb88ea5182b6e312a8b63c075f89d3954960 |
| SHA512 | 83d6a18d5d66aa6a78f6bb3668515ba90d879dc6035e14f29965a397e01ef51320f4f18411992d403fd4f8be23d2e8332485f62b21fe3109f0dcea0506126520 |
C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat
| MD5 | 9d48424c6912dad5814cd03e0639e836 |
| SHA1 | 5ce05f3b4b27e82f24acb673964c0c559ff11163 |
| SHA256 | 979fb2eb009089e6488a6c142e664b2126cd2e833ffa53d9edbcadc50a510c5c |
| SHA512 | d9b40cf162aaeedb0c59a80c200d90b24eea1f7b411d279828bb0b4824b539ab01ce37b0c0e40f858d9b04138f37f3f7c957408c3f7b2e37d31e099107234095 |
\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
| MD5 | ff844e6f88d69a4a88a351accd9c4d81 |
| SHA1 | a1abec6647d006dbd0868ceba375cc918b4cf924 |
| SHA256 | 68eb386452de66ce3967ff36d6bcf37d8dbf948f03223ee59c89955e2bd1db9a |
| SHA512 | 9a970a37cddb28f6a5684cfe972cb5e088eb9e80fcf5c01707b05f65477a871493c8f8ecf0eda4b2a01e4dbd528a9b048b7809feb1dad035b4d7eed4f3f68579 |
memory/3036-50-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2612-63-0x0000000000400000-0x0000000000468000-memory.dmp
memory/652-90-0x0000000000400000-0x0000000000468000-memory.dmp
memory/524-89-0x0000000000400000-0x0000000000468000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 19:23
Reported
2024-04-03 19:26
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Detects executables containing SQL queries to confidential data stores. Observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing base64 encoded User Agent
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
"C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
"\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe
"C:\Users\Admin\AppData\Local\Temp\21f055fae8ca7df29375d05c1400c166aed1ca1473770e7b22d242cf2609d25d.exe" silent pause
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
"\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | supportbackup.esy.es | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | supportservice.netai.net | udp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 8.8.8.8:53 | 227.97.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.122.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | supportbackup.esy.es | udp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 8.8.8.8:53 | backupsupport.esy.es | udp |
| US | 8.8.8.8:53 | backupsupport.comxa.com | udp |
| US | 153.92.0.100:80 | backupsupport.comxa.com | tcp |
| US | 153.92.0.100:80 | backupsupport.comxa.com | tcp |
| US | 153.92.0.100:80 | backupsupport.comxa.com | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.150.79.40.in-addr.arpa | udp |
Files
memory/4720-0-0x0000000063080000-0x00000000631EC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
| MD5 | 637191f6ffe1561048a95b6606ced54a |
| SHA1 | d7c5c3fcc58d6a69d82dbeb41dd0f45d32cfb9dd |
| SHA256 | f15cde562c5ed895bf5b66f2ffe227dec6097dd0542e9b90fa3caa79d7117005 |
| SHA512 | 347322b349018925a602d432d615c7de8dc810cd8020715440e2e00f539b93ec3076745f9b433b63413dd6e2bbc4f1366e7893360720d71fe8a148d674485084 |
memory/4556-16-0x0000000063080000-0x00000000631EC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat
| MD5 | 5fd824a151eb6bfc4eabfe528c0c5f78 |
| SHA1 | 89bec445df7e654bd6c615b22dc9a44464f8d0cb |
| SHA256 | 69939a5bef84d8ced37f20c56346eeda24c8f6ddac32506a9aa09ae763b8729c |
| SHA512 | d572de6439a9ff3643908199e7a0ffa815a65db0bbf2a8b23b331ebe0b6fa892b6e6fe8abe14fabf8f6a50a0585f874ba1f0178a6cf82b64672f0388dc1339c3 |
C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
| MD5 | bb7683b871ceef98d026ae07b3d752f1 |
| SHA1 | 884030377281d73d3335b97f92ad591a07635b36 |
| SHA256 | d033661f7611810189e16a2cfb1894627d1fef08900b53a5452a91c18dece567 |
| SHA512 | 6e364d82f973676480982a799cdd43bfde8ac94093d6466035aec4606225e9d6227d2aa4cfec66071eba6b932b10e9526c875ac627d3ae1b5e3664aa88e445ce |
memory/1788-33-0x0000000063080000-0x00000000631EC000-memory.dmp
memory/4720-43-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2520-44-0x0000000063080000-0x00000000631EC000-memory.dmp
memory/4556-54-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2664-57-0x0000000063080000-0x00000000631EC000-memory.dmp
memory/3820-58-0x0000000063080000-0x00000000631EC000-memory.dmp
memory/2664-77-0x0000000000400000-0x0000000000468000-memory.dmp
memory/3820-78-0x0000000000400000-0x0000000000468000-memory.dmp