Analysis Overview
SHA256
bf2f02bbab00f8d3d82393cc364158e47bd1629b2710846960fc3ce36667e6c7
Threat Level: Likely malicious
The file bf2f02bbab00f8d3d82393cc364158e47bd1629b2710846960fc3ce36667e6c7 was found to be: Likely malicious.
Malicious Activity Summary
Detects executables containing base64 encoded User Agent
Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Drops startup file
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-08 01:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-08 01:00
Reported
2024-04-08 01:03
Platform
win7-20240221-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Detects executables containing SQL queries to confidential data stores. Observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing base64 encoded User Agent
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bf2f02bbab00f8d3d82393cc364158e47bd1629b2710846960fc3ce36667e6c7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bf2f02bbab00f8d3d82393cc364158e47bd1629b2710846960fc3ce36667e6c7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bf2f02bbab00f8d3d82393cc364158e47bd1629b2710846960fc3ce36667e6c7.exe
"C:\Users\Admin\AppData\Local\Temp\bf2f02bbab00f8d3d82393cc364158e47bd1629b2710846960fc3ce36667e6c7.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
"\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
C:\Users\Admin\AppData\Local\Temp\bf2f02bbab00f8d3d82393cc364158e47bd1629b2710846960fc3ce36667e6c7.exe
"C:\Users\Admin\AppData\Local\Temp\bf2f02bbab00f8d3d82393cc364158e47bd1629b2710846960fc3ce36667e6c7.exe" silent pause
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
"\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | supportbackup.esy.es | udp |
| US | 8.8.8.8:53 | supportservice.netai.net | udp |
| US | 8.8.8.8:53 | supportbackup.esy.es | udp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 8.8.8.8:53 | supportbackup.esy.es | udp |
| US | 8.8.8.8:53 | supportbackup.esy.es | udp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 8.8.8.8:53 | backupsupport.esy.es | udp |
| US | 8.8.8.8:53 | backupsupport.esy.es | udp |
| US | 8.8.8.8:53 | backupsupport.comxa.com | udp |
| US | 153.92.0.100:80 | backupsupport.comxa.com | tcp |
| US | 153.92.0.100:80 | backupsupport.comxa.com | tcp |
Files
memory/1440-0-0x0000000063080000-0x00000000631EC000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
| MD5 | 32c5d992d2483b253e655fadb41d52e2 |
| SHA1 | 95dc3639b7fdcbaff237a1bc85aebca51f17f7b5 |
| SHA256 | 7f9cf940bd49ed7972d529bde9b165c4ece1606ee5edfd3170f3c704509c5430 |
| SHA512 | 28257ebd60cfa380ab1bd7d4757c9393ec49b9367e03e9c6450c8c5264cf662dcd680cf53640266435b5c1db71eec55ac22868666387b3dd360c482d6a3dcb63 |
C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat
| MD5 | 06e4d812fe41a5202885325ec334d048 |
| SHA1 | 651175d57ed80c5498a73df84f7e800a1eb9ef9f |
| SHA256 | 3854626033c257ce5c1cbae16acda0c3e2b17d74c2117aee79cfb6728e9c644e |
| SHA512 | 600f17fae82eb82f1af9102ba49e7fc02d66d7a6bf04bfa7b259e0004a3885885899495dce37dde61eaebf4ac66f1e6afc28ac3e5ad9c2a1980d2548e2d7a786 |
\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
| MD5 | c51e093f90155f275efd01c8a3875bbe |
| SHA1 | 55fd9db675abb2a05e7f9fa2dd03cfcbc93b471f |
| SHA256 | 6fc3e57be353fc888fd94fbb83601b5278b18b2eddcdaa82875a9266d3967ed3 |
| SHA512 | 7a35b5cb6e6be4450c60bdaffc915db63f2eee904d2f7f8bef8eef4832730e54d189759934823b872e117e013b5684b6820a19d994357fc3cf008a63380cd6e4 |
memory/1440-47-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2864-57-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2488-84-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2444-85-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2760-86-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2644-87-0x0000000000400000-0x0000000000468000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-08 01:00
Reported
2024-04-08 01:03
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Detects executables containing SQL queries to confidential data stores. Observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing base64 encoded User Agent
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bf2f02bbab00f8d3d82393cc364158e47bd1629b2710846960fc3ce36667e6c7.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Search Helper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Search\\SearchHelper.exe" | C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel GPU = "F:\\Program Files\\Intel GPU\\GfxUI.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bf2f02bbab00f8d3d82393cc364158e47bd1629b2710846960fc3ce36667e6c7.exe
"C:\Users\Admin\AppData\Local\Temp\bf2f02bbab00f8d3d82393cc364158e47bd1629b2710846960fc3ce36667e6c7.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
"\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
C:\Users\Admin\AppData\Local\Temp\bf2f02bbab00f8d3d82393cc364158e47bd1629b2710846960fc3ce36667e6c7.exe
"C:\Users\Admin\AppData\Local\Temp\bf2f02bbab00f8d3d82393cc364158e47bd1629b2710846960fc3ce36667e6c7.exe" silent pause
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
"\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v "Intel GPU" /d "F:\Program Files\Intel GPU\GfxUI.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | supportbackup.esy.es | udp |
| US | 8.8.8.8:53 | supportservice.netai.net | udp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | supportbackup.esy.es | udp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 153.92.0.100:80 | supportservice.netai.net | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | backupsupport.esy.es | udp |
| US | 8.8.8.8:53 | backupsupport.comxa.com | udp |
| US | 153.92.0.100:80 | backupsupport.comxa.com | tcp |
| US | 153.92.0.100:80 | backupsupport.comxa.com | tcp |
| US | 153.92.0.100:80 | backupsupport.comxa.com | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
Files
memory/1628-0-0x0000000063080000-0x00000000631EC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
| MD5 | b6b6e5f49f776467ab9c08923764f42b |
| SHA1 | ad624a9d1e1ac3bb07dedf1bf38c1ff76ee2366f |
| SHA256 | 5a96188d8b27e1d164ebad4d21bee19dbeb6b38fedb89fd73dae5d27c27c68c0 |
| SHA512 | 95f2e54fc7cedc8cc065851102a3a7586fc360630f4c724d143eb1b25556dc9b1d3847ff1ba870aff0d65d8939d80236e00574835f62361362c991d039002542 |
memory/2556-16-0x0000000063080000-0x00000000631EC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat
| MD5 | 06e4d812fe41a5202885325ec334d048 |
| SHA1 | 651175d57ed80c5498a73df84f7e800a1eb9ef9f |
| SHA256 | 3854626033c257ce5c1cbae16acda0c3e2b17d74c2117aee79cfb6728e9c644e |
| SHA512 | 600f17fae82eb82f1af9102ba49e7fc02d66d7a6bf04bfa7b259e0004a3885885899495dce37dde61eaebf4ac66f1e6afc28ac3e5ad9c2a1980d2548e2d7a786 |
C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
| MD5 | 43b62e5af2303a351b567713b555c758 |
| SHA1 | d3bacf2a15f7e9533748de881b8382ab3f8b9bf5 |
| SHA256 | 91e7ea2aa716757d03135eef741f73bf2005ac82f08d108fb65861037e187326 |
| SHA512 | 65987f3df22a326e8980186ed411d72d643c9db6c22eaba84c3808c7ef703a6696ec371d6c28cd1fbc2c6287c715f095c8b0c9028abfbc8436733259ed1a6d60 |
memory/4800-32-0x0000000063080000-0x00000000631EC000-memory.dmp
memory/1628-43-0x0000000000400000-0x0000000000468000-memory.dmp
memory/5000-44-0x0000000063080000-0x00000000631EC000-memory.dmp
memory/2512-56-0x0000000063080000-0x00000000631EC000-memory.dmp
memory/2512-77-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2288-76-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2556-78-0x0000000000400000-0x0000000000468000-memory.dmp