f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc

General

Target

f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe
Size

438KB
MD5

3e4906e5486da3018a6c4997b96944e3
SHA1

6375dc55eb217a19b0cb2304592ba31140b4a7d9
SHA256

f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc
SHA512

98149876250f3015674363f9d290a5a51e4a161235eb57b0620827d1685af7fd6143009d0b3ffe0fc6a2e216d3bbd97fedfdae0230779a057b9f67b8284f391f
SSDEEP

6144:pIZBFT/ylE4AxP4sXp/WdT0RYhHWyG+xgXERMZ0fP+bvE/wDqD1/:EFTKiFNRYh2yGlXERMZdvEf1/

Score

9^/10

Malware Config

Signatures

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 2 IoCs

resource	yara_rule
behavioral1/memory/2864-1-0x0000000063080000-0x00000000631EC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2736-81-0x0000000000470000-0x00000000004D9000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables containing base64 encoded User Agent 2 IoCs

resource	yara_rule
behavioral1/memory/2864-1-0x0000000063080000-0x00000000631EC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
behavioral1/memory/2736-81-0x0000000000470000-0x00000000004D9000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe	SearchHelper.exe

Executes dropped EXE 4 IoCs

pid	Process
2220	SearchHelper.exe
2600	com3.exe
2764	com3.exe
768	SearchHelper.exe

Loads dropped DLL 7 IoCs

pid	Process
2864	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe
2864	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe
2864	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe
2864	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe
2736	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe
2736	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe
2736	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Search Helper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Search\\SearchHelper.exe"	com3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel GPU = "F:\\Program Files\\Intel GPU\\GfxUI.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2204	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2864	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe
2220	SearchHelper.exe
2600	com3.exe
2736	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe
2764	com3.exe
768	SearchHelper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	SearchHelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2220	SearchHelper.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2220	2864	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	28
PID 2864 wrote to memory of 2220	2864	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	28
PID 2864 wrote to memory of 2220	2864	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	28
PID 2864 wrote to memory of 2220	2864	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	28
PID 2864 wrote to memory of 2600	2864	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	29
PID 2864 wrote to memory of 2600	2864	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	29
PID 2864 wrote to memory of 2600	2864	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	29
PID 2864 wrote to memory of 2600	2864	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	29
PID 2864 wrote to memory of 2736	2864	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	30
PID 2864 wrote to memory of 2736	2864	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	30
PID 2864 wrote to memory of 2736	2864	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	30
PID 2864 wrote to memory of 2736	2864	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	30
PID 2736 wrote to memory of 768	2736	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	31
PID 2736 wrote to memory of 768	2736	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	31
PID 2736 wrote to memory of 768	2736	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	31
PID 2736 wrote to memory of 768	2736	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	31
PID 2736 wrote to memory of 2764	2736	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	32
PID 2736 wrote to memory of 2764	2736	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	32
PID 2736 wrote to memory of 2764	2736	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	32
PID 2736 wrote to memory of 2764	2736	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	32
PID 2600 wrote to memory of 2204	2600	com3.exe	35
PID 2600 wrote to memory of 2204	2600	com3.exe	35
PID 2600 wrote to memory of 2204	2600	com3.exe	35
PID 2600 wrote to memory of 2204	2600	com3.exe	35

C:\Users\Admin\AppData\Local\Temp\f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe
"C:\Users\Admin\AppData\Local\Temp\f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2220
- C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
  "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v "Intel GPU" /d "F:\Program Files\Intel GPU\GfxUI.exe"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2204
- C:\Users\Admin\AppData\Local\Temp\f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe
  "C:\Users\Admin\AppData\Local\Temp\f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe" silent pause
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:768
- - C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
    "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat

Filesize
10B

MD5
0ecbe47bdfffa63c8e8f66589470a517

SHA1
d8c3368891177e83249dd5e607a2b0d8683687a1

SHA256
ede526f6ae5ed1b6d9c89fee45adc0353addae861bf98ca75ff5dcf61baa0383

SHA512
73889c2f56113985e456a6efdac61303c52fe3dc3cd76adffd3c242d11127b083e59e140847fcaf0b91c0550e8e24c59f96fb228b320eb1a2c1b84cf0f3f6bfb

Download Submit
\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
440KB

MD5
2cf2cd9c199c02657aebee6a259130a5

SHA1
3084ff2a0a88a0d374be2be7f9bb1c26c4bacd3f

SHA256
89a104a7a269a8f756d2281fceda172f1528c68fc54d740557d53b42ca2cc41f

SHA512
e0fccf4b54cef1a8901ece948aff405581ed546c54f92d6472f86a8f7c5fd838726cea56507d71a66bd57abee1a6451cf6602fe443b40718df07230d479b648d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
440KB

MD5
5beb978fb33f06fd09230348d17f9934

SHA1
abc39274b28dee0653cdb61d651b73b15d3d897d

SHA256
455a47ca90ea28baabfb064942a82bbd4927f2e6185c7d13e194851c61973c4f

SHA512
278e113505c9579f90d7db22e42dd8e3ab59c49355909c6a2036f81ac5f9850426104180ff5ef70b14801f49c5b6ad2f30bea58e412e252cc062b46351b46597

Download Submit
memory/768-87-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/768-100-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2220-78-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2220-25-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2600-47-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2600-104-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2736-108-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2736-112-0x0000000000470000-0x00000000004D9000-memory.dmp

Filesize
420KB

Download
memory/2736-53-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2736-81-0x0000000000470000-0x00000000004D9000-memory.dmp

Filesize
420KB

Download
memory/2764-84-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2764-101-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2864-55-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2864-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2864-44-0x0000000003140000-0x00000000031A9000-memory.dmp

Filesize
420KB

Download
memory/2864-39-0x0000000003140000-0x00000000031A9000-memory.dmp

Filesize
420KB

Download
memory/2864-23-0x0000000003140000-0x00000000031A9000-memory.dmp

Filesize
420KB

Download
memory/2864-20-0x0000000003140000-0x00000000031A9000-memory.dmp

Filesize
420KB

Download
memory/2864-1-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads