f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc

General

Target

f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe
Size

438KB
MD5

3e4906e5486da3018a6c4997b96944e3
SHA1

6375dc55eb217a19b0cb2304592ba31140b4a7d9
SHA256

f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc
SHA512

98149876250f3015674363f9d290a5a51e4a161235eb57b0620827d1685af7fd6143009d0b3ffe0fc6a2e216d3bbd97fedfdae0230779a057b9f67b8284f391f
SSDEEP

6144:pIZBFT/ylE4AxP4sXp/WdT0RYhHWyG+xgXERMZ0fP+bvE/wDqD1/:EFTKiFNRYh2yGlXERMZdvEf1/

Score

9^/10

Malware Config

Signatures

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 4 IoCs

resource	yara_rule
behavioral2/memory/4028-1-0x0000000063080000-0x00000000631EC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/1936-18-0x0000000063080000-0x00000000631EC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/2568-35-0x0000000063080000-0x00000000631EC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/876-46-0x0000000063080000-0x00000000631EC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables containing base64 encoded User Agent 4 IoCs

resource	yara_rule
behavioral2/memory/4028-1-0x0000000063080000-0x00000000631EC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
behavioral2/memory/1936-18-0x0000000063080000-0x00000000631EC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
behavioral2/memory/2568-35-0x0000000063080000-0x00000000631EC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
behavioral2/memory/876-46-0x0000000063080000-0x00000000631EC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	com3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe	SearchHelper.exe

Executes dropped EXE 4 IoCs

pid	Process
1936	SearchHelper.exe
2568	com3.exe
4888	SearchHelper.exe
1444	com3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel GPU = "F:\\Program Files\\Intel GPU\\GfxUI.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Search Helper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Search\\SearchHelper.exe"	com3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1036	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4028	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe
4028	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe
1936	SearchHelper.exe
1936	SearchHelper.exe
2568	com3.exe
2568	com3.exe
876	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe
876	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe
4888	SearchHelper.exe
1444	com3.exe
1444	com3.exe
4888	SearchHelper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	SearchHelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1936	SearchHelper.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 1936	4028	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	93
PID 4028 wrote to memory of 1936	4028	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	93
PID 4028 wrote to memory of 1936	4028	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	93
PID 4028 wrote to memory of 2568	4028	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	94
PID 4028 wrote to memory of 2568	4028	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	94
PID 4028 wrote to memory of 2568	4028	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	94
PID 4028 wrote to memory of 876	4028	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	95
PID 4028 wrote to memory of 876	4028	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	95
PID 4028 wrote to memory of 876	4028	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	95
PID 876 wrote to memory of 4888	876	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	96
PID 876 wrote to memory of 4888	876	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	96
PID 876 wrote to memory of 4888	876	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	96
PID 876 wrote to memory of 1444	876	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	97
PID 876 wrote to memory of 1444	876	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	97
PID 876 wrote to memory of 1444	876	f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe	97
PID 2568 wrote to memory of 1036	2568	com3.exe	103
PID 2568 wrote to memory of 1036	2568	com3.exe	103
PID 2568 wrote to memory of 1036	2568	com3.exe	103

C:\Users\Admin\AppData\Local\Temp\f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe
"C:\Users\Admin\AppData\Local\Temp\f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
  "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v "Intel GPU" /d "F:\Program Files\Intel GPU\GfxUI.exe"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1036
- C:\Users\Admin\AppData\Local\Temp\f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe
  "C:\Users\Admin\AppData\Local\Temp\f3cd6d7257421153da50a054698afff126b8122067926c9fffc9e9e5a101a3cc.exe" silent pause
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4888
- - C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
    "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe

Filesize
440KB

MD5
e6c6d5c75945b78e4c789a723d279560

SHA1
b8c556b26ee2b3990cc3d66d3a853dabdbec14fe

SHA256
7e8a3dbd16ea9e3504bffae4f5a123a75c0fd1ec448721d29992473a6962dcc8

SHA512
0b1f8aedf55d450a425f45732da8d7a435cfc37b140b46c3af742c54327ab8bc3081d86c90bca1b95be4bfb1e575917d43d2cd64c7ee1321a910e424f76bfe4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe

Filesize
440KB

MD5
6fcd3c65394cda245dd6d6b730732979

SHA1
3fa18947f8c5285427707734fa654ffd41646064

SHA256
ccc93489e20ba187892fb1483026a8337fbb505ba6bc820f316958e04c7b748d

SHA512
193e161963c4084dfc3ad616c85ff8f4046d0f8efbf092402612ac6f7c1c766a6c537ca2b5f325e33da6445c631a038ab2f95cadb0f6c96b0090c90df600f4f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat

Filesize
10B

MD5
570191691922292d919711a91a2d068b

SHA1
9d71459501e7b466424da50e1e273dc9fcddf3f7

SHA256
9c09d4f9c81376ccb25319c190c2a717729e2edba8d93847e8f5e02cac5a595f

SHA512
573f808e0d114f7bd8cb138a5b7b68c59ae89120d4e60b8b11d15b75ef3d5cccf540be14b57c16b89f32cb1ef3f32c05ba480ffc2d98ba93d83c265d92d6c7b2

Download Submit
memory/876-46-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/876-91-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/876-48-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1444-84-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1444-67-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1936-61-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1936-18-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/1936-17-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2568-35-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/2568-34-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2568-90-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4028-47-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4028-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4028-1-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/4888-64-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4888-83-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads