3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1

General

Target

3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe
Size

493KB
MD5

b5cb180e0403583889e7aae8297db9e4
SHA1

a5bd6722dad912944c7e924c8efc0b047cba1ab6
SHA256

3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1
SHA512

5560d1acabd5d48ef8d123987537dc5321327f6ec96aac25417fb059c200846f46f9f074b13ae16cc6da3b14f072cf2ba31f4c7c4b1d434977e30ba88b129581
SSDEEP

12288:S+qYt531sYtGVWpPz4IDlwLV1nWGYAZeAEdmSL6nju:Sdw5GVW54IBEV1jAmy6ju

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1640-0-0x0000000063080000-0x00000000631EC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/1640-51-0x0000000063080000-0x00000000631EC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables containing base64 encoded User Agent 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1640-0-0x0000000063080000-0x00000000631EC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
behavioral1/memory/1640-51-0x0000000063080000-0x00000000631EC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent

Drops startup file 1 IoCs

Processes:

SearchHelper.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe SearchHelper.exe
Executes dropped EXE 4 IoCs

Processes:

SearchHelper.execom3.execom3.exeSearchHelper.exe

pid process

2604 SearchHelper.exe
2672 com3.exe
1536 com3.exe
1656 SearchHelper.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe	SearchHelper.exe

pid	process
2604	SearchHelper.exe
2672	com3.exe
1536	com3.exe
1656	SearchHelper.exe

Loads dropped DLL 7 IoCs

Processes:

3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe

pid	process
1640	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe
1640	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe
1640	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe
1640	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe
2580	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe
2580	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe
2580	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

com3.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Search Helper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Search\\SearchHelper.exe"	com3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel GPU = "F:\\Program Files\\Intel GPU\\GfxUI.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2384 reg.exe

pid	process
2384	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exeSearchHelper.execom3.exe3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.execom3.exeSearchHelper.exe

pid	process
1640	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe
2604	SearchHelper.exe
2672	com3.exe
2580	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe
1536	com3.exe
1656	SearchHelper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SearchHelper.exe

description pid process

Token: SeDebugPrivilege 2604 SearchHelper.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SearchHelper.exe

pid process

2604 SearchHelper.exe

description	pid	process
Token: SeDebugPrivilege	2604	SearchHelper.exe

pid	process
2604	SearchHelper.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.execom3.exe

description	pid	process	target process
PID 1640 wrote to memory of 2604	1640	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	SearchHelper.exe
PID 1640 wrote to memory of 2604	1640	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	SearchHelper.exe
PID 1640 wrote to memory of 2604	1640	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	SearchHelper.exe
PID 1640 wrote to memory of 2604	1640	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	SearchHelper.exe
PID 1640 wrote to memory of 2672	1640	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	com3.exe
PID 1640 wrote to memory of 2672	1640	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	com3.exe
PID 1640 wrote to memory of 2672	1640	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	com3.exe
PID 1640 wrote to memory of 2672	1640	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	com3.exe
PID 1640 wrote to memory of 2580	1640	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe
PID 1640 wrote to memory of 2580	1640	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe
PID 1640 wrote to memory of 2580	1640	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe
PID 1640 wrote to memory of 2580	1640	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe
PID 2580 wrote to memory of 1656	2580	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	SearchHelper.exe
PID 2580 wrote to memory of 1656	2580	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	SearchHelper.exe
PID 2580 wrote to memory of 1656	2580	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	SearchHelper.exe
PID 2580 wrote to memory of 1656	2580	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	SearchHelper.exe
PID 2580 wrote to memory of 1536	2580	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	com3.exe
PID 2580 wrote to memory of 1536	2580	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	com3.exe
PID 2580 wrote to memory of 1536	2580	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	com3.exe
PID 2580 wrote to memory of 1536	2580	3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe	com3.exe
PID 2672 wrote to memory of 2384	2672	com3.exe	reg.exe
PID 2672 wrote to memory of 2384	2672	com3.exe	reg.exe
PID 2672 wrote to memory of 2384	2672	com3.exe	reg.exe
PID 2672 wrote to memory of 2384	2672	com3.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe
"C:\Users\Admin\AppData\Local\Temp\3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2604

C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
"\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v "Intel GPU" /d "F:\Program Files\Intel GPU\GfxUI.exe"
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2384

C:\Users\Admin\AppData\Local\Temp\3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe
"C:\Users\Admin\AppData\Local\Temp\3dfa782678cbffcc92fc97b6c4ace9ff1898b76bdb2fcd6d382d2bd20ce588b1.exe" silent pause
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2580

C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1656

C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
"\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\persist.dat
Filesize
10B

MD5
f201ec9db9b3222af6e45db08f89129b

SHA1
9863317d3283041486a2c88884d0bce7e0afc264

SHA256
603a14bbd6fd5d296f63f41f823752af469fb3a1afa2b4e88bb3207be13d8986

SHA512
9c3b47766234d925b412911eb70bd08bd3fbdc98c85e9dcfa4fc21eb8058b533c797ce508e1b694dcb7fc0c658b24162baba0d8e956350bd95e12b89c4b32ffe

Download Submit
\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe
Filesize
495KB

MD5
a4cc07e1c8d1538f895ba56df9452fdf

SHA1
28e928bad43387da990b55845a76778d6c1d6aed

SHA256
6f1294f5b29ee02f7b309b0db54a0d1117d0e0f151d94c8d164ccf0ee0ff863d

SHA512
0bd0b57a49aa2a131f7c70139cf9897a8b15b5dcf21caf7f3538d8787ea48011ea6ab9fa858fe9f188ad30e19224f7190141c5c8b45493da5e2c61903ee59552

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe
Filesize
495KB

MD5
8fef127e00bc89d74f0a9974de2239df

SHA1
d736b602d30cb0d9998a3fa21ce65a6d809c21db

SHA256
0f30cc037c1aeb841a12148d2af5d9ff59696c1dd602b00dd08b8d0d6c1545b0

SHA512
801540b2dc44d511756fe7d1b68d2aba0e96a782ac8959dd154063601fa22ff6f255196047f99bdb1a6ad545e7292be17231d915dee67831694962dca35e5a8e

Download Submit
memory/1536-78-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1640-0-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/1640-51-0x0000000063080000-0x00000000631EC000-memory.dmp

Filesize
1.4MB

Download
memory/1640-52-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1656-89-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads