Windows Analysis Report
VALUESearch.exe

Overview

General Information

Sample name: VALUESearch.exe
Analysis ID: 1546343
MD5: bf8e1edfd9c8b66f2056d400a532e53d
SHA1: c71fc958d8d1bc031b85426de97e214926799f9c
SHA256: 7e0ab1acded8fb3a35517e2a9a59192a6d29e6b58fb547b20864b47444f0f6c2

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Sigma detected: Office Autorun Keys Modification
Sigma detected: Potential Persistence Via Visual Studio Tools for Office
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files

Classification

Source: VALUESearch.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 3.39.130.246:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: VALUESearch.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 3.39.130.246:443
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49705
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:60823
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /files/publish/xlllibver.txt HTTP/1.1
Connection: Keep-Alive
Accept: application/json
Accept-Charset: utf-8
Accept-Language: ko-KR
User-Agent: Zewus Agent
Host: valuesearch.co.kr
Source: global traffic DNS traffic detected: DNS query: valuesearch.co.kr
Source: VALUESearch.exe, 00000000.00000002.3283829238.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://valuesearch.co.kr/8
Source: VALUESearch.exe String found in binary or memory: https://valuesearch.co.kr/files/publish/
Source: VALUESearch.exe String found in binary or memory: https://valuesearch.co.kr/files/publish/VALUESearchUpdater.exe
Source: VALUESearch.exe String found in binary or memory: https://valuesearch.co.kr/files/publish/xlllibver.txt
Source: VALUESearch.exe, 00000000.00000002.3283829238.0000000000B25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://valuesearch.co.kr:443/files/publish/xlllibver.txt
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 3.39.130.246:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: VALUESearch.exe Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: VALUESearch.exe Static PE information: Number of sections : 11 > 10
Source: VALUESearch.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: clean4.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\VALUESearch.exe Mutant created: \Sessions\1\BaseNamedObjects\VS
Source: C:\Users\user\Desktop\VALUESearch.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: VALUESearch.exe String found in binary or memory: ;application/vnd.adobe.air-application-installer-package+zip
Source: VALUESearch.exe String found in binary or memory: application/vnd.groove-help
Source: VALUESearch.exe String found in binary or memory: "application/x-install-instructions
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: olepro32.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Excel\AddIns\VALUESearch.XLL\ Jump to behavior
Source: VALUESearch.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: VALUESearch.exe Static file information: File size 3837952 > 1048576
Source: VALUESearch.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2e0200
Source: VALUESearch.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: VALUESearch.exe Static PE information: section name: .didata
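The static PE findings above (11 sections, the non-standard .didata name, a .text section larger than 0x100000 bytes, DYNAMIC_BASE / NX_COMPAT / TERMINAL_SERVER_AWARE) all come from the COFF, optional and section headers. The script below is an added example, not part of this report or of the sample, that reproduces those checks in pure Python without pefile. It builds a PE32 image in memory with the header traits listed here; that image is constructed for the demonstration, so the additional section names (.itext and the rest of the Delphi-style layout), the virtual addresses and the zero-filled .text body are assumptions, not facts about VALUESearch.exe.

```python
"""Header-level PE triage reproducing the report's static checks (added example)."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
# Section names mainstream toolchains emit; anything else is reported as non-standard.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT", ".debug"}
MAX_NORMAL_SECTIONS = 10
BIG_TEXT = 0x100000
BIG_FILE = 1048576


def triage_pe(data: bytes) -> dict:
    """Parse DOS/COFF/optional/section headers and return flags, sections and findings."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _ts, _symp, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    bits = {0x10B: 32, 0x20B: 64}.get(magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # offset 70 in both PE32 and PE32+

    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].split(b"\0", 1)[0].decode("latin-1")
        vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})

    findings = []
    if nsec > MAX_NORMAL_SECTIONS:
        findings.append(f"Number of sections : {nsec} > {MAX_NORMAL_SECTIONS}")
    for s in sections:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"section name: {s['name']}")
        if s["name"] == ".text":
            if s["vsize"] > BIG_TEXT:
                findings.append(f"Virtual size of .text is bigger than: {BIG_TEXT:#x}")
            if s["rawsize"] > BIG_TEXT:
                findings.append(f"Raw size of .text is bigger than: {BIG_TEXT:#x} < {s['rawsize']:#x}")
        # Header claims data the file does not contain: truncated sample or a packer stub.
        if s["rawptr"] + s["rawsize"] > len(data):
            findings.append(f"section {s['name']} claims raw data past end of file")
    if len(data) > BIG_FILE:
        findings.append(f"File size {len(data)} > {BIG_FILE}")

    return {
        "machine": f"{machine:#06x}", "bits": bits,
        "characteristics": [n for b, n in FILE_CHARACTERISTICS.items() if chars & b],
        "dll_characteristics": [n for b, n in DLL_CHARACTERISTICS.items() if dll_chars & b],
        "sections": sections, "findings": findings,
    }


def _section_header(name: str, vsize: int, vaddr: int, rawsize: int, rawptr: int, flags: int) -> bytes:
    return struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)


def build_sample_pe() -> bytes:
    """Constructed PE32 with the header traits listed in the report (NOT the real binary)."""
    names = [".text", ".itext", ".data", ".bss", ".idata", ".didata",
             ".edata", ".tls", ".rdata", ".reloc", ".rsrc"]  # 11 sections, assumed Delphi-style layout
    opt_size, text_ptr, text_raw = 224, 0x400, 0x2E0200
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, len(names), 0, 0, 0, opt_size, 0x0002 | 0x0100)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x8000)        # DYNAMIC_BASE|NX_COMPAT|TSAWARE
    secs = b"".join(
        _section_header(n, 0x2E1000 if n == ".text" else 0x1000, 0x1000 * (i + 1),
                        text_raw if n == ".text" else 0, text_ptr if n == ".text" else 0,
                        0x60000020 if n == ".text" else 0xC0000040)
        for i, n in enumerate(names))
    headers = dos + b"PE\0\0" + coff + bytes(opt) + secs
    return headers.ljust(text_ptr, b"\0") + bytes(text_raw)          # .text body is zero filler


if __name__ == "__main__":
    for line in triage_pe(build_sample_pe())["findings"]:
        print("Static PE information:", line)
```

Run against a real file with `triage_pe(open(path, "rb").read())`. The extra bounds check (raw data claimed past end of file) is not one of the report's signatures; it is there because the same header fields that drive the "bigger than" checks are the first thing a packer or a truncated download lies about.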
Source: C:\Users\user\Desktop\VALUESearch.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VALUESearch.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: VALUESearch.exe, 00000000.00000002.3283829238.0000000000B25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: VALUESearch.exe, 00000000.00000002.3283829238.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0v
Source: C:\Users\user\Desktop\VALUESearch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
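The two Sigma hits (Office Autorun Keys Modification, Potential Persistence Via Visual Studio Tools for Office) and the opened key HKEY_CURRENT_USER\Software\Microsoft\Office\Excel\AddIns\VALUESearch.XLL\ point at Excel add-in registration. The report records only that the key was opened, not that a value was written, so persistence has to be confirmed on the host. The script below is an added example, not part of this report or of the vendor's software: it parses a `reg export` text dump of HKCU\Software\Microsoft\Office so the check can run offline on a collected artefact. The COM add-in location (Office\Excel\AddIns\<ProgID> with LoadBehavior) is the one the report names; the XLL autoload location (Office\<version>\Excel\Options, values OPEN, OPEN1, ...) is a second place Excel reads at startup that the report does not cite. SAMPLE_REG is constructed, and the add-in name and paths in it are hypothetical.

```python
"""Offline check of Excel add-in autorun locations from a .reg export (added example)."""
import re

# Constructed sample of a `reg export HKCU\Software\Microsoft\Office` dump; names/paths are hypothetical.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\Excel\AddIns\Example.XLL]
"LoadBehavior"=dword:00000003
"FriendlyName"="Example add-in"

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options]
"OPEN"="/R \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\AddIns\\Example.xll\""
"DefaultPath"="C:\\Users\\user\\Documents"

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000002
"""

# COM add-in LoadBehavior values as documented for Office COM add-in registration.
LOAD_BEHAVIOR = {0: "do not load", 1: "loaded once, not automatic", 2: "load at startup (unloaded now)",
                 3: "load at startup", 8: "load on demand", 9: "loaded, load on demand",
                 16: "load first time, then on demand"}

COM_ADDIN_KEY = re.compile(r"\\Software\\Microsoft\\Office\\Excel\\AddIns\\([^\\]+)$", re.I)
OPTIONS_KEY = re.compile(r"\\Software\\Microsoft\\Office\\(\d+\.\d+)\\Excel\\Options$", re.I)
OPEN_VALUE = re.compile(r"^OPEN\d*$", re.I)
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _decode(raw: str):
    """Turn a .reg value literal into a Python value (strings and dwords only)."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        # .reg escapes: \" for a quote, \\ for a backslash
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw  # hex:, expand-string etc. left untouched


def _xll_path(open_value: str) -> str:
    """OPEN values look like: /R "C:\\path\\addin.xll" (the /R switch and quotes are optional)."""
    v = open_value.strip()
    if v.upper().startswith("/R"):
        v = v[2:].strip()
    return v.strip('"')


def parse_reg(text: str) -> dict:
    """Map each key path in the export to its {value name: value} dict."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line.strip())
        if m and current is not None:
            keys[current][m.group(1)] = _decode(m.group(2))
    return keys


def find_excel_autoruns(text: str) -> list:
    """Return every COM add-in registration and every XLL OPEN entry found in the export."""
    hits = []
    for key, values in parse_reg(text).items():
        m = COM_ADDIN_KEY.search(key)
        if m:
            lb = values.get("LoadBehavior")
            hits.append({"kind": "com_addin", "key": key, "name": m.group(1),
                         "load_behavior": lb, "load_behavior_desc": LOAD_BEHAVIOR.get(lb, "unknown"),
                         "friendly_name": values.get("FriendlyName")})
            continue
        m = OPTIONS_KEY.search(key)
        if m:
            for name, val in values.items():
                if OPEN_VALUE.match(name) and isinstance(val, str):
                    hits.append({"kind": "xll_open", "key": key, "office_version": m.group(1),
                                 "value_name": name, "path": _xll_path(val)})
    return hits


if __name__ == "__main__":
    for h in find_excel_autoruns(SAMPLE_REG):
        print(h)
```

Feed it the text of a `reg export` file (decode UTF-16 first, which is what reg.exe writes) and compare each reported path against what is actually on disk and who signed it; a LoadBehavior of 3 or an OPEN value pointing at a user-writable directory is the combination worth escalating.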