Windows Analysis Report
VALUESearchUpdater.exe

Overview

General Information

Sample name: VALUESearchUpdater.exe
Analysis ID: 1546345
MD5: 4ab61ee925a3c1d719ebce6214ecdb45
SHA1: 42856c8176a27060ddc20d284187cd86183fdfb2
SHA256: 9ad2b8535a844e9da74ab6d99bdc9b6f264ccb7e2fb1fcb143f7de46f2334156

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files

Classification

Source: VALUESearchUpdater.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 3.36.251.235:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: VALUESearchUpdater.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49704 -> 3.36.251.235:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49703 -> 3.36.251.235:443
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.7:49959
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.7:49746
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected:
  GET /files/publish/xlllibver.txt HTTP/1.1
  Connection: Keep-Alive
  Accept: application/json, text/plain, */*
  Accept-Charset: utf-8
  Accept-Language: ko-KR
  User-Agent: Zewus Agent
  Host: valuesearch.co.kr
Source: global traffic HTTP traffic detected:
  GET /files/publish/valuesearchn.zip HTTP/1.1
  Connection: Keep-Alive
  Accept: application/json, text/plain, */*
  Accept-Charset: utf-8
  Accept-Language: ko-KR
  User-Agent: Zewus Agent
  Host: valuesearch.co.kr
Source: global traffic DNS traffic detected: DNS query: valuesearch.co.kr
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Thu, 31 Oct 2024 18:46:02 GMT
  Content-Type: text/html; charset=utf-8
  Content-Length: 45
  Connection: close
  Server: VALUESearch - 1.95.0.1581
Source: VALUESearchUpdater.exe, 00000000.00000002.1299278175.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, VALUESearchUpdater.exe, 00000000.00000003.1298175516.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp, VALUESearchUpdater.exe, 00000000.00000003.1298175516.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, VALUESearchUpdater.exe, 00000000.00000002.1299278175.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://valuesearch.co.kr/
Source: VALUESearchUpdater.exe, 00000000.00000003.1298175516.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, VALUESearchUpdater.exe, 00000000.00000002.1299278175.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://valuesearch.co.kr/70
Source: VALUESearchUpdater.exe String found in binary or memory: https://valuesearch.co.kr/files/publish/
Source: VALUESearchUpdater.exe, 00000000.00000003.1298175516.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, VALUESearchUpdater.exe, 00000000.00000003.1298375804.000000000291B000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://valuesearch.co.kr/files/publish/valuesearchn.zip
Source: VALUESearchUpdater.exe, 00000000.00000003.1298175516.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://valuesearch.co.kr/files/publish/valuesearchn.zipGN
Source: VALUESearchUpdater.exe String found in binary or memory: https://valuesearch.co.kr/files/publish/xlllibver.txt
Source: VALUESearchUpdater.exe, 00000000.00000003.1262311074.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://valuesearch.co.kr/files/publish/xlllibver.txtC
Source: VALUESearchUpdater.exe, 00000000.00000003.1262311074.0000000000C81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://valuesearch.co.kr/files/publish/xlllibver.txttia
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: VALUESearchUpdater.exe Static PE information: Number of sections : 11 > 10
Source: VALUESearchUpdater.exe, 00000000.00000003.1298375804.000000000293C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs VALUESearchUpdater.exe
Source: classification engine Classification label: clean3.winEXE@1/1@1/1
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe File created: C:\Users\user\Desktop\valuesearchn.zip
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: VALUESearchUpdater.exe String found in binary or memory: ;application/vnd.adobe.air-application-installer-package+zip
Source: VALUESearchUpdater.exe String found in binary or memory: application/vnd.groove-help
Source: VALUESearchUpdater.exe String found in binary or memory: "application/x-install-instructions
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Excel\AddIns\VALUESearch.XLL\
Source: VALUESearchUpdater.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: VALUESearchUpdater.exe Static file information: File size 3151872 > 1048576
Source: VALUESearchUpdater.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x290400
Source: VALUESearchUpdater.exe Static PE information: section name: .didata
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe TID: 7484 Thread sleep time: -30000s >= -30000s
Source: VALUESearchUpdater.exe, 00000000.00000003.1298175516.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, VALUESearchUpdater.exe, 00000000.00000002.1299182990.0000000000C62000.00000004.00000020.00020000.00000000.sdmp, VALUESearchUpdater.exe, 00000000.00000002.1299278175.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\VALUESearchUpdater.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid