Analysis
max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 08:55
Static task: static1
Behavioral task: behavioral1
  Sample: 13d831dc1a1f847ee12138e3c9a7372b.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 13d831dc1a1f847ee12138e3c9a7372b.exe
  Resource: win10v2004-20231215-en
General
Target: 13d831dc1a1f847ee12138e3c9a7372b.exe
Size: 971KB
MD5: 13d831dc1a1f847ee12138e3c9a7372b
SHA1: 2a4a6ce1c2eb7dbefa6ddefb9371e75ce24fb82a
SHA256: b67f59199bd095c15594247e3d90a1e2802c91e020fbaed441d75ea01f64046f
SHA512: ca8169a661c97e91563ed78bdd9607918dc894e8f6323f09211af3b1ea05a11fbcc941bdf7ab7481e61fd2cefa4f29ea19181ea1705a49d60d17e6a188944332
SSDEEP: 24576:0nGQ1GAbB7wZbsMfjtYf6FsNehkg6MFKrLlKxNmMh++Q:KLQyMs+hW+k9wKrLlsBQ
Malware Config
Signatures
Executes dropped EXE 2 IoCs
  pid   Process
  2800  BI.exe
  1664  BI.exe
Loads dropped DLL 15 IoCs
  pid   Process
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2800  BI.exe
  2800  BI.exe
  2800  BI.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  1664  BI.exe
  1664  BI.exe
  1664  BI.exe
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
  description      ioc                                                                                                                            Process
  Key created      \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main                         13d831dc1a1f847ee12138e3c9a7372b.exe
  Key created      \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch           13d831dc1a1f847ee12138e3c9a7372b.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  13d831dc1a1f847ee12138e3c9a7372b.exe
Suspicious use of SetWindowsHookEx 13 IoCs
  pid   Process
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
  2236  13d831dc1a1f847ee12138e3c9a7372b.exe
Suspicious use of WriteProcessMemory 8 IoCs
  description                        pid   Process                               procid_target
  PID 2236 wrote to memory of 2800   2236  13d831dc1a1f847ee12138e3c9a7372b.exe  28
  PID 2236 wrote to memory of 2800   2236  13d831dc1a1f847ee12138e3c9a7372b.exe  28
  PID 2236 wrote to memory of 2800   2236  13d831dc1a1f847ee12138e3c9a7372b.exe  28
  PID 2236 wrote to memory of 2800   2236  13d831dc1a1f847ee12138e3c9a7372b.exe  28
  PID 2236 wrote to memory of 1664   2236  13d831dc1a1f847ee12138e3c9a7372b.exe  32
  PID 2236 wrote to memory of 1664   2236  13d831dc1a1f847ee12138e3c9a7372b.exe  32
  PID 2236 wrote to memory of 1664   2236  13d831dc1a1f847ee12138e3c9a7372b.exe  32
  PID 2236 wrote to memory of 1664   2236  13d831dc1a1f847ee12138e3c9a7372b.exe  32
Processes
C:\Users\Admin\AppData\Local\Temp\13d831dc1a1f847ee12138e3c9a7372b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13d831dc1a1f847ee12138e3c9a7372b.exe"
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2236
  C:\Users\Admin\AppData\Local\Temp\nsi4C3E.tmp\BI.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\nsi4C3E.tmp\BI.exe { "json_send_time" : "1/1/2024 16:56:33:917" , "product_id_version" : "" , "product_type" : "" , "product_id" : "" , "offer_id" : "52183" , "user_type" : "NULL" , "result" : "Success" , "user_operating_system_bits" : "" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "1" , "is_silent" : "" , "user_ms_dotnet_framework_ver" : "" , "user_acount_type" : "" , "user_ie_version" : "" , "user_default_browser_version" : "" , "user_default_browser" : "" , "user_service_pack" : "" , "user_operating_system" : "" , "revision_number" : "0" , "build_id" : "00000000" , "dm_version" : "1.3.7.9_NoStatic.130521.01" , "bundle_id" : "493d262d-b4c3-4055-a832-4cc2d2323e08" , "machine_user_id" : "{1E3A8FB5-A891-4C43-A6EC-3C3D995605AF}" , "send_attempt" : "0" , "channel_id" : "" , "installation_session_id" : "0AEAE980-EC0B-4045-B4CA-6D0777DA0D14" , "publisher_internal_id" : "1" , "publisher_id" : "Brothersoft" , "publisher_account_id" : "Brothersoft" , "order" : "1.0" , "phase" : "Init" , "Is_Test" : "0" }
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2800
  C:\Users\Admin\AppData\Local\Temp\nsi4C3E.tmp\BI.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\nsi4C3E.tmp\BI.exe { "user_ie_security_level" : "" , "json_send_time" : "1/1/2024 16:57:16:115" , "internal_error_description" : "HttpPost result: try1- SendRequest Error; try2- SendRequest Error; try3- SendRequest Error" , "internal_error_number" : "3" , "is_parallel" : "0" , "mrs_id" : "" , "vector_id" : "" , "rule_id" : "" , "product_id_version" : "" , "product_type" : "" , "product_id" : "" , "offer_id" : "52183" , "general_status_code" : "2" , "duration_details" : " InitPluginsDir:0 initializeParams:249 load_BITool:31 send_BI_Init:63 load_DownloadACC:31 retrieveUISource:0 unpack_webappfolder:0 unpack_icon:0 RetrieveMainOfferKey:0 unpack_OpenCandyDll:47 load_webapphost:0 unpack_ProxyInstaller:0 navigate_loadingUI:546 navigateAsync_constMainOffer:0 BuildUserProfile:0 retrieve cid:0 callService1:12262 callService1:17238 callService1:12012 " , "phase_duration" : "" , "error_details" : "Failed communicate with the DistributionEngineService. Inner Error: SendRequest Error " , "result" : "Error" , "user_operating_system_bits" : "" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "1" , "is_silent" : "" , "user_ms_dotnet_framework_ver" : "" , "user_acount_type" : "" , "user_ie_version" : "" , "user_default_browser_version" : "" , "user_default_browser" : "" , "user_service_pack" : "" , "user_operating_system" : "" , "revision_number" : "0" , "build_id" : "00000000" , "dm_version" : "1.3.7.9_NoStatic.130521.01" , "bundle_id" : "493d262d-b4c3-4055-a832-4cc2d2323e08" , "machine_user_id" : "{1E3A8FB5-A891-4C43-A6EC-3C3D995605AF}" , "send_attempt" : "0" , "channel_id" : "" , "installation_session_id" : "0AEAE980-EC0B-4045-B4CA-6D0777DA0D14" , "publisher_internal_id" : "1" , "publisher_id" : "Brothersoft" , "publisher_account_id" : "Brothersoft" , "order" : "2.0" , "phase" : "InitComplete" , "Is_Test" : "0" }
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1664
Network
MITRE ATT&CK Enterprise v15
Downloads