Analysis
- max time kernel: 155s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/12/2023, 08:55
Static task: static1

Behavioral task: behavioral1
- Sample: 13d831dc1a1f847ee12138e3c9a7372b.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 13d831dc1a1f847ee12138e3c9a7372b.exe
- Resource: win10v2004-20231215-en
General
- Target: 13d831dc1a1f847ee12138e3c9a7372b.exe
- Size: 971KB
- MD5: 13d831dc1a1f847ee12138e3c9a7372b
- SHA1: 2a4a6ce1c2eb7dbefa6ddefb9371e75ce24fb82a
- SHA256: b67f59199bd095c15594247e3d90a1e2802c91e020fbaed441d75ea01f64046f
- SHA512: ca8169a661c97e91563ed78bdd9607918dc894e8f6323f09211af3b1ea05a11fbcc941bdf7ab7481e61fd2cefa4f29ea19181ea1705a49d60d17e6a188944332
- SSDEEP: 24576:0nGQ1GAbB7wZbsMfjtYf6FsNehkg6MFKrLlKxNmMh++Q:KLQyMs+hW+k9wKrLlsBQ
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  4800  BI.exe
  2212  BI.exe
- Loads dropped DLL (11 IoCs)
  pid   Process
  1760  13d831dc1a1f847ee12138e3c9a7372b.exe
  1760  13d831dc1a1f847ee12138e3c9a7372b.exe
  4800  BI.exe
  4800  BI.exe
  4800  BI.exe
  1760  13d831dc1a1f847ee12138e3c9a7372b.exe
  1760  13d831dc1a1f847ee12138e3c9a7372b.exe
  1760  13d831dc1a1f847ee12138e3c9a7372b.exe
  2212  BI.exe
  2212  BI.exe
  2212  BI.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (13 IoCs)
  pid   Process
  1760  13d831dc1a1f847ee12138e3c9a7372b.exe  (13 identical entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                               procid_target
  PID 1760 wrote to memory of 4800  1760  13d831dc1a1f847ee12138e3c9a7372b.exe  91
  PID 1760 wrote to memory of 4800  1760  13d831dc1a1f847ee12138e3c9a7372b.exe  91
  PID 1760 wrote to memory of 4800  1760  13d831dc1a1f847ee12138e3c9a7372b.exe  91
  PID 1760 wrote to memory of 2212  1760  13d831dc1a1f847ee12138e3c9a7372b.exe  102
  PID 1760 wrote to memory of 2212  1760  13d831dc1a1f847ee12138e3c9a7372b.exe  102
  PID 1760 wrote to memory of 2212  1760  13d831dc1a1f847ee12138e3c9a7372b.exe  102
Processes
- C:\Users\Admin\AppData\Local\Temp\13d831dc1a1f847ee12138e3c9a7372b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13d831dc1a1f847ee12138e3c9a7372b.exe"
  PID: 1760
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\nssA56A.tmp\BI.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\nssA56A.tmp\BI.exe { "json_send_time" : "1/1/2024 16:56:49:148" , "product_id_version" : "" , "product_type" : "" , "product_id" : "" , "offer_id" : "52183" , "user_type" : "NULL" , "result" : "Success" , "user_operating_system_bits" : "" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "1" , "is_silent" : "" , "user_ms_dotnet_framework_ver" : "" , "user_acount_type" : "" , "user_ie_version" : "" , "user_default_browser_version" : "" , "user_default_browser" : "" , "user_service_pack" : "" , "user_operating_system" : "" , "revision_number" : "0" , "build_id" : "00000000" , "dm_version" : "1.3.7.9_NoStatic.130521.01" , "bundle_id" : "493d262d-b4c3-4055-a832-4cc2d2323e08" , "machine_user_id" : "{83B5E9B0-A5BF-49AC-8104-B12C85580D99}" , "send_attempt" : "0" , "channel_id" : "" , "installation_session_id" : "C382619B-5B4F-4B2B-8999-918E83970240" , "publisher_internal_id" : "1" , "publisher_id" : "Brothersoft" , "publisher_account_id" : "Brothersoft" , "order" : "1.0" , "phase" : "Init" , "Is_Test" : "0" }
    PID: 4800
    - Executes dropped EXE
    - Loads dropped DLL
  - C:\Users\Admin\AppData\Local\Temp\nssA56A.tmp\BI.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\nssA56A.tmp\BI.exe { "user_ie_security_level" : "" , "json_send_time" : "1/1/2024 16:57:40:210" , "internal_error_description" : "HttpPost result: try1- SendRequest Error; try2- SendRequest Error; try3- SendRequest Error" , "internal_error_number" : "3" , "is_parallel" : "0" , "mrs_id" : "" , "vector_id" : "" , "rule_id" : "" , "product_id_version" : "" , "product_type" : "" , "product_id" : "" , "offer_id" : "52183" , "general_status_code" : "2" , "duration_details" : " InitPluginsDir:0 initializeParams:140 load_BITool:63 send_BI_Init:31 load_DownloadACC:16 retrieveUISource:0 unpack_webappfolder:0 unpack_icon:15 RetrieveMainOfferKey:0 unpack_OpenCandyDll:141 load_webapphost:0 unpack_ProxyInstaller:0 navigate_loadingUI:656 navigateAsync_constMainOffer:0 BuildUserProfile:0 retrieve cid:0 callService1:19328 callService1:14844 callService1:16031 " , "phase_duration" : "" , "error_details" : "Failed communicate with the DistributionEngineService. Inner Error: SendRequest Error " , "result" : "Error" , "user_operating_system_bits" : "" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "1" , "is_silent" : "" , "user_ms_dotnet_framework_ver" : "" , "user_acount_type" : "" , "user_ie_version" : "" , "user_default_browser_version" : "" , "user_default_browser" : "" , "user_service_pack" : "" , "user_operating_system" : "" , "revision_number" : "0" , "build_id" : "00000000" , "dm_version" : "1.3.7.9_NoStatic.130521.01" , "bundle_id" : "493d262d-b4c3-4055-a832-4cc2d2323e08" , "machine_user_id" : "{83B5E9B0-A5BF-49AC-8104-B12C85580D99}" , "send_attempt" : "0" , "channel_id" : "" , "installation_session_id" : "C382619B-5B4F-4B2B-8999-918E83970240" , "publisher_internal_id" : "1" , "publisher_id" : "Brothersoft" , "publisher_account_id" : "Brothersoft" , "order" : "2.0" , "phase" : "InitComplete" , "Is_Test" : "0" }
    PID: 2212
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 75KB
  MD5: 1adf1396f52601d12f1223f403e5626b
  SHA1: f9cba0fa24ff2e8e046c56986e8e4216a7a9f44a
  SHA256: 6661a06ada916833eb5dcc802513c2936e902cbd5acd9884519c99c2f5a7d670
  SHA512: eaa583bede82c2b2544108669e8d4e998150a0cd11a79bb6b20f3daeccf06abcc8642debde08612d9690a0636d50b996a8b9da8c2bf16cdeeccd963c6a08362b
- Filesize: 17KB
  MD5: a4f38d1c7a480f5da1bb8097b8b939db
  SHA1: b3129c2a0e61881381463f5e0cbbffa573daa845
  SHA256: e1180e1e3344c7536150275e33de53dc1dd1a3ca03be66c4d4875fe5bcd4e436
  SHA512: fed89f7ee9364fc2f4b9f82c4563713497043947e98dbb03e7d755681adf3ae661aba80d08e59988a23695fc64481b69d9842b7ec7d2b572cc872c4c9957febc
- Filesize: 738KB
  MD5: 6613cd74e6bd049b4f9b9295a17ae4fd
  SHA1: 138c5a96b6012f46b88e8b60aac9a365852b9e8b
  SHA256: 65b7afa0c263db4e3ff726247d5864ae4463c7618bd9756e486a2c206e97c09f
  SHA512: 906fc13c560cd8f302a3e1b2302071bb64bba05176319d1ba8036524a2d2d5982f20fd10b8dff945bbcebaace1872697108f1da0174c439f34c3a788b48754fb
- Filesize: 29KB
  MD5: dccdcb124064a1d9a5eb12232348b898
  SHA1: f294fac154cb1c6c18fe054ac584f767594b93fb
  SHA256: 37adc0183d94ae6ca1895643423dac0c97750d7103e6b00c14299dfc4ad2271e
  SHA512: bd89bcd513bb7120db80e1115b4caceaa18c4ea863fe29b232002d447c3813133ff2849fcb2d4df45e3ff67e0e0d9d340d61060b9c74045b17efa5b1c1f5b05e