368aef862ede5f8112bb0d096a02a17fe0f21c9bf9b6dbe7ff2737a71ea04d28

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-01-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
Size

1.3MB
MD5

3f705a7387cf12af6e397b345b09e241
SHA1

0c0ac5248bcfae2f769d4805347ebb82306c229f
SHA256

dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c
SHA512

29cd6f21330423f4f7ab732b70fe60deb587d6c1cf15803bd5d6a5618586a81dd88a1baf2af4655db39180e85533462d2d9335988473b14706102d52181d63a0
SSDEEP

24576:QTvRhpBjV5A7oL9lbMmaTi1cEWuqpdbfbCuMpc+:QTZhjV20LyacE1qpJjCux+

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2244	BDinit.exe
1440	BDinit.exe

Loads dropped DLL 18 IoCs

pid	Process
2616	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
2616	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
2616	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
2616	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
2616	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
2616	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
2244	BDinit.exe
2616	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
2244	BDinit.exe
1440	BDinit.exe
2616	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\nso24C3.tmp	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
File created	C:\Program Files (x86)\Common Files\BDinit.exe	BDinit.exe
File opened for modification	C:\Program Files (x86)\Common Files\BDinit.exe	BDinit.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nso24C2.tmp	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nso24C2.tmp\	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nso24C4.tmp	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nso24C5.tmp	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nso24C4.tmp\	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
File created	C:\Program Files (x86)\Common Files\log.dll	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2052	1440	WerFault.exe	29

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2244	BDinit.exe
2244	BDinit.exe
2244	BDinit.exe
2244	BDinit.exe
2244	BDinit.exe
2244	BDinit.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2244	BDinit.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2616	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
2616	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2616	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
2616	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2244	2616	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe	28
PID 2616 wrote to memory of 2244	2616	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe	28
PID 2616 wrote to memory of 2244	2616	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe	28
PID 2616 wrote to memory of 2244	2616	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe	28
PID 2244 wrote to memory of 1440	2244	BDinit.exe	29
PID 2244 wrote to memory of 1440	2244	BDinit.exe	29
PID 2244 wrote to memory of 1440	2244	BDinit.exe	29
PID 2244 wrote to memory of 1440	2244	BDinit.exe	29
PID 1440 wrote to memory of 2052	1440	BDinit.exe	31
PID 1440 wrote to memory of 2052	1440	BDinit.exe	31
PID 1440 wrote to memory of 2052	1440	BDinit.exe	31
PID 1440 wrote to memory of 2052	1440	BDinit.exe	31

C:\Users\Admin\AppData\Local\Temp\dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
"C:\Users\Admin\AppData\Local\Temp\dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\nsy24B1.tmp\BDinit.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy24B1.tmp\BDinit.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Program Files (x86)\Common Files\BDinit.exe
    "C:\Program Files (x86)\Common Files\BDinit.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 608
      4⤵
      Loads dropped DLL
      Program crash
      PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2bf611cf0ffe631fadb108cf68af916a

SHA1
c8a8adbfa456e6d8bde405b4d5f74a8ca05d5234

SHA256
aeec35b9abbcdd094a15f652dd24a9ea1a997f2a6c4e7919d7e075d47fc1ada2

SHA512
076dd4e4169e9afe3482451e5a07f65e46dd09dbdd347e57553378f02de878c7dec98a90650a051520912fce4ab03757327c4002d976999a2038e211565bfb76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dec4c411ab8ecc528bad26170da72b3f

SHA1
de5ed9a550fdfa4c8ef7cce148cc47562dc2c468

SHA256
7cfee3f7629062689cba070b21de4c0a49e691f1de86f9ebca5aa6d9dffb68c2

SHA512
68ebda94038dcf30fa1f7fecbd64d4243981bbb764f9b449b82882b635716a06f7bdbd1ecb127d63ca91d19deb85d601c869678fca362734a546069059b8b641

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab63CA.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar63DD.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy24B1.tmp\InetBgDL.dll

Filesize
17KB

MD5
97c607f5d0add72295f8d0f27b448037

SHA1
dfb9a1aa1d3b1f7821152afaac149cad38c8ce3c

SHA256
dc98ed352476af459c91100b8c29073988da19d3adc73e2c2086d25f238544a5

SHA512
ad759062152869089558389c741876029198c5b98fa725e2d2927866dc8b416ae2de871cb2479f614f6d29b6f646bf7191d02837c3cabc15b8185b563bc46268

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy24B1.tmp\installing.html

Filesize
1KB

MD5
32de55f44c497811dd7ed7f227f5c28d

SHA1
c111be08e7f3d268e7a2ed160d0c30833f25ae4a

SHA256
6259f3a41a703f13466503e6fbd37ca40e94f565a2f4b4087fbcd87a13bf3ee1

SHA512
48bb6f24b3ee2f4b7052205a3843ea34f917ee192b70261d2438c037b0e17d48bce8beb4c31be4141e9618922a45b6b47745b797e5618f18fe00bfc1625309ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy24B1.tmp\installing.js

Filesize
2KB

MD5
dfa7861bca754036ab853b3bb02b194d

SHA1
46d7c5ba614b39caa4857fcba4bdedbabb2c67c0

SHA256
2c286b6eefd38f032a385f3ac6a1f794deab3bac0fbff71bd0ba21453f477878

SHA512
c58d96fb2496a84261a5e4b18cf4156a30f9ad161bbabc3652b6b5c24976f1ac432dced31927a9443260cdca0292524d1f691766b7c0731f926d37be11fe0c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy24B1.tmp\installing_page.css

Filesize
1KB

MD5
6582e207592b60a995b4510cf959eb03

SHA1
08afdebde481b653e04f89bedad0cba6c8dbd999

SHA256
43c38801c1746880625f97eee3fe37fe94d1300adf812bfe26e47b094b87523b

SHA512
0a5a5ce944b89f552a38300674c44cc9de4920e87c2aa2c3c63bbceedff1d80ab35ab31274bfa89e0acc518470f466a2d67d483147f2ca8061d68b770e2ebe48

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy24B1.tmp\log.dll

Filesize
643KB

MD5
379559a928d17a3822b1e06483960254

SHA1
750dbd7134e55963f3acc8615f3a944be2b940c8

SHA256
9952f3a2fbf87c6fa1f8e79e81e7dc303048ba2e96c6ffa08abe4295163182b1

SHA512
eeb6b40674b69683408865bb085a0ea6a0410a995d8dafa9d702879cae23c73115260e3fdb67e17cdf25e29d83ff7d46c0b4ce058a61689ba6401e233465baa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy24B1.tmp\stub_common.css

Filesize
684B

MD5
544b51f11ad19df720669478d28f129d

SHA1
d238b604fd3fa37dfd552eacdc6aacc474fcddad

SHA256
4d9495b6f0e18331659993b79440e414a6e607fcdaeacbc7477e0683cc0fa98b

SHA512
bbbb0f31839316c51464cfd225166145f968ce38995dc2748df5402b7e109ff6119d65b6774fc4738638ad4c9d89776516b00ab5a700097d9d74e1824a11dc5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy24B1.tmp\stub_common.js

Filesize
817B

MD5
58b8ac894c64370cfa137f5848aeb88d

SHA1
6a1ac1f88a918a232b79fe798b2de69cf433945f

SHA256
0e28aa770b0afade30be85c6dc1e50344db8f8cdd3fa01989d81a9e20a4990bd

SHA512
ae309518e0f926021e4d9378950c1a375263247d4f79d8a8cc09464cd01653ae5e707d52a4b0c36d532e649c246f4be6b5ba8648f58fb0e3e40c495ae63180ab

Download Submit
\Users\Admin\AppData\Local\Temp\nsy24B1.tmp\BDinit.exe

Filesize
192KB

MD5
8a8db1e20dc508af5a81fc00b1929468

SHA1
32e1ebec9672ad7cc5dc36d8a1c87bbf47a4fa9f

SHA256
386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd

SHA512
9c5747fd7563b29ecf43b71b5480b260b083892d37054ff77cc6c613c3db380ce2bdf990fb466edc8705f784b051dc1be208b454696e67eb0c90c20470f4ea87

Download Submit
\Users\Admin\AppData\Local\Temp\nsy24B1.tmp\CityHash.dll

Filesize
53KB

MD5
2021acc65fa998daa98131e20c4605be

SHA1
2e8407cfe3b1a9d839ea391cfc423e8df8d8a390

SHA256
c299a0a71bf57eb241868158b4fcfe839d15d5ba607e1bdc5499fdf67b334a14

SHA512
cb96d3547bab778cbe94076be6765ed2ae07e183e4888d6c380f240b8c6708662a3b2b6b2294e38c48bc91bf2cc5fc7cfcd3afe63775151ba2fe34b06ce38948

Download Submit
\Users\Admin\AppData\Local\Temp\nsy24B1.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy24B1.tmp\UAC.dll

Filesize
28KB

MD5
d23b256e9c12fe37d984bae5017c5f8c

SHA1
fd698b58a563816b2260bbc50d7f864b33523121

SHA256
ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c

SHA512
13f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e

Download Submit
\Users\Admin\AppData\Local\Temp\nsy24B1.tmp\UserInfo.dll

Filesize
14KB

MD5
610ad03dec634768cd91c7ed79672d67

SHA1
dc8099d476e2b324c09db95059ec5fd3febe1e1e

SHA256
c6c413108539f141bea3f679e0e2ef705898c51ec7c2607f478a865fc5e2e2df

SHA512
18c3c92be81aadfa73884fe3bdf1fce96ccfbd35057600ef52788a871de293b64f677351ba2885c6e9ce5c3890c22471c92832ffc13ba544e9d0b347c5d33bfd

Download Submit
\Users\Admin\AppData\Local\Temp\nsy24B1.tmp\WebBrowser.dll

Filesize
103KB

MD5
b53cd4ad8562a11f3f7c7890a09df27a

SHA1
db66b94670d47c7ee436c2a5481110ed4f013a48

SHA256
281a0dc8b4f644334c2283897963b20df88fa9fd32acca98ed2856b23318e6ec

SHA512
bb45d93ed13df24a2056040c219cdf36ee44c8cddb7e178fdaabcec63ac965e07f679ca1fa42591bba571992af619aa1dc76e819a7901709df79598a2b0cef81

Download Submit
memory/2616-28-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2616-197-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download