368aef862ede5f8112bb0d096a02a17fe0f21c9bf9b6dbe7ff2737a71ea04d28

General

Target

dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
Size

1.3MB
MD5

3f705a7387cf12af6e397b345b09e241
SHA1

0c0ac5248bcfae2f769d4805347ebb82306c229f
SHA256

dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c
SHA512

29cd6f21330423f4f7ab732b70fe60deb587d6c1cf15803bd5d6a5618586a81dd88a1baf2af4655db39180e85533462d2d9335988473b14706102d52181d63a0
SSDEEP

24576:QTvRhpBjV5A7oL9lbMmaTi1cEWuqpdbfbCuMpc+:QTZhjV20LyacE1qpJjCux+

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	BDinit.exe

Executes dropped EXE 2 IoCs

pid	Process
1256	BDinit.exe
644	BDinit.exe

Loads dropped DLL 9 IoCs

pid	Process
2072	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
2072	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
2072	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
2072	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
2072	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
1256	BDinit.exe
2072	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
644	BDinit.exe
2072	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\nsy8BE5.tmp	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsy8BE4.tmp\	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
File opened for modification	C:\Program Files (x86)\Common Files\log.dll	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
File created	C:\Program Files (x86)\Common Files\BDinit.exe	BDinit.exe
File opened for modification	C:\Program Files (x86)\Common Files\BDinit.exe	BDinit.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsy8BE2.tmp	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsy8BE3.tmp	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsy8BE4.tmp	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsy8BE2.tmp\	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
File created	C:\Program Files (x86)\Common Files\log.dll	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3128	2072	WerFault.exe	16
4928	644	WerFault.exe	48

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1256	BDinit.exe
1256	BDinit.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2072	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2072	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
2072	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 1256	2072	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe	47
PID 2072 wrote to memory of 1256	2072	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe	47
PID 2072 wrote to memory of 1256	2072	dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe	47
PID 1256 wrote to memory of 644	1256	BDinit.exe	48
PID 1256 wrote to memory of 644	1256	BDinit.exe	48
PID 1256 wrote to memory of 644	1256	BDinit.exe	48

C:\Users\Admin\AppData\Local\Temp\dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe
"C:\Users\Admin\AppData\Local\Temp\dfe3c14fea77ea02a85f2317ed77f2e2814ce9e6c609404a1a954e22ccb2873c.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\nsx8B92.tmp\BDinit.exe
  "C:\Users\Admin\AppData\Local\Temp\nsx8B92.tmp\BDinit.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Program Files (x86)\Common Files\BDinit.exe
    "C:\Program Files (x86)\Common Files\BDinit.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1080
      4⤵
      Program crash
      PID:4928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 2468
  2⤵
  - Program crash
  PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2072 -ip 2072
1⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 644 -ip 644
1⤵
PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsx8B92.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx8B92.tmp\UAC.dll

Filesize
28KB

MD5
d23b256e9c12fe37d984bae5017c5f8c

SHA1
fd698b58a563816b2260bbc50d7f864b33523121

SHA256
ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c

SHA512
13f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx8B92.tmp\UserInfo.dll

Filesize
14KB

MD5
610ad03dec634768cd91c7ed79672d67

SHA1
dc8099d476e2b324c09db95059ec5fd3febe1e1e

SHA256
c6c413108539f141bea3f679e0e2ef705898c51ec7c2607f478a865fc5e2e2df

SHA512
18c3c92be81aadfa73884fe3bdf1fce96ccfbd35057600ef52788a871de293b64f677351ba2885c6e9ce5c3890c22471c92832ffc13ba544e9d0b347c5d33bfd

Download Submit

Analysis

Sharing