16bd53faca8c7993da417cee86d52ec1d8df5d876b18134fab008ab11e67ed1c

Analysis

max time kernel
140s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27/01/2024, 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79a4be9c06f2d6acd0f24adde9488037.exe
Size

159KB
MD5

79a4be9c06f2d6acd0f24adde9488037
SHA1

2aae36bfcd5106e3b283e1bf567afb8de961a2de
SHA256

16bd53faca8c7993da417cee86d52ec1d8df5d876b18134fab008ab11e67ed1c
SHA512

bb53f0183e1519d99b244bbc0954cb8301c52e451b7eb425b59b2db25d9fe1eaec1c9e618b7bb356e23de8fda3d64a572c229ecf5770d4ff269a85725de445ed
SSDEEP

3072:v22ihA0m3BJf0AeUoNnC70froVkPl4ggueUNwCZVnqEXnjvp+9:gA0m3T0AeNC70DoVkngudxnqIzpA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2396	biclient.exe

Loads dropped DLL 1 IoCs

pid	Process
1224	79a4be9c06f2d6acd0f24adde9488037.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	biclient.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	biclient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	biclient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	biclient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	biclient.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2396	biclient.exe
2396	biclient.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2396	1224	79a4be9c06f2d6acd0f24adde9488037.exe	28
PID 1224 wrote to memory of 2396	1224	79a4be9c06f2d6acd0f24adde9488037.exe	28
PID 1224 wrote to memory of 2396	1224	79a4be9c06f2d6acd0f24adde9488037.exe	28
PID 1224 wrote to memory of 2396	1224	79a4be9c06f2d6acd0f24adde9488037.exe	28
PID 1224 wrote to memory of 2396	1224	79a4be9c06f2d6acd0f24adde9488037.exe	28
PID 1224 wrote to memory of 2396	1224	79a4be9c06f2d6acd0f24adde9488037.exe	28
PID 1224 wrote to memory of 2396	1224	79a4be9c06f2d6acd0f24adde9488037.exe	28

C:\Users\Admin\AppData\Local\Temp\79a4be9c06f2d6acd0f24adde9488037.exe
"C:\Users\Admin\AppData\Local\Temp\79a4be9c06f2d6acd0f24adde9488037.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\biclient.exe
  "C:\Users\Admin\AppData\Local\Temp\biclient.exe" /initurl http://bi.bisrv.com/:affid:/:sid:/:uid:? /affid "ffonts" /id "rudiment" /name "Rudiment" /uniqid 79a4be9c06f2d6acd0f24adde9488037
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
babe3307dfb7fe6f9116a92285ef5410

SHA1
f2c5e1a9be68de314fdbf7a7f36c4aa3f3cabd43

SHA256
e1eeba7945758616ecde0f004989360a5903c4b4fdd46f587510b4db61cad98f

SHA512
91c177f75e07c861b68b39de8a9978c6a63ea0342c917d0192ed866283701ffd06f8e240902df80f73a819f7b5773f81db359b98b6b077b64b577384639c4134

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d1dc91a1ce6d9c511ef06c3b89ec69c4

SHA1
586bc1a245db9f125e20e45185cefee370f12d16

SHA256
2658031badc0784f97ea1cc5e0ccc0fd1d5de5c0fc84a1e32bbc79f1547708ce

SHA512
4694da3d432be0fb610beb502f2a2b9bd0b24edb56e17e09460b74a4d87f2edd75e3d70beea295e3019625517476ff1e3850236fcd66176996681bc161f9d9d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d02a2cc9298757f63fabcfe451a509d7

SHA1
1e80360cc19267540571b025dc16d948728ef503

SHA256
25ff7477fe02959f74aa0f60d8c385343077df41a28baafa01f856b229ba1d17

SHA512
34edc5bed904f12dfac4507e0d02172f14cdcbe47b68ab396bff850ef40a2dc252d1585bb3616979576ccaad21fcb92f1d1fefc1cfd53897b65832cfc8ae5836

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d6afe3973d85883a4268536375cce11

SHA1
b2a275cea8c3b80c3f4d245ae286c0697f61e447

SHA256
26b933d27336a2c16f1466375dede2801ae767c3f1852678329a78663a64fbb0

SHA512
56a5cde2b05e91bd829921504d39c50a6be75de1dabb68e0480d671b011ddf916da3b14640eecd80f81b311c93fb859844fc3ad5123dec76af73dbbf50bbb511

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab3206aaacaf6af40abe467f98d83f94

SHA1
77afe93597ba24d580f32b754089c39edd043deb

SHA256
348f96b29f04e1213ca44331e974c570dd446e22008d8aca7c2aaf38b4fc0690

SHA512
f0e55c868015732fb776aa704a44fc507c620359f1e2a4d5c72cc0453c16cb61f49e125db96625c7ffbd889fc9b8158012826e43423acd7a8efcdffa88eb395d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2b1b06d43cc79ba055944c9f3906c905

SHA1
20719330cdd552bf9882242d7ad11e1ef367793b

SHA256
f2e4c11f258871a2dc4da3f0daf33182adaa5775d3115d341a01a99389d5bbd7

SHA512
5c5118547d2fdb6a4c20bed783bf97a31c884ea2aecd263f4ec3ca1a1f28574bc8763b7cb52bf8b527067f97dc73ce66a7ef8800d282b243a8e1860be58ab636

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
156d143775dd4517b83f4a590a38881a

SHA1
97a8cd3cfcb0d8d64981bf6f9eb10fcd482e958b

SHA256
579976e6d5b0af6c436d018c3faee016efd68ccb16fb842fc1dfd9755ac71a5b

SHA512
3d1c1f513607014d5f863d729e27295828dfd52491d201536acfcd5d09480bb4460fb4c4eca19ae3fe87ece5035f3c406387acd18b8105ea8de0d58cd73421fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
144943d87b77c8be3b08127a8bba0cd9

SHA1
84afacbe7897bed87a755efc19e0d51f0d1f7291

SHA256
7b7dba459684fd8eaed49f0eece996a9ebd6546245384b84a52c0c01529874d9

SHA512
be52e98ebd0442671201837209fccba1bb4a888a20a411df8c9b796e6643b1dba0ed77aaad9e8a167862c10b8d5c250f73d8b73c52d926465276789d36af57c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45d40d2c7d96b194d7fefd8f26909ae1

SHA1
76dc620f0b518340604ab77296253fbfb7fbfc9b

SHA256
1761652dae7aedda26e257a7eab8511876f1c82c9842eb7582d505f8c06bcaec

SHA512
b540a35eab4f741c6e6d78aa02aed09ec08cb0a5792d6f87c3feb988ea346451d5de6646ad028f2c8dfa2063a62df5eb01930e2a500c134b5557e58c15b4ee56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab126A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar127D.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
79B

MD5
94382c9eb2a230a2d1decc02f145474d

SHA1
897c93ad5908cc13d9d8a7afa12b4be5d376de56

SHA256
6e5fae72462f715535bebca2278606bdc8195193cb65a025376599e79b7a881f

SHA512
77f3cc27dbd8c818846b358e0ecc0c78a98aaa24033fb3af2c0e5e91ccef13ed8e6e1b0bf49fd8d262a79d0bc451066179ead138d7e3662d3254a313b7d07aea

Download Submit
\Users\Admin\AppData\Local\Temp\biclient.exe

Filesize
219KB

MD5
c66293ccd7cbe84b1b8f393ca5e4e6d7

SHA1
c24089d407e6280b79bec86532e9de0118e4de71

SHA256
ffbae29e2f233767fd42909720497165ce3552427ef93efb2fc714fb4204755f

SHA512
7ff97aa71f182035f90ba10c3bf8087280e3f34bf717bda139d642f4e043c64aa2b98d82a90a32f1df4b76f9d7610af62390fe934e514c90c703381a421c00b7

Download Submit
memory/1224-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2396-17-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2396-521-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads