8d640da972040cdef95eee8c1f6f81511b2f79e61e6f3cbaeb434d1558a46b44

Analysis

max time kernel
107s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a2b791a2030ff731887e9b1d87d4090N.exe
Size

1.2MB
MD5

3a2b791a2030ff731887e9b1d87d4090
SHA1

9a6f330f6e8861b91bcfcd970dc3020d484cd7e6
SHA256

8d640da972040cdef95eee8c1f6f81511b2f79e61e6f3cbaeb434d1558a46b44
SHA512

f8cd6e916c8fa23a038005b4988509728015cec052c0facac316d044af33311d508f43a96fe7de7f576b57d5644640dc82e508f57518413959b3f00fb4a3bd36
SSDEEP

24576:ZAqAIz8AFJAbmThJW3MSiXFeAoXb0qXHL/qhNJmiljAhQ8nnd/smw/tw:+p28AQqUggbzHLqhHmiljAhQ8nndpw/m

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4020	BI.exe

Loads dropped DLL 6 IoCs

pid	Process
2648	3a2b791a2030ff731887e9b1d87d4090N.exe
2648	3a2b791a2030ff731887e9b1d87d4090N.exe
4020	BI.exe
4020	BI.exe
4020	BI.exe
2648	3a2b791a2030ff731887e9b1d87d4090N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4968	2648	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a2b791a2030ff731887e9b1d87d4090N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BI.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2648	3a2b791a2030ff731887e9b1d87d4090N.exe
2648	3a2b791a2030ff731887e9b1d87d4090N.exe
2648	3a2b791a2030ff731887e9b1d87d4090N.exe
2648	3a2b791a2030ff731887e9b1d87d4090N.exe
2648	3a2b791a2030ff731887e9b1d87d4090N.exe
2648	3a2b791a2030ff731887e9b1d87d4090N.exe
2648	3a2b791a2030ff731887e9b1d87d4090N.exe
2648	3a2b791a2030ff731887e9b1d87d4090N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 4020	2648	3a2b791a2030ff731887e9b1d87d4090N.exe	84
PID 2648 wrote to memory of 4020	2648	3a2b791a2030ff731887e9b1d87d4090N.exe	84
PID 2648 wrote to memory of 4020	2648	3a2b791a2030ff731887e9b1d87d4090N.exe	84

C:\Users\Admin\AppData\Local\Temp\3a2b791a2030ff731887e9b1d87d4090N.exe
"C:\Users\Admin\AppData\Local\Temp\3a2b791a2030ff731887e9b1d87d4090N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\nshBE40.tmp\BI.exe
  C:\Users\Admin\AppData\Local\Temp\nshBE40.tmp\BI.exe { "json_send_time" : "14/8/2024 12:35:2:603" , "product_id_version" : "" , "product_type" : "" , "product_id" : "" , "offer_id" : "442" , "user_type" : "NULL" , "result" : "Success" , "user_operating_system_bits" : "" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "1" , "is_silent" : "" , "user_ms_dotnet_framework_ver" : "" , "user_acount_type" : "" , "user_ie_version" : "" , "user_default_browser_version" : "" , "user_default_browser" : "" , "user_service_pack" : "" , "user_operating_system" : "" , "revision_number" : "0" , "build_id" : "00000000" , "dm_version" : "1.3.7.7_HF5_SessionId_TS" , "bundle_id" : "c26ae04e-a1f8-4abf-821d-edb75a4c22ec" , "machine_user_id" : "{D4A8446F-57C3-4891-BD2D-165659B3A723}" , "channel_id" : "" , "installation_session_id" : "B8AB2DB3-5EB9-4D73-891C-F84CC60B30A2" , "publisher_internal_id" : "1" , "publisher_id" : "Brothersoft" , "publisher_account_id" : "Brothersoft" , "order" : "1.0" , "phase" : "Init" , "Is_Test" : "0" }
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 2356
  2⤵
  - Program crash
  PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2648 -ip 2648
1⤵
PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nscBF0B.tmp\inetc.dll

Filesize
28KB

MD5
2d949f5ca08919067c056f0a76c1c747

SHA1
fd1727b91b125b3e85d061cb1a06b45edf7f8701

SHA256
a4c6da1e7cb0691dba1cb6b47239ad5967a107e87221e402b853f64d798f2d94

SHA512
0b9a7f580e09541f9762ac755e056ee683612dec04801dfd2b9b03897765b3ab0d10e2be4b9636316c11cb8eba1cc60d1be60eaa90bbb0b9c1ee8994e01cdc2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBE40.tmp\BI.exe

Filesize
75KB

MD5
25109dc34d4cc2804714945083cad37f

SHA1
1676f038cb43e72985bebabd24c59d5f2117a38e

SHA256
c733640ab386f03efee67ad0a04168557aac8fc4028d7000060bf0a8b4f3b481

SHA512
5132b6b32f68f3ad6459ea8fffde93f7ed300fa1952a0b1beb23de0c5ee9bc0cc305dd049756c277f8488673e28c80e717211801ec845b0c0682a9255d12afb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBE40.tmp\System.dll

Filesize
17KB

MD5
94aeaac642443b43e6d3785ed545a6a9

SHA1
feac08bfd96211a72c6afb4e935b655d9dd9c34f

SHA256
2fc9d23ada84acf3436dbb5199e8cc0ebff8960268777c1789198025de1d9b49

SHA512
0c0d8b2a85eac54c83b45542c5a87afd2c7d65c427361fef0206f304b7f9ad0e130c6976df956a6211bcdb3a66a28d61061ad2ac7296e0add63af8ae44480c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBE40.tmp\WebApp\Js\API.js

Filesize
9KB

MD5
0c1797a7fe8c65cf36ca5bc35aad0ff7

SHA1
b2754700c45211e641a59c1ddf55f47d55d43bdc

SHA256
85ec98a0fc8ff6c202e0a01142814a5a5438a71636a4025a2a8506cc7b22edba

SHA512
76e5eefc894f815099e8360d89253505b8f29974b71d63e0a5e0636e6db9f8793bf11e992140b89d478a856402741222ad0bf2acff72f95d13fb60b370b13231

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBE40.tmp\WebApp\Js\json2.js

Filesize
3KB

MD5
9b8cf1c97726c080629c98ddec68bebd

SHA1
5d764a5bc2e5cbb5f2569336e4c0c5f472d07f35

SHA256
1b6c626d6a600be68b11133c7bcd32fbcc8015951037bb36beaa067914367715

SHA512
67c590d216e73d0dd58974567dc248e0adb363c59e318efe1e715960a38220c1cfb98328cdb69941888f9e039d60980fd1fcf11084498fcb46f80c135cb60d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBE40.tmp\WebApp\Loading.htm

Filesize
2KB

MD5
b0daff66be205df4ad748bf6c2e8cb90

SHA1
a8a0152c4283f1f8a2576280981007a68efcce1f

SHA256
91daf936776000f8fbd417aafedbdb31bcc8c0d23964ecd177d1a5ee767d2e61

SHA512
3f2b1bbea54d650ca4173f0037c1fd6a27707afbb7ab5200d2d72fd3b32cf3e696f27bcffe5f492d2e2134f5879a537167eee568951efffbbeb249b7eff15116

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBE40.tmp\inetc.dll

Filesize
29KB

MD5
dccdcb124064a1d9a5eb12232348b898

SHA1
f294fac154cb1c6c18fe054ac584f767594b93fb

SHA256
37adc0183d94ae6ca1895643423dac0c97750d7103e6b00c14299dfc4ad2271e

SHA512
bd89bcd513bb7120db80e1115b4caceaa18c4ea863fe29b232002d447c3813133ff2849fcb2d4df45e3ff67e0e0d9d340d61060b9c74045b17efa5b1c1f5b05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshBE40.tmp\webapphost.dll

Filesize
701KB

MD5
8d0bd6f2bbe8b45ed19906fee1630e60

SHA1
f0d16620562ba2d1db6752198d6bb63c9d410587

SHA256
1267240909fee88f9ca8a7a8bb12186b31eed056c2ee306208956f0f92454449

SHA512
01300d1bece7caf265e08fa93f319004df7cfeaf24aa5c548c079f693882400f6f9c4931e4e77804006999ebaf978aea9ca6f150d76afdfd5bf7b94b9a66da6a

Download Submit