ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407d

Analysis

max time kernel
62s
max time network
64s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
Size

1.2MB
MD5

8045f943941867de6c3704706c1271f0
SHA1

1596132ca55c0590df7cf5ea4dcf6b0449db5374
SHA256

ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407d
SHA512

dddf99d2ed7a0efd6952a3c7910607682e42529fe7c530bdaeeff01223bdb7d07fa25ddde1c205acc78ec48efd29c96ed70889b0a3595435711ecc6be1b4d115
SSDEEP

24576:QjNyguooIjkFWpjzwkXiXHf+2g0NJMtrrqhv/Famxt:gtRRjkkXUHW4CrO1amxt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1644	BI.exe
1332	BI.exe

Loads dropped DLL 15 IoCs

pid	Process
1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
1644	BI.exe
1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
1644	BI.exe
1644	BI.exe
1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
1332	BI.exe
1332	BI.exe
1332	BI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BI.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1644	1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe	30
PID 1916 wrote to memory of 1644	1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe	30
PID 1916 wrote to memory of 1644	1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe	30
PID 1916 wrote to memory of 1644	1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe	30
PID 1916 wrote to memory of 1332	1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe	35
PID 1916 wrote to memory of 1332	1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe	35
PID 1916 wrote to memory of 1332	1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe	35
PID 1916 wrote to memory of 1332	1916	ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe	35

C:\Users\Admin\AppData\Local\Temp\ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe
"C:\Users\Admin\AppData\Local\Temp\ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\nsyB349.tmp\BI.exe
  C:\Users\Admin\AppData\Local\Temp\nsyB349.tmp\BI.exe { "json_send_time" : "19/9/2024 6:55:47:519" , "product_id_version" : "" , "product_type" : "" , "product_id" : "" , "offer_id" : "6843" , "user_type" : "NULL" , "result" : "Success" , "user_operating_system_bits" : "" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "1" , "is_silent" : "" , "user_ms_dotnet_framework_ver" : "" , "user_acount_type" : "" , "user_ie_version" : "" , "user_default_browser_version" : "" , "user_default_browser" : "" , "user_service_pack" : "" , "user_operating_system" : "" , "revision_number" : "0" , "build_id" : "00000000" , "dm_version" : "1.3.7.7_HF10" , "bundle_id" : "1bb11ec0-5f97-4aab-9b37-031e6ee6e228" , "machine_user_id" : "{D10451F9-2451-4BAF-A299-8C6E14653AD9}" , "send_attempt" : "0" , "channel_id" : "" , "installation_session_id" : "E3A4F555-AE85-4974-B75D-BF9F119110DF" , "publisher_internal_id" : "1" , "publisher_id" : "Brothersoft" , "publisher_account_id" : "Brothersoft" , "order" : "1.0" , "phase" : "Init" , "Is_Test" : "0" }
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1644
- C:\Users\Admin\AppData\Local\Temp\nsyB349.tmp\BI.exe
  C:\Users\Admin\AppData\Local\Temp\nsyB349.tmp\BI.exe { "user_ie_security_level" : "Medium-High" , "json_send_time" : "19/9/2024 6:56:31:714" , "is_parallel" : "0" , "vector_id" : "" , "rule_id" : "" , "product_id_version" : "" , "product_type" : "" , "product_id" : "" , "offer_id" : "6843" , "general_status_code" : "2" , "duration_details" : " InitPluginsDir:0 initializeParams:94 load_BITool:15 send_BI_Init:32 load_DownloadACC:15 retrieveUISource:0 unpack_webappfolder:63 unpack_icon:0 RetrieveMainOfferKey:0 unpack_OpenCandyDll:31 load_webapphost:0 unpack_ProxyInstaller:15 navigate_loadingUI:0 navigateAsync_constMainOffer:515 BuildUserProfile:0 retrieve cid:0 callService3:43525 " , "phase_duration" : "" , "error_details" : "Failed communicate with the DistributionEngineService. Inner Error: SendRequest Error " , "result" : "Error" , "user_operating_system_bits" : "64" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "1" , "is_silent" : "" , "user_ms_dotnet_framework_ver" : "4.0" , "user_acount_type" : "" , "user_ie_version" : "9.11.9600.16428" , "user_default_browser_version" : "9.11.9600.16428" , "user_default_browser" : "IEXPLORE.EXE" , "user_service_pack" : "1.0" , "user_operating_system" : "Windows 7 Ultimate" , "revision_number" : "0" , "build_id" : "00000000" , "dm_version" : "1.3.7.7_HF10" , "bundle_id" : "1bb11ec0-5f97-4aab-9b37-031e6ee6e228" , "machine_user_id" : "{D10451F9-2451-4BAF-A299-8C6E14653AD9}" , "send_attempt" : "0" , "channel_id" : "" , "installation_session_id" : "E3A4F555-AE85-4974-B75D-BF9F119110DF" , "publisher_internal_id" : "1" , "publisher_id" : "Brothersoft" , "publisher_account_id" : "Brothersoft" , "order" : "2.0" , "phase" : "InitComplete" , "Is_Test" : "0" }
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\jquery.min[1].js

Filesize
91KB

MD5
ddb84c1587287b2df08966081ef063bf

SHA1
9eb9ac595e9b5544e2dc79fff7cd2d0b4b5ef71f

SHA256
88171413fc76dda23ab32baa17b11e4fff89141c633ece737852445f1ba6c1bd

SHA512
0640605a22f437f10521b2d96064e06e4b0a1b96d2e8fb709d6bd593781c72ff8a86d2bfe3090bc4244687e91e94a897c7b132e237d369b2e0dc01083c2ec434

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB349.tmp\WebApp\Css\Reset.css

Filesize
5KB

MD5
8686e6b0677d062521c425def6e61634

SHA1
1400b4052668923ddb620efd22be4bb42e661f07

SHA256
e49898b23556cc847c1317fbbe9238251fd0023c6219f0ea6916b8d0323ca85f

SHA512
6aeb00eb362e91776586a8cd9020934178b38c19bfb65cf666a7480597aac8f1da94410346744a9b881b1cbb5fa39c76c87757174e5e51424ca98167519484d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB349.tmp\WebApp\Css\css.ltr.css

Filesize
23KB

MD5
afb6dc8a990cedb020beea23eb390d6e

SHA1
5bb0ed5026eb27c8e70db7908230eff136f3c938

SHA256
1d64a48ab7506fdb03490fd9222f148d96253ff8404cdf090815bab765d94704

SHA512
eb4eb0bc27ecd76febeaeafb0fbd9f751d7f477c118ef9c3e08a75df8825482e772df47ef5e63d12a99737ce78db6707de910365f39afc46254b9d3b1c117b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB349.tmp\WebApp\Failed.htm

Filesize
4KB

MD5
a058c9da06c529b0130be68ef6faca46

SHA1
cb37a5276007cd3022e2cc90bb998240725c92ab

SHA256
a0b8f5ee67ee63cd5dda92da281126c717e507d4b846976eebe1b5e7d1e23b34

SHA512
85766e7e14fcb306cf88d65035a42385a0ab040d1099096e36d1dcc2e9fac49c678ba156fc0a7027cb84cc027a46cec68b2a6e2598699fbd1bee9ea46b8e4282

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB349.tmp\WebApp\Js\API.js

Filesize
9KB

MD5
0c1797a7fe8c65cf36ca5bc35aad0ff7

SHA1
b2754700c45211e641a59c1ddf55f47d55d43bdc

SHA256
85ec98a0fc8ff6c202e0a01142814a5a5438a71636a4025a2a8506cc7b22edba

SHA512
76e5eefc894f815099e8360d89253505b8f29974b71d63e0a5e0636e6db9f8793bf11e992140b89d478a856402741222ad0bf2acff72f95d13fb60b370b13231

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB349.tmp\WebApp\Js\json2.js

Filesize
3KB

MD5
9b8cf1c97726c080629c98ddec68bebd

SHA1
5d764a5bc2e5cbb5f2569336e4c0c5f472d07f35

SHA256
1b6c626d6a600be68b11133c7bcd32fbcc8015951037bb36beaa067914367715

SHA512
67c590d216e73d0dd58974567dc248e0adb363c59e318efe1e715960a38220c1cfb98328cdb69941888f9e039d60980fd1fcf11084498fcb46f80c135cb60d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB349.tmp\WebApp\Loading.htm

Filesize
2KB

MD5
ceaf4b76e06f907e047cb6184f9f7c25

SHA1
fe1908d411bf27fa16c4255b87ee64300ea2f5ed

SHA256
a1498d823871c6045ea372939e502e8df959ea99f2f6740adad7d26f2bfad380

SHA512
70a134ce6a360c29daf1cdd4b73be8087e3a1bdadcc915ca58d94c1965d381084b2cde74687b77869f5fe1d98df81270656a0b1e5c3b6a581917fbc45e6083b9

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB3F5.tmp\inetc.dll

Filesize
28KB

MD5
dbcd04e7c6a999318e15345ee807be40

SHA1
0f62900856b3c57c595efd83677d0d78f54dfe70

SHA256
b218830ef6006dd1ca5bfde770c859b5f4dcd01a9636b32355340d16dcc34546

SHA512
c56af6635032896b60235975226e911d104f59171aac9a8dd7a339e7c63a110737d14670320e7e1dddc210f7a0d35dccf949932f67c0946048c256e1b4064c1e

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB349.tmp\BI.exe

Filesize
81KB

MD5
c6606a373ecde7cfd604b9970c84edd0

SHA1
2ade77df0b5b02b60a98f60328914c44fb4e0e11

SHA256
e30c962b128d554c672d8f332874f43443529fa7c9cc2165affe403f14d83bb6

SHA512
8379c676d1fb229cf6661c07b9a14fc782261d6b74b35aff3223fdb9b7fe7afb1b33e6205ae35e420da80a22ed30d5b4f3daa6ef19c975caa7d44ea2a44499b4

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB349.tmp\System.dll

Filesize
17KB

MD5
ea466672af35f704f1e8738ce4381857

SHA1
245a02c01302cf0151c07d915f028e3d822846da

SHA256
54e5770328d8bc66ae751cba53eed2988cff81d9a0c627e006ee8de01ba71ed3

SHA512
619619a5fca42129087b597ef8ff3acb6f423e5c0f6add72d6c2709e6018c66933e16678dcc6e5716f191763cb23929f7cd8ae700f8c919bfa08fad8193dede2

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB349.tmp\inetc.dll

Filesize
29KB

MD5
392f88a1357c739c0825d4fa26fb5286

SHA1
02646547510dcfa5e44d461ae0fa50a2273f1010

SHA256
66d111ed5526e6c43956ea615254bf140eee4c3f07521ee9a1d6f6e760821949

SHA512
79909b909aac3f1a7fb36ee7b3702877b1bf588821df1a0aedcb0f033ff6087dd22ea38408a1505e86c8a300e6b32309924bee901d31f92cf15d697b9a9dcce5

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB349.tmp\webapphost.dll

Filesize
705KB

MD5
0ce8403515ce7835755e23241f833eb6

SHA1
a2bcbb0cc429598dbfe74647d72908c7a7ffcfc2

SHA256
244d24ccdd4cda723c16d0b47a8c0f42c74b33280c6a7c628010e14c894d10cc

SHA512
924e4c9966c50338e9ed2cd93a093c03e6665ec09dbc1722e78edfbd048f0d2f2b637c99eb8abf9e35608eb63bbc890292dbbb7d3b5b175f6e71c967aebe5993

Download Submit