Overview

overview

8

Static

static

??-??.url

windows7_x64

6

??-??.url

windows10-2004_x64

6

DPInst32.exe

windows7_x64

4

DPInst32.exe

windows10-2004_x64

4

DPInst64.exe

windows7_x64

4

DPInst64.exe

windows10-2004_x64

4

Setup.exe

windows7_x64

4

Setup.exe

windows10-2004_x64

4

x32/eSm1_DS.chm

windows7_x64

1

x32/eSm1_DS.chm

windows10-2004_x64

1

x32/eSm1_DS.dll

windows7_x64

8

x32/eSm1_DS.dll

windows10-2004_x64

8

x32/eSm1_DS.dll

windows7_x64

1

x32/eSm1_DS.dll

windows10-2004_x64

1

x32/eSm1_IGFX.dll

windows7_x64

8

x32/eSm1_IGFX.dll

windows10-2004_x64

8

x32/eSm1_IIME.dll

windows7_x64

8

x32/eSm1_IIME.dll

windows10-2004_x64

8

x32/eSm1_ILANG.chm

windows7_x64

1

x32/eSm1_ILANG.chm

windows10-2004_x64

1

x32/eSm1_ILANG.dll

windows7_x64

8

x32/eSm1_ILANG.dll

windows10-2004_x64

8

x32/eSm1_ILOM.dll

windows7_x64

8

x32/eSm1_ILOM.dll

windows10-2004_x64

8

x32/eSm1_IO.dll

windows7_x64

8

x32/eSm1_IO.dll

windows10-2004_x64

8

x32/eSm1_IPPR.dll

windows7_x64

1

x32/eSm1_IPPR.dll

windows10-2004_x64

1

x32/eSm1_ISMON.exe

windows7_x64

8

x32/eSm1_ISMON.exe

windows10-2004_x64

8

x32/eSm1_IUI.dll

windows7_x64

1

x32/eSm1_IUI.dll

windows10-2004_x64

1

Analysis

  • max time kernel
    151s
  • max time network
    180s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 03:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    x32/eSm1_ILANG.dll

  • Size

    3.3MB

  • MD5

    4e54c60f803167319c5660091ac83d21

  • SHA1

    034be8467b8ef50d5600bf63ee6d249126a9cb8e

  • SHA256

    d069781aff820148df82a9f6087075f7e4d615abdeff3f88e5ab1e11664c6392

  • SHA512

    15381c3a275388c09ac2478e20f1ed9aa11322dc70f26c39f4065133006f8d2cc5daa0512c462491bcbdad92db9142dbb01662f279d64c4be0986b6868f29ae6

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\x32\eSm1_ILANG.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\x32\eSm1_ILANG.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1768
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1660
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:832
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1820
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1356

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{33141621-D8D9-11EC-82BB-6280490416C4}.dat
    Filesize

    3KB

    MD5

    48958ec01aa5cc0262f738f40d0824bc

    SHA1

    287fd8fff2301b8d698c408e512cfc125efd6f56

    SHA256

    4fec60402857a684879edbb712a2cca4c461268c7506959d33d24f2b7af89eb6

    SHA512

    e3d9f9c6f2d1de9a42b354d13de426ef6612ad1b5ed0fe37c8056621bf2ccc42aa32055907d36b8d9e70e982b77cccc712653091bfbf69a46b7ad89138af4171

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{331A30A1-D8D9-11EC-82BB-6280490416C4}.dat
    Filesize

    5KB

    MD5

    559594badd946ca1cc323af39c65e3c9

    SHA1

    6c5c4d12dbe2a87143bc15f278ec6f1921b6d903

    SHA256

    8e0526eb541e94bfb3044fd3ce82a0b3ce6a7b32a40f52ceac890c97b28ca030

    SHA512

    ba997439c7f8e2f75dcfa38137c7b8c90caf349932ef697d6823356f8c3a1212bb84591f16ccb392a036c464739dafccad334870383407a19802acb2d20da981

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0F2VQ048.txt
    Filesize

    595B

    MD5

    d73f687ba3c58a50f575de85026dde84

    SHA1

    3034178040cc4a9ed6582d2f6630de2bbd2d82ad

    SHA256

    affc5cb50592b6abe769b010b92f534795541e1b384e23019bde1eaebaa220e3

    SHA512

    1a0f2160bd85c4040903175fd320c37b5c16b26b59d2ccbdb4009ecfa1006680419d6da6e09c0e545a4216fc001c5c2098ed91a903ab04768371abf725e7ff05

    Download Submit
  • C:\Windows\SysWOW64\rundll32mgr.exe
    Filesize

    105KB

    MD5

    dfb5daabb95dcfad1a5faf9ab1437076

    SHA1

    4a199569a9b52911bee7fb19ab80570cc5ff9ed1

    SHA256

    54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0

    SHA512

    5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8

    Download Submit
  • \Windows\SysWOW64\rundll32mgr.exe
    Filesize

    105KB

    MD5

    dfb5daabb95dcfad1a5faf9ab1437076

    SHA1

    4a199569a9b52911bee7fb19ab80570cc5ff9ed1

    SHA256

    54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0

    SHA512

    5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8

    Download Submit
  • \Windows\SysWOW64\rundll32mgr.exe
    Filesize

    105KB

    MD5

    dfb5daabb95dcfad1a5faf9ab1437076

    SHA1

    4a199569a9b52911bee7fb19ab80570cc5ff9ed1

    SHA256

    54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0

    SHA512

    5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8

    Download Submit
  • memory/1768-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1768-62-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1868-54-0x0000000000000000-mapping.dmp
    Download
  • memory/1868-55-0x0000000075841000-0x0000000075843000-memory.dmp
    Filesize

    8KB

    Download