Overview

overview

8

Static

static

??-??.url

windows7_x64

6

??-??.url

windows10-2004_x64

6

DPInst32.exe

windows7_x64

4

DPInst32.exe

windows10-2004_x64

4

DPInst64.exe

windows7_x64

4

DPInst64.exe

windows10-2004_x64

4

Setup.exe

windows7_x64

4

Setup.exe

windows10-2004_x64

4

x32/eSm1_DS.chm

windows7_x64

1

x32/eSm1_DS.chm

windows10-2004_x64

1

x32/eSm1_DS.dll

windows7_x64

8

x32/eSm1_DS.dll

windows10-2004_x64

8

x32/eSm1_DS.dll

windows7_x64

1

x32/eSm1_DS.dll

windows10-2004_x64

1

x32/eSm1_IGFX.dll

windows7_x64

8

x32/eSm1_IGFX.dll

windows10-2004_x64

8

x32/eSm1_IIME.dll

windows7_x64

8

x32/eSm1_IIME.dll

windows10-2004_x64

8

x32/eSm1_ILANG.chm

windows7_x64

1

x32/eSm1_ILANG.chm

windows10-2004_x64

1

x32/eSm1_ILANG.dll

windows7_x64

8

x32/eSm1_ILANG.dll

windows10-2004_x64

8

x32/eSm1_ILOM.dll

windows7_x64

8

x32/eSm1_ILOM.dll

windows10-2004_x64

8

x32/eSm1_IO.dll

windows7_x64

8

x32/eSm1_IO.dll

windows10-2004_x64

8

x32/eSm1_IPPR.dll

windows7_x64

1

x32/eSm1_IPPR.dll

windows10-2004_x64

1

x32/eSm1_ISMON.exe

windows7_x64

8

x32/eSm1_ISMON.exe

windows10-2004_x64

8

x32/eSm1_IUI.dll

windows7_x64

1

x32/eSm1_IUI.dll

windows10-2004_x64

1

Analysis

  • max time kernel
    124s
  • max time network
    194s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 03:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    x32/eSm1_IO.dll

  • Size

    1.1MB

  • MD5

    fcd7cda75dc741881ce9d5d20ea72944

  • SHA1

    f3880aa76f65efdc471a71681dbab6de930d09bb

  • SHA256

    682ebd5f3ba7d41151b2313ab25d97a4376e948bda6496a9bce16d7de34c30ac

  • SHA512

    16b4702012cb661dd1a3f37c74e681b0bb7f47244e027c7fa587ab532447fd2045d0dbf825033d39fe4ffe7563b0d2af00f23c9902f14a1c690f54f4534bd3d7

Score
8/10
upx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\x32\eSm1_IO.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\x32\eSm1_IO.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1780
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1348
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1348 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:300
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1420
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1420 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:588

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{53054D51-D8D9-11EC-93D3-D2F97027F5CF}.dat
    Filesize

    3KB

    MD5

    0fbe77b13b82a0299332dae111cd75b0

    SHA1

    c8f8e6f645b4a3b00102e5bbaa6747edbc6e778e

    SHA256

    7c957ac4a48886f4887e7996d810d5d340b36e6da76d559f02796aaddd9c060e

    SHA512

    76e5c7ba0c4f31dc6e576ef4e26f72f5084e2abba6cc44dd843b389b2735106af519fe63cc8c06f14c6f0cf6c5eb9f8450835ef148fd217ca1e643c507849191

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C0HC6CDR.txt
    Filesize

    600B

    MD5

    fa2e460aab20f1cc0d6514d69578045a

    SHA1

    69a133cb7775072a41f3077a3cdb1ec3d1272dc6

    SHA256

    8993e91d31cac3988aaa2632495166ebb0694f8008419d0e0fd63f5e70ce7ee1

    SHA512

    146072ec760effd37137b3a348f468051725a653d5177650d0a34c8ca597f63812d588883694559fa711e5c361a208c7e4e34372a8f9f0bb55e51c0f70879a65

    Download Submit
  • C:\Windows\SysWOW64\rundll32mgr.exe
    Filesize

    105KB

    MD5

    dfb5daabb95dcfad1a5faf9ab1437076

    SHA1

    4a199569a9b52911bee7fb19ab80570cc5ff9ed1

    SHA256

    54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0

    SHA512

    5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8

    Download Submit
  • \Windows\SysWOW64\rundll32mgr.exe
    Filesize

    105KB

    MD5

    dfb5daabb95dcfad1a5faf9ab1437076

    SHA1

    4a199569a9b52911bee7fb19ab80570cc5ff9ed1

    SHA256

    54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0

    SHA512

    5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8

    Download Submit
  • \Windows\SysWOW64\rundll32mgr.exe
    Filesize

    105KB

    MD5

    dfb5daabb95dcfad1a5faf9ab1437076

    SHA1

    4a199569a9b52911bee7fb19ab80570cc5ff9ed1

    SHA256

    54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0

    SHA512

    5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8

    Download Submit
  • memory/820-54-0x0000000000000000-mapping.dmp
    Download
  • memory/820-55-0x0000000075371000-0x0000000075373000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1780-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1780-60-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize

    364KB

    Download