Analysis

  • max time kernel
    149s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-03-2024 16:06

General

  • Target

    e2117b441bb00e4bd08f23ec09ecfe03.exe

  • Size

    1.6MB

  • MD5

    e2117b441bb00e4bd08f23ec09ecfe03

  • SHA1

    af1eb8b5e2c453981579b06346d4762697aa5035

  • SHA256

    469c034a1b0db632b355417177df3872abd056bd300ac457fae4ed4d9cb2ce8b

  • SHA512

    975e802de0d951e154998d3ed487d8e5364674ae8de5be90bef3c554af3af0d9ff62cc6cd06a4367227baf7405e5f23f2f7a64eb566bfc160e2f706500616351

  • SSDEEP

    49152:dPUci59mkTB8cRczJBhE8/iIviTwpIHDY:hUT5Qkec0JjE8K6iToIj

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2117b441bb00e4bd08f23ec09ecfe03.exe
    "C:\Users\Admin\AppData\Local\Temp\e2117b441bb00e4bd08f23ec09ecfe03.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c \DelUS.bat
      2⤵
        PID:3968
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c \DelUS.bat
        2⤵
          PID:3088
        • C:\Program Files (x86)\IDBoan\IDBoan.exe
          "C:\Program Files (x86)\IDBoan\IDBoan.exe"
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2588
          • C:\Program Files (x86)\IDBoan\IDBoanUpdate.exe
            "C:\Program Files (x86)\IDBoan\IDBoanUpdate.exe" /run0
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4052
            • C:\Program Files (x86)\IDBoan\IDBoan.exe
              "C:\Program Files (x86)\IDBoan\IDBoan.exe" /run0
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Adds Run key to start application
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3868
              • C:\Program Files (x86)\IDBoan\IDBoanMon.exe
                "C:\Program Files (x86)\IDBoan\IDBoanMon.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                PID:5044
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1928
                5⤵
                • Program crash
                PID:5256
      • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
        "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
        1⤵
          PID:4624
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2964
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2964 CREDAT:17410 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1700
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3868 -ip 3868
          1⤵
            PID:3516
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2552 --field-trial-handle=3084,i,11997299123381683778,5904351605020331957,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:5656

Downloads

            • C:\DelUS.bat

              Filesize

              200B

              MD5

              8154d502b83604f36c4d6adc84ed4598

              SHA1

              c2955f3c695c6fe78ca722016d53afa331459c3f

              SHA256

              523748a7144269e74c808455b06502aa344f4a161910d60e5fe8d33039e1687d

              SHA512

              c934d9e3bb0b56e19aa491d71a286bf325b42704877e7b60fedaf63570af68a97e72e4c3510b52d7fc8cc7e4a9caf466cbbd882ff86074f19ea40caa74a62c07

            • C:\Program Files (x86)\IDBoan\IDBoan.exe

              Filesize

              4.0MB

              MD5

              4f9997968d4ebf3993f799b39e6d444a

              SHA1

              a6b344f7821cae1740c1e2097ce962f40475bc35

              SHA256

              7590b060295f720bed61f675f0673cb90e6ffc5f9311894e2c5a7b587ac90c07

              SHA512

              c6568028e797cc8d977f701480082483ecc5deda3e9c4ffde9ac80decc9770436a58ac8fc8e853312b3d7d9c6fdd2b8ea1edcd514de87e17e33d4a4a5a50b6f9

            • C:\Program Files (x86)\IDBoan\IDBoan.exe

              Filesize

              4.6MB

              MD5

              5826ff472ed14d14df0a306a171ac452

              SHA1

              49fd18bb02f8dd5272fa7fa03ae02fba032370f7

              SHA256

              4d9be43a1afc60e525c23ca54b0bcc2f80d15094652b1b791336175b5108635c

              SHA512

              01443b02882d99ab2888609530bb4b30621d79bdb8a5a9d3d773cc8547af9f293a99b1837dfe39de2e36ecd95ebbd22fa20f95923c92126e23076e8dd155dd6d

            • C:\Program Files (x86)\IDBoan\IDBoanMon.exe

              Filesize

              703KB

              MD5

              0ccf16a3c9d76eada96efd81e341fc5b

              SHA1

              1dd0a95554d0500c0784a0570cff30acf996ef48

              SHA256

              3bc95b546a70fdf885feda183288dcf4535719a4d7411479bd17de75197dbcc6

              SHA512

              40b6100f03e4d14d7871dc471322dee43da5ce554ca029e693eb0211dcb5c4ec9f692cb2cf12765ff902b2c32e9be504cb461b313dcd3ad8a246ba86e61496c1

            • C:\Program Files (x86)\IDBoan\IDBoanUpdate.exe

              Filesize

              1.8MB

              MD5

              5c26d3ae5bf2eafe78bb906d81047b48

              SHA1

              5badbfe50bca04ca88f4d1f336d1f925ef4da7f0

              SHA256

              7784f1f422aa413a4d556ad0b732b059564527c5d7ac2da5adbb2c9e89f39c5c

              SHA512

              ca7747cd4f4f125dff732bf36fcd2e89a02c01a500f117be650c46d3726cb6b032c5a4148f3618e4fc7b2746be3ee4e6d64b8bfc2edc280ebe4b918b10a6e25f

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CCR56MZ5\suggestions[1].en-US

              Filesize

              17KB

              MD5

              5a34cb996293fde2cb7a4ac89587393a

              SHA1

              3c96c993500690d1a77873cd62bc639b3a10653f

              SHA256

              c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

              SHA512

              e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

            • C:\Users\Admin\AppData\Local\Temp\nshB22A.tmp\DLLWebCount.dll

              Filesize

              28KB

              MD5

              0bdd7c6f1046ea4b42839f991ae53fb2

              SHA1

              cb9baefb10159b4a684fa1ee4372e7715865052d

              SHA256

              0a0019b2603dbc4505453c2501255ab0cc0b3c317ece4a6ce0cfb6a02a30907b

              SHA512

              96f41497f25d7bc81f51ab167f74243b4b767089c89c26f9752ef518fa60dedd2722c66ae87dad2334bcce1622bc12f7b9b892ae654ca58cecd9f35c9f1dc163

            • C:\Users\Admin\AppData\Local\Temp\nshB22A.tmp\SelfDelete.dll

              Filesize

              24KB

              MD5

              7bf1bd7661385621c7908e36958f582e

              SHA1

              43242d7731c097e95fb96753c8262609ff929410

              SHA256

              c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e

              SHA512

              8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

            • C:\Users\Admin\AppData\Local\Temp\nshB22A.tmp\System.dll

              Filesize

              11KB

              MD5

              c17103ae9072a06da581dec998343fc1

              SHA1

              b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

              SHA256

              dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

              SHA512

              d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

            • C:\Users\Admin\AppData\Local\Temp\nsisos.dll

              Filesize

              5KB

              MD5

              69806691d649ef1c8703fd9e29231d44

              SHA1

              e2193fcf5b4863605eec2a5eb17bf84c7ac00166

              SHA256

              ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

              SHA512

              5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb