Overview
overview
10Static
static
748c616cbb1...9e.exe
windows7-x64
748c616cbb1...9e.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$SYSDIR/gpyapi.dll
windows7-x64
3$SYSDIR/gpyapi.dll
windows10-2004-x64
3$SYSDIR/gtapi.dll
windows7-x64
3$SYSDIR/gtapi.dll
windows10-2004-x64
3$TEMP/Goog...er.exe
windows7-x64
8$TEMP/Goog...er.exe
windows10-2004-x64
$TEMP/Goog...ed.msi
windows7-x64
6$TEMP/Goog...ed.msi
windows10-2004-x64
6$TEMP/setu...20.exe
windows7-x64
7$TEMP/setu...20.exe
windows10-2004-x64
7ies_uni.exe
windows7-x64
7ies_uni.exe
windows10-2004-x64
7iesuper.dll
windows7-x64
6iesuper.dll
windows10-2004-x64
6UUPlayer.dll
windows7-x64
3UUPlayer.dll
windows10-2004-x64
3UUSeePlayer.exe
windows7-x64
10UUSeePlayer.exe
windows10-2004-x64
10bass-plugins.exe
windows7-x64
7bass-plugins.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
22-08-2024 06:51
Behavioral task
behavioral1
Sample
48c616cbb15b33f9f8001ae8074e8f68657f604bb20b923ddb6722f752427a9e.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral2
Sample
48c616cbb15b33f9f8001ae8074e8f68657f604bb20b923ddb6722f752427a9e.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/KillProcDLL.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/KillProcDLL.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$SYSDIR/gpyapi.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral10
Sample
$SYSDIR/gpyapi.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$SYSDIR/gtapi.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
$SYSDIR/gtapi.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$TEMP/GooglePinyinDownloader.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral14
Sample
$TEMP/GooglePinyinDownloader.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$TEMP/GoogleToolbarInstaller_zh-CN_signed.msi
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral16
Sample
$TEMP/GoogleToolbarInstaller_zh-CN_signed.msi
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$TEMP/setup_iesuper_1020.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral18
Sample
$TEMP/setup_iesuper_1020.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
ies_uni.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral20
Sample
ies_uni.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
iesuper.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral22
Sample
iesuper.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
UUPlayer.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral24
Sample
UUPlayer.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
UUSeePlayer.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral26
Sample
UUSeePlayer.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
bass-plugins.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral28
Sample
bass-plugins.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral30
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$PLUGINSDIR/KillProcDLL.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral32
Sample
$PLUGINSDIR/KillProcDLL.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
$TEMP/setup_iesuper_1020.exe
-
Size
164KB
-
MD5
2b869f2b00da6bd7fca714acf29c45d4
-
SHA1
9d9364cfa3b9c497dd5ed96268ec607aac6c587a
-
SHA256
15b3b4b702cc2a3d3b2f9fe0d2887b207a7321f2bea41d14aa67541ac06807bf
-
SHA512
85d78560b46fb4a3687566a7ed56f1fd44ba9001351d1eb040feb25fc8b9fba63f88704cd4344bd943330b749cab88502d9906cd1e35c0266a6e7db852904124
-
SSDEEP
3072:HtbKWzPmJbK5eqOllIx3fchSvJ9Q2cXvw0c8kSLK3NbkoTmOsZDWF7eAYa9Uxfh3:H1AK7vpfcO9t4vwokuMbqZeCXa9UNhmS
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 2224 setup_iesuper_1020.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2} setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}\ = "IESuper" setup_iesuper_1020.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}\NoExplorer = "1" setup_iesuper_1020.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\IESuper\iesuper.dll setup_iesuper_1020.exe File created C:\Program Files (x86)\IESuper\ies_uni.exe setup_iesuper_1020.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup_iesuper_1020.exe -
Modifies registry class 51 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESuperHelper.Obj\CurVer setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC1} setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC1}\ProgID\ = "IESuperHelper.Obj.1" setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESuper.Obj setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESuperHelper.Obj setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}\InprocServer32\ThreadingModel = "Apartment" setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESuperHelper.Obj\CLSID\ = "{1A49F431-2A2E-41a5-9080-0F41D1A3AEC1}" setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC1}\ = "IESuperHelper" setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESuper.Obj.1\ = "IESuper" setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESuper.Obj.1\CLSID\ = "{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}" setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESuperHelper.Obj.1\CLSID\ = "{1A49F431-2A2E-41a5-9080-0F41D1A3AEC1}" setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESuper.Obj\ = "IESuper" setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESuper.Obj\CLSID\ = "{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}" setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESuperHelper.Obj\CurVer\ = "IESuperHelper.Obj.1" setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC1}\VersionIndependentProgID setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}\InprocServer32 setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}\InprocServer32\ = "C:\\PROGRA~2\\IESuper\\iesuper.dll" setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC1}\InprocServer32\ = "C:\\PROGRA~2\\IESuper\\iesuper.dll" setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC1}\TypeLib setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESuper.Obj\CLSID setup_iesuper_1020.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41A5-9080-0F41D1A3AEC2}\InprocServer32 setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}\VersionIndependentProgID\ = "IESuper.Obj" setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2} setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}\ = "IESuper" setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESuperHelper.Obj.1\ = "IESuperHelper" setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESuperHelper.Obj\CLSID setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC1}\TypeLib\ = "{15BDF1BD-B1E5-4816-A17E-35F5A2554288}" setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41A5-9080-0F41D1A3AEC2}\ = "IESuper" setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESuper.Obj\CurVer setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}\TypeLib\ = "{15BDF1BD-B1E5-4816-A17E-35F5A2554289}" setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESuperHelper.Obj.1\CLSID setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESuperHelper.Obj.1 setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41A5-9080-0F41D1A3AEC2}\InprocServer32 setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}\ProgID setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC1}\VersionIndependentProgID\ = "IESuperHelper.Obj" setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC1}\Programmable setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41A5-9080-0F41D1A3AEC2}\InprocServer32\ThreadingModel = "Apartment" setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESuper.Obj\CurVer\ = "IESuper.Obj.1" setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESuper.Obj.1\CLSID setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}\TypeLib setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41A5-9080-0F41D1A3AEC2} setup_iesuper_1020.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41A5-9080-0F41D1A3AEC2} setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}\VersionIndependentProgID setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}\Programmable setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESuper.Obj.1 setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2}\ProgID\ = "IESuper.Obj.1" setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41A5-9080-0F41D1A3AEC2}\InprocServer32\ = "C:\\Program Files (x86)\\IESuper\\iesuper.dll" setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC1}\InprocServer32\ThreadingModel = "Apartment" setup_iesuper_1020.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESuperHelper.Obj\ = "IESuperHelper" setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC1}\ProgID setup_iesuper_1020.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC1}\InprocServer32 setup_iesuper_1020.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeRestorePrivilege 2224 setup_iesuper_1020.exe Token: SeBackupPrivilege 2224 setup_iesuper_1020.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\$TEMP\setup_iesuper_1020.exe"C:\Users\Admin\AppData\Local\Temp\$TEMP\setup_iesuper_1020.exe"1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2224
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
296KB
MD5c005c3255a6207df7866eaf6a21321a2
SHA1f02b3b3e213dfccef233ee41514a799d88c2b776
SHA256d9cc7ce178d584ee18d01df20310b7b84e6cf2a0e1ad20d713303033a04e7d72
SHA51284d5256ffc9195a444f312c9360249fd85ac1bab4f98915e4d207870a02e2e995fdbb1f502bfcbb52701b1ae121d37d9d583360c9e37d11402edded1547ee299