1d23fc46a2ee6c7e1c29c0db303d5b2617dc561d6b1f41cacb0bcb31340401b1

General

Target

1d23fc46a2ee6c7e1c29c0db303d5b2617dc561d6b1f41cacb0bcb31340401b1N.exe
Size

56KB
MD5

eebd5e75c2ca74171670e6721c61f880
SHA1

87d623470e31dcf65beed1c0020a3936c7ac7396
SHA256

1d23fc46a2ee6c7e1c29c0db303d5b2617dc561d6b1f41cacb0bcb31340401b1
SHA512

aa2b9b32eaa1e949fdf766873b3131d4d3a6eeaa4e461b473274ab0f16dc982083e6ac407ae763552d44651109ef109d640aa2a6db7451ec6fe59020fe1a6974
SSDEEP

1536:cbeEh6S+y4Y3tYqda3v1un93YynIeqdTYnX5YytM2:ctmqcHYnGyt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2108	IEwebaa.exe
2772	iewebbc(1).exe

Loads dropped DLL 5 IoCs

pid	Process
3004	1d23fc46a2ee6c7e1c29c0db303d5b2617dc561d6b1f41cacb0bcb31340401b1N.exe
3004	1d23fc46a2ee6c7e1c29c0db303d5b2617dc561d6b1f41cacb0bcb31340401b1N.exe
2108	IEwebaa.exe
2108	IEwebaa.exe
2108	IEwebaa.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\IEwebaa\Config.ini	IEwebaa.exe
File opened for modification	C:\Program Files (x86)\IEwebaa\IEwebaa.exe	IEwebaa.exe
File opened for modification	C:\Program Files (x86)\IEwebaa\IEwebaa.exe	1d23fc46a2ee6c7e1c29c0db303d5b2617dc561d6b1f41cacb0bcb31340401b1N.exe
File opened for modification	C:\Program Files (x86)\IEwebaa\Config.ini	1d23fc46a2ee6c7e1c29c0db303d5b2617dc561d6b1f41cacb0bcb31340401b1N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d23fc46a2ee6c7e1c29c0db303d5b2617dc561d6b1f41cacb0bcb31340401b1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEwebaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iewebbc(1).exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3004	1d23fc46a2ee6c7e1c29c0db303d5b2617dc561d6b1f41cacb0bcb31340401b1N.exe
2108	IEwebaa.exe
2772	iewebbc(1).exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2108	3004	1d23fc46a2ee6c7e1c29c0db303d5b2617dc561d6b1f41cacb0bcb31340401b1N.exe	30
PID 3004 wrote to memory of 2108	3004	1d23fc46a2ee6c7e1c29c0db303d5b2617dc561d6b1f41cacb0bcb31340401b1N.exe	30
PID 3004 wrote to memory of 2108	3004	1d23fc46a2ee6c7e1c29c0db303d5b2617dc561d6b1f41cacb0bcb31340401b1N.exe	30
PID 3004 wrote to memory of 2108	3004	1d23fc46a2ee6c7e1c29c0db303d5b2617dc561d6b1f41cacb0bcb31340401b1N.exe	30
PID 2108 wrote to memory of 2772	2108	IEwebaa.exe	32
PID 2108 wrote to memory of 2772	2108	IEwebaa.exe	32
PID 2108 wrote to memory of 2772	2108	IEwebaa.exe	32
PID 2108 wrote to memory of 2772	2108	IEwebaa.exe	32

C:\Users\Admin\AppData\Local\Temp\1d23fc46a2ee6c7e1c29c0db303d5b2617dc561d6b1f41cacb0bcb31340401b1N.exe
"C:\Users\Admin\AppData\Local\Temp\1d23fc46a2ee6c7e1c29c0db303d5b2617dc561d6b1f41cacb0bcb31340401b1N.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Program Files (x86)\IEwebaa\IEwebaa.exe
  "C:\Program Files (x86)\IEwebaa\IEwebaa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\iewebbc(1).exe
    "C:\Users\Admin\AppData\Local\Temp\iewebbc(1).exe" LoadForm2
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IEwebaa\Config.ini

Filesize
50B

MD5
5804227817cbe41dfc19861158467674

SHA1
6c7029f1bb15c0579e6a9b686e0338e4043a01b0

SHA256
4243cd54325600ded784d4cac695976249f93a8030fd853746ad435f4efdd121

SHA512
93c2ebbf53805b4cd2908e98c8d1f9ab00afb2c75d5ab84bb53c759d67f21cff67aa28db988686641ea83c3ecf6c47b3493fd7e360cf076d4f8d7fee5718e936

Download Submit
\Program Files (x86)\IEwebaa\IEwebaa.exe

Filesize
56KB

MD5
3db4828f35f3c3d4bfb13e2ac7661703

SHA1
4fbe482155f0728f5116412acab48f3cf44a03c5

SHA256
4d69888e79811ec71413a1a3a03026f94d2b142f8c019b7591280ee4ab0d20e5

SHA512
2a7b562a010683c868d81cae06854e30eda4906c366df2cfa6601aea78a6f5db2df0a60620803ac60a627d4d04b61ea6e7b744fe480e9e38446fd06ff21dc4c0

Download Submit
\Users\Admin\AppData\Local\Temp\iewebbc(1).exe

Filesize
56KB

MD5
b85d4b639e15a1a72adcb83aee90b6aa

SHA1
b0ce87418322960b7d35d5647eb82dd41a877146

SHA256
55c097f8037af7374de9416db5905697f8ce18dfe373bfaa0db213c014e06047

SHA512
642a2b490be1b448204d75e8f39885b15aca161f43d81767b5854f2e7ddeebfa3fcfe627031c83dad30b8f3fe33ee4d9ed7bb201a5d615d45c903b013b285790

Download Submit

Analysis

Sharing