Analysis
max time kernel: 145s
max time network: 146s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 03:08
Static task: static1
Behavioral task: behavioral1
  Sample: d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe
  Resource: win10v2004-20241007-en
General
Target: d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe
Size: 2.2MB
MD5: 6232bad0a3bccda0f1c379190fef8929
SHA1: 3d76146d2ab012f1a6258fbff64627e8d490f0e4
SHA256: d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93
SHA512: 5bc0466271c141883a6e054bbbdd6c11292404cdeb4dd7303a8b0e5bf10485c3bef061044349026080ed6050c93db8e864ebee7819a7b5c26fda058ae41a46e3
SSDEEP: 49152:8JAKL1A4GFERnJfYMKAUVB7bsxr5fy8ckyyoYXtGqOipLCgvhf:NKL1A4G6nJf9aBHsxr5fy8fy7Y9GqZFd
Malware Config
Signatures
Executes dropped EXE 6 IoCs
pid | Process
2804 | SE205.exe
2756 | SE205.tmp
2572 | IEMaoSvc.exe
2184 | IEMaoSvc.exe
1788 | IEMaoSvc.exe
2444 | IEMaoSvc.exe

Loads dropped DLL 16 IoCs
pid | Process
2644 | d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe
2644 | d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe
2644 | d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe
2644 | d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe
2804 | SE205.exe
2756 | SE205.tmp
2756 | SE205.tmp
2756 | SE205.tmp
2756 | SE205.tmp
1680 | regsvr32.exe
588 | regsvr32.exe
1936 | regsvr32.exe
2756 | SE205.tmp
2756 | SE205.tmp
2756 | SE205.tmp
2444 | IEMaoSvc.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0008CBE3-7D12-263A-15FD-39D13B9D1132} | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0008CBE3-7D12-263A-15FD-39D13B9D1132}\NoExplorer = "1" | regsvr32.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | IEMaoSvc.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\is-0QKBU.tmp | SE205.tmp
File opened for modification | C:\Windows\SysWOW64\5859585B.fn | IEMaoSvc.exe
Drops file in Program Files directory 60 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\IEMao\Search\is-A5DM4.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-HHVHC.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-H9L5Q.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-52SP0.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-96HQ1.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-N6M4A.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-C9U7Q.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-D3I5U.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\is-OJLAE.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-MKC0H.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-M4DNM.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\is-6OKPQ.tmp | SE205.tmp
File opened for modification | C:\Program Files (x86)\IEMao\iemao.cg | IEMaoSvc.exe
File created | C:\Program Files (x86)\IEMao\unins000.dat | SE205.tmp
File created | C:\Program Files (x86)\IEMao\is-0C4QS.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\is-2N38M.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-65M3R.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-0VVLS.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-QDKB7.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-D4VFT.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-NGCF5.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-SENU1.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-P2E3F.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-8BFVU.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-468QG.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-96FQO.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-KR65O.tmp | SE205.tmp
File opened for modification | C:\Program Files (x86)\IEMao\Site.ini | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-RJA96.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-Q85V8.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-O0BUS.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-J3DJI.tmp | SE205.tmp
File opened for modification | C:\Program Files (x86)\IEMao\iemao.cg | IEMaoSvc.exe
File created | C:\Program Files (x86)\IEMao\Search\is-5RJRO.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-AGSU8.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\is-GFG6J.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-GCG3B.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-N7LL5.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-LJF0A.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\is-A3TJP.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-JJD6T.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-FKIJE.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-IE3U4.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-EQR04.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\is-VEIQM.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-27TPU.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-MVQPI.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-N8QB7.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-V2FM5.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-2SBN9.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-OHJVA.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-COHBT.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-E91FB.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-5USIJ.tmp | SE205.tmp
File opened for modification | C:\Program Files (x86)\IEMao\unins000.dat | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-PCNG6.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-0CEL7.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-06H78.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-8J58A.tmp | SE205.tmp
File created | C:\Program Files (x86)\IEMao\Search\is-MM992.tmp | SE205.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SE205.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEMaoSvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEMaoSvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEMaoSvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEMaoSvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SE205.tmp
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{0008CBE3-7D56-263A-18FD-39D13B9D1165} | regsvr32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 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 | regsvr32.exe
Modifies data under HKEY_USERS 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | IEMaoSvc.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{68F018D4-06B6-465C-B7EA-83AA39D43CC0}\1.0\FLAGS\ = "0" | IEMaoSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{83F57D68-CA9A-11D2-9088-00C04FA35CFA} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Borland.Midas_DSBase.1\Clsid\ = "{9E8D2FA1-591C-11D0-BF52-0020AF32BD64}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E8D2FA7-591C-11D0-BF52-0020AF32BD64}\InProcServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Borland.Midas_DatapacketWrite.1 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E8D2FA5-591C-11D0-BF52-0020AF32BD64}\ = "Borland Midas DatapacketWrite" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E8D2FA5-591C-11D0-BF52-0020AF32BD64}\InProcServer32\ = "C:\\Windows\\SysWow64\\midas.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0008CBE3-7D56-263A-18FD-39D13B9D1165}\InprocServer32\ = "C:\\PROGRA~2\\IEMao\\IEMaoBar.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DE67902-36AB-4DDD-8785-53AB3E78E9D8}\ProxyStubClsid32 | IEMaoSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E18AC0D-3260-4BD1-B4D1-181FC9F6ACE2}\ProgID\ = "IEMaoSv.IEMaoFunc" | IEMaoSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0008CBE3-7D12-263A-15FD-39D13B9D1132}\InprocServer32\ = "C:\\PROGRA~2\\IEMao\\iemao.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AEFCC20-7A24-11D2-98B0-C69BEB4B5B6D}\ = "IAppServer" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{68F018D4-06B6-465C-B7EA-83AA39D43CC0}\1.0\ = "IEMaoSv Library" | IEMaoSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E18AC0D-3260-4BD1-B4D1-181FC9F6ACE2}\LocalServer32 | IEMaoSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEMaoSv.IEMaoFunc\Clsid | IEMaoSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\iemao.IEMaoHelper\Clsid\ = "{0008CBE3-7D12-263A-15FD-39D13B9D1132}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{83F57D68-CA9A-11D2-9088-00C04FA35CFA}\1.0\HELPDIR\ = "C:\\Windows\\system32" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Borland.Midas_DSBase | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Borland.Midas_DSCursor.1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DE67902-36AB-4DDD-8785-53AB3E78E9D8} | IEMaoSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AEFCC20-7A24-11D2-98B0-C69BEB4B5B6D} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AEFCC20-7A24-11D2-98B0-C69BEB4B5B6D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Borland.Midas_DSBase.1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E8D2FA1-591C-11D0-BF52-0020AF32BD64} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Borland.Midas_DatapacketWrite.1\ = "Borland Midas DatapacketWrite" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DFB579ED-8CDF-441A-9900-7EF5D5515383}\ = "IIEMaoFunc" | IEMaoSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iemao.HtmlDrag | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Borland.Midas_DatapacketRead.1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E18AC0D-3260-4BD1-B4D1-181FC9F6ACE2} | IEMaoSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{27331A4D-E394-41D3-AB92-2AE3F5A39EEF} | IEMaoSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iemao.HtmlDrag\Clsid | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Borland.Midas_DSBase\ = "Borland Midas DSBase Current" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEMaoBar.IEMao Toolbar\ = "IEèËÑË÷µ¼º½¹¤¾ßÀ¸" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEMaoBar.IEMao Toolbar\Clsid\ = "{0008CBE3-7D56-263A-18FD-39D13B9D1165}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DE67902-36AB-4DDD-8785-53AB3E78E9D8}\TypeLib | IEMaoSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFB579ED-8CDF-441A-9900-7EF5D5515383}\TypeLib\ = "{68F018D4-06B6-465C-B7EA-83AA39D43CC0}" | IEMaoSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEMaoSv.BarManage\Clsid | IEMaoSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA33A1D2-892C-4798-8430-50E66C58656A}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1AEFCC20-7A24-11D2-98B0-C69BEB4B5B6D}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AEFCC20-7A24-11D2-98B0-C69BEB4B5B6D}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Borland.Midas_DSBase.1\Clsid | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E8D2FA1-591C-11D0-BF52-0020AF32BD64}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Borland.Midas_DatapacketWrite.1\Clsid\ = "{9E8D2FA5-591C-11D0-BF52-0020AF32BD64}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DE67902-36AB-4DDD-8785-53AB3E78E9D8}\TypeLib\Version = "1.0" | IEMaoSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEMaoSv.IEMaoFunc\Clsid\ = "{5E18AC0D-3260-4BD1-B4D1-181FC9F6ACE2}" | IEMaoSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0008CBE3-7D12-263A-15FD-39D13B9D1132}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1AEFCC20-7A24-11D2-98B0-C69BEB4B5B6D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E8D2FA1-591C-11D0-BF52-0020AF32BD64}\InProcServer32\ = "C:\\Windows\\SysWow64\\midas.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Borland.Midas_DSCursor\Clsid | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E8D2FA3-591C-11D0-BF52-0020AF32BD64} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DE67902-36AB-4DDD-8785-53AB3E78E9D8}\ProxyStubClsid32 | IEMaoSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFB579ED-8CDF-441A-9900-7EF5D5515383}\ProxyStubClsid32 | IEMaoSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\iemao.IEMaoHelper\Clsid | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Borland.Midas_DSCursor.1\ = "Borland Midas DSCursor 1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E8D2FA3-591C-11D0-BF52-0020AF32BD64}\ProgID\ = "Borland.Midas_DSCursor.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DFB579ED-8CDF-441A-9900-7EF5D5515383}\TypeLib\Version = "1.0" | IEMaoSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFB579ED-8CDF-441A-9900-7EF5D5515383} | IEMaoSvc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{27331A4D-E394-41D3-AB92-2AE3F5A39EEF}\LocalService = "IEMaoSvc" | IEMaoSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E18AC0D-3260-4BD1-B4D1-181FC9F6ACE2}\TypeLib | IEMaoSvc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{83F57D68-CA9A-11D2-9088-00C04FA35CFA}\1.0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{83F57D68-CA9A-11D2-9088-00C04FA35CFA}\1.0\0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{83F57D68-CA9A-11D2-9088-00C04FA35CFA}\1.0\0\win32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1AEFCC20-7A24-11D2-98B0-C69BEB4B5B6D}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Borland.Midas_DSBase.1\ = "Borland Midas DSBase 1" | regsvr32.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
2644 | d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe
2572 | IEMaoSvc.exe
2184 | IEMaoSvc.exe
1788 | IEMaoSvc.exe
2444 | IEMaoSvc.exe
Suspicious use of WriteProcessMemory 47 IoCs
description | pid | Process | procid_target
PID 2644 wrote to memory of 2804 | 2644 | d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe | 30
PID 2644 wrote to memory of 2804 | 2644 | d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe | 30
PID 2644 wrote to memory of 2804 | 2644 | d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe | 30
PID 2644 wrote to memory of 2804 | 2644 | d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe | 30
PID 2644 wrote to memory of 2804 | 2644 | d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe | 30
PID 2644 wrote to memory of 2804 | 2644 | d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe | 30
PID 2644 wrote to memory of 2804 | 2644 | d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe | 30
PID 2804 wrote to memory of 2756 | 2804 | SE205.exe | 31
PID 2804 wrote to memory of 2756 | 2804 | SE205.exe | 31
PID 2804 wrote to memory of 2756 | 2804 | SE205.exe | 31
PID 2804 wrote to memory of 2756 | 2804 | SE205.exe | 31
PID 2804 wrote to memory of 2756 | 2804 | SE205.exe | 31
PID 2804 wrote to memory of 2756 | 2804 | SE205.exe | 31
PID 2804 wrote to memory of 2756 | 2804 | SE205.exe | 31
PID 2756 wrote to memory of 2572 | 2756 | SE205.tmp | 32
PID 2756 wrote to memory of 2572 | 2756 | SE205.tmp | 32
PID 2756 wrote to memory of 2572 | 2756 | SE205.tmp | 32
PID 2756 wrote to memory of 2572 | 2756 | SE205.tmp | 32
PID 2756 wrote to memory of 1680 | 2756 | SE205.tmp | 33
PID 2756 wrote to memory of 1680 | 2756 | SE205.tmp | 33
PID 2756 wrote to memory of 1680 | 2756 | SE205.tmp | 33
PID 2756 wrote to memory of 1680 | 2756 | SE205.tmp | 33
PID 2756 wrote to memory of 1680 | 2756 | SE205.tmp | 33
PID 2756 wrote to memory of 1680 | 2756 | SE205.tmp | 33
PID 2756 wrote to memory of 1680 | 2756 | SE205.tmp | 33
PID 2756 wrote to memory of 588 | 2756 | SE205.tmp | 34
PID 2756 wrote to memory of 588 | 2756 | SE205.tmp | 34
PID 2756 wrote to memory of 588 | 2756 | SE205.tmp | 34
PID 2756 wrote to memory of 588 | 2756 | SE205.tmp | 34
PID 2756 wrote to memory of 588 | 2756 | SE205.tmp | 34
PID 2756 wrote to memory of 588 | 2756 | SE205.tmp | 34
PID 2756 wrote to memory of 588 | 2756 | SE205.tmp | 34
PID 2756 wrote to memory of 1936 | 2756 | SE205.tmp | 35
PID 2756 wrote to memory of 1936 | 2756 | SE205.tmp | 35
PID 2756 wrote to memory of 1936 | 2756 | SE205.tmp | 35
PID 2756 wrote to memory of 1936 | 2756 | SE205.tmp | 35
PID 2756 wrote to memory of 1936 | 2756 | SE205.tmp | 35
PID 2756 wrote to memory of 1936 | 2756 | SE205.tmp | 35
PID 2756 wrote to memory of 1936 | 2756 | SE205.tmp | 35
PID 2756 wrote to memory of 2184 | 2756 | SE205.tmp | 36
PID 2756 wrote to memory of 2184 | 2756 | SE205.tmp | 36
PID 2756 wrote to memory of 2184 | 2756 | SE205.tmp | 36
PID 2756 wrote to memory of 2184 | 2756 | SE205.tmp | 36
PID 2756 wrote to memory of 1788 | 2756 | SE205.tmp | 37
PID 2756 wrote to memory of 1788 | 2756 | SE205.tmp | 37
PID 2756 wrote to memory of 1788 | 2756 | SE205.tmp | 37
PID 2756 wrote to memory of 1788 | 2756 | SE205.tmp | 37
Processes
C:\Users\Admin\AppData\Local\Temp\d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe (PID 2644)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\SE205.exe (PID 2804)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SE205.exe" /VERYSILENT /SP-
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\is-722LL.tmp\SE205.tmp (PID 2756)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-722LL.tmp\SE205.tmp" /SL5="$6022E,1954047,54272,C:\Users\Admin\AppData\Local\Temp\SE205.exe" /VERYSILENT /SP-
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\is-S4FB1.tmp\IEMaoSvc.exe (PID 2572)
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-S4FB1.tmp\IEMaoSvc.exe" U
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\regsvr32.exe (PID 1680)
        Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\IEMao\iemao.dll"
        - Loads dropped DLL
        - Installs/modifies Browser Helper Object
        - System Location Discovery: System Language Discovery
        - Modifies registry class
      C:\Windows\SysWOW64\regsvr32.exe (PID 588)
        Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\midas.dll"
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies registry class
      C:\Windows\SysWOW64\regsvr32.exe (PID 1936)
        Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\IEMao\IEMaoBar.dll"
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Modifies registry class
      C:\Program Files (x86)\IEMao\IEMaoSvc.exe (PID 2184)
        Command line: "C:\Program Files (x86)\IEMao\IEMaoSvc.exe" /regserver
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx
      C:\Program Files (x86)\IEMao\IEMaoSvc.exe (PID 1788)
        Command line: "C:\Program Files (x86)\IEMao\IEMaoSvc.exe" INS C:\Users\Admin\AppData\Local\Temp\SE205.exe
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\IEMao\IEMaoSvc.exe (PID 2444)
  Command line: "C:\Program Files (x86)\IEMao\IEMaoSvc.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.0MB
MD5: 4fd418575fc880292165cfe1459698a8
SHA1: bce2f459b993b51ea12c995795830250d370a228
SHA256: f67fd91b26e2a7965d623bf8c6ab500abb92443a474eec5482eb961864e9d40a
SHA512: ae8ce98370eec8fc0eb123e008ca91f5fe8e0247dcf3afdb5d03d8a1947d6fdce0eb685fa28683e286266858baf3ce532acd21fbc39fc867026af0e45b61045a

Filesize: 648B
MD5: c32cd0022b2903bc8e5df113f1a1c6ed
SHA1: 5cc5c6f391b3762fd282f4f2a7f3d218179fb1cd
SHA256: 3bd51bb4288d9e4626e720a04f8b5d45fa02cea665dcc2c6012a73f8686768af
SHA512: ea6b0a9fc9d72cf7ce3790f2a0590812cc309781697f14adb371c5c31dad7e8e6e360f1d54a1e960d71bed7934f2b31ea6e574db49c2af3b30c9e18556464197

Filesize: 44B
MD5: 52b7ba72c99fbd0a6c6c9c4b9f70cb89
SHA1: 0888b49e3952d6a202b2a5bc6a6d0ba97304a134
SHA256: 9458985fb8c27599bdf14f013146c382256e1b91de4c397e03c17bb7b4c10a8a
SHA512: 2a7ba4ef10cf1213f793048c43247d318915a4c246f03dd5dfc245def539b13f2680f44a9833eda4713e32fdbf8b060965f946983d23cc51e88fd29cb354d715

Filesize: 696KB
MD5: 8aa8c628f7b7b7f3e96eff00557bd0bf
SHA1: 9af9cf61707cbba7bf0d7cbed94e8db91aff8bd6
SHA256: 14d4fa3ea6c3fbf6e9d284de717e73a1ebb5e77f3d5c8c98808e40ade359ea9d
SHA512: 5e0a4765873684fce159af81310e37b6918c923ccede0c4de0bd1e2e221425109131830cff02e3f910f15b0401ee3b4ae68700b6d29a5e8466f6d4ee1dcd6eeb

Filesize: 430KB
MD5: 43b9337ca111defa4da637a3121e7a7d
SHA1: 40f15faa582609408194e2317f14a949388874ef
SHA256: e5d2be36e26d90a1926b641e25689ecd9ae4f796bc3ca40ba75b30ef33f67fbf
SHA512: 25c34deb29fc478c68dd7dd582571025db4cebd9a3d824caa98e9a1f74c1ffea4c983964d9657517d5fc1522efa6e3dbf23224bd24fa215780e39eae13acac60

Filesize: 570KB
MD5: c8386a40d92c22459e759ffa9410cea3
SHA1: 248e1f688b439ad774cd5c6e8b4b537b3f337c6d
SHA256: 4c2aca3c43cc6bcad5ba469efb4492dafefdf865a1d29e062efec220be512dc0
SHA512: c18fdcc47632120af36cd814e0e7bd8a1de39a4e77805c6c193f5f3592aefffc9c3c4f7e2f31150872ebdf84f2aac87f2bb14d4eec4c17730b0f67b2c3d9121f

Filesize: 764KB
MD5: f7ba4f7ed7d31e823ad386e44512220d
SHA1: 393c9c99eb4e7ae040d38c4cbbeaa4df7d36bf3c
SHA256: 47dde1ea825b5f0dccc2675404c5f545c25225bde240571965f388a05e6d1be9
SHA512: bbeb4c9191f2c3d3d758d1de63573fd7250f38e6493a78518bfc07d993401eea0a88d05c0d9178ab88145489a792de7edc645e875e5d83df1453a43cafa95796

Filesize: 2.1MB
MD5: 9c4905c83ff4757aa4af814ff541dbff
SHA1: bb6e9e6a15762146ecaa518dcacf3cec099030ef
SHA256: b28f07326f5b491544b74903e691cb69146398be5c2b209c353acd530c1bc6a1
SHA512: ebfd4d124442b45f5ee1b760594149148255900a1a4706f939f16600731db2569167e5ad0cb073af2a4fbd09bda10a2ddc8289ca40c7e5e9c9abbdc0c9cd4d39

Filesize: 2.6MB
MD5: 4af78d4339b984a67f73c7f38d19b898
SHA1: 5bfe2be35cb0146583c1b8c4ef6ed9080f42a9cf
SHA256: 36aee391a9711e586c2b92e5a60c106feb593b28735820e8aa1d2fed655d811f
SHA512: fb132fca362317d6814448a69068ae99e82c31ce96c3e3a076a6123850ed20610220547a56447308291ebebfa0cfbfc9eae542613e344582bc3eafacfb33b61d

Filesize: 22KB
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3