Overview

overview

7

Static

static

3

d4b7c5e8c0...93.exe

windows7-x64

7

d4b7c5e8c0...93.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 03:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe

  • Size

    2.2MB

  • MD5

    6232bad0a3bccda0f1c379190fef8929

  • SHA1

    3d76146d2ab012f1a6258fbff64627e8d490f0e4

  • SHA256

    d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93

  • SHA512

    5bc0466271c141883a6e054bbbdd6c11292404cdeb4dd7303a8b0e5bf10485c3bef061044349026080ed6050c93db8e864ebee7819a7b5c26fda058ae41a46e3

  • SSDEEP

    49152:8JAKL1A4GFERnJfYMKAUVB7bsxr5fy8ckyyoYXtGqOipLCgvhf:NKL1A4G6nJf9aBHsxr5fy8fy7Y9GqZFd

Score
7/10
adwarebootkitdiscoverypersistencestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 11 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 60 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe
    "C:\Users\Admin\AppData\Local\Temp\d4b7c5e8c0c5488748ad197e36beef284edb85704cdf1c290cb3075c87b34b93.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4168
    • C:\Users\Admin\AppData\Local\Temp\SE205.exe
      "C:\Users\Admin\AppData\Local\Temp\SE205.exe" /VERYSILENT /SP-
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Users\Admin\AppData\Local\Temp\is-SOV3C.tmp\SE205.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-SOV3C.tmp\SE205.tmp" /SL5="$602B8,1954047,54272,C:\Users\Admin\AppData\Local\Temp\SE205.exe" /VERYSILENT /SP-
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:624
        • C:\Users\Admin\AppData\Local\Temp\is-LARPJ.tmp\IEMaoSvc.exe
          "C:\Users\Admin\AppData\Local\Temp\is-LARPJ.tmp\IEMaoSvc.exe" U
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:448
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\IEMao\iemao.dll"
          4⤵
          • Loads dropped DLL
          • Installs/modifies Browser Helper Object
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:368
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\midas.dll"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:556
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\IEMao\IEMaoBar.dll"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:3124
        • C:\Program Files (x86)\IEMao\IEMaoSvc.exe
          "C:\Program Files (x86)\IEMao\IEMaoSvc.exe" /regserver
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4632
        • C:\Program Files (x86)\IEMao\IEMaoSvc.exe
          "C:\Program Files (x86)\IEMao\IEMaoSvc.exe" INS C:\Users\Admin\AppData\Local\Temp\SE205.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:3584
  • C:\Program Files (x86)\IEMao\IEMaoSvc.exe
    "C:\Program Files (x86)\IEMao\IEMaoSvc.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\IEMao\IEMaoBar.dll
    Filesize

    2.0MB

    MD5

    4fd418575fc880292165cfe1459698a8

    SHA1

    bce2f459b993b51ea12c995795830250d370a228

    SHA256

    f67fd91b26e2a7965d623bf8c6ab500abb92443a474eec5482eb961864e9d40a

    SHA512

    ae8ce98370eec8fc0eb123e008ca91f5fe8e0247dcf3afdb5d03d8a1947d6fdce0eb685fa28683e286266858baf3ce532acd21fbc39fc867026af0e45b61045a

    Download Submit

  • C:\Program Files (x86)\IEMao\Site.ini
    Filesize

    648B

    MD5

    c32cd0022b2903bc8e5df113f1a1c6ed

    SHA1

    5cc5c6f391b3762fd282f4f2a7f3d218179fb1cd

    SHA256

    3bd51bb4288d9e4626e720a04f8b5d45fa02cea665dcc2c6012a73f8686768af

    SHA512

    ea6b0a9fc9d72cf7ce3790f2a0590812cc309781697f14adb371c5c31dad7e8e6e360f1d54a1e960d71bed7934f2b31ea6e574db49c2af3b30c9e18556464197

    Download Submit

  • C:\Program Files (x86)\IEMao\Update.dll
    Filesize

    570KB

    MD5

    c8386a40d92c22459e759ffa9410cea3

    SHA1

    248e1f688b439ad774cd5c6e8b4b537b3f337c6d

    SHA256

    4c2aca3c43cc6bcad5ba469efb4492dafefdf865a1d29e062efec220be512dc0

    SHA512

    c18fdcc47632120af36cd814e0e7bd8a1de39a4e77805c6c193f5f3592aefffc9c3c4f7e2f31150872ebdf84f2aac87f2bb14d4eec4c17730b0f67b2c3d9121f

    Download Submit

  • C:\Program Files (x86)\IEMao\iemao.cg
    Filesize

    94B

    MD5

    20cf1960ee1824fba9105dff39777924

    SHA1

    d5b88d2b3fb9a85fa93875eeadf62002bd46a94a

    SHA256

    9d82213d961433c00ef5e5d9ee265e5e83801c1706e84b45df5d0d7c072a6d98

    SHA512

    95e10f244f9c05a87812f76b012b1d9f75151b72bda95ee8796ccb4a2e1cf322df0759a4dd5193f0bdc99b86030efa24ff00bf95207db2b62f68cc3e38b6b07a

    Download Submit

  • C:\Program Files (x86)\IEMao\iemao.dll
    Filesize

    764KB

    MD5

    f7ba4f7ed7d31e823ad386e44512220d

    SHA1

    393c9c99eb4e7ae040d38c4cbbeaa4df7d36bf3c

    SHA256

    47dde1ea825b5f0dccc2675404c5f545c25225bde240571965f388a05e6d1be9

    SHA512

    bbeb4c9191f2c3d3d758d1de63573fd7250f38e6493a78518bfc07d993401eea0a88d05c0d9178ab88145489a792de7edc645e875e5d83df1453a43cafa95796

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SE205.exe
    Filesize

    2.1MB

    MD5

    9c4905c83ff4757aa4af814ff541dbff

    SHA1

    bb6e9e6a15762146ecaa518dcacf3cec099030ef

    SHA256

    b28f07326f5b491544b74903e691cb69146398be5c2b209c353acd530c1bc6a1

    SHA512

    ebfd4d124442b45f5ee1b760594149148255900a1a4706f939f16600731db2569167e5ad0cb073af2a4fbd09bda10a2ddc8289ca40c7e5e9c9abbdc0c9cd4d39

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-LARPJ.tmp\IEMaoSvc.exe
    Filesize

    2.6MB

    MD5

    4af78d4339b984a67f73c7f38d19b898

    SHA1

    5bfe2be35cb0146583c1b8c4ef6ed9080f42a9cf

    SHA256

    36aee391a9711e586c2b92e5a60c106feb593b28735820e8aa1d2fed655d811f

    SHA512

    fb132fca362317d6814448a69068ae99e82c31ce96c3e3a076a6123850ed20610220547a56447308291ebebfa0cfbfc9eae542613e344582bc3eafacfb33b61d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-SOV3C.tmp\SE205.tmp
    Filesize

    696KB

    MD5

    8aa8c628f7b7b7f3e96eff00557bd0bf

    SHA1

    9af9cf61707cbba7bf0d7cbed94e8db91aff8bd6

    SHA256

    14d4fa3ea6c3fbf6e9d284de717e73a1ebb5e77f3d5c8c98808e40ade359ea9d

    SHA512

    5e0a4765873684fce159af81310e37b6918c923ccede0c4de0bd1e2e221425109131830cff02e3f910f15b0401ee3b4ae68700b6d29a5e8466f6d4ee1dcd6eeb

    Download Submit

  • C:\Windows\SysWOW64\midas.dll
    Filesize

    430KB

    MD5

    43b9337ca111defa4da637a3121e7a7d

    SHA1

    40f15faa582609408194e2317f14a949388874ef

    SHA256

    e5d2be36e26d90a1926b641e25689ecd9ae4f796bc3ca40ba75b30ef33f67fbf

    SHA512

    25c34deb29fc478c68dd7dd582571025db4cebd9a3d824caa98e9a1f74c1ffea4c983964d9657517d5fc1522efa6e3dbf23224bd24fa215780e39eae13acac60

    Download Submit

  • memory/368-146-0x0000000002450000-0x0000000002514000-memory.dmp

    Filesize

    784KB

    Download

  • memory/448-30-0x0000000000400000-0x00000000006A1000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/624-25-0x0000000000400000-0x00000000004BE000-memory.dmp

    Filesize

    760KB

    Download

  • memory/624-169-0x0000000000400000-0x00000000004BE000-memory.dmp

    Filesize

    760KB

    Download

  • memory/1064-172-0x0000000000400000-0x00000000006A1000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/1064-192-0x0000000000400000-0x00000000006A1000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/1064-188-0x0000000001DA0000-0x0000000001E34000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1064-184-0x0000000000400000-0x00000000006A1000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/3012-170-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3012-13-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3012-16-0x0000000000401000-0x000000000040B000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3124-152-0x00000000021F0000-0x00000000023F0000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3584-164-0x0000000000400000-0x00000000006A1000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/4632-159-0x0000000000400000-0x00000000006A1000-memory.dmp

    Filesize

    2.6MB

    Download