Analysis

  • max time kernel
    141s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250610-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/07/2025, 06:58

General

  • Target

    e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe

  • Size

    94KB

  • MD5

    f80f897a2e284d64d1d41fa54d6790a9

  • SHA1

    46deb64546c3b316e34712bf0e228139207e58cd

  • SHA256

    e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2

  • SHA512

    b8a13bfbfa076bf218a02e590497bab797f7d04620eeb9fb51863bc1d493dcead9cb5266be94784723d8a020a91504ee08c73dff95966aeb703a36fa17af588b

  • SSDEEP

    1536:vRiAXaKD5gxzmwYEM/D3ozc4I8JboecWtX4:piAXaKDeKNnD36cb8tI

Malware Config

Signatures

  • Blocklisted process makes network request 14 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe
    "C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5808
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&c:\iybjhu.exe "C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2992
      • \??\c:\iybjhu.exe
        c:\iybjhu.exe "C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3640
        • \??\c:\windows\SysWOW64\rundll32.exe
          c:\windows\system32\rundll32.exe "c:\dscxrd\ineiu.dll",GetWindowClass c:\iybjhu.exe
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4496
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\SysWOW64\rundll32.exe "c:\dscxrd\ineiu.dll",GetWindowClass
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3496
    • \??\c:\windows\SysWOW64\rundll32.exe
      c:\windows\SysWOW64\rundll32.exe "c:\dscxrd\ineiu.dll",GetWindowClass
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3692
      • \??\c:\windows\SysWOW64\cmd.exe
        cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "c:\dscxrd"
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:4616
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 3
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4080

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\iybjhu.exe

          Filesize

          94KB

          MD5

          3d64bf93c2e3c30a5632431e9d7ce76f

          SHA1

          80f2e1dc0439a6b971d27b58be76865b06e77cf7

          SHA256

          b5d6b7b601e826b3fccca926e986bae65bf8a4e7c547aa27c3fefe628ecc1f07

          SHA512

          6f49b4c3413e2763b37f64b8e784d93ae00305c49e60bdfdcde2ed9be47ba8f38491d019a79fed404f721f2004641ca36b7d366d2867ef82bb61210e690acce6

        • \??\c:\dscxrd\ineiu.dll

          Filesize

          46KB

          MD5

          a3fd41430ddcaa55fde840788925406a

          SHA1

          dbdd87f5c1bbf6a6f44c2e2c4744675d5e4e75c2

          SHA256

          f57f9e54f4774c2b944fb070ae0c2a02cbb4b7686ab3207544c3ccaff0ff3dd9

          SHA512

          23109572cfc9a282ea3ec84d93bfe02303d27f365ad2d9f47f6234f91da14c64f80133cc5e49746dfcb65d2454b7e7c13eff59ba4bbc18e09d2fb1c630ba59c9

        • memory/3640-7-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/3692-13-0x0000000010000000-0x000000001002E000-memory.dmp

          Filesize

          184KB

        • memory/4496-10-0x0000000010000000-0x000000001002E000-memory.dmp

          Filesize

          184KB

        • memory/4496-11-0x0000000010001000-0x000000001001E000-memory.dmp

          Filesize

          116KB

        • memory/4496-14-0x0000000010000000-0x000000001002E000-memory.dmp

          Filesize

          184KB

        • memory/4496-15-0x0000000010001000-0x000000001001E000-memory.dmp

          Filesize

          116KB

        • memory/5808-0-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

        • memory/5808-2-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB