Analysis
max time kernel: 141s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/07/2025, 06:58

Static task: static1
Behavioral task: behavioral1
Sample: e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe
Resource: win10v2004-20250610-en

General
Target: e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe
Size: 94KB
MD5: f80f897a2e284d64d1d41fa54d6790a9
SHA1: 46deb64546c3b316e34712bf0e228139207e58cd
SHA256: e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2
SHA512: b8a13bfbfa076bf218a02e590497bab797f7d04620eeb9fb51863bc1d493dcead9cb5266be94784723d8a020a91504ee08c73dff95966aeb703a36fa17af588b
SSDEEP: 1536:vRiAXaKD5gxzmwYEM/D3ozc4I8JboecWtX4:piAXaKDeKNnD36cb8tI
Malware Config: none extracted
Signatures

Blocklisted process makes network request (14 IoCs)
flow  pid   Process
27    4496  rundll32.exe
28    4496  rundll32.exe
29    4496  rundll32.exe
30    4496  rundll32.exe
36    4496  rundll32.exe
39    4496  rundll32.exe
62    4496  rundll32.exe
63    4496  rundll32.exe
72    4496  rundll32.exe
73    4496  rundll32.exe
74    4496  rundll32.exe
78    4496  rundll32.exe
79    4496  rundll32.exe
80    4496  rundll32.exe

Deletes itself (1 IoC)
pid   Process
3640  iybjhu.exe

Executes dropped EXE (1 IoC)
pid   Process
3640  iybjhu.exe

Loads dropped DLL (2 IoCs)
pid   Process
4496  rundll32.exe
3692  rundll32.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other profile contents.

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str), by rundll32.exe
ioc: \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\dscxrd\\ineiu.dll\",GetWindowClass"

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only), by rundll32.exe
ioc (in the order logged): \??\s:, \??\t:, \??\w:, \??\x:, \??\m:, \??\p:, \??\u:, \??\z:, \??\j:, \??\n:, \??\r:, \??\v:, \??\y:, \??\a:, \??\e:, \??\g:, \??\h:, \??\i:, \??\k:, \??\o:, \??\q:, \??\b:, \??\l:

Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                   ioc                 Process
File opened for modification  \??\PHYSICALDRIVE0  rundll32.exe
File opened for modification  \??\PHYSICALDRIVE0  rundll32.exe
(one event per rundll32.exe instance; the process tree attributes this signature to PIDs 4496 and 3692)

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (in the order logged): cmd.exe, PING.EXE, e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe, cmd.exe, iybjhu.exe, rundll32.exe, PING.EXE, rundll32.exe
Note that cmd.exe and PING.EXE open this key as part of normal start-up, so on its own this signature carries little weight.

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 4 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
2500  cmd.exe
2992  PING.EXE
4616  cmd.exe
4080  PING.EXE
In this run the ping target is 127.0.0.1 (see the process tree), so the pings serve as a short delay rather than a connectivity check.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                          Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  rundll32.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      rundll32.exe

Runs ping.exe (1 TTP, 2 IoCs)
pid   Process
2992  PING.EXE
4080  PING.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
4496  rundll32.exe (logged four times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  4496  rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
5808  e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe
3640  iybjhu.exe

Suspicious use of WriteProcessMemory (21 IoCs; each parent/child pair below is logged three times)
pid   Process                                                                   wrote to memory of  procid_target
5808  e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe     2500 (cmd.exe)      87
2500  cmd.exe                                                                   2992 (PING.EXE)     89
2500  cmd.exe                                                                   3640 (iybjhu.exe)   91
3640  iybjhu.exe                                                                4496 (rundll32.exe) 93
3496  cmd.exe                                                                   3692 (rundll32.exe) 100
3692  rundll32.exe                                                              4616 (cmd.exe)      101
4616  cmd.exe                                                                   4080 (PING.EXE)     103
(target process names are taken from the process tree below)
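The MBR signature above only records that two rundll32.exe instances opened \??\PHYSICALDRIVE0 for writing; it does not say what changed. The check a responder wants next is to read sector 0 of that disk and diff it against a known-good copy, which needs a parser for the MBR layout (440 bytes of boot code, a 4-byte disk signature, four 16-byte partition entries, and the 0x55AA boot signature). The following is an added example written for this page, not code from the report or from the sample: it parses a 512-byte sector, hashes the boot code, and reports which region differs. The two sectors it runs on are constructed for the demo; on a live host `read_physical_drive0()` reads the real sector (Windows only, administrator rights required).

```python
"""Parse a 512-byte MBR and diff it against a known-good copy.

Added example (not from the sandbox report). BASELINE and TAMPERED are
constructed sectors; read_physical_drive0() is the live-host variant.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440    # bootstrap code occupies bytes 0..439
DISK_SIG_OFF = 440     # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446   # four 16-byte partition entries
BOOT_SIG_OFF = 510     # 0x55 0xAA marks a valid boot sector
BOOT_SIG = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its fields; does not validate partition geometry."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % MBR_SIZE)
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": partitions,
        "valid_boot_signature": sector[BOOT_SIG_OFF:] == BOOT_SIG,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable findings; an empty list means no change."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["valid_boot_signature"]:
        findings.append("boot signature 55AA missing")
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("boot code modified")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    # The disk signature legitimately changes when Windows re-initialises a
    # disk, so it is reported separately rather than treated as tampering.
    if base["disk_signature"] != cur["disk_signature"]:
        findings.append("disk signature changed")
    return findings


def build_sector(boot_code: bytes, disk_sig: bytes, entries: list) -> bytes:
    """Assemble an MBR from its parts (used here to construct test data)."""
    assert len(boot_code) == BOOT_CODE_LEN and len(disk_sig) == 4
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    table = table.ljust(64, b"\x00")
    return boot_code + disk_sig + b"\x00\x00" + table + BOOT_SIG


# Constructed baseline: a stub of bootstrap code, one bootable NTFS (0x07)
# partition starting at LBA 2048 with 204800 sectors.
BASELINE = build_sector(
    b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 8),
    b"\x12\x34\x56\x78",
    [(0x80, 0x07, 2048, 204800)],
)

# Constructed "after" sector: the first 16 bytes of boot code are replaced,
# as a bootkit hooking the boot path would do; partition table untouched.
TAMPERED = b"\xeb\x10" + b"\x00" * 14 + BASELINE[16:]


def read_physical_drive0() -> bytes:
    """Read sector 0 of the first disk. Windows only, needs administrator."""
    with open(r"\\.\PhysicalDrive0", "rb") as disk:
        return disk.read(MBR_SIZE)


if __name__ == "__main__":
    print(parse_mbr(BASELINE))
    print(compare_mbr(BASELINE, TAMPERED))
```

To use this on an incident, capture the sector from a clean image of the same build as the baseline, run `compare_mbr(baseline, read_physical_drive0())` on the suspect host, and treat "boot code modified" or "partition table changed" as the bootkit indicator; "disk signature changed" alone is usually benign.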
Processes

[1] C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe  (PID 5808)
    command line: "C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 2500)
        command line: cmd.exe /c ping 127.0.0.1 -n 2&c:\iybjhu.exe "C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe"
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\PING.EXE  (PID 2992)
            command line: ping 127.0.0.1 -n 2
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

        [3] \??\c:\iybjhu.exe  (PID 3640)
            command line: c:\iybjhu.exe "C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe"
            (the dropped copy receives the original sample's path as its argument)
            - Deletes itself
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] \??\c:\windows\SysWOW64\rundll32.exe  (PID 4496)
                command line: c:\windows\system32\rundll32.exe "c:\dscxrd\ineiu.dll",GetWindowClass c:\iybjhu.exe
                (the command line names system32 but the image is the SysWOW64 copy: the 32-bit parent is subject to WoW64 file system redirection)
                - Blocklisted process makes network request
                - Loads dropped DLL
                - Adds Run key to start application
                - Enumerates connected drives
                - Writes to the Master Boot Record (MBR)
                - System Location Discovery: System Language Discovery
                - Checks processor information in registry
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\cmd.exe  (PID 3496)
    command line: C:\Windows\system32\cmd.exe /c c:\windows\SysWOW64\rundll32.exe "c:\dscxrd\ineiu.dll",GetWindowClass
    (this is the command recorded in the EvtMgr Run key above)
    - Suspicious use of WriteProcessMemory

    [2] \??\c:\windows\SysWOW64\rundll32.exe  (PID 3692)
        command line: c:\windows\SysWOW64\rundll32.exe "c:\dscxrd\ineiu.dll",GetWindowClass
        - Loads dropped DLL
        - Writes to the Master Boot Record (MBR)
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] \??\c:\windows\SysWOW64\cmd.exe  (PID 4616)
            command line: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "c:\dscxrd"
            (removes the directory holding ineiu.dll after a short ping delay)
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\PING.EXE  (PID 4080)
                command line: ping 127.0.0.1 -n 3
                - System Location Discovery: System Language Discovery
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe
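Both process chains use the same two tricks: `cmd /c ping 127.0.0.1 -n N & <action>` as a portable sleep so the parent can exit before the action (launch the dropped copy, or delete the DLL directory), and rundll32.exe loading a DLL from a non-system directory by a named export, with the same command stored in a Run key. The following is an added detection example written for this page, not code from the report or from the sample: it runs three rules over process-creation and registry events. The events are constructed from the command lines shown in the process tree above, in a Sysmon-like shape with field names chosen for this example, plus one benign rundll32 line added for contrast; `analyse()` returns the findings rather than printing them so they can be checked.

```python
"""Flag the delay-then-act and rundll32 patterns from the sandbox process tree.

Added example, not part of the report. EVENTS is constructed from the
command lines the report shows; field names and the benign control line
are assumptions of this example.
"""
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DELETE_VERBS = ("del ", "erase ", "rd ", "rmdir ")

# "ping 127.0.0.1 -n N & <action>": a ping against loopback is a sleep used
# so the parent can exit before the action (delete/launch) runs.
PING_DELAY_RE = re.compile(
    r"ping\s+(?:127\.0\.0\.1|localhost)\s+-n\s+\d+\s*(?:&&?|\|\|?)\s*(?P<action>.+)$",
    re.IGNORECASE,
)
# rundll32 <dll>,<export>; the DLL path may be quoted.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE,
)


def ping_delay_action(cmdline: str):
    """Return (kind, action) when a loopback ping delay precedes another command."""
    m = PING_DELAY_RE.search(cmdline)
    if not m:
        return None
    action = m.group("action").strip()
    kind = "delete" if action.lower().startswith(DELETE_VERBS) else "execute"
    return kind, action


def rundll32_target(cmdline: str):
    """Return (dll_path, export, in_system_dir) for a rundll32 command line, else None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    dll = m.group("dll").strip().lower()
    return dll, m.group("export"), dll.startswith(SYSTEM_DIRS)


def analyse(events: list) -> list:
    """Apply the three rules; each finding names the rule, the pid (if any) and a detail."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            hit = ping_delay_action(ev["cmdline"])
            if hit:
                findings.append({"rule": "ping_delay_" + hit[0], "pid": ev["pid"], "detail": hit[1]})
            hit = rundll32_target(ev["cmdline"])
            if hit and not hit[2]:
                findings.append({"rule": "rundll32_nonsystem_dll", "pid": ev["pid"],
                                 "detail": "%s,%s" % (hit[0], hit[1])})
        elif ev["type"] == "registry":
            # Run-key values get the same rundll32 check as command lines.
            hit = rundll32_target(ev["value"])
            if hit and not hit[2]:
                findings.append({"rule": "runkey_rundll32_nonsystem_dll", "pid": None,
                                 "detail": ev["key"]})
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe"

# Constructed from the report's process tree and Run-key signature.
EVENTS = [
    {"type": "process", "pid": 2500, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 2&c:\iybjhu.exe "%s"' % SAMPLE},
    {"type": "process", "pid": 4496, "image": r"c:\windows\SysWOW64\rundll32.exe",
     "cmdline": r'c:\windows\system32\rundll32.exe "c:\dscxrd\ineiu.dll",GetWindowClass c:\iybjhu.exe'},
    {"type": "process", "pid": 3692, "image": r"c:\windows\SysWOW64\rundll32.exe",
     "cmdline": r'c:\windows\SysWOW64\rundll32.exe "c:\dscxrd\ineiu.dll",GetWindowClass'},
    {"type": "process", "pid": 4616, "image": r"c:\windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "c:\dscxrd"'},
    # Benign control line (constructed, not from the report): a system DLL, must not fire.
    {"type": "process", "pid": 1234, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "registry",
     "key": r"HKU\S-1-5-21-3001560346-2020497773-4190896137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr",
     "value": r'c:\windows\SysWOW64\rundll32.exe "c:\dscxrd\ineiu.dll",GetWindowClass'},
]

if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f)
```

The system-directory allow-list is deliberately narrow: rundll32 launching a DLL from anywhere outside System32/SysWOW64 is rare enough on a workstation that the remaining false positives (installers, some vendor tools) are cheap to review, and the Run-key variant of the rule catches the persistence even when the original process events have rolled out of the log.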
Network

MITRE ATT&CK Enterprise v16
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1): Credentials from Web Browsers (1)
  Unsecured Credentials (1): Credentials In Files (1)
Downloads

Filesize: 94KB
MD5: 3d64bf93c2e3c30a5632431e9d7ce76f
SHA1: 80f2e1dc0439a6b971d27b58be76865b06e77cf7
SHA256: b5d6b7b601e826b3fccca926e986bae65bf8a4e7c547aa27c3fefe628ecc1f07
SHA512: 6f49b4c3413e2763b37f64b8e784d93ae00305c49e60bdfdcde2ed9be47ba8f38491d019a79fed404f721f2004641ca36b7d366d2867ef82bb61210e690acce6

Filesize: 46KB
MD5: a3fd41430ddcaa55fde840788925406a
SHA1: dbdd87f5c1bbf6a6f44c2e2c4744675d5e4e75c2
SHA256: f57f9e54f4774c2b944fb070ae0c2a02cbb4b7686ab3207544c3ccaff0ff3dd9
SHA512: 23109572cfc9a282ea3ec84d93bfe02303d27f365ad2d9f47f6234f91da14c64f80133cc5e49746dfcb65d2454b7e7c13eff59ba4bbc18e09d2fb1c630ba59c9