Malware Analysis Report

2025-08-05 14:43

Sample ID 250701-hrsrysgp3y
Target e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2
SHA256 e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2
Tags
bootkit discovery persistence spyware stealer
score
8/10

Analysis Overview

score
8/10

SHA256

e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2

Threat Level: Likely malicious

The file e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2 was found to be: Likely malicious. The behavioral run supports that verdict: the sample drops and executes c:\iybjhu.exe, which loads c:\dscxrd\ineiu.dll through rundll32.exe (export GetWindowClass), registers that rundll32 command line as the HKCU Run value EvtMgr (user-level persistence, no elevation required), opens \??\PHYSICALDRIVE0 for modification, probes nearly every drive letter from a: to z:, and connects directly, with no DNS lookup recorded, to 107.163.241.230:6520 and 107.163.241.234:12354. Static analysis found nothing beyond an unsigned PE. Two caveats for anyone reusing these findings: the MBR signature fires on the raw disk handle being opened for write access, so an actual sector-0 change should be confirmed by comparing it against a known-good copy; and the bing.com, bing.net and pki.goog connections are typical sandbox background traffic (Windows search and certificate revocation checks), not sample IOCs.

Malicious Activity Summary

bootkit discovery persistence spyware stealer

Blocklisted process makes network request

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Deletes itself

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Runs ping.exe

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-01 06:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-01 06:58

Reported

2025-07-01 07:01

Platform

win10v2004-20250610-en

Max time kernel

141s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\iybjhu.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\iybjhu.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\dscxrd\\ineiu.dll\",GetWindowClass" \??\c:\windows\SysWOW64\rundll32.exe N/A
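The Run value above is the whole persistence mechanism: a rundll32 command line pointing at a DLL in a single-level directory under the drive root, keyed under the interactive user's SID (HKCU), so no elevation is needed. The following is an added example, not part of the report or any tool behind it, of how a host-hunting script can parse Run-key values into host/DLL/export and flag the traits seen here. The EvtMgr row is transcribed from the report; the other two values and the TRUSTED_DLL_DIRS list are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# rundll32 invocation: host exe, DLL path (quoted or bare), export name, optional args.
RUNDLL32_RE = re.compile(
    r'(?i)^"?(?P<host>[^"]*?rundll32\.exe)"?\s+'
    r'"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)(?P<args>.*)$'
)

# Assumption: directories where an installed DLL is expected to live; extend for the estate.
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_rundll32(value: str) -> Optional[Dict[str, str]]:
    """Split a Run-key value into its rundll32 parts, or None if it is not a rundll32 command."""
    m = RUNDLL32_RE.match(value.strip())
    if not m:
        return None
    return {"host": m["host"], "dll": m["dll"], "export": m["export"], "args": m["args"].strip()}


def assess_run_value(value: str) -> List[str]:
    """Return the reasons a Run-key value deserves attention (empty list = nothing to flag)."""
    parsed = parse_rundll32(value)
    if parsed is None:
        return []
    dll = parsed["dll"].lower()
    reasons = ["rundll32 proxy execution via export %s" % parsed["export"]]
    if not dll.startswith(TRUSTED_DLL_DIRS):
        reasons.append("DLL outside trusted install directories: %s" % parsed["dll"])
    # <drive>:\<dir>\<file> is the throwaway layout droppers favour (c:\dscxrd\ineiu.dll).
    if re.match(r"^[a-z]:\\[^\\]+\\[^\\]+$", dll):
        reasons.append("DLL sits in a single-level directory under the drive root")
    return reasons


# (value name, value data). First row transcribed from the report; the rest are constructed.
SAMPLE_RUN_VALUES: List[Tuple[str, str]] = [
    ("EvtMgr", 'c:\\windows\\SysWOW64\\rundll32.exe "c:\\dscxrd\\ineiu.dll",GetWindowClass'),
    ("VendorUpdater", '"C:\\Program Files\\Vendor\\updater.exe" /background'),
    ("Helper", "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\system32\\helper.dll,Start"),
]


def scan_run_values(entries=SAMPLE_RUN_VALUES) -> Dict[str, List[str]]:
    """Map each flagged value name to its reasons; values with nothing to flag are omitted."""
    findings = {}
    for name, value in entries:
        reasons = assess_run_value(value)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan_run_values().items():
        print(name)
        for r in reasons:
            print("   -", r)
```

On a live host the value list would come from the Run keys under HKCU and HKLM (and their Wow6432Node copies); the rundll32 reason alone is low severity, which is why the constructed Helper entry is reported with one reason and EvtMgr with three.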

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A
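Opening \??\PHYSICALDRIVE0 for modification is necessary but not sufficient for an MBR overwrite, so the check a responder wants is a byte-level comparison of sector 0 against a known-good image. Below is an added example (not part of the report) that parses a 512-byte MBR, hashes the boot-code region, decodes the partition table, and reports which region differs between a baseline and a later capture. The sample sector and its tampered copy are constructed; read_mbr_windows shows the raw-device read but is not called here because it needs an elevated Windows session.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 446      # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446     # 4 x 16-byte partition entries
SIGNATURE_OFF = 510      # 0x55 0xAA


def parse_mbr(sector: bytes) -> Dict:
    """Decode signature, boot-code hash and non-empty partition entries from one sector."""
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_first, ptype, _chs_last, lba_first, n_sectors = struct.unpack_from(
            "<B3sB3sII", sector, off
        )
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_first": lba_first, "sectors": n_sectors})
    return {
        "valid_signature": sector[SIGNATURE_OFF:SECTOR] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def diff_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Name the MBR regions that changed between two captures of sector 0."""
    changed = []
    if baseline[:BOOT_CODE_LEN] != current[:BOOT_CODE_LEN]:
        changed.append("boot_code")
    if baseline[PART_TABLE_OFF:SIGNATURE_OFF] != current[PART_TABLE_OFF:SIGNATURE_OFF]:
        changed.append("partition_table")
    if baseline[SIGNATURE_OFF:] != current[SIGNATURE_OFF:]:
        changed.append("signature")
    return changed


def read_mbr_windows(drive: int = 0) -> bytes:
    """Read sector 0 of a physical disk on Windows (requires an elevated prompt)."""
    with open(r"\\.\PhysicalDrive%d" % drive, "rb") as fh:
        return fh.read(SECTOR)


def build_sample_mbr() -> bytes:
    """Constructed baseline: deterministic filler as boot code, one NTFS-type (0x07)
    partition at LBA 2048, valid 55AA signature."""
    code = bytes((i * 37) & 0xFF for i in range(BOOT_CODE_LEN))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + b"\x55\xaa"


def tamper_boot_code(sector: bytes) -> bytes:
    """Constructed 'after' image: the first 16 bytes of boot code replaced by a jump stub."""
    return b"\xeb\x0e" + b"\x90" * 14 + sector[16:]


if __name__ == "__main__":
    base = build_sample_mbr()
    print(parse_mbr(base))
    print("changed regions:", diff_mbr(base, tamper_boot_code(base)))
```

Record the boot-code hash from a clean image at build time; a changed hash with an unchanged partition table is the bootkit pattern, while a changed partition table with intact code usually means legitimate disk management.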

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\iybjhu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A \??\c:\windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe N/A
N/A N/A \??\c:\iybjhu.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5808 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe C:\Windows\SysWOW64\cmd.exe
PID 5808 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe C:\Windows\SysWOW64\cmd.exe
PID 5808 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2500 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2500 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2500 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\iybjhu.exe
PID 2500 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\iybjhu.exe
PID 2500 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\iybjhu.exe
PID 3640 wrote to memory of 4496 N/A \??\c:\iybjhu.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3640 wrote to memory of 4496 N/A \??\c:\iybjhu.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3640 wrote to memory of 4496 N/A \??\c:\iybjhu.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3496 wrote to memory of 3692 N/A C:\Windows\system32\cmd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3496 wrote to memory of 3692 N/A C:\Windows\system32\cmd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3496 wrote to memory of 3692 N/A C:\Windows\system32\cmd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3692 wrote to memory of 4616 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\cmd.exe
PID 3692 wrote to memory of 4616 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\cmd.exe
PID 3692 wrote to memory of 4616 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 4080 N/A \??\c:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4616 wrote to memory of 4080 N/A \??\c:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4616 wrote to memory of 4080 N/A \??\c:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe

"C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\iybjhu.exe "C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\iybjhu.exe

c:\iybjhu.exe "C:\Users\Admin\AppData\Local\Temp\e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\dscxrd\ineiu.dll",GetWindowClass c:\iybjhu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\SysWOW64\rundll32.exe "c:\dscxrd\ineiu.dll",GetWindowClass

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\SysWOW64\rundll32.exe "c:\dscxrd\ineiu.dll",GetWindowClass

\??\c:\windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "c:\dscxrd"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 3
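Two details in this process list carry most of the story. First, the sample never deletes or cleans up directly: every destructive step is run through cmd.exe behind a "ping 127.0.0.1 -n N &" delay (about N-1 seconds), which gives the parent time to exit before its file is touched. Second, rundll32.exe appears with a system32 command line but a SysWOW64 image path, which is WoW64 file-system redirection for a 32-bit parent rather than two different binaries. The block below is an added example, not part of the report, that rebuilds the parent/child tree from the PID pairs in the WriteProcessMemory rows and flags the ping-delay idiom, distinguishing delayed execution from delayed deletion. The process table is transcribed from the report; PID 3496 has no recorded parent on the page, so it becomes a second root.

```python
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "e414feba0b9c0ce6ae116e32e572ea04bb79cb0bcf8b8d91ad7fd3b16d443ce2.exe")
DLL = "c:\\dscxrd\\ineiu.dll"

# (pid, ppid, command line) transcribed from the report's Processes list and the
# PID pairs in its WriteProcessMemory rows; ppid is None where the report shows no parent.
PROCESSES: List[Tuple[int, Optional[int], str]] = [
    (5808, None, f'"{SAMPLE}"'),
    (2500, 5808, f'cmd.exe /c ping 127.0.0.1 -n 2&c:\\iybjhu.exe "{SAMPLE}"'),
    (2992, 2500, "ping 127.0.0.1 -n 2"),
    (3640, 2500, f'c:\\iybjhu.exe "{SAMPLE}"'),
    (4496, 3640, f'c:\\windows\\system32\\rundll32.exe "{DLL}",GetWindowClass c:\\iybjhu.exe'),
    (3496, None, f'C:\\Windows\\system32\\cmd.exe /c c:\\windows\\SysWOW64\\rundll32.exe "{DLL}",GetWindowClass'),
    (3692, 3496, f'c:\\windows\\SysWOW64\\rundll32.exe "{DLL}",GetWindowClass'),
    (4616, 3692, 'cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "c:\\dscxrd"'),
    (4080, 4616, "ping 127.0.0.1 -n 3"),
]

# "ping 127.0.0.1 -n N & <next>": ping waits roughly N-1 seconds, then cmd runs <next>.
PING_DELAY_RE = re.compile(r"(?i)ping\s+127\.0\.0\.1\s+-n\s+(?P<count>\d+)\s*&\s*(?P<next>.+)$")
DELETE_VERBS = {"del", "erase", "rd", "rmdir"}


def classify_delay(cmdline: str) -> Optional[Dict]:
    """Recognise the ping-delay idiom and say whether it delays an execution or a deletion."""
    m = PING_DELAY_RE.search(cmdline)
    if not m:
        return None
    nxt = m["next"].strip()
    verb = nxt.split()[0].lower()
    return {
        "delay_s": int(m["count"]) - 1,
        "action": "delete" if verb in DELETE_VERBS else "execute",
        "command": nxt,
    }


def find_delay_chains(procs=PROCESSES) -> List[Dict]:
    """Every process using the ping-delay idiom, with the command line of its parent."""
    cmd_by_pid = {pid: cmd for pid, _, cmd in procs}
    hits = []
    for pid, ppid, cmd in procs:
        info = classify_delay(cmd)
        if info:
            info.update(pid=pid, parent_cmd=cmd_by_pid.get(ppid))
            hits.append(info)
    return hits


def render_tree(procs=PROCESSES, width: int = 72) -> str:
    """Indented parent/child view; processes without a recorded parent become roots."""
    children: Dict[Optional[int], List[int]] = {}
    cmd_by_pid: Dict[int, str] = {}
    for pid, ppid, cmd in procs:
        children.setdefault(ppid, []).append(pid)
        cmd_by_pid[pid] = cmd
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{pid}: {cmd_by_pid[pid][:width]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in children.get(None, []):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree())
    for hit in find_delay_chains():
        print(f"pid {hit['pid']}: waits ~{hit['delay_s']}s then {hit['action']}s -> {hit['command']}")
```

The same two functions work on Sysmon event 1 or EDR process-creation data once the (pid, ppid, command line) tuples are pulled from it; the ping-delay regex is the piece worth turning into a detection rule, since "cmd.exe /c ping 127.0.0.1 -n N & rd|del ..." has almost no benign use on a workstation.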

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 107.163.241.230:6520 tcp
US 107.163.241.234:12354 tcp
US 107.163.241.234:12354 tcp
US 107.163.241.234:12354 tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
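The table mixes sample traffic with sandbox background noise, and the split is visible in the Domain column: the Bing and pki.goog rows were preceded by a DNS lookup, while the 107.163.241.x connections went straight to an IP on a non-standard port with no name resolution at all. The following added example, not part of the report, parses the rows above and buckets them into DNS, background, and candidate C2, counting repeats per endpoint. The rows are transcribed from the report; the background-domain suffix list is an assumption to tune for the sandbox image in use.

```python
from collections import Counter
from typing import Dict, List, Optional

# Rows transcribed from the report's Network table ("Country Destination Domain Proto");
# the Domain column is empty for direct-to-IP connections.
NETWORK_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 107.163.241.230:6520 tcp
US 107.163.241.234:12354 tcp
US 107.163.241.234:12354 tcp
US 107.163.241.234:12354 tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
US 107.163.241.230:6520 tcp
"""

# Assumption: domains the sandbox image contacts on its own (Windows search, Google CRL/OCSP).
BACKGROUND_DOMAIN_SUFFIXES = (".bing.com", ".bing.net", ".pki.goog")


def parse_rows(text: str) -> List[Dict]:
    """Turn the flattened table into dicts; a 3-token row has no resolved domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        domain: Optional[str]
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def triage(rows: List[Dict]) -> Dict[str, Counter]:
    """Bucket connections: DNS queries, allowlisted background, direct-to-IP on odd ports, rest."""
    buckets = {"dns": Counter(), "background": Counter(), "candidate_c2": Counter(), "other": Counter()}
    for r in rows:
        endpoint = (r["ip"], r["port"])
        if r["port"] == 53 and r["proto"] == "udp":
            buckets["dns"][r["domain"]] += 1
        elif r["domain"] and r["domain"].endswith(BACKGROUND_DOMAIN_SUFFIXES):
            buckets["background"][endpoint] += 1
        elif r["domain"] is None and r["port"] not in (80, 443):
            buckets["candidate_c2"][endpoint] += 1
        else:
            buckets["other"][endpoint] += 1
    return buckets


def network_iocs(buckets: Dict[str, Counter]) -> List[str]:
    """ip:port strings for the candidate C2 endpoints, most-contacted first."""
    return [f"{ip}:{port}" for (ip, port), _ in buckets["candidate_c2"].most_common()]


if __name__ == "__main__":
    b = triage(parse_rows(NETWORK_ROWS))
    for name, counter in b.items():
        print(name, dict(counter))
    print("IOCs:", network_iocs(b))
```

Anything that lands in "other" (a resolved domain on a non-web port, or a direct-to-IP connection on 80/443) needs a manual look rather than an automatic verdict; here that bucket is empty, and the repeat counts (eleven attempts to :6520, three to :12354) are themselves a useful signal of a beaconing loop during the 142-second run.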

Files

memory/5808-0-0x0000000000400000-0x000000000041A000-memory.dmp

memory/5808-2-0x0000000000400000-0x000000000041A000-memory.dmp

C:\iybjhu.exe

MD5 3d64bf93c2e3c30a5632431e9d7ce76f
SHA1 80f2e1dc0439a6b971d27b58be76865b06e77cf7
SHA256 b5d6b7b601e826b3fccca926e986bae65bf8a4e7c547aa27c3fefe628ecc1f07
SHA512 6f49b4c3413e2763b37f64b8e784d93ae00305c49e60bdfdcde2ed9be47ba8f38491d019a79fed404f721f2004641ca36b7d366d2867ef82bb61210e690acce6

memory/3640-7-0x0000000000400000-0x000000000041A000-memory.dmp

\??\c:\dscxrd\ineiu.dll

MD5 a3fd41430ddcaa55fde840788925406a
SHA1 dbdd87f5c1bbf6a6f44c2e2c4744675d5e4e75c2
SHA256 f57f9e54f4774c2b944fb070ae0c2a02cbb4b7686ab3207544c3ccaff0ff3dd9
SHA512 23109572cfc9a282ea3ec84d93bfe02303d27f365ad2d9f47f6234f91da14c64f80133cc5e49746dfcb65d2454b7e7c13eff59ba4bbc18e09d2fb1c630ba59c9

memory/4496-10-0x0000000010000000-0x000000001002E000-memory.dmp

memory/4496-11-0x0000000010001000-0x000000001001E000-memory.dmp

memory/3692-13-0x0000000010000000-0x000000001002E000-memory.dmp

memory/4496-14-0x0000000010000000-0x000000001002E000-memory.dmp

memory/4496-15-0x0000000010001000-0x000000001001E000-memory.dmp