Analysis
max time kernel: 118s
max time network: 139s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 02/02/2024, 22:04
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: VirusShare-001276b49b0739578e6cc73f468d80ad.dll
  Resource: win7-20231215-en
  3 signatures, 150 seconds
General
Target: VirusShare-001276b49b0739578e6cc73f468d80ad.dll
Size: 607KB
MD5: 001276b49b0739578e6cc73f468d80ad
SHA1: 3c9c2db47831475e0511a9427cd9ff4624b346a8
SHA256: 4988a6a6477d916416988c65fd126f229ce8fbaaa771269dfdf5f53d0884b877
SHA512: 91b8a1a58d18cc98fd4011affcf1dfb4a624e8e8477e7dbc8ce08a4146b99160a19f54b7dc8678e66717862b67f83bdb78269924ef2fec767b8a94a250647fda
SSDEEP: 12288:SpIt9HX65cspWkY5DARyLuaIg3Qaoqrdns+IcQz0o/:SetFXsoB7LGnaoqrbIcQz0o
Malware Config
Signatures

Installs/modifies Browser Helper Object (2 TTPs, 1 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CC01FC6C-A5FB-BF23-8223-C45B2B8BC6A6} | regsvr32.exe

Modifies registry class (11 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-A5FB-BF23-8223-C45B2B8BC6A6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VirusShare-001276b49b0739578e6cc73f468d80ad.dll" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VirusShare-001276b49b0739578e6cc73f468d80ad.iwc | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VirusShare-001276b49b0739578e6cc73f468d80ad.iwc\Clsid | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-A5FB-BF23-8223-C45B2B8BC6A6}\ProgID\ = "VirusShare-001276b49b0739578e6cc73f468d80ad.iwc" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-A5FB-BF23-8223-C45B2B8BC6A6}\InprocServer32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-A5FB-BF23-8223-C45B2B8BC6A6}\ = "iwc" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-A5FB-BF23-8223-C45B2B8BC6A6}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VirusShare-001276b49b0739578e6cc73f468d80ad.iwc\ = "iwc" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VirusShare-001276b49b0739578e6cc73f468d80ad.iwc\Clsid\ = "{CC01FC6C-A5FB-BF23-8223-C45B2B8BC6A6}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-A5FB-BF23-8223-C45B2B8BC6A6}\ProgID | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC01FC6C-A5FB-BF23-8223-C45B2B8BC6A6} | regsvr32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | process | procid_target
  PID 1984 wrote to memory of 3064 | 1984 | regsvr32.exe | 27
  PID 1984 wrote to memory of 3064 | 1984 | regsvr32.exe | 27
  PID 1984 wrote to memory of 3064 | 1984 | regsvr32.exe | 27
  PID 1984 wrote to memory of 3064 | 1984 | regsvr32.exe | 27
  PID 1984 wrote to memory of 3064 | 1984 | regsvr32.exe | 27
  PID 1984 wrote to memory of 3064 | 1984 | regsvr32.exe | 27
  PID 1984 wrote to memory of 3064 | 1984 | regsvr32.exe | 27
Processes

C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\VirusShare-001276b49b0739578e6cc73f468d80ad.dll
  PID: 1984
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\regsvr32.exe (nested under the process above)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\VirusShare-001276b49b0739578e6cc73f468d80ad.dll
    PID: 3064
    - Installs/modifies Browser Helper Object
    - Modifies registry class