Malware Analysis Report

2025-08-10 22:23

Sample ID 240202-28aggsdehr
Target VirusShare-0108f1f306b06689b0b60600ace91a18
SHA256 80e2df590d1c70b51f74e359dfae5d20bfd65d7c47f1e1bf3641fa5981ed7a3b
Tags
adware persistence stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

80e2df590d1c70b51f74e359dfae5d20bfd65d7c47f1e1bf3641fa5981ed7a3b

Threat Level: Shows suspicious behavior

The file VirusShare-0108f1f306b06689b0b60600ace91a18 was found to show suspicious behavior.

Malicious Activity Summary

adware persistence stealer

Loads dropped DLL

Adds Run key to start application

Installs/modifies Browser Helper Object

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies Internet Explorer start page

Modifies registry class

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-02 23:14

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-02 23:14

Reported

2024-02-02 23:17

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

157s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\VirusShare-0108f1f306b06689b0b60600ace91a18.dll

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1380 wrote to memory of 4372 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1380 wrote to memory of 4372 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1380 wrote to memory of 4372 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\VirusShare-0108f1f306b06689b0b60600ace91a18.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\VirusShare-0108f1f306b06689b0b60600ace91a18.dll

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | xml.windows-data.info | udp
US | 8.8.8.8:53 | directx.ak47.be | udp
US | 8.8.8.8:53 | online.refer.cn | udp
US | 8.8.8.8:53 | global.look-up.tv | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.246.116.51.in-addr.arpa | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-02 23:14

Reported

2024-02-02 23:17

Platform

win7-20231215-en

Max time kernel

150s

Max time network

127s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\VirusShare-0108f1f306b06689b0b60600ace91a18.dll

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sp = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\se.dll,DllInstall" | C:\Windows\SysWOW64\rundll32.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4FAEE92-DB49-4891-BC5A-09BD9E221CDE} | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Use Custom Search URL = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\New Windows | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Search Bar = "res://C:\\Users\\Admin\\AppData\\Local\\Temp\\se.dll/space.html" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\HOMEOldSP = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Bar = "res://C:\\Users\\Admin\\AppData\\Local\\Temp\\se.dll/space.html" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Search | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Search | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\New Windows\PopupMgr = "no" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\New Windows | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\New Windows\PopupMgr = "no" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Use Search Asst = "no" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Use Custom Search URL = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Search\SearchAssistant = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\HOMEOldSP = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "no" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies Internet Explorer start page

stealer
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17628B2B-D418-4DFC-875A-CB48BB509145}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17628B2B-D418-4DFC-875A-CB48BB509145}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4FAEE92-DB49-4891-BC5A-09BD9E221CDE} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4FAEE92-DB49-4891-BC5A-09BD9E221CDE}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17628B2B-D418-4DFC-875A-CB48BB509145} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17628B2B-D418-4DFC-875A-CB48BB509145}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VirusShare-0108f1f306b06689b0b60600ace91a18.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\CLSID = "{17628B2B-D418-4DFC-875A-CB48BB509145}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain\CLSID = "{17628B2B-D418-4DFC-875A-CB48BB509145}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4FAEE92-DB49-4891-BC5A-09BD9E221CDE}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4FAEE92-DB49-4891-BC5A-09BD9E221CDE}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VirusShare-0108f1f306b06689b0b60600ace91a18.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2336 wrote to memory of 1068 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2336 wrote to memory of 1068 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2336 wrote to memory of 1068 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2336 wrote to memory of 1068 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2336 wrote to memory of 1068 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2336 wrote to memory of 1068 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2336 wrote to memory of 1068 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1068 wrote to memory of 1892 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1068 wrote to memory of 1892 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1068 wrote to memory of 1892 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1068 wrote to memory of 1892 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1068 wrote to memory of 1892 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1068 wrote to memory of 1892 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1068 wrote to memory of 1892 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\VirusShare-0108f1f306b06689b0b60600ace91a18.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\VirusShare-0108f1f306b06689b0b60600ace91a18.dll

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\se.dll,DllInstall

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | global.look-up.tv | udp
US | 8.8.8.8:53 | xml.windows-data.info | udp
US | 8.8.8.8:53 | directx.ak47.be | udp
US | 8.8.8.8:53 | online.refer.cn | udp

Files

C:\Users\Admin\AppData\Local\Temp\se.dll

MD5 27b7a22cbcc376a2c406c0f592e82d9f
SHA1 bf219f26fbe16eb93fab9560813b8f4a7c980f1a
SHA256 26aa0e25a7142e86924c15aaf9aa4b8cee65d1f7c750a985ea92678367a9723a
SHA512 0babe3e2fafeb270e27e1cc9e69d59bad1a3463696f5deec28f898c6f0561e3f38881385036fd7ed118ce0fae9528bf4a6e23c0bb1b04311740e4eaebda0f219