Analysis Overview
SHA256
80e2df590d1c70b51f74e359dfae5d20bfd65d7c47f1e1bf3641fa5981ed7a3b
Threat Level: Shows suspicious behavior
The file VirusShare-0108f1f306b06689b0b60600ace91a18 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Adds Run key to start application
Installs/modifies Browser Helper Object
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies Internet Explorer start page
Modifies registry class
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-02 23:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-02 23:14
Reported
2024-02-02 23:17
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
157s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1380 wrote to memory of 4372 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1380 wrote to memory of 4372 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1380 wrote to memory of 4372 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\VirusShare-0108f1f306b06689b0b60600ace91a18.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\VirusShare-0108f1f306b06689b0b60600ace91a18.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xml.windows-data.info | udp |
| US | 8.8.8.8:53 | directx.ak47.be | udp |
| US | 8.8.8.8:53 | online.refer.cn | udp |
| US | 8.8.8.8:53 | global.look-up.tv | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.246.116.51.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-02 23:14
Reported
2024-02-02 23:17
Platform
win7-20231215-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sp = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\se.dll,DllInstall" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4FAEE92-DB49-4891-BC5A-09BD9E221CDE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Use Custom Search URL = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\New Windows | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Search Bar = "res://C:\\Users\\Admin\\AppData\\Local\\Temp\\se.dll/space.html" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\HOMEOldSP = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Bar = "res://C:\\Users\\Admin\\AppData\\Local\\Temp\\se.dll/space.html" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Search | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Search | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\New Windows\PopupMgr = "no" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\New Windows | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\New Windows\PopupMgr = "no" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Use Search Asst = "no" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Use Custom Search URL = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Search\SearchAssistant = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\HOMEOldSP = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "no" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "about:blank" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17628B2B-D418-4DFC-875A-CB48BB509145}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17628B2B-D418-4DFC-875A-CB48BB509145}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4FAEE92-DB49-4891-BC5A-09BD9E221CDE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4FAEE92-DB49-4891-BC5A-09BD9E221CDE}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17628B2B-D418-4DFC-875A-CB48BB509145} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{17628B2B-D418-4DFC-875A-CB48BB509145}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VirusShare-0108f1f306b06689b0b60600ace91a18.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\CLSID = "{17628B2B-D418-4DFC-875A-CB48BB509145}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain\CLSID = "{17628B2B-D418-4DFC-875A-CB48BB509145}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4FAEE92-DB49-4891-BC5A-09BD9E221CDE}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4FAEE92-DB49-4891-BC5A-09BD9E221CDE}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VirusShare-0108f1f306b06689b0b60600ace91a18.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\VirusShare-0108f1f306b06689b0b60600ace91a18.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\VirusShare-0108f1f306b06689b0b60600ace91a18.dll
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\se.dll,DllInstall
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | global.look-up.tv | udp |
| US | 8.8.8.8:53 | xml.windows-data.info | udp |
| US | 8.8.8.8:53 | directx.ak47.be | udp |
| US | 8.8.8.8:53 | online.refer.cn | udp |
Files
C:\Users\Admin\AppData\Local\Temp\se.dll
| MD5 | 27b7a22cbcc376a2c406c0f592e82d9f |
| SHA1 | bf219f26fbe16eb93fab9560813b8f4a7c980f1a |
| SHA256 | 26aa0e25a7142e86924c15aaf9aa4b8cee65d1f7c750a985ea92678367a9723a |
| SHA512 | 0babe3e2fafeb270e27e1cc9e69d59bad1a3463696f5deec28f898c6f0561e3f38881385036fd7ed118ce0fae9528bf4a6e23c0bb1b04311740e4eaebda0f219 |