Overview (score 10)
Static (score 10)

Sample                    Platform              Score
VirusShare...12.exe       windows7-x64          9
VirusShare...12.exe       windows10-2004-x64    9
$PLUGINSDI...em.dll       windows7-x64          3
$PLUGINSDI...em.dll       windows10-2004-x64    3
$SYSDIR/$_1_.exe          windows7-x64          7
$SYSDIR/$_1_.exe          windows10-2004-x64    7
$PLUGINSDI...ns.dll       windows7-x64          3
$PLUGINSDI...ns.dll       windows10-2004-x64    3
$PLUGINSDI...em.dll       windows7-x64          3
$PLUGINSDI...em.dll       windows10-2004-x64    3
$_5_.dll                  windows7-x64          9
$_5_.dll                  windows10-2004-x64    9

Analysis
max time kernel: 142s
max time network: 148s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 02/02/2024, 22:55
Behavioral tasks
Task           Sample                                             Resource
behavioral1    VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe    win7-20231215-en
behavioral2    VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe    win10v2004-20231215-en
behavioral3    $PLUGINSDIR/System.dll                             win7-20231215-en
behavioral4    $PLUGINSDIR/System.dll                             win10v2004-20231222-en
behavioral5    $SYSDIR/$_1_.exe                                   win7-20231215-en
behavioral6    $SYSDIR/$_1_.exe                                   win10v2004-20231215-en
behavioral7    $PLUGINSDIR/InstallOptions.dll                     win7-20231129-en
behavioral8    $PLUGINSDIR/InstallOptions.dll                     win10v2004-20231215-en
behavioral9    $PLUGINSDIR/System.dll                             win7-20231215-en
behavioral10   $PLUGINSDIR/System.dll                             win10v2004-20231222-en
behavioral11   $_5_.dll                                           win7-20231215-en
behavioral12   $_5_.dll                                           win10v2004-20231215-en
General
Target: $_5_.dll
Size: 282KB
MD5: 3f2d4a9f33af3e0d07158391f141fbac
SHA1: 49cafcca1de589fcf2906abf4d39769f36cd6e30
SHA256: 4af4544a7186f81c4a0b6a77eb25540824ab261bd75db18874003498a04edaa8
SHA512: 597896131750dd276d4d2c5ec84dffdad0d5c65507a18fd616ce841bb8ee3ec7ffcf27698b4f419a89d1805b796c675698945186202958edb977aadaf20a0650
SSDEEP: 6144:N1t6YbbVlodjTzW19I/4GJJ7ZFHEIFlN5GrT5a/q1hv4cbaiEjC2:N1tVbRqdLIIPJJ7wIFlN5GZOqv4cbXUV
Malware Config
Signatures
UPX dump on OEP (original entry point) 8 IoCs
Each memory dump below matches both the UPX and the upx yara rules; all eight dumps cover the same 0x406E0000-0x407A0000 region of PID 1900 (the SysWOW64 regsvr32.exe that loaded $_5_.dll).
resource                                                                       yara_rule
behavioral11/memory/1900-0-0x00000000406E0000-0x00000000407A0000-memory.dmp    UPX, upx
behavioral11/memory/1900-2-0x00000000406E0000-0x00000000407A0000-memory.dmp    UPX, upx
behavioral11/memory/1900-6-0x00000000406E0000-0x00000000407A0000-memory.dmp    UPX, upx
behavioral11/memory/1900-7-0x00000000406E0000-0x00000000407A0000-memory.dmp    UPX, upx
behavioral11/memory/1900-440-0x00000000406E0000-0x00000000407A0000-memory.dmp  UPX, upx
behavioral11/memory/1900-442-0x00000000406E0000-0x00000000407A0000-memory.dmp  UPX, upx
behavioral11/memory/1900-444-0x00000000406E0000-0x00000000407A0000-memory.dmp  UPX, upx
behavioral11/memory/1900-445-0x00000000406E0000-0x00000000407A0000-memory.dmp  UPX, upx
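The UPX hits above come from YARA run over memory dumps taken at the original entry point. The following is an added example, not code from the sandbox vendor or from the sample, showing the cheaper static check a triager runs on the file itself: parse the PE section table and flag UPX0/UPX1/UPX2 section names or a section whose byte entropy is near 8 bits. The PE images are constructed fixtures built by build_pe (a helper written for this example); they are parseable but not loadable, and the 7.0 entropy threshold and 256-byte minimum are assumptions, not published values.

```python
"""Added example: static UPX triage over a PE section table.
Fixtures are constructed in-line; no real binary is read."""
import math
import struct
from collections import Counter

UPX_SECTION_NAMES = {'UPX0', 'UPX1', 'UPX2'}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant data) to 8.0 (uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk MZ -> e_lfanew -> COFF header -> section table; return [(name, raw_bytes)]."""
    if pe[:2] != b'MZ':
        raise ValueError('not an MZ image')
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    coff = e_lfanew + 4
    num_sections = struct.unpack_from('<H', pe, coff + 2)[0]   # COFF.NumberOfSections
    opt_size = struct.unpack_from('<H', pe, coff + 16)[0]      # COFF.SizeOfOptionalHeader
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i              # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b'\0').decode('ascii', 'replace')
        raw_size, raw_ptr = struct.unpack_from('<II', pe, hdr + 16)   # SizeOfRawData, PointerToRawData
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def upx_indicators(pe: bytes, entropy_threshold: float = 7.0, min_size: int = 256) -> dict:
    """Name-based and entropy-based UPX signals; 'packed' is true if either fires.
    Threshold and minimum size are assumed triage defaults, not published values."""
    sections = parse_sections(pe)
    names = sorted({n for n, _ in sections} & UPX_SECTION_NAMES)
    hot = [n for n, d in sections if len(d) >= min_size and shannon_entropy(d) >= entropy_threshold]
    return {'upx_section_names': names, 'high_entropy_sections': hot, 'packed': bool(names or hot)}


def build_pe(sections) -> bytes:
    """Constructed fixture: minimal MZ/PE with a COFF header, no optional header,
    and the given [(name, raw_bytes)] section table. Parseable, not loadable."""
    e_lfanew = 0x40
    data_off = e_lfanew + 4 + 20 + 40 * len(sections)   # raw data starts right after the table
    headers, blobs = bytearray(), bytearray()
    for name, blob in sections:
        headers += name.encode('ascii').ljust(8, b'\0')[:8]
        headers += struct.pack('<IIII', len(blob), 0x1000, len(blob), data_off + len(blobs))
        headers += bytes(16)              # relocs / line numbers / characteristics: unused here
        blobs += blob
    dos = b'MZ' + bytes(0x3C - 2) + struct.pack('<I', e_lfanew)
    coff = struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    return bytes(dos + b'PE\0\0' + coff + headers + blobs)


# Constructed fixtures: a UPX-style layout and a plain one.
SAMPLE_UPX_IMAGE = build_pe([
    ('UPX0', b''),                       # reserved for the unpacked image, no raw data on disk
    ('UPX1', bytes(range(256)) * 4),     # stand-in for compressed data: uniform bytes, entropy 8.0
    ('.rsrc', b'RSRC' * 64),
])
SAMPLE_PLAIN_IMAGE = build_pe([
    ('.text', b'\x90' * 1024),
    ('.data', b'\0' * 512),
])

if __name__ == '__main__':
    print(upx_indicators(SAMPLE_UPX_IMAGE))
    print(upx_indicators(SAMPLE_PLAIN_IMAGE))
```

Section names are trivial to rename, so the entropy signal is the one that survives a repacked or renamed stub; the memory-dump YARA match in the report is stronger still because it fires on the unpacked code regardless of how the file looks on disk.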
Adds Run key to start application 2 TTPs 1 IoCs
description       ioc                                                                                                                                                                                        Process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vvuprnlnmb = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\$_5_.dll\""    regsvr32.exe
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description       ioc                                                                                                                                        Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C}                    regsvr32.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C}\NoExplorer = "1"   regsvr32.exe
Maps connected drives based on registry 3 TTPs 3 IoCs
Disk information is often read in order to detect sandboxing environments.
description         ioc                                                               Process
Key created         \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum         regsvr32.exe
Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count   regsvr32.exe
Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0       regsvr32.exe
Modifies Internet Explorer settings 27 IoCs
All keys below are relative to \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer. These are ordinary browser housekeeping writes made by iexplore.exe itself when it starts, not writes by the sample; they are listed because the BHO was loaded into that browser.
description       ioc                                                              Process
Key created       Main\WindowsSearch                                               iexplore.exe
Set value (int)   Recovery\PendingRecovery\AdminActive = "0"                       iexplore.exe
Key created       Main                                                             iexplore.exe
Key created       IETld\LowMic                                                     iexplore.exe
Key created       Toolbar                                                          iexplore.exe
Key created       Recovery\PendingRecovery                                         iexplore.exe
Key created       BrowserEmulation\LowMic                                          iexplore.exe
Key created       InternetRegistry                                                 iexplore.exe
Set value (str)   Main\FullScreen = "no"                                           iexplore.exe
Key created       GPU                                                              iexplore.exe
Key created       DomainSuggestion                                                 iexplore.exe
Key created       Zoom                                                             iexplore.exe
Key created       IntelliForms                                                     iexplore.exe
Set value (int)   Recovery\PendingRecovery\AdminActive = "1"                       iexplore.exe
Key created       Main                                                             IEXPLORE.EXE
Key created       LowRegistry\DOMStorage                                           iexplore.exe
Set value (int)   Recovery\AdminActive\{3EE0F651-C21E-11EE-ACBB-46FAA8558A22} = "0"   iexplore.exe
Set value (str)   Main\WindowsSearch\Version = "WS not running"                    iexplore.exe
Key created       Recovery\AdminActive                                             iexplore.exe
Set value (int)   DomainSuggestion\NextUpdateDate = "413076439"                    iexplore.exe
Key created       Toolbar\WebBrowser                                               iexplore.exe
Set value (int)   Main\CompatibilityFlags = "0"                                    iexplore.exe
Key created       MINIE                                                            iexplore.exe
Set value (int)   MINIE\TabBandWidth = "500"                                       iexplore.exe
Key created       LowRegistry                                                      iexplore.exe
Key created       LowRegistry\DontShowMeThisDialogAgain                            iexplore.exe
Key created       PageSetup                                                        iexplore.exe
Modifies registry class 5 IoCs
description       ioc                                                                                                                                                  Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C}                                                           regsvr32.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C}\ = "revenuestreaming browser enhancer"                    regsvr32.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C}\InProcServer32                                            regsvr32.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C}\InProcServer32\ThreadingModel = "Apartment"               regsvr32.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_5_.dll"   regsvr32.exe
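The Run key, the BHO registration and the CLSID entries above are three views of one persistence mechanism: the Run value re-registers the DLL on every logon, and the BHO CLSID points through InProcServer32 at the same file in the user's Temp directory. The following is an added example, not code from the sandbox vendor or from the sample, that correlates registry events of the shape shown above into findings. The first three sample events are copied from the report; the two msiexec.exe events are a made-up benign control (invented CLSID and path) to show what is not flagged. The list of user-writable directories is an assumed triage heuristic, and the parser only understands the report's own text format.

```python
"""Added example: correlate registry IoCs into persistence findings.
Checks (1) a Run value that re-registers a DLL via regsvr32 and (2) a BHO CLSID whose
InProcServer32 resolves to a DLL in a user-writable directory. Event lines are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed events in the report's "<op> <key>[ = "<value>"] <process>" shape.
# First three copied from the report above; last two are an invented benign control.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vvuprnlnmb = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\$_5_.dll\"" regsvr32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C} regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_5_.dll" regsvr32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555} msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32\ = "C:\\Program Files (x86)\\Vendor\\helper.dll" msiexec.exe',
]

EVENT_RE = re.compile(
    r'^(?P<op>Key created|Set value \(\w+\)) (?P<key>.+?)'
    r'(?: = "(?P<val>.*)")? (?P<proc>\S+)$'
)
GUID = r'\{[0-9A-Fa-f-]{36}\}'
BHO_KEY_RE = re.compile(r'\\Browser Helper Objects\\(' + GUID + r')$', re.I)
INPROC_RE = re.compile(r'\\CLSID\\(' + GUID + r')\\InProcServer32\\?$', re.I)
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run\\([^\\]+)$', re.I)
# Assumed heuristic: a COM server or autorun target living where an unprivileged
# user can write is a stronger signal than the registry write on its own.
USER_WRITABLE_RE = re.compile(r'\\(AppData|Temp|ProgramData|Users\\Public)\\', re.I)


@dataclass(frozen=True)
class Event:
    op: str
    key: str
    value: Optional[str]
    proc: str


def parse_event(line: str) -> Event:
    """Parse one report-style line; values are unescaped (\" -> ", \\ -> \)."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f'unparsable event: {line!r}')
    val = m.group('val')
    if val is not None:
        val = val.replace('\\"', '"').replace('\\\\', '\\')
    return Event(m.group('op'), m.group('key'), val, m.group('proc'))


def dll_from_regsvr32_command(cmd: str) -> Optional[str]:
    """DLL path from 'regsvr32.exe /s "path"' (quoted or bare); None if not regsvr32."""
    if 'regsvr32' not in cmd.lower():
        return None
    quoted = [q for q in re.findall(r'"([^"]+)"', cmd) if not q.lower().endswith('regsvr32.exe')]
    if quoted:
        return quoted[-1]
    tokens = [t for t in cmd.split() if not t.startswith('/')]
    return tokens[-1] if len(tokens) > 1 else None


def analyze(lines) -> list:
    """Return findings as dicts; Run-key hits first, then BHO/CLSID correlations."""
    events = [parse_event(l) for l in lines]
    findings, inproc, bho_clsids = [], {}, {}
    for e in events:
        m = INPROC_RE.search(e.key)
        if m and e.value is not None:
            inproc[m.group(1).upper()] = e.value
        m = BHO_KEY_RE.search(e.key)
        if m:
            bho_clsids[m.group(1).upper()] = e.proc
        m = RUN_KEY_RE.search(e.key)
        if m and e.value is not None:
            dll = dll_from_regsvr32_command(e.value)
            if dll and USER_WRITABLE_RE.search(dll):
                findings.append({'type': 'run_key_regsvr32', 'name': m.group(1), 'dll': dll, 'proc': e.proc})
    for clsid, proc in bho_clsids.items():        # join BHO list against CLSID -> InProcServer32
        path = inproc.get(clsid)
        if path and USER_WRITABLE_RE.search(path):
            findings.append({'type': 'bho_user_writable', 'clsid': clsid, 'dll': path, 'proc': proc})
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

The join step matters more than either rule alone: a BHO key by itself is normal for toolbars and PDF plugins, and a Run value calling regsvr32 is occasionally legitimate, but a BHO whose server DLL sits in %TEMP% and is re-registered at every logon is the pattern this report shows. On a live host the same logic applies to Sysmon Event ID 12/13 or to a direct walk of the Browser Helper Objects and CLSID keys.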
Suspicious use of FindShellTrayWindow 1 IoCs
pid    Process
2332   iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs
pid    Process
2332   iexplore.exe
2332   iexplore.exe
2396   IEXPLORE.EXE
2396   IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs
description                          pid    Process        procid_target
PID 2056 wrote to memory of 1900     2056   regsvr32.exe   28
PID 2056 wrote to memory of 1900     2056   regsvr32.exe   28
PID 2056 wrote to memory of 1900     2056   regsvr32.exe   28
PID 2056 wrote to memory of 1900     2056   regsvr32.exe   28
PID 2056 wrote to memory of 1900     2056   regsvr32.exe   28
PID 2056 wrote to memory of 1900     2056   regsvr32.exe   28
PID 2056 wrote to memory of 1900     2056   regsvr32.exe   28
PID 2332 wrote to memory of 2396     2332   iexplore.exe   30
PID 2332 wrote to memory of 2396     2332   iexplore.exe   30
PID 2332 wrote to memory of 2396     2332   iexplore.exe   30
PID 2332 wrote to memory of 2396     2332   iexplore.exe   30
Processes
C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_5_.dll
  - Suspicious use of WriteProcessMemory
  PID: 2056
  child: C:\Windows\SysWOW64\regsvr32.exe
    command line: /s C:\Users\Admin\AppData\Local\Temp\$_5_.dll
    - Adds Run key to start application
    - Installs/modifies Browser Helper Object
    - Maps connected drives based on registry
    - Modifies registry class
    PID: 1900

The 64-bit regsvr32.exe (PID 2056) re-launches its SysWOW64 counterpart (PID 1900) because $_5_.dll is a 32-bit DLL; the WriteProcessMemory hits are that hand-off, the 32-bit process performs the registration, which is why every key above lands under Wow6432Node, and the UPX memory dumps belong to PID 1900.

C:\Program Files\Internet Explorer\iexplore.exe
  command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2332
  child: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2332 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 2396
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Browser Extensions (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: f48c2ff26fd8cbae18a345372cdd86c5
  SHA1: 62c853d8358a1e05cb99eecd79a7e18cd9fcb606
  SHA256: afac247c5032c6bf196407253d014381aad86cd1d480861fd9f44efb3efd45d7
  SHA512: 6afd14a7059151dc010c5bfcd22a6418a1b4f0b8cb27c942158a9efe655bce6c05838faea7b7a5ca76df98f9a5ff583434700a8f34ec3a1fd57960b4bc59b054

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 07a3a9bed6bd0bbf64c5f705c73ea6ec
  SHA1: 69ed35ac50fac8943ec6e8578449cc86ea4badab
  SHA256: f12eb7c19acdc8c410b8b772de86e312fda2ee43b28cf84d4e6d0a07064988bf
  SHA512: 83220133a6996c9bcb396e707f3751e60dc0072cdf1d394dd39dd75fa4345c5b2eb876d2b69b5baf280ef85f46e7fe02c62ca93091a8818575a3c32167733039

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 1080ac5dc96d153f6e5c612a124525c0
  SHA1: 238daa9ded361ed3ce58a01b848ebeb90fa6a2bc
  SHA256: 84a589c6c57f59b2011c7c06df6658abe43dac1c3f28fd5ffac27cd2d1168343
  SHA512: e4fd463f54304fa8b41f6d2c10e39b0cbe97de70722ffd96de5f09ba4f4e757316f44adca75c35324b18a0cb41a7fa57407a600daf231d48c041b8a73b27894c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: fde2e16e9addcefc5ac6930f614d2e5d
  SHA1: b92bddab2a1fb3a8edcfb41e5513cf1d6401cfbb
  SHA256: 43f11f98a05cc7a179805421f9ec6b48271fb4fd64110d8efd170d2fa154c8ce
  SHA512: cf2cc1344ee57a13c8d567f36be591e944ea58cf5ec65511ed2cca1e43de26d0912e907a4b88bce12ebf20b036bbdcf59bc2e80da8621f3b12bf8072311c4637

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: a66c4178d3ddfe8172df6c6f2f980a0f
  SHA1: c2e78b7b3052c2e02231d11011e9f740e42e9de6
  SHA256: efe69a70741c70c34c323145588f95f336d719fb5e7832f76a22e33fffe49d35
  SHA512: d5134e02c99dc62718d24efe011e06e1d4a13fd53844b4a1291ba2757d08fc7bbd57bf1bbd67e65754698d052e2d553f020e453d0f04be98108b34594fcab743

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 2f145ffa9d9176554a83e033ba8d9de0
  SHA1: 8b7bbdf70426225290ff9fcee79a8d4bbbb42022
  SHA256: 1c240836d9613dc3e71e748a891c571c8646a011eb3b66ac05d0285308df9f9f
  SHA512: d2a071dc27eea3c81271f4b09732c9b428b248db7b91fdf7f0445087186e8b35571d603d7957ef8f1c5b60fbb6450a1d9542d825095aa2b4e53730e46ce62613

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 6bfa1566161082115c991c0937ad7b85
  SHA1: b1a6be8ea032331655ae7144bc542a9a0c042459
  SHA256: 68fa4685f0a3bee7520588b3d609fd609ef18af2af1bffb3397ede9bcecc416d
  SHA512: ff69e01c731f065cb06dd763f11b282e93441eeafcf342a3804db5c274331edfae9e1f229120b224f745d7a3a948d39bb3f22bee0ae1887bd63d727c02fb5594

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 04423c13f7b8ee5cc699e986d3fb3d4c
  SHA1: 559c34aead072238a2ae4a36c0b5a43ecfc077ce
  SHA256: 5d0bcf536a4a8436782536d13eb2d6bd15f9f67afcadf4b7dded900fe6da52b7
  SHA512: b1131773ac494a1f3f18062e887334736b8e1d02ec2f13931d2276a43da6a96f31fb3f03feb2c55c46e0a2eff1593b3f29b1855d00988eb7d9036b3098c66398

-
  Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

-
  Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06