Malware Analysis Report

2025-08-10 22:23

Sample ID 240202-2wk3fsdafl
Target VirusShare-00c7e24b52d0f69c114772ed0a27f912
SHA256 0577ada4871e64c61659a7d5a3d84074a40cfcef27a61eec48e5d19f78d3b127
Tags
adware persistence stealer upx discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0577ada4871e64c61659a7d5a3d84074a40cfcef27a61eec48e5d19f78d3b127

Threat Level: Known bad

The file VirusShare-00c7e24b52d0f69c114772ed0a27f912 was found to be: Known bad.

Malicious Activity Summary

adware persistence stealer upx discovery

UPX dump on OEP (original entry point)

UPX dump on OEP (original entry point)

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Executes dropped EXE

UPX packed file

Maps connected drives based on registry

Installs/modifies Browser Helper Object

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Program crash

NSIS installer

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer Protected Mode

Modifies Internet Explorer Protected Mode Banner

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-02 22:55

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-02 22:55

Reported

2024-02-02 22:58

Platform

win7-20231215-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 228

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-02 22:55

Reported

2024-02-02 22:58

Platform

win10v2004-20231222-en

Max time kernel

92s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5016 wrote to memory of 4864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5016 wrote to memory of 4864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5016 wrote to memory of 4864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4864 -ip 4864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-02 22:55

Reported

2024-02-02 22:58

Platform

win7-20231215-en

Max time kernel

142s

Max time network

148s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_5_.dll

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vvuprnlnmb = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\$_5_.dll\"" C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3EE0F651-C21E-11EE-ACBB-46FAA8558A22} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413076439" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C}\ = "revenuestreaming browser enhancer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_5_.dll" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_5_.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_5_.dll

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2332 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 creativeadnetwork.net udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:80 www.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 cx.creativeadnetwork.net udp
GB 216.58.204.68:80 www.google.com tcp

Files

memory/1900-0-0x00000000406E0000-0x00000000407A0000-memory.dmp

memory/1900-1-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1900-2-0x00000000406E0000-0x00000000407A0000-memory.dmp

memory/1900-6-0x00000000406E0000-0x00000000407A0000-memory.dmp

memory/1900-7-0x00000000406E0000-0x00000000407A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab8A46.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar8AE6.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6bfa1566161082115c991c0937ad7b85
SHA1 b1a6be8ea032331655ae7144bc542a9a0c042459
SHA256 68fa4685f0a3bee7520588b3d609fd609ef18af2af1bffb3397ede9bcecc416d
SHA512 ff69e01c731f065cb06dd763f11b282e93441eeafcf342a3804db5c274331edfae9e1f229120b224f745d7a3a948d39bb3f22bee0ae1887bd63d727c02fb5594

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 04423c13f7b8ee5cc699e986d3fb3d4c
SHA1 559c34aead072238a2ae4a36c0b5a43ecfc077ce
SHA256 5d0bcf536a4a8436782536d13eb2d6bd15f9f67afcadf4b7dded900fe6da52b7
SHA512 b1131773ac494a1f3f18062e887334736b8e1d02ec2f13931d2276a43da6a96f31fb3f03feb2c55c46e0a2eff1593b3f29b1855d00988eb7d9036b3098c66398

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f48c2ff26fd8cbae18a345372cdd86c5
SHA1 62c853d8358a1e05cb99eecd79a7e18cd9fcb606
SHA256 afac247c5032c6bf196407253d014381aad86cd1d480861fd9f44efb3efd45d7
SHA512 6afd14a7059151dc010c5bfcd22a6418a1b4f0b8cb27c942158a9efe655bce6c05838faea7b7a5ca76df98f9a5ff583434700a8f34ec3a1fd57960b4bc59b054

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 07a3a9bed6bd0bbf64c5f705c73ea6ec
SHA1 69ed35ac50fac8943ec6e8578449cc86ea4badab
SHA256 f12eb7c19acdc8c410b8b772de86e312fda2ee43b28cf84d4e6d0a07064988bf
SHA512 83220133a6996c9bcb396e707f3751e60dc0072cdf1d394dd39dd75fa4345c5b2eb876d2b69b5baf280ef85f46e7fe02c62ca93091a8818575a3c32167733039

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1080ac5dc96d153f6e5c612a124525c0
SHA1 238daa9ded361ed3ce58a01b848ebeb90fa6a2bc
SHA256 84a589c6c57f59b2011c7c06df6658abe43dac1c3f28fd5ffac27cd2d1168343
SHA512 e4fd463f54304fa8b41f6d2c10e39b0cbe97de70722ffd96de5f09ba4f4e757316f44adca75c35324b18a0cb41a7fa57407a600daf231d48c041b8a73b27894c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fde2e16e9addcefc5ac6930f614d2e5d
SHA1 b92bddab2a1fb3a8edcfb41e5513cf1d6401cfbb
SHA256 43f11f98a05cc7a179805421f9ec6b48271fb4fd64110d8efd170d2fa154c8ce
SHA512 cf2cc1344ee57a13c8d567f36be591e944ea58cf5ec65511ed2cca1e43de26d0912e907a4b88bce12ebf20b036bbdcf59bc2e80da8621f3b12bf8072311c4637

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a66c4178d3ddfe8172df6c6f2f980a0f
SHA1 c2e78b7b3052c2e02231d11011e9f740e42e9de6
SHA256 efe69a70741c70c34c323145588f95f336d719fb5e7832f76a22e33fffe49d35
SHA512 d5134e02c99dc62718d24efe011e06e1d4a13fd53844b4a1291ba2757d08fc7bbd57bf1bbd67e65754698d052e2d553f020e453d0f04be98108b34594fcab743

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f145ffa9d9176554a83e033ba8d9de0
SHA1 8b7bbdf70426225290ff9fcee79a8d4bbbb42022
SHA256 1c240836d9613dc3e71e748a891c571c8646a011eb3b66ac05d0285308df9f9f
SHA512 d2a071dc27eea3c81271f4b09732c9b428b248db7b91fdf7f0445087186e8b35571d603d7957ef8f1c5b60fbb6450a1d9542d825095aa2b4e53730e46ce62613

memory/1900-440-0x00000000406E0000-0x00000000407A0000-memory.dmp

memory/1900-442-0x00000000406E0000-0x00000000407A0000-memory.dmp

memory/1900-444-0x00000000406E0000-0x00000000407A0000-memory.dmp

memory/1900-445-0x00000000406E0000-0x00000000407A0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-02 22:55

Reported

2024-02-02 22:58

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swcapjqnjtohq = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nsd4E03.tmp.dll\"" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swcapjqnjtohq = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Windows\\system32\\xavuhwncke.dll\"" C:\Windows\SysWOW64\regsvr32.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9} C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\vkogthofyhsyc.exe C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7D8BF643-DDA5-8D03-9A9B-BEBB05CDDC2E}\AppPath = "C:\\Windows\\System32" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31086123" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7D8BF643-DDA5-8D03-9A9B-BEBB05CDDC2E}\AppName = "regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7D8BF643-DDA5-8D03-9A9B-BEBB05CDDC2E}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31086123" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7D8BF643-DDA5-8D03-9A9B-BEBB05CDDC2E} C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "317925786" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413679539" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3E8BFEFF-C21E-11EE-8184-4ECC77D3B663} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31086123" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31086123" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "318706826" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "317925786" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "318706826" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nsd4E03.tmp.dll" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\InProcServer32\ = "C:\\Windows\\SysWow64\\xavuhwncke.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\ = "revenuestreaming browser enhancer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9} C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\ = "revenuestreaming browser enhancer" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\xavuhwncke.dll"

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 creativeadnetwork.net udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:80 www.google.com tcp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 68.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 creativeadnetwork.net udp
GB 216.58.204.68:80 www.google.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsz4612.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsd4E03.tmp.dll

MD5 3f2d4a9f33af3e0d07158391f141fbac
SHA1 49cafcca1de589fcf2906abf4d39769f36cd6e30
SHA256 4af4544a7186f81c4a0b6a77eb25540824ab261bd75db18874003498a04edaa8
SHA512 597896131750dd276d4d2c5ec84dffdad0d5c65507a18fd616ce841bb8ee3ec7ffcf27698b4f419a89d1805b796c675698945186202958edb977aadaf20a0650

memory/1620-14-0x00000000406E0000-0x00000000407A0000-memory.dmp

memory/1620-22-0x00000000028A0000-0x0000000002960000-memory.dmp

memory/1620-23-0x00000000028A0000-0x0000000002960000-memory.dmp

memory/1620-26-0x00000000406E0000-0x00000000407A0000-memory.dmp

memory/2348-29-0x00000000406E0000-0x00000000407A0000-memory.dmp

memory/2348-30-0x00000000406E0000-0x00000000407A0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 cb99b6d5040641081530ef8f6049f1aa
SHA1 3fa9e3148cbee0e561da3787919043483ee5e5c0
SHA256 3e1607026f332ae19539f0621c8b18c820245d196febf8bf258253667ebc94d8
SHA512 13cdc5995fa4741d474c00491ea55b26101a88ee3495327950249e8bef1e16de29f46d0c1ffef3682eac0e041f0b06545d51ef8152a33606f0e13fe35e6a1d83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 9c54f170946dd2b3c68dc95037aa9807
SHA1 6bec595daa95ce9417143d7a2a78f663a1af5350
SHA256 86c50d6f5c9904609386d8c7efd9023de8e62d66b4fed7f8918722d0b6cdf30b
SHA512 3d21d7b6f04998f0b2cda0949b2958d0543b504d35f5bdc5461aededce6d4c6e7df3a0d6cbcabac5855da1dda11079c90f96dd1f167db1a2fe5758c5778f3b38

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC63E.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

memory/2348-46-0x00000000406E0000-0x00000000407A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q15AV1NQ\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

memory/2348-65-0x00000000406E0000-0x00000000407A0000-memory.dmp

memory/2348-66-0x00000000406E0000-0x00000000407A0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-02 22:55

Reported

2024-02-02 22:58

Platform

win7-20231215-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 228

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-02 22:55

Reported

2024-02-02 22:58

Platform

win10v2004-20231222-en

Max time kernel

145s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4184 wrote to memory of 1272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4184 wrote to memory of 1272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4184 wrote to memory of 1272 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1272 -ip 1272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 104.116.69.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-02 22:55

Reported

2024-02-02 22:58

Platform

win7-20231215-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$_1_.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$_1_.exe

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$_1_.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 154274f2095724e826822bc695dac0bb
SHA1 bf6c7eb599a7039ae6d18a24f120533842a006ef
SHA256 70d43e3594e461b1baa0574668fcd7d9b2ac7741d3245b8f4f868e5ef07ed986
SHA512 fff766cc90ff31b47019284d62fdd168977ec199261b93421e0316172324164e718597833f35790ee0e8e050e6e4bf0c1cf136f1ff8948450e2692c814c1fb03

\Users\Admin\AppData\Local\Temp\nsd5B5B.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsd5B5B.tmp\validate.ini

MD5 6dcc9c40639344d7ccab94186e42991a
SHA1 5afcde6bb2a4786fcf490a674c513dad92fd2f64
SHA256 dceed7449259f6022fb4ecc40fdf70ee9fc4bf36554bcd8b9f5c011f4846b5dd
SHA512 f7297c43335ecbf143f3c0f295033f1710a034c6e199d3634675da0e873cef05de71510ce0bc43f47dd55ed3e3dd6d0fe4128d4f03edf184019c0ba2906607ec

\Users\Admin\AppData\Local\Temp\nsd5B5B.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nsd5B5B.tmp\validate.ini

MD5 9eb036a70bdedec68187d7c7cce9d3b9
SHA1 03da275134bccc9d80c2b513d6615e0e68f218a9
SHA256 3950ccf060ff14e7cd930e5f8f42eed0b970147f6925acb780ad984c59ea2c58
SHA512 5ea29a00642cd8c54c35a6ba190c5a52669cad0e11b20071d9f2a5c728592bed98af1cdbc15fec6f1684e003977edae255f335086239dab31e4241793f943ff9

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-02 22:55

Reported

2024-02-02 22:58

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

152s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_5_.dll

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dmsjeqcwbhvik = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\$_5_.dll\"" C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C6497A1-3F4B-6C5D-CBA4-119A9464141E}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C6497A1-3F4B-6C5D-CBA4-119A9464141E} C:\Windows\SysWOW64\regsvr32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31086123" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4245701D-C21E-11EE-B6AD-72AC86130FB1} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "388379598" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31086123" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "390099488" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31086123" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413679550" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "420722996" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C6497A1-3F4B-6C5D-CBA4-119A9464141E}\ = "revenuestreaming browser enhancer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C6497A1-3F4B-6C5D-CBA4-119A9464141E}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C6497A1-3F4B-6C5D-CBA4-119A9464141E}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C6497A1-3F4B-6C5D-CBA4-119A9464141E}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_5_.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C6497A1-3F4B-6C5D-CBA4-119A9464141E} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_5_.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_5_.dll

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 creativeadnetwork.net udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:80 www.google.com tcp
US 8.8.8.8:53 68.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 cx.creativeadnetwork.net udp
GB 216.58.204.68:80 www.google.com tcp

Files

memory/3420-0-0x00000000406E0000-0x00000000407A0000-memory.dmp

memory/3420-1-0x00000000406E0000-0x00000000407A0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 cb99b6d5040641081530ef8f6049f1aa
SHA1 3fa9e3148cbee0e561da3787919043483ee5e5c0
SHA256 3e1607026f332ae19539f0621c8b18c820245d196febf8bf258253667ebc94d8
SHA512 13cdc5995fa4741d474c00491ea55b26101a88ee3495327950249e8bef1e16de29f46d0c1ffef3682eac0e041f0b06545d51ef8152a33606f0e13fe35e6a1d83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 79ed12ffc57bd2a0ddf3e9ad10d3bb59
SHA1 79c42cc3a3b058e228e258a9e94e21ab5983a25a
SHA256 c05bf28cef03f26b4add8bdcfc9b38b5242bc91f77b15e351d811752d53ef184
SHA512 ada6ee1ced06dc217599544c5113254fad0fe8990c1288331dcf99c49a66c49a14063966cd6ce7ba08edfedac73ea1b52e22e2f890810d8b2c5922cbe9a3355e

memory/3420-14-0x00000000406E0000-0x00000000407A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z0UNWU5J\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

memory/3420-32-0x00000000406E0000-0x00000000407A0000-memory.dmp

memory/3420-33-0x00000000406E0000-0x00000000407A0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-02 22:55

Reported

2024-02-02 22:58

Platform

win7-20231215-en

Max time kernel

140s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mjvzlmsvej = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nsi4B54.tmp.dll\"" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mjvzlmsvej = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Windows\\system32\\tdcxjoeaiqqnv.dll\"" C:\Windows\SysWOW64\regsvr32.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5} C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\iqkkiwuhkwwrk.exe C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3FF9F7D1-C21E-11EE-A892-DECE4B73D784} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1674FAD1-6BC9-A33E-C4E4-6AF17CC3D744}\AppName = "regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1674FAD1-6BC9-A33E-C4E4-6AF17CC3D744}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413076442" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1674FAD1-6BC9-A33E-C4E4-6AF17CC3D744}\AppPath = "C:\\Windows\\System32" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1674FAD1-6BC9-A33E-C4E4-6AF17CC3D744} C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\ = "revenuestreaming browser enhancer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5} C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nsi4B54.tmp.dll" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\InProcServer32\ = "C:\\Windows\\SysWow64\\tdcxjoeaiqqnv.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\ = "revenuestreaming browser enhancer" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3052 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3052 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3052 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3052 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3052 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3052 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2224 wrote to memory of 2576 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2224 wrote to memory of 2576 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2224 wrote to memory of 2576 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2224 wrote to memory of 2576 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\tdcxjoeaiqqnv.dll"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2224 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 creativeadnetwork.net udp
US 8.8.8.8:53 cx.creativeadnetwork.net udp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:80 www.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
GB 216.58.204.68:80 www.google.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsi4367.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsi4B54.tmp.dll

MD5 3f2d4a9f33af3e0d07158391f141fbac
SHA1 49cafcca1de589fcf2906abf4d39769f36cd6e30
SHA256 4af4544a7186f81c4a0b6a77eb25540824ab261bd75db18874003498a04edaa8
SHA512 597896131750dd276d4d2c5ec84dffdad0d5c65507a18fd616ce841bb8ee3ec7ffcf27698b4f419a89d1805b796c675698945186202958edb977aadaf20a0650

memory/3052-14-0x00000000406E0000-0x00000000407A0000-memory.dmp

memory/3052-19-0x0000000002440000-0x0000000002500000-memory.dmp

memory/3052-22-0x00000000406E0000-0x00000000407A0000-memory.dmp

memory/2704-24-0x00000000406E0000-0x00000000407A0000-memory.dmp

memory/2704-25-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2704-26-0x00000000406E0000-0x00000000407A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab5BB9.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar5BEB.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-02 22:55

Reported

2024-02-02 22:58

Platform

win10v2004-20231215-en

Max time kernel

141s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$_1_.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$_1_.exe

"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$_1_.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 154274f2095724e826822bc695dac0bb
SHA1 bf6c7eb599a7039ae6d18a24f120533842a006ef
SHA256 70d43e3594e461b1baa0574668fcd7d9b2ac7741d3245b8f4f868e5ef07ed986
SHA512 fff766cc90ff31b47019284d62fdd168977ec199261b93421e0316172324164e718597833f35790ee0e8e050e6e4bf0c1cf136f1ff8948450e2692c814c1fb03

C:\Users\Admin\AppData\Local\Temp\nsn9A6D.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsn9A6D.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nsn9A6D.tmp\validate.ini

MD5 04765cfa53f80daaea8d1037772c8b50
SHA1 047b84125e531f64cff45086dfa555c82e59af44
SHA256 8aab85fc8f0515c10308d847e09e696e71052aefb8b669bfb31df4a39686fa4c
SHA512 bcf69bf06c648cc4f610dcb484b9a784207710f2814931b47c7d48bf47e94bfbeaf53e03e7dcaa96fc71c1e7aacd45b81af1c611b112faf772a601a2e5c324eb

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-02 22:55

Reported

2024-02-02 22:58

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 244

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-02 22:55

Reported

2024-02-02 22:58

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 1768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 1768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2140 wrote to memory of 1768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 636

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

N/A