Analysis Overview
SHA256
0577ada4871e64c61659a7d5a3d84074a40cfcef27a61eec48e5d19f78d3b127
Threat Level: Known bad
The file VirusShare-00c7e24b52d0f69c114772ed0a27f912 was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
UPX dump on OEP (original entry point)
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
Executes dropped EXE
UPX packed file
Maps connected drives based on registry
Installs/modifies Browser Helper Object
Checks installed software on the system
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Program crash
NSIS installer
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer Protected Mode Banner
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-02 22:55
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral9
Detonation Overview
Submitted
2024-02-02 22:55
Reported
2024-02-02 22:58
Platform
win7-20231215-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 228
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-02-02 22:55
Reported
2024-02-02 22:58
Platform
win10v2004-20231222-en
Max time kernel
92s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5016 wrote to memory of 4864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5016 wrote to memory of 4864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5016 wrote to memory of 4864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4864 -ip 4864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-02-02 22:55
Reported
2024-02-02 22:58
Platform
win7-20231215-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vvuprnlnmb = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\$_5_.dll\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3EE0F651-C21E-11EE-ACBB-46FAA8558A22} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413076439" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C}\ = "revenuestreaming browser enhancer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE3F5A3A-7AA7-6E3A-960F-D4A3F936440C}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_5_.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_5_.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$_5_.dll
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2332 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | creativeadnetwork.net | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:80 | www.google.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | cx.creativeadnetwork.net | udp |
| GB | 216.58.204.68:80 | www.google.com | tcp |
Files
memory/1900-0-0x00000000406E0000-0x00000000407A0000-memory.dmp
memory/1900-1-0x00000000001E0000-0x00000000001E2000-memory.dmp
memory/1900-2-0x00000000406E0000-0x00000000407A0000-memory.dmp
memory/1900-6-0x00000000406E0000-0x00000000407A0000-memory.dmp
memory/1900-7-0x00000000406E0000-0x00000000407A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab8A46.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar8AE6.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6bfa1566161082115c991c0937ad7b85 |
| SHA1 | b1a6be8ea032331655ae7144bc542a9a0c042459 |
| SHA256 | 68fa4685f0a3bee7520588b3d609fd609ef18af2af1bffb3397ede9bcecc416d |
| SHA512 | ff69e01c731f065cb06dd763f11b282e93441eeafcf342a3804db5c274331edfae9e1f229120b224f745d7a3a948d39bb3f22bee0ae1887bd63d727c02fb5594 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 04423c13f7b8ee5cc699e986d3fb3d4c |
| SHA1 | 559c34aead072238a2ae4a36c0b5a43ecfc077ce |
| SHA256 | 5d0bcf536a4a8436782536d13eb2d6bd15f9f67afcadf4b7dded900fe6da52b7 |
| SHA512 | b1131773ac494a1f3f18062e887334736b8e1d02ec2f13931d2276a43da6a96f31fb3f03feb2c55c46e0a2eff1593b3f29b1855d00988eb7d9036b3098c66398 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f48c2ff26fd8cbae18a345372cdd86c5 |
| SHA1 | 62c853d8358a1e05cb99eecd79a7e18cd9fcb606 |
| SHA256 | afac247c5032c6bf196407253d014381aad86cd1d480861fd9f44efb3efd45d7 |
| SHA512 | 6afd14a7059151dc010c5bfcd22a6418a1b4f0b8cb27c942158a9efe655bce6c05838faea7b7a5ca76df98f9a5ff583434700a8f34ec3a1fd57960b4bc59b054 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 07a3a9bed6bd0bbf64c5f705c73ea6ec |
| SHA1 | 69ed35ac50fac8943ec6e8578449cc86ea4badab |
| SHA256 | f12eb7c19acdc8c410b8b772de86e312fda2ee43b28cf84d4e6d0a07064988bf |
| SHA512 | 83220133a6996c9bcb396e707f3751e60dc0072cdf1d394dd39dd75fa4345c5b2eb876d2b69b5baf280ef85f46e7fe02c62ca93091a8818575a3c32167733039 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1080ac5dc96d153f6e5c612a124525c0 |
| SHA1 | 238daa9ded361ed3ce58a01b848ebeb90fa6a2bc |
| SHA256 | 84a589c6c57f59b2011c7c06df6658abe43dac1c3f28fd5ffac27cd2d1168343 |
| SHA512 | e4fd463f54304fa8b41f6d2c10e39b0cbe97de70722ffd96de5f09ba4f4e757316f44adca75c35324b18a0cb41a7fa57407a600daf231d48c041b8a73b27894c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fde2e16e9addcefc5ac6930f614d2e5d |
| SHA1 | b92bddab2a1fb3a8edcfb41e5513cf1d6401cfbb |
| SHA256 | 43f11f98a05cc7a179805421f9ec6b48271fb4fd64110d8efd170d2fa154c8ce |
| SHA512 | cf2cc1344ee57a13c8d567f36be591e944ea58cf5ec65511ed2cca1e43de26d0912e907a4b88bce12ebf20b036bbdcf59bc2e80da8621f3b12bf8072311c4637 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a66c4178d3ddfe8172df6c6f2f980a0f |
| SHA1 | c2e78b7b3052c2e02231d11011e9f740e42e9de6 |
| SHA256 | efe69a70741c70c34c323145588f95f336d719fb5e7832f76a22e33fffe49d35 |
| SHA512 | d5134e02c99dc62718d24efe011e06e1d4a13fd53844b4a1291ba2757d08fc7bbd57bf1bbd67e65754698d052e2d553f020e453d0f04be98108b34594fcab743 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2f145ffa9d9176554a83e033ba8d9de0 |
| SHA1 | 8b7bbdf70426225290ff9fcee79a8d4bbbb42022 |
| SHA256 | 1c240836d9613dc3e71e748a891c571c8646a011eb3b66ac05d0285308df9f9f |
| SHA512 | d2a071dc27eea3c81271f4b09732c9b428b248db7b91fdf7f0445087186e8b35571d603d7957ef8f1c5b60fbb6450a1d9542d825095aa2b4e53730e46ce62613 |
memory/1900-440-0x00000000406E0000-0x00000000407A0000-memory.dmp
memory/1900-442-0x00000000406E0000-0x00000000407A0000-memory.dmp
memory/1900-444-0x00000000406E0000-0x00000000407A0000-memory.dmp
memory/1900-445-0x00000000406E0000-0x00000000407A0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-02 22:55
Reported
2024-02-02 22:58
Platform
win10v2004-20231215-en
Max time kernel
143s
Max time network
144s
Command Line
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swcapjqnjtohq = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nsd4E03.tmp.dll\"" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swcapjqnjtohq = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Windows\\system32\\xavuhwncke.dll\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9} | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\vkogthofyhsyc.exe | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7D8BF643-DDA5-8D03-9A9B-BEBB05CDDC2E}\AppPath = "C:\\Windows\\System32" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31086123" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7D8BF643-DDA5-8D03-9A9B-BEBB05CDDC2E}\AppName = "regsvr32.exe" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7D8BF643-DDA5-8D03-9A9B-BEBB05CDDC2E}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31086123" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7D8BF643-DDA5-8D03-9A9B-BEBB05CDDC2E} | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "317925786" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413679539" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3E8BFEFF-C21E-11EE-8184-4ECC77D3B663} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31086123" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31086123" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "318706826" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "317925786" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "318706826" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nsd4E03.tmp.dll" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\InProcServer32\ = "C:\\Windows\\SysWow64\\xavuhwncke.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\ = "revenuestreaming browser enhancer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9} | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EBDEDE1-9B9B-C451-DD8B-52D4134C2FB9}\ = "revenuestreaming browser enhancer" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1620 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1620 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1620 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1244 wrote to memory of 1084 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1244 wrote to memory of 1084 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1244 wrote to memory of 1084 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\xavuhwncke.dll"
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | creativeadnetwork.net | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | creativeadnetwork.net | udp |
| GB | 216.58.204.68:80 | www.google.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsz4612.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsd4E03.tmp.dll
| MD5 | 3f2d4a9f33af3e0d07158391f141fbac |
| SHA1 | 49cafcca1de589fcf2906abf4d39769f36cd6e30 |
| SHA256 | 4af4544a7186f81c4a0b6a77eb25540824ab261bd75db18874003498a04edaa8 |
| SHA512 | 597896131750dd276d4d2c5ec84dffdad0d5c65507a18fd616ce841bb8ee3ec7ffcf27698b4f419a89d1805b796c675698945186202958edb977aadaf20a0650 |
memory/1620-14-0x00000000406E0000-0x00000000407A0000-memory.dmp
memory/1620-22-0x00000000028A0000-0x0000000002960000-memory.dmp
memory/1620-23-0x00000000028A0000-0x0000000002960000-memory.dmp
memory/1620-26-0x00000000406E0000-0x00000000407A0000-memory.dmp
memory/2348-29-0x00000000406E0000-0x00000000407A0000-memory.dmp
memory/2348-30-0x00000000406E0000-0x00000000407A0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | cb99b6d5040641081530ef8f6049f1aa |
| SHA1 | 3fa9e3148cbee0e561da3787919043483ee5e5c0 |
| SHA256 | 3e1607026f332ae19539f0621c8b18c820245d196febf8bf258253667ebc94d8 |
| SHA512 | 13cdc5995fa4741d474c00491ea55b26101a88ee3495327950249e8bef1e16de29f46d0c1ffef3682eac0e041f0b06545d51ef8152a33606f0e13fe35e6a1d83 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 9c54f170946dd2b3c68dc95037aa9807 |
| SHA1 | 6bec595daa95ce9417143d7a2a78f663a1af5350 |
| SHA256 | 86c50d6f5c9904609386d8c7efd9023de8e62d66b4fed7f8918722d0b6cdf30b |
| SHA512 | 3d21d7b6f04998f0b2cda0949b2958d0543b504d35f5bdc5461aededce6d4c6e7df3a0d6cbcabac5855da1dda11079c90f96dd1f167db1a2fe5758c5778f3b38 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC63E.tmp
| MD5 | 1a545d0052b581fbb2ab4c52133846bc |
| SHA1 | 62f3266a9b9925cd6d98658b92adec673cbe3dd3 |
| SHA256 | 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1 |
| SHA512 | bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d |
memory/2348-46-0x00000000406E0000-0x00000000407A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q15AV1NQ\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
memory/2348-65-0x00000000406E0000-0x00000000407A0000-memory.dmp
memory/2348-66-0x00000000406E0000-0x00000000407A0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-02 22:55
Reported
2024-02-02 22:58
Platform
win7-20231215-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 228
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-02 22:55
Reported
2024-02-02 22:58
Platform
win10v2004-20231222-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4184 wrote to memory of 1272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4184 wrote to memory of 1272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4184 wrote to memory of 1272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1272 -ip 1272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.116.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-02 22:55
Reported
2024-02-02 22:58
Platform
win7-20231215-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$_1_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1976 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$_1_.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 1976 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$_1_.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 1976 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$_1_.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 1976 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$_1_.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$_1_.exe
"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$_1_.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\
Network
Files
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | 154274f2095724e826822bc695dac0bb |
| SHA1 | bf6c7eb599a7039ae6d18a24f120533842a006ef |
| SHA256 | 70d43e3594e461b1baa0574668fcd7d9b2ac7741d3245b8f4f868e5ef07ed986 |
| SHA512 | fff766cc90ff31b47019284d62fdd168977ec199261b93421e0316172324164e718597833f35790ee0e8e050e6e4bf0c1cf136f1ff8948450e2692c814c1fb03 |
\Users\Admin\AppData\Local\Temp\nsd5B5B.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsd5B5B.tmp\validate.ini
| MD5 | 6dcc9c40639344d7ccab94186e42991a |
| SHA1 | 5afcde6bb2a4786fcf490a674c513dad92fd2f64 |
| SHA256 | dceed7449259f6022fb4ecc40fdf70ee9fc4bf36554bcd8b9f5c011f4846b5dd |
| SHA512 | f7297c43335ecbf143f3c0f295033f1710a034c6e199d3634675da0e873cef05de71510ce0bc43f47dd55ed3e3dd6d0fe4128d4f03edf184019c0ba2906607ec |
\Users\Admin\AppData\Local\Temp\nsd5B5B.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
C:\Users\Admin\AppData\Local\Temp\nsd5B5B.tmp\validate.ini
| MD5 | 9eb036a70bdedec68187d7c7cce9d3b9 |
| SHA1 | 03da275134bccc9d80c2b513d6615e0e68f218a9 |
| SHA256 | 3950ccf060ff14e7cd930e5f8f42eed0b970147f6925acb780ad984c59ea2c58 |
| SHA512 | 5ea29a00642cd8c54c35a6ba190c5a52669cad0e11b20071d9f2a5c728592bed98af1cdbc15fec6f1684e003977edae255f335086239dab31e4241793f943ff9 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-02-02 22:55
Reported
2024-02-02 22:58
Platform
win10v2004-20231215-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dmsjeqcwbhvik = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\$_5_.dll\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C6497A1-3F4B-6C5D-CBA4-119A9464141E}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C6497A1-3F4B-6C5D-CBA4-119A9464141E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31086123" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4245701D-C21E-11EE-B6AD-72AC86130FB1} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "388379598" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31086123" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "390099488" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31086123" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413679550" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "420722996" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C6497A1-3F4B-6C5D-CBA4-119A9464141E}\ = "revenuestreaming browser enhancer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C6497A1-3F4B-6C5D-CBA4-119A9464141E}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C6497A1-3F4B-6C5D-CBA4-119A9464141E}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C6497A1-3F4B-6C5D-CBA4-119A9464141E}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_5_.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C6497A1-3F4B-6C5D-CBA4-119A9464141E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2024 wrote to memory of 3420 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2024 wrote to memory of 3420 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2024 wrote to memory of 3420 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1192 wrote to memory of 4620 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1192 wrote to memory of 4620 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1192 wrote to memory of 4620 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_5_.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$_5_.dll
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | creativeadnetwork.net | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 68.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cx.creativeadnetwork.net | udp |
| GB | 216.58.204.68:80 | www.google.com | tcp |
Files
memory/3420-0-0x00000000406E0000-0x00000000407A0000-memory.dmp
memory/3420-1-0x00000000406E0000-0x00000000407A0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | cb99b6d5040641081530ef8f6049f1aa |
| SHA1 | 3fa9e3148cbee0e561da3787919043483ee5e5c0 |
| SHA256 | 3e1607026f332ae19539f0621c8b18c820245d196febf8bf258253667ebc94d8 |
| SHA512 | 13cdc5995fa4741d474c00491ea55b26101a88ee3495327950249e8bef1e16de29f46d0c1ffef3682eac0e041f0b06545d51ef8152a33606f0e13fe35e6a1d83 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 79ed12ffc57bd2a0ddf3e9ad10d3bb59 |
| SHA1 | 79c42cc3a3b058e228e258a9e94e21ab5983a25a |
| SHA256 | c05bf28cef03f26b4add8bdcfc9b38b5242bc91f77b15e351d811752d53ef184 |
| SHA512 | ada6ee1ced06dc217599544c5113254fad0fe8990c1288331dcf99c49a66c49a14063966cd6ce7ba08edfedac73ea1b52e22e2f890810d8b2c5922cbe9a3355e |
memory/3420-14-0x00000000406E0000-0x00000000407A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z0UNWU5J\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
memory/3420-32-0x00000000406E0000-0x00000000407A0000-memory.dmp
memory/3420-33-0x00000000406E0000-0x00000000407A0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-02 22:55
Reported
2024-02-02 22:58
Platform
win7-20231215-en
Max time kernel
140s
Max time network
143s
Command Line
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mjvzlmsvej = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nsi4B54.tmp.dll\"" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mjvzlmsvej = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Windows\\system32\\tdcxjoeaiqqnv.dll\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5} | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\iqkkiwuhkwwrk.exe | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
Modifies Internet Explorer Protected Mode Banner
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3FF9F7D1-C21E-11EE-A892-DECE4B73D784} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1674FAD1-6BC9-A33E-C4E4-6AF17CC3D744}\AppName = "regsvr32.exe" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1674FAD1-6BC9-A33E-C4E4-6AF17CC3D744}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413076442" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1674FAD1-6BC9-A33E-C4E4-6AF17CC3D744}\AppPath = "C:\\Windows\\System32" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1674FAD1-6BC9-A33E-C4E4-6AF17CC3D744} | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\ = "revenuestreaming browser enhancer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5} | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nsi4B54.tmp.dll" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\InProcServer32\ = "C:\\Windows\\SysWow64\\tdcxjoeaiqqnv.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\ = "revenuestreaming browser enhancer" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BA17B01-B1DD-5E13-F4E6-5472448B71F5}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare-00c7e24b52d0f69c114772ed0a27f912.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\tdcxjoeaiqqnv.dll"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2224 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | creativeadnetwork.net | udp |
| US | 8.8.8.8:53 | cx.creativeadnetwork.net | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:80 | www.google.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| GB | 216.58.204.68:80 | www.google.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsi4367.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nsi4B54.tmp.dll
| MD5 | 3f2d4a9f33af3e0d07158391f141fbac |
| SHA1 | 49cafcca1de589fcf2906abf4d39769f36cd6e30 |
| SHA256 | 4af4544a7186f81c4a0b6a77eb25540824ab261bd75db18874003498a04edaa8 |
| SHA512 | 597896131750dd276d4d2c5ec84dffdad0d5c65507a18fd616ce841bb8ee3ec7ffcf27698b4f419a89d1805b796c675698945186202958edb977aadaf20a0650 |
memory/3052-14-0x00000000406E0000-0x00000000407A0000-memory.dmp
memory/3052-19-0x0000000002440000-0x0000000002500000-memory.dmp
memory/3052-22-0x00000000406E0000-0x00000000407A0000-memory.dmp
memory/2704-24-0x00000000406E0000-0x00000000407A0000-memory.dmp
memory/2704-25-0x00000000001E0000-0x00000000001E2000-memory.dmp
memory/2704-26-0x00000000406E0000-0x00000000407A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab5BB9.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar5BEB.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-02-02 22:55
Reported
2024-02-02 22:58
Platform
win10v2004-20231215-en
Max time kernel
141s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5068 wrote to memory of 3296 | N/A | C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$_1_.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 5068 wrote to memory of 3296 | N/A | C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$_1_.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 5068 wrote to memory of 3296 | N/A | C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$_1_.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$_1_.exe
"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$_1_.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | 154274f2095724e826822bc695dac0bb |
| SHA1 | bf6c7eb599a7039ae6d18a24f120533842a006ef |
| SHA256 | 70d43e3594e461b1baa0574668fcd7d9b2ac7741d3245b8f4f868e5ef07ed986 |
| SHA512 | fff766cc90ff31b47019284d62fdd168977ec199261b93421e0316172324164e718597833f35790ee0e8e050e6e4bf0c1cf136f1ff8948450e2692c814c1fb03 |
C:\Users\Admin\AppData\Local\Temp\nsn9A6D.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsn9A6D.tmp\InstallOptions.dll
| MD5 | 325b008aec81e5aaa57096f05d4212b5 |
| SHA1 | 27a2d89747a20305b6518438eff5b9f57f7df5c3 |
| SHA256 | c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b |
| SHA512 | 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf |
C:\Users\Admin\AppData\Local\Temp\nsn9A6D.tmp\validate.ini
| MD5 | 04765cfa53f80daaea8d1037772c8b50 |
| SHA1 | 047b84125e531f64cff45086dfa555c82e59af44 |
| SHA256 | 8aab85fc8f0515c10308d847e09e696e71052aefb8b669bfb31df4a39686fa4c |
| SHA512 | bcf69bf06c648cc4f610dcb484b9a784207710f2814931b47c7d48bf47e94bfbeaf53e03e7dcaa96fc71c1e7aacd45b81af1c611b112faf772a601a2e5c324eb |
Analysis: behavioral7
Detonation Overview
Submitted
2024-02-02 22:55
Reported
2024-02-02 22:58
Platform
win7-20231129-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 244
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-02-02 22:55
Reported
2024-02-02 22:58
Platform
win10v2004-20231215-en
Max time kernel
143s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2140 wrote to memory of 1768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2140 wrote to memory of 1768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2140 wrote to memory of 1768 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |