Analysis
-
max time kernel
142s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
02/02/2024, 23:21
Static task
static1
Behavioral task
behavioral1
Sample
VirusShare-011fcece058e729e2c21e7085b600b41.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
VirusShare-011fcece058e729e2c21e7085b600b41.exe
Resource
win10v2004-20231215-en
General
-
Target
VirusShare-011fcece058e729e2c21e7085b600b41.exe
-
Size
100KB
-
MD5
011fcece058e729e2c21e7085b600b41
-
SHA1
5503bce7be753d1b0975811fe33ac0ca808706a8
-
SHA256
c4885eb9ed1b5650c7cbbcda64be9abfafb7b396e85101c0f2c12b4914c632ae
-
SHA512
434f4856a7864f2cfd94b63fd42d91e59ee7ceece71cc2b3032700287c542cab7ee752a50844caf9f25926ad5c45f8e24a559a7386aad5f62d5891b59729e7b1
-
SSDEEP
1536:0AMmzjRQoRKrazFxpwY64ee6d0J+j9NaDJXeUDswIMT+Z3zBP51RbJG1U:BjCoR7XDeY+j9NeZIW+Z9P515Ja
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2980 nsacesh.exe -
Loads dropped DLL 3 IoCs
pid Process 1248 VirusShare-011fcece058e729e2c21e7085b600b41.exe 1248 VirusShare-011fcece058e729e2c21e7085b600b41.exe 2980 nsacesh.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x000a000000012268-2.dat upx behavioral1/memory/1248-3-0x0000000000310000-0x0000000000396000-memory.dmp upx behavioral1/memory/2980-16-0x0000000000400000-0x0000000000486000-memory.dmp upx behavioral1/memory/2980-19-0x0000000000400000-0x0000000000486000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nvoeuj = "nvoeuj.exe" nsacesh.exe -
Installs/modifies Browser Helper Object 2 TTPs 7 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84695FD5-A8A8-11D8-978E-005022E14DE2} nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84695FD5-A8A8-11D8-978E-005022E14DE2}\ nsacesh.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} nsacesh.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} nsacesh.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} nsacesh.exe -
Drops file in System32 directory 7 IoCs
description ioc Process File created C:\Windows\SysWOW64\screensaver.zip nsacesh.exe File created C:\Windows\SysWOW64\nsacesh.exe VirusShare-011fcece058e729e2c21e7085b600b41.exe File created C:\Windows\SysWOW64\sogbaol.exe VirusShare-011fcece058e729e2c21e7085b600b41.exe File opened for modification C:\Windows\SysWOW64\sogbaol.exe VirusShare-011fcece058e729e2c21e7085b600b41.exe File created C:\WINDOWS\SysWOW64\NVOEUJ.EXE nsacesh.exe File opened for modification C:\WINDOWS\SysWOW64\NVOEUJ.EXE nsacesh.exe File created C:\Windows\SysWOW64\fcmaiuma.dll nsacesh.exe -
Modifies registry class 46 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\FLAGS nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2} nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2} nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\VersionIndependentProgID\ = "IESpy.SpyBHO" nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2} nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\InprocServer32 nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ = "ISpyBHO" nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\InprocServer32\ = "C:\\Windows\\SysWow64\\fcmaiuma.dll" nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib\Version = "1.0" nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO.1\CLSID\ = "{84695FD5-A8A8-11D8-978E-005022E14DE2}" nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO\ = "SpyBHO Class" nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\ = "SpyBHO Class" nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib\Version = "1.0" nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\ProgID\ = "IESpy.SpyBHO.1" nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\ = "IESpy 1.0 Type Library" nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ProxyStubClsid32 nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\InprocServer32\ThreadingModel = "Apartment" nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\HELPDIR nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2} nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib\ = "{84695FC8-A8A8-11D8-978E-005022E14DE2}" nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ = "ISpyBHO" nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO.1\CLSID nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO\CLSID nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\ProgID nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\TypeLib nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\TypeLib\ = "{84695FC8-A8A8-11D8-978E-005022E14DE2}" nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\fcmaiuma.dll" nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib\ = "{84695FC8-A8A8-11D8-978E-005022E14DE2}" nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO\CurVer nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO\CurVer\ = "IESpy.SpyBHO.1" nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\FLAGS\ = "0" nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\0 nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\0\win32 nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO.1\ = "SpyBHO Class" nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\Programmable nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0 nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ProxyStubClsid32 nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO.1 nsacesh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IESpy.SpyBHO\CLSID\ = "{84695FD5-A8A8-11D8-978E-005022E14DE2}" nsacesh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\VersionIndependentProgID nsacesh.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1248 wrote to memory of 2980 1248 VirusShare-011fcece058e729e2c21e7085b600b41.exe 29 PID 1248 wrote to memory of 2980 1248 VirusShare-011fcece058e729e2c21e7085b600b41.exe 29 PID 1248 wrote to memory of 2980 1248 VirusShare-011fcece058e729e2c21e7085b600b41.exe 29 PID 1248 wrote to memory of 2980 1248 VirusShare-011fcece058e729e2c21e7085b600b41.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare-011fcece058e729e2c21e7085b600b41.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare-011fcece058e729e2c21e7085b600b41.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\nsacesh.exeC:\Windows\system32\nsacesh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
PID:2980
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD5011fcece058e729e2c21e7085b600b41
SHA15503bce7be753d1b0975811fe33ac0ca808706a8
SHA256c4885eb9ed1b5650c7cbbcda64be9abfafb7b396e85101c0f2c12b4914c632ae
SHA512434f4856a7864f2cfd94b63fd42d91e59ee7ceece71cc2b3032700287c542cab7ee752a50844caf9f25926ad5c45f8e24a559a7386aad5f62d5891b59729e7b1
-
Filesize
76KB
MD5d47460e7a690aa4518595f6943e64a33
SHA199dc72b69d36fdf4a206dc4cbebcee0b0e6fecf6
SHA25620d2dbe3fe247d3b47bb76391ce79081033aefd49698b860c0559663247ecc6f
SHA51208b9d09d397255b6a5edba02d71da04907b0bddcf626e0073a084f7d08ba65e696904a44a000d4eababe370a8a47aa19c0ce104765c1053b1a8f323102b36bda
-
Filesize
73KB
MD54f0d325d862e6691089e6353f24cc723
SHA189a2130b326d498eea816aeeefaf5a19353cddf4
SHA256e27d664a3976999ae06a731ff59db1ffa4950e8285f00516c61acbfc56f98127
SHA5125d6afe8c451d615dd87d88c5fdbd926f1671ebb433ce24f7ea011dcfb26ff6d1c40c8d772021e59bdbd7d7b57dfe9e9b4c89d4a73750e67976437122040cc4ba