Overview

overview

8

Static

static

1

VirusShare...f5.exe

windows7-x64

8

VirusShare...f5.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    04/02/2024, 13:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VirusShare_9c7e84113b329bea497d963db2ab8bf5.exe

  • Size

    169KB

  • MD5

    9c7e84113b329bea497d963db2ab8bf5

  • SHA1

    27bc2abc7816401130289e916a9c4224fbf1dc87

  • SHA256

    ff23a9eca12dc9f585a201f12907bc04df670dc759277cfe402a3924a0e49adb

  • SHA512

    0c098b40a9c268ac8f5b89ecbbaee59155c5b2ea7888eab22239f5fed111e406b900b9db02620a291f468624c0b3e6f1a17d11969d6310a7fa925feca08a94b0

  • SSDEEP

    3072:8LbjKmmfcRygt+sX4LdVZtJ6rrRczBpb6K3yGHw6rI2Z+yAV1NiP1ry:8LPK/fcRVnIHZtSrRc9cMk6kfiry

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1116
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1176
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1220
          • C:\Users\Admin\AppData\Local\Temp\VirusShare_9c7e84113b329bea497d963db2ab8bf5.exe
            "C:\Users\Admin\AppData\Local\Temp\VirusShare_9c7e84113b329bea497d963db2ab8bf5.exe"
            2⤵
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Modifies Internet Explorer settings
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of UnmapMainImage
            • Suspicious use of WriteProcessMemory
            PID:2268
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe8b43860.bat"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2688
              • C:\Windows\SysWOW64\netsh.exe
                netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Etlau\xeahogu.exe"
                4⤵
                • Modifies Windows Firewall
                PID:2728
            • C:\Users\Admin\AppData\Roaming\Etlau\xeahogu.exe
              "C:\Users\Admin\AppData\Roaming\Etlau\xeahogu.exe"
              3⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of UnmapMainImage
              • Suspicious use of WriteProcessMemory
              PID:2684
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp601086aa.bat"
              3⤵
              • Deletes itself
              PID:1556
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1668
          • C:\Program Files\Windows Mail\WinMail.exe
            "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
            1⤵
            • NTFS ADS
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:1764
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:896
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
              1⤵
                PID:2580
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                1⤵
                  PID:2380

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log
                  Filesize

                  2.0MB

                  MD5

                  ec935767d3210b4d879a314d1c66332b

                  SHA1

                  903b6775a92e64b7f91eef838f2e87038cb11859

                  SHA256

                  84f7dbce61ef67409bc10fb06fb7429d725a78c04d45a212dc7c74fdcd4a3cdf

                  SHA512

                  e75fab3d8473a66c3ac0fc8a59dd527bf2845d475f93125515c9e09e38e48f2491dbac5a2d7158ff3ff656a9998665bd88a2e7d3294ffc8eaa7262a5dc5b0a12

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmp601086aa.bat
                  Filesize

                  265B

                  MD5

                  e581acc3a4f2174923c7ca34737ce7f9

                  SHA1

                  1e39be33467c5c5235f9bade58c45468f91f7c10

                  SHA256

                  2ebc0301b5568afbd88af2aad2334ebb41801f6eef05ce2a0dc13ddb60eb8c18

                  SHA512

                  cc35b0bc42cd62ff48119fc91e308e1473704be996474368a6c607ab27d3551b78a154a0bdf28e35c7d865f2c507463b35d91ce72279017a376a2d40dde4d60c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpe8b43860.bat
                  Filesize

                  202B

                  MD5

                  4e574e22b058c9c4a457a6ff97afa305

                  SHA1

                  8aa3fe6d35856f14cabd80db0146844418143433

                  SHA256

                  7b423a533cc2ba072220630ee6f750997081f153a51c146789ef1d13302461ab

                  SHA512

                  e796712990e34e3adea8027b77966b11aa3576cedc5067ddb043b0e2d52bb85e5978ece9dc26432acacc67d8bcecd6b86bc3ccb4dc4696a6a6278e6b160c86c8

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Akov\icyrsu.tyo
                  Filesize

                  377B

                  MD5

                  8bff5e047b7a291c0cdc52264c2baf6c

                  SHA1

                  84fd5e9a02df9f265f3a646f4189c532f9e7ec14

                  SHA256

                  09c962599f3e8d08c810ebd1d87b04875f9d0a8231ce1afc638dddd6c19e8069

                  SHA512

                  6370caf7129631a393e52c15b5f65a41abd4fc264f34b4a9308c72bca1197b420b397346ffac2df6ac0947d81c592bca0ef0a2eb0f2c6c4cd4319f408cb30e39

                  Download Submit

                • \Users\Admin\AppData\Roaming\Etlau\xeahogu.exe
                  Filesize

                  169KB

                  MD5

                  2d2bc760998abe8ecd9fd8221abed940

                  SHA1

                  f6d5e499059866f2e93094284b6b22f4a58713ea

                  SHA256

                  0eb06dedff96ef0528d2483352e4b2149738c0322d44cf0d1f590751b4bef420

                  SHA512

                  5c1934c78f342c1486026dad7d6f53c65d502d2e81f1e4434a83838bef012d4117fb4b6816e44c74981ee560767f8e5a96016a8087aa5ff5888c0eee303adc79

                  Download Submit

                • memory/1116-25-0x0000000000210000-0x0000000000238000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1116-21-0x0000000000210000-0x0000000000238000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1116-23-0x0000000000210000-0x0000000000238000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1116-29-0x0000000000210000-0x0000000000238000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1116-27-0x0000000000210000-0x0000000000238000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1176-33-0x00000000001A0000-0x00000000001C8000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1176-37-0x00000000001A0000-0x00000000001C8000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1176-39-0x00000000001A0000-0x00000000001C8000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1176-35-0x00000000001A0000-0x00000000001C8000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1220-43-0x0000000002AC0000-0x0000000002AE8000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1220-42-0x0000000002AC0000-0x0000000002AE8000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1220-45-0x0000000002AC0000-0x0000000002AE8000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1220-44-0x0000000002AC0000-0x0000000002AE8000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1556-343-0x0000000000050000-0x0000000000078000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1556-254-0x0000000077730000-0x0000000077731000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1556-252-0x0000000077730000-0x0000000077731000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1556-250-0x0000000000050000-0x0000000000078000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1668-54-0x0000000000270000-0x0000000000298000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1668-48-0x0000000000270000-0x0000000000298000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1668-50-0x0000000000270000-0x0000000000298000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1668-52-0x0000000000270000-0x0000000000298000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/2268-65-0x00000000003D0000-0x00000000003F8000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/2268-82-0x0000000000270000-0x0000000000271000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2268-80-0x0000000000270000-0x0000000000271000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2268-78-0x0000000000270000-0x0000000000271000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2268-76-0x0000000000270000-0x0000000000271000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2268-74-0x0000000000270000-0x0000000000271000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2268-72-0x0000000000270000-0x0000000000271000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2268-70-0x0000000000270000-0x0000000000271000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2268-68-0x0000000000270000-0x0000000000271000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2268-62-0x0000000000270000-0x0000000000271000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2268-64-0x0000000000270000-0x0000000000271000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2268-60-0x00000000003D0000-0x00000000003F8000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/2268-59-0x00000000003D0000-0x00000000003F8000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/2268-58-0x00000000003D0000-0x00000000003F8000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/2268-57-0x00000000003D0000-0x00000000003F8000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/2268-153-0x0000000000270000-0x0000000000271000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2268-0-0x0000000000300000-0x0000000000328000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/2268-1-0x0000000000330000-0x000000000035C000-memory.dmp

                  Filesize

                  176KB

                  Download

                • memory/2268-61-0x00000000003D0000-0x00000000003F8000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/2268-5-0x0000000000400000-0x0000000000428000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/2268-4-0x0000000000400000-0x0000000000428000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/2268-3-0x0000000000400000-0x0000000000428000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/2268-193-0x0000000000330000-0x000000000035C000-memory.dmp

                  Filesize

                  176KB

                  Download

                • memory/2268-246-0x0000000000400000-0x0000000000428000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/2268-247-0x00000000003D0000-0x00000000003F8000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/2268-2-0x0000000000400000-0x0000000000428000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/2268-84-0x0000000000270000-0x0000000000271000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2268-67-0x0000000077730000-0x0000000077731000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2684-16-0x0000000000260000-0x0000000000288000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/2684-17-0x0000000000290000-0x00000000002BC000-memory.dmp

                  Filesize

                  176KB

                  Download

                • memory/2684-344-0x0000000000400000-0x0000000000428000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/2684-18-0x0000000000400000-0x0000000000428000-memory.dmp

                  Filesize

                  160KB

                  Download