Overview
overview
7Static
static
3VirusShare...38.exe
windows7-x64
7VirusShare...38.exe
windows10-2004-x64
7$PLUGINSDI...is.dll
windows7-x64
3$PLUGINSDI...is.dll
windows10-2004-x64
3ffRichMedi...ion.js
windows7-x64
1ffRichMedi...ion.js
windows10-2004-x64
1ff/chrome/...941.js
windows7-x64
1ff/chrome/...941.js
windows10-2004-x64
1ff/chrome/...ion.js
windows7-x64
1ff/chrome/...ion.js
windows10-2004-x64
1ie/RichMed...41.dll
windows7-x64
6ie/RichMed...41.dll
windows10-2004-x64
6uninstall.exe
windows7-x64
7uninstall.exe
windows10-2004-x64
7$PLUGINSDI...is.dll
windows7-x64
3$PLUGINSDI...is.dll
windows10-2004-x64
3Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
04/02/2024, 16:15
Static task
static1
Behavioral task
behavioral1
Sample
VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/aminsis.dll
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/aminsis.dll
Resource
win10v2004-20231222-en
Behavioral task
behavioral5
Sample
ffRichMediaViewV1release2941chaction.js
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
ffRichMediaViewV1release2941chaction.js
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
ff/chrome/content/ffRichMediaViewV1release2941.js
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
ff/chrome/content/ffRichMediaViewV1release2941.js
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
ff/chrome/content/ffRichMediaViewV1release2941ffaction.js
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
ff/chrome/content/ffRichMediaViewV1release2941ffaction.js
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
ie/RichMediaViewV1release2941.dll
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
ie/RichMediaViewV1release2941.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral13
Sample
uninstall.exe
Resource
win7-20231129-en
Behavioral task
behavioral14
Sample
uninstall.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral15
Sample
$PLUGINSDIR/aminsis.dll
Resource
win7-20231129-en
Behavioral task
behavioral16
Sample
$PLUGINSDIR/aminsis.dll
Resource
win10v2004-20231222-en
General
-
Target
uninstall.exe
-
Size
289KB
-
MD5
13bcaba730facbb9e02e1832a704a13a
-
SHA1
73254c8cb9bb41983d94228e02c361d3c2ba557a
-
SHA256
95876fb1e00b346987ed8d47205b1f0350e1a988cdeb20fef6bb8bb35b9c19fd
-
SHA512
b3abfbb6a0e1c6ad121b40e965cb659c1bda1ba65dd63ea095c86a9da09cc2a7850e769cb20cfb148c562f22224eff667006ea174d688da72ebbf24cfc4d18da
-
SSDEEP
6144:Ue34nx6Rg4l8ai5PQtTZ763J8eWW43YLYjn5uO7D32fuCa7Bm2:+x6q4OaQQTYJ8eP4/L5uO7D3f5Bv
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1708 Au_.exe -
Loads dropped DLL 2 IoCs
pid Process 3040 uninstall.exe 1708 Au_.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 6 IoCs
resource yara_rule behavioral13/files/0x000b000000014abe-6.dat nsis_installer_1 behavioral13/files/0x000b000000014abe-6.dat nsis_installer_2 behavioral13/files/0x000b000000014abe-5.dat nsis_installer_1 behavioral13/files/0x000b000000014abe-5.dat nsis_installer_2 behavioral13/files/0x000b000000014abe-2.dat nsis_installer_1 behavioral13/files/0x000b000000014abe-2.dat nsis_installer_2 -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3040 wrote to memory of 1708 3040 uninstall.exe 18 PID 3040 wrote to memory of 1708 3040 uninstall.exe 18 PID 3040 wrote to memory of 1708 3040 uninstall.exe 18 PID 3040 wrote to memory of 1708 3040 uninstall.exe 18
Processes
-
C:\Users\Admin\AppData\Local\Temp\uninstall.exe"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
233KB
MD5f627e7c0ffaa38d2d97a49384d1cbfc4
SHA106318833f771b1cff4935b5cb7cf57f45a1ff449
SHA2563d290f199032ac322936f2f79635ed7af415dedbac26507c2ed738fabd5435f1
SHA512afe6c06e9b986d44940566691176beeb977422970b44761e9a97a53a75a41c05a65c9fb9a783e7c0814819d55d74beebf00bc37cdd8fb1dad7cd5d31a8c21c32
-
Filesize
60KB
MD5a8f37345b135ad30f106f859d452bb2b
SHA1d8749bb3f492d7bb604efdf82ea3d899b6441051
SHA256fe6c0f569fedaeaf8b07bf3fb7e1035b470382375c3bdd34c038286f0b0815c8
SHA512bb9735598f8c6c0c8ca92379ad11cc995ad70ea0b711b1eef08ec90b3d01563a306f75b5043fb1408b5674fac48a6751b9eb59ff368c22ec863ed83b8b27a840
-
Filesize
93KB
MD51a969265f80fcdb8b8b5d43500ccc9a5
SHA1e3ab053ccfebd3e4419993133afca21c6df5dc93
SHA256df5f0605166a700c0635e592106f90d4421c1b210180371dffe623339a4643b0
SHA512f51ebe965f8389c140870e1b99c403978ba23f0f9afcadbba1a2ffcf1cd5123699e8b92fd650aff710d4040b36d625563f4857525a37228ca5a5cf631be3749a
-
Filesize
53KB
MD5135ca51dc563ebf59cb18edf40827323
SHA1e25c802687ff5c02a9a88f54f058534108c49dc3
SHA256f520f5462b06c36d5e4c90ea46efb80a2e0f0fa7fa4f411655c8c2ea440be501
SHA5125cb950d6fececf72abb3af01a3ad51f0d231850bedb17f74592b169cf4482d0cc55a846d24aafb982150112597f959e8aebd41f03ecacd7838d27343327b52c0
-
Filesize
155KB
MD570008ba643b3f2e7bcc589c530132e55
SHA18c1f7267ef9b2ffb46a9fcafef0954dce77c6a02
SHA2564ff50f4677a072933d6e10cd89cf0d0d970fd96aa4b26a57a585f3bbb4b4ff7a
SHA512e4789de242419e1f3189dd616534771d5c4964c8d0938e991ed285ebaae3c7104db7bb9400b4c303bfb3174c9e581f74aa108a961569e8fd30c9a5bdf332b14a