Malware Analysis Report

2025-08-05 16:44

Sample ID 240204-tqnx6aeaa8
Target VirusShare_f4cf00ca6e52d151fa796044e6ec4f38
SHA256 c0223074078ab6f1dbd4fd845911bb4e0fbdfb3ce7c5f64295e69a9f62a375c3
Tags adware, discovery, spyware, stealer
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1, behavioral6, behavioral9, behavioral12, behavioral13, behavioral14, behavioral15, behavioral2, behavioral4, behavioral7, behavioral10, behavioral3, behavioral5, behavioral8, behavioral11, behavioral16 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 7/10

SHA256 c0223074078ab6f1dbd4fd845911bb4e0fbdfb3ce7c5f64295e69a9f62a375c3

Threat Level: Shows suspicious behavior

The file VirusShare_f4cf00ca6e52d151fa796044e6ec4f38 was found to show suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

NSIS installer

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-02-04 16:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-02-04 16:15
Reported 2024-02-04 16:18
Platform win7-20231215-en
Max time kernel 121s
Max time network 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72bbe8ce-3b01-438a-b737-2be5790a5d07} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\ = "RichMediaViewV1release2941" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\ffRichMediaViewV1release2941.js C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\ffRichMediaViewV1release2941.js C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\ffRichMediaViewV1release2941ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ch\RichMediaViewV1release2941.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ie\RichMediaViewV1release2941.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ch\RichMediaViewV1release2941.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\icons\default\RichMediaViewV1release2941_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\icons\default\RichMediaViewV1release2941_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\ffRichMediaViewV1release2941ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{72bbe8ce-3b01-438a-b737-2be5790a5d07} = 51667a6c4c1d3b1bdef7af6b3568e007a93c6fa57b49181f C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\InprocServer32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release2941\\ie\\RichMediaViewV1release2941.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib\ = "{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\TypeLib\ = "{fcdaec5c-287e-47e7-ac5c-a2de0d2922d2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib\ = "{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release2941\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ = "IRichMediaViewV1release2941BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07} C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ = "IRichMediaViewV1release2941BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\ = "RichMediaViewV1release2941Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\0\win32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release2941\\ie\\RichMediaViewV1release2941.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\ = "RichMediaViewV1release2941" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\ = "Rich Media View" C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2236 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2236 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2236 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2236 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2236 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2236 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2236 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2236 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2236 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2236 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2236 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2236 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2236 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe C:\Windows\SysWOW64\gpupdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ie\RichMediaViewV1release2941.dll" /s

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsd57C2.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ie\RichMediaViewV1release2941.dll

MD5 02123778d68ae8e7227c13181f5128cb
SHA1 29b5364f1d2fc2c15c6dcb1222ccad54202e20c2
SHA256 23c7bcb661bdfd76c37203561bcddaaca8246fb24ba8c1f573ef35ef98f2d98d
SHA512 20c31d31d8a81468a0c017011286d0e1e2e16af07bf0b5588781bb6abe4ad36644ec48787d3c972b8c028461e3144ef833aad1a4c958e72accb1040b3efe3e19

Analysis: behavioral6

Detonation Overview

Submitted 2024-02-04 16:15
Reported 2024-02-04 16:18
Platform win10v2004-20231215-en
Max time kernel 92s
Max time network 93s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release2941chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release2941chaction.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted 2024-02-04 16:15
Reported 2024-02-04 16:18
Platform win7-20231215-en
Max time kernel 121s
Max time network 125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release2941ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release2941ffaction.js

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted 2024-02-04 16:15
Reported 2024-02-04 16:18
Platform win10v2004-20231215-en
Max time kernel 144s
Max time network 148s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release2941.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72bbe8ce-3b01-438a-b737-2be5790a5d07} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\ = "RichMediaViewV1release2941" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib\ = "{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\TypeLib\ = "{fcdaec5c-287e-47e7-ac5c-a2de0d2922d2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib\ = "{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release2941.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ = "IRichMediaViewV1release2941BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release2941.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ = "IRichMediaViewV1release2941BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\ = "RichMediaViewV1release2941" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\ = "RichMediaViewV1release2941Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 4460 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1940 wrote to memory of 4460 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1940 wrote to memory of 4460 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release2941.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release2941.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted 2024-02-04 16:15
Reported 2024-02-04 16:18
Platform win7-20231129-en
Max time kernel 122s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 1a969265f80fcdb8b8b5d43500ccc9a5
SHA1 e3ab053ccfebd3e4419993133afca21c6df5dc93
SHA256 df5f0605166a700c0635e592106f90d4421c1b210180371dffe623339a4643b0
SHA512 f51ebe965f8389c140870e1b99c403978ba23f0f9afcadbba1a2ffcf1cd5123699e8b92fd650aff710d4040b36d625563f4857525a37228ca5a5cf631be3749a

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 a8f37345b135ad30f106f859d452bb2b
SHA1 d8749bb3f492d7bb604efdf82ea3d899b6441051
SHA256 fe6c0f569fedaeaf8b07bf3fb7e1035b470382375c3bdd34c038286f0b0815c8
SHA512 bb9735598f8c6c0c8ca92379ad11cc995ad70ea0b711b1eef08ec90b3d01563a306f75b5043fb1408b5674fac48a6751b9eb59ff368c22ec863ed83b8b27a840

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 70008ba643b3f2e7bcc589c530132e55
SHA1 8c1f7267ef9b2ffb46a9fcafef0954dce77c6a02
SHA256 4ff50f4677a072933d6e10cd89cf0d0d970fd96aa4b26a57a585f3bbb4b4ff7a
SHA512 e4789de242419e1f3189dd616534771d5c4964c8d0938e991ed285ebaae3c7104db7bb9400b4c303bfb3174c9e581f74aa108a961569e8fd30c9a5bdf332b14a

C:\Users\Admin\AppData\Local\Temp\nso3535.tmp\aminsis.dll

MD5 f627e7c0ffaa38d2d97a49384d1cbfc4
SHA1 06318833f771b1cff4935b5cb7cf57f45a1ff449
SHA256 3d290f199032ac322936f2f79635ed7af415dedbac26507c2ed738fabd5435f1
SHA512 afe6c06e9b986d44940566691176beeb977422970b44761e9a97a53a75a41c05a65c9fb9a783e7c0814819d55d74beebf00bc37cdd8fb1dad7cd5d31a8c21c32

\Users\Admin\AppData\Local\Temp\nso3535.tmp\aminsis.dll

MD5 135ca51dc563ebf59cb18edf40827323
SHA1 e25c802687ff5c02a9a88f54f058534108c49dc3
SHA256 f520f5462b06c36d5e4c90ea46efb80a2e0f0fa7fa4f411655c8c2ea440be501
SHA512 5cb950d6fececf72abb3af01a3ad51f0d231850bedb17f74592b169cf4482d0cc55a846d24aafb982150112597f959e8aebd41f03ecacd7838d27343327b52c0

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-04 16:15

Reported

2024-02-04 16:18

Platform

win10v2004-20231222-en

Max time kernel

88s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

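The Au_.exe line above is the standard NSIS uninstaller pattern: uninstall.exe copies itself to %TEMP%\~nsu.tmp\Au_.exe and relaunches that copy with _?=<install directory> so the original file can be deleted, which is why the "NSIS installer" signature fires on these runs. Together with the rundll32 ... $PLUGINSDIR\aminsis.dll,#1, regsvr32 ... /s, wscript ... .js and gpupdate /force command lines in the other runs on this page, it gives a compact set of process-creation heuristics. The Python below is an added example, not part of the sandbox report: it replays command lines copied from this page (plus one constructed benign svchost line as a control) through those heuristics. The tag names are my own.

```python
from __future__ import annotations

import re

# Constructed sample: (image path, command line) pairs copied from the process lists in
# this report's behavioral runs, plus one benign svchost entry as a control.
SAMPLE_PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\uninstall.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp' + "\\"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1"),
    (r"C:\Windows\SysWOW64\regsvr32.exe",
     r'regsvr32 "C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ie\RichMediaViewV1release2941.dll" /s'),
    (r"C:\Windows\system32\wscript.exe",
     r"wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release2941.js"),
    (r"C:\Windows\SysWOW64\gpupdate.exe",
     r'"C:\Windows\System32\gpupdate.exe" /force'),
    (r"C:\Windows\system32\svchost.exe",
     r"C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc"),
]

# Paths a standard user can write to; binaries and scripts launched from here deserve a look.
USER_WRITABLE = re.compile(r"^(?:[a-z]:)?\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
SCRIPT_PATH = re.compile(r'([a-z]:\\[^"\s]+?\.(?:js|jse|vbs|vbe|wsf))', re.IGNORECASE)


def classify(image: str, cmdline: str) -> list[str]:
    """Return the heuristic tags that fire for one process-creation record."""
    tags: list[str] = []
    exe = image.rsplit("\\", 1)[-1].lower()
    low = cmdline.lower()
    tokens = low.split()

    # NSIS uninstaller self-copy: uninstall.exe copies itself to %TEMP%\~nsu.tmp\Au_.exe and
    # relaunches it with _?=<install dir> so the original can be deleted. Expected for any
    # NSIS uninstaller, but it is the fingerprint that ties these runs to NSIS.
    if exe == "au_.exe" and "~nsu.tmp" in low and "_?=" in low:
        tags.append("nsis-uninstaller-relaunch")

    # rundll32 calling an export of a DLL staged in an NSIS $PLUGINSDIR directory.
    if exe == "rundll32.exe" and "\\$pluginsdir\\" in low:
        tags.append("rundll32-nsis-plugin")

    # regsvr32 registering a COM server silently (/s); BHO and shell-extension installs
    # look like this. Where the DLL lives decides how suspicious it is.
    if exe == "regsvr32.exe" and "/s" in tokens:
        tags.append("regsvr32-silent-register")

    # Script host running a script out of a user-writable directory.
    if exe in ("wscript.exe", "cscript.exe"):
        m = SCRIPT_PATH.search(cmdline)
        if m and USER_WRITABLE.search(m.group(1)):
            tags.append("script-host-from-userdir")

    # Forced policy refresh; benign on its own, but worth correlating with a preceding
    # write to GroupPolicy\Machine\Registry.pol by a non-policy process.
    if exe == "gpupdate.exe" and "/force" in tokens:
        tags.append("gpupdate-force")

    return tags


def triage(records: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each command line that fired at least one heuristic to its tags."""
    hits: dict[str, list[str]] = {}
    for image, cmdline in records:
        tags = classify(image, cmdline)
        if tags:
            hits[cmdline] = tags
    return hits


if __name__ == "__main__":
    for cmd, tags in triage(SAMPLE_PROCESSES).items():
        print(", ".join(tags), "<-", cmd)
```

None of these tags is a verdict by itself; the NSIS relaunch and gpupdate /force are routine in isolation. What makes this sample stand out is the combination in one process tree: an NSIS package, a silently registered COM DLL under Program Files, scripts run from %TEMP%, and a machine policy refresh.
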
Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 13bcaba730facbb9e02e1832a704a13a
SHA1 73254c8cb9bb41983d94228e02c361d3c2ba557a
SHA256 95876fb1e00b346987ed8d47205b1f0350e1a988cdeb20fef6bb8bb35b9c19fd
SHA512 b3abfbb6a0e1c6ad121b40e965cb659c1bda1ba65dd63ea095c86a9da09cc2a7850e769cb20cfb148c562f22224eff667006ea174d688da72ebbf24cfc4d18da

C:\Users\Admin\AppData\Local\Temp\nsm6497.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-04 16:15

Reported

2024-02-04 16:18

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 220

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 16:15

Reported

2024-02-04 16:18

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72bbe8ce-3b01-438a-b737-2be5790a5d07} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\ = "RichMediaViewV1release2941" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
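Creating C:\Windows\System32\GroupPolicy\Machine\Registry.pol and then running gpupdate /force (see this run's process list) means the installer applied machine registry policy: whatever that file carries survives the installer and is re-applied on every policy refresh, outside the reach of the browser's own extension settings. The report does not show the file's contents, so the first thing to do with the dropped file is parse it. The Python below is an added example, not part of the report: a reader and writer for the documented Registry.pol (PReg) layout, exercised on a constructed file. Its entries (a hypothetical Chrome ExtensionInstallForcelist value and a dummy DWORD) are illustrative only and are not what this sample wrote.

```python
from __future__ import annotations

import struct

PREG_MAGIC = b"PReg"
PREG_VERSION = 1
REG_TYPE_NAMES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


def build_pol(entries: list[tuple[str, str, int, bytes]]) -> bytes:
    """Serialise (key, value name, REG_* type, raw data) tuples into Registry.pol bytes.

    Layout per the documented PReg format: 'PReg' + DWORD version 1, then one
    [key;value;type;size;data] record per entry, where the brackets and semicolons are
    UTF-16LE characters, key and value are NUL-terminated UTF-16LE strings, and type
    and size are little-endian DWORDs.
    """
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, name, rtype, data in entries:
        out += _u16("[") + _u16(key) + b"\x00\x00" + _u16(";")
        out += _u16(name) + b"\x00\x00" + _u16(";")
        out += struct.pack("<I", rtype) + _u16(";")
        out += struct.pack("<I", len(data)) + _u16(";")
        out += data + _u16("]")
    return bytes(out)


def parse_pol(blob: bytes) -> list[tuple[str, str, int, bytes]]:
    """Parse Registry.pol bytes back into (key, value name, type, raw data) tuples."""
    if blob[:4] != PREG_MAGIC:
        raise ValueError("not a PReg file")
    version = struct.unpack_from("<I", blob, 4)[0]
    if version != PREG_VERSION:
        raise ValueError(f"unsupported PReg version {version}")

    def expect(pos: int, ch: str) -> int:
        if blob[pos:pos + 2] != _u16(ch):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        return pos + 2

    def read_str(pos: int) -> tuple[str, int]:
        end = pos
        while blob[end:end + 2] != b"\x00\x00":  # scan on 2-byte boundaries only
            end += 2
            if end >= len(blob):
                raise ValueError("unterminated string")
        return blob[pos:end].decode("utf-16-le"), end + 2

    entries = []
    pos = 8
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_str(pos)
        pos = expect(pos, ";")
        name, pos = read_str(pos)
        pos = expect(pos, ";")
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        data = blob[pos:pos + size]
        pos = expect(pos + size, "]")
        entries.append((key, name, rtype, data))
    return entries


def decode_value(rtype: int, data: bytes):
    """Turn raw policy data into a Python value for the common registry types."""
    if rtype in (1, 2):
        return data.decode("utf-16-le").rstrip("\x00")
    if rtype == 4:
        return struct.unpack("<I", data)[0]
    if rtype == 7:
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data.hex()


def summarize(blob: bytes) -> list[tuple[str, str, str, object]]:
    """One (key, value name, type name, decoded value) row per policy entry."""
    return [(key, name, REG_TYPE_NAMES.get(rtype, f"type {rtype}"), decode_value(rtype, data))
            for key, name, rtype, data in parse_pol(blob)]


# Constructed sample, NOT this sample's actual Registry.pol: a hypothetical extension
# force-install entry and a dummy DWORD, the kind of value a machine Registry.pol carries.
SAMPLE_ENTRIES = [
    (r"Software\Policies\Google\Chrome\ExtensionInstallForcelist", "1", 1,
     _u16("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://example.invalid/update.xml") + b"\x00\x00"),
    (r"Software\Policies\Example\Setting", "Enabled", 4, struct.pack("<I", 1)),
]

if __name__ == "__main__":
    for row in summarize(build_pol(SAMPLE_ENTRIES)):
        print(row)
```

Point summarize() at the bytes of a real Registry.pol pulled from the sandbox to see exactly which policy keys the installer set; the parser deliberately refuses malformed delimiters instead of resynchronising, so a truncated or tampered file fails loudly.
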

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ie\RichMediaViewV1release2941.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\ffRichMediaViewV1release2941.js C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\ffRichMediaViewV1release2941.js C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ch\RichMediaViewV1release2941.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\ffRichMediaViewV1release2941ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\ffRichMediaViewV1release2941ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\icons\default\RichMediaViewV1release2941_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome\content\icons\default\RichMediaViewV1release2941_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ch\RichMediaViewV1release2941.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{72bbe8ce-3b01-438a-b737-2be5790a5d07} = 51667a6c4c1d3b1bdef4aa623e6de107a83e69a57a4f1d1c C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\ = "RichMediaViewV1release2941Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\InprocServer32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release2941\\ie\\RichMediaViewV1release2941.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ = "IRichMediaViewV1release2941BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib\ = "{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\TypeLib\ = "{fcdaec5c-287e-47e7-ac5c-a2de0d2922d2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07} C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\ = "Rich Media View" C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\0\win32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release2941\\ie\\RichMediaViewV1release2941.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release2941\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\ = "RichMediaViewV1release2941" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib\ = "{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ = "IRichMediaViewV1release2941BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07} C:\Windows\SysWOW64\regsvr32.exe N/A
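The keys above are the pieces of one COM/BHO registration: the Browser Helper Objects\{CLSID} entry that tells Internet Explorer to load the object (NoExplorer = 1 keeps it out of Windows Explorer), the CLSID\{...}\InprocServer32 default value that names the DLL, and the TypeLib and Interface entries regsvr32 writes from the DLL's embedded type library. Everything sits under WOW6432Node, so this is a 32-bit server loaded by 32-bit iexplore.exe. The Python below is an added example, not from the report: it replays a subset of these events, copied from the tables, into a registry model and resolves the BHO to its DLL the way the browser does at start-up. The function and field names are mine.

```python
from __future__ import annotations

# Constructed input: registry events copied from the behavioral2 signature tables in this
# report, as (operation, key, value name, data). The report writes a key's default value
# as "<key>\ = ...", which is value name "" here.
EVENTS = [
    ("Key created",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72bbe8ce-3b01-438a-b737-2be5790a5d07}",
     None, None),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72bbe8ce-3b01-438a-b737-2be5790a5d07}",
     "", "RichMediaViewV1release2941"),
    ("Set value (int)",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72bbe8ce-3b01-438a-b737-2be5790a5d07}",
     "NoExplorer", "1"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}",
     "", "RichMediaViewV1release2941"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\InprocServer32",
     "", r"C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ie\RichMediaViewV1release2941.dll"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\InprocServer32",
     "ThreadingModel", "Apartment"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\TypeLib",
     "", "{fcdaec5c-287e-47e7-ac5c-a2de0d2922d2}"),
]

HKLM_SW = r"\registry\machine\software"
# Where the browser enumerates BHOs: the WOW6432Node view for a 32-bit iexplore.exe,
# the native view for a 64-bit one.
BHO_LISTS = [
    (HKLM_SW + r"\wow6432node\microsoft\windows\currentversion\explorer\browser helper objects", True),
    (HKLM_SW + r"\microsoft\windows\currentversion\explorer\browser helper objects", False),
]


def build_registry(events) -> dict[str, dict[str, str]]:
    """Replay the events into a {key: {value name: data}} model, case-insensitive on names."""
    reg: dict[str, dict[str, str]] = {}
    for op, key, name, data in events:
        values = reg.setdefault(key.lower(), {})
        if op.startswith("Set value"):
            values[name.lower()] = data
    return reg


def resolve_bhos(reg: dict[str, dict[str, str]]) -> list[dict]:
    """Resolve each BHO registration the way the browser does: the subkey name under
    Browser Helper Objects is a CLSID, and the DLL is the default value of
    HKLM\Software\Classes[\WOW6432Node]\CLSID\{clsid}\InprocServer32."""
    found = []
    for base, wow64 in BHO_LISTS:
        depth = base.count("\\") + 1
        for key, values in reg.items():
            if not (key.startswith(base + "\\") and key.count("\\") == depth):
                continue
            clsid = key.rsplit("\\", 1)[1]
            # A 32-bit BHO list points at the 32-bit class table first, then falls back.
            classes = [HKLM_SW + r"\classes\wow6432node\clsid", HKLM_SW + r"\classes\clsid"]
            if not wow64:
                classes.reverse()
            clsid_key = next((c + "\\" + clsid for c in classes
                              if c + "\\" + clsid + "\\inprocserver32" in reg), None)
            server = reg.get(clsid_key + "\\inprocserver32", {}) if clsid_key else {}
            found.append({
                "clsid": clsid,
                "wow64_view": wow64,
                "bho_name": values.get(""),
                "no_explorer": values.get("noexplorer") == "1",
                "class_name": reg.get(clsid_key, {}).get("") if clsid_key else None,
                "server_dll": server.get(""),          # None means a dangling registration
                "threading_model": server.get("threadingmodel"),
                "typelib": reg.get(clsid_key + "\\typelib", {}).get("") if clsid_key else None,
            })
    return found


if __name__ == "__main__":
    for bho in resolve_bhos(build_registry(EVENTS)):
        print(f"BHO {bho['clsid']} ({bho['bho_name']}) -> {bho['server_dll']}")
```

The same resolution logic applies to a live host if the model is filled from the registry instead of from sandbox events; a BHO whose InprocServer32 points into a user-writable directory (as in the behavioral11 run, where the DLL is registered from %TEMP%\ie) or that resolves to nothing at all is the case to look at first.
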

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_f4cf00ca6e52d151fa796044e6ec4f38.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ie\RichMediaViewV1release2941.dll" /s

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsn731E.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release2941\ie\RichMediaViewV1release2941.dll

MD5 02123778d68ae8e7227c13181f5128cb
SHA1 29b5364f1d2fc2c15c6dcb1222ccad54202e20c2
SHA256 23c7bcb661bdfd76c37203561bcddaaca8246fb24ba8c1f573ef35ef98f2d98d
SHA512 20c31d31d8a81468a0c017011286d0e1e2e16af07bf0b5588781bb6abe4ad36644ec48787d3c972b8c028461e3144ef833aad1a4c958e72accb1040b3efe3e19

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-04 16:15

Reported

2024-02-04 16:18

Platform

win10v2004-20231222-en

Max time kernel

87s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 3456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 3456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 3456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3456 -ip 3456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-04 16:15

Reported

2024-02-04 16:18

Platform

win7-20231215-en

Max time kernel

121s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release2941.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release2941.js

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-04 16:15

Reported

2024-02-04 16:18

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release2941ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release2941ffaction.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-04 16:15

Reported

2024-02-04 16:18

Platform

win7-20231215-en

Max time kernel

122s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 224

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-04 16:15

Reported

2024-02-04 16:18

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release2941chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release2941chaction.js

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-04 16:15

Reported

2024-02-04 16:18

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release2941.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release2941.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
GB 96.16.110.41:443 tcp
SE 192.229.221.95:80 tcp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-04 16:15

Reported

2024-02-04 16:18

Platform

win7-20231215-en

Max time kernel

120s

Max time network

124s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release2941.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72bbe8ce-3b01-438a-b737-2be5790a5d07} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\ = "RichMediaViewV1release2941" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ = "IRichMediaViewV1release2941BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib\ = "{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\ = "RichMediaViewV1release2941" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\TypeLib\ = "{fcdaec5c-287e-47e7-ac5c-a2de0d2922d2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ = "IRichMediaViewV1release2941BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\ = "RichMediaViewV1release2941Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release2941.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release2941.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72bbe8ce-3b01-438a-b737-2be5790a5d07}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A}\TypeLib\ = "{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FCDAEC5C-287E-47E7-AC5C-A2DE0D2922D2}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33F03F09-900B-4A0D-A42E-39EE20858B6A} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 1664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1204 wrote to memory of 1664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1204 wrote to memory of 1664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1204 wrote to memory of 1664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1204 wrote to memory of 1664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1204 wrote to memory of 1664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1204 wrote to memory of 1664 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release2941.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release2941.dll

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-04 16:15

Reported

2024-02-04 16:18

Platform

win10v2004-20231222-en

Max time kernel

88s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3800 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3800 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3800 wrote to memory of 2788 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2788 -ip 2788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A