Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    04/02/2024, 16:18

General

  • Target

    VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe

  • Size

    634KB

  • MD5

    7b8c8ad756e2e5e0a4ebc1a2b7833e68

  • SHA1

    c963091441fdbac6c66b92114b716cd75fba590c

  • SHA256

    1e48ba42fad238c5eb31848e810360aef3d51bd217797833b9fe6d4e34958431

  • SHA512

    04ef1e105b0d57e04ead621d5501dba22624eb035eaa7b2e3eae45616aa8e9adc3d016b281b47d870d5ecc6b9a098792531a295e3087ca445ff2258ca5b98ebb

  • SSDEEP

    12288:aOcT22WHJG4GjeZHkwuPikQ7lKH5p5H9x1DeZHkwuriZQblKh5pDxXTd8zbk:aOcTuHJG4GjeZEXi37l6Br1DeZEDiObo

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_7b8c8ad756e2e5e0a4ebc1a2b7833e68.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 "C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ie\MediaWatchV1home2427.dll" /s
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      PID:2660
    • C:\Windows\SysWOW64\gpupdate.exe
      "C:\Windows\System32\gpupdate.exe" /force
      2⤵
        PID:2904

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2427\ie\MediaWatchV1home2427.dll

            Filesize

            85KB

            MD5

            28c07962e61d1c1e2a3b169be219c961

            SHA1

            7dd1f02d6e181164a14aaadf605a1699897962db

            SHA256

            b290ee17d015b8eb149dcb5265011538f7873d3b73985d4aa53f68ef1ae7e8fd

            SHA512

            fdedb93a0372a8d7628f54bfeaf50a9527ad077f8c8dd35a24b7f7ba8162c4d60a9d747a743ccfb55c1bd3ced5123064a4756a2b73152de5e11b6886c808cd27

          • \Users\Admin\AppData\Local\Temp\nsd5B5A.tmp\aminsis.dll

            Filesize

            559KB

            MD5

            51ba1095f0ae45a2d444bea506cb9ad4

            SHA1

            038a5d53d055a6d440bd2c8864c2f51db206c5e5

            SHA256

            b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539

            SHA512

            f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361