Malware Analysis Report

2025-08-05 16:44

Sample ID 240204-ts986seba7
Target VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0
SHA256 478d406e968f5a1f656cda098cb3b4b00877ffb6bec4a89ebd7f6b03ec517c75
Tags adware stealer spyware discovery
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral11
Analysis: behavioral15
Analysis: behavioral5
Analysis: behavioral8
Analysis: behavioral10
Analysis: behavioral13
Analysis: behavioral14
Analysis: behavioral1
Analysis: behavioral2
Analysis: behavioral16
Analysis: behavioral4
Analysis: behavioral9
Analysis: behavioral12
Analysis: behavioral3
Analysis: behavioral6
Analysis: behavioral7

Each behavioral analysis section has the same subsections: Detonation Overview, Command Line, Signatures, Processes, Network, Files.

Analysis Overview

score
7/10

SHA256

478d406e968f5a1f656cda098cb3b4b00877ffb6bec4a89ebd7f6b03ec517c75

Threat Level: Shows suspicious behavior

The file VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0 was found to show suspicious behavior.

Malicious Activity Summary

adware stealer spyware discovery

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 16:20

Signatures

Unsigned PE

(no indicator rows recorded for this signature)

NSIS installer

installer
(no indicator rows recorded for this signature)

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-04 16:20

Reported

2024-02-04 16:23

Platform

win7-20231215-en

Max time kernel

119s

Max time network

124s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release457.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{a3f275c8-2d58-4edc-9720-e881900a1c8f} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\ = "RichMediaViewV1release457" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\ = "RichMediaViewV1release457Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ = "IRichMediaViewV1release457BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib\ = "{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release457.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release457.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib\ = "{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ = "IRichMediaViewV1release457BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\TypeLib\ = "{b686f91b-ea6a-4179-8ac3-fdd1ef7ccd36}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\ = "RichMediaViewV1release457" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f} C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release457.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release457.dll

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-04 16:20

Reported

2024-02-04 16:23

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 220

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-04 16:20

Reported

2024-02-04 16:23

Platform

win7-20231215-en

Max time kernel

119s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release457chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release457chaction.js

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-04 16:20

Reported

2024-02-04 16:23

Platform

win10v2004-20231222-en

Max time kernel

92s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release457.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release457.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-04 16:20

Reported

2024-02-04 16:23

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release457ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release457ffaction.js

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 234.17.178.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-04 16:20

Reported

2024-02-04 16:23

Platform

win7-20231215-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
(Au_.exe under ~nsu.tmp, launched with _?=<install dir>, is the standard NSIS uninstaller behaviour: the uninstaller copies itself there so it can delete its own directory. The row reflects that stub, not an additional payload.)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
(no indicator rows recorded for this signature)

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 993a45b3ff49d9bf8c56bb1344f67858
SHA1 a676eff6319511738b3ef4fd8ab4477fbed60ab3
SHA256 1f7ff1ee812ed5ec52fde44cb5ba15ce4c78e163c07236edf09c0fd892554ef8
SHA512 d6b86eb73d616d1cb9ba3fff8671e8dd5caa572d7ca3baaeea86730ebef5fef05324bd736db213b0e0c6ccc7b0c456884d69e7848d597e1fbd8578c6d646e689

\Users\Admin\AppData\Local\Temp\nsi35FF.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-04 16:20

Reported

2024-02-04 16:23

Platform

win10v2004-20231215-en

Max time kernel

90s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
(no indicator rows recorded for this signature)

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 993a45b3ff49d9bf8c56bb1344f67858
SHA1 a676eff6319511738b3ef4fd8ab4477fbed60ab3
SHA256 1f7ff1ee812ed5ec52fde44cb5ba15ce4c78e163c07236edf09c0fd892554ef8
SHA512 d6b86eb73d616d1cb9ba3fff8671e8dd5caa572d7ca3baaeea86730ebef5fef05324bd736db213b0e0c6ccc7b0c456884d69e7848d597e1fbd8578c6d646e689

C:\Users\Admin\AppData\Local\Temp\nsz6AA2.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 16:20

Reported

2024-02-04 16:23

Platform

win7-20231215-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{a3f275c8-2d58-4edc-9720-e881900a1c8f} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\ = "RichMediaViewV1release457" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
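
The installer wrote C:\Windows\System32\GroupPolicy\Machine\Registry.pol and touched gpt.ini (table above), and the Processes list for this analysis shows it then ran "C:\Windows\System32\gpupdate.exe" /force so the new local machine policy was applied immediately. Registry.pol is the PReg format: the 4-byte magic "PReg", a version DWORD, then a sequence of [key;value;type;size;data] records in UTF-16LE. The report does not record what this sample's Registry.pol contained, so pulling the file from the detonation VM and parsing it is the natural next step. The Python below is an added example, not part of the sandbox report or the sample: build_pol exists only to construct a sample blob offline, the entries it builds (the ExampleVendor policy path, the extension id and the update URL) are made up, and parse_pol is the part you would point at the real file.

```python
import struct

PREG_SIGNATURE = b'PReg'          # DWORD 0x67655250 stored little-endian
PREG_VERSION = 1
REG_TYPES = {1: 'REG_SZ', 2: 'REG_EXPAND_SZ', 3: 'REG_BINARY', 4: 'REG_DWORD', 7: 'REG_MULTI_SZ'}


def _w(text):
    """UTF-16LE bytes without terminator; the whole .pol body is UTF-16LE."""
    return text.encode('utf-16-le')


def build_pol(entries):
    """Serialise (key, value_name, reg_type, data_bytes) tuples as a Registry.pol blob.
    Only used here to construct the sample offline. Layout per record:
    [key;value;type;size;data] with 2-byte brackets/semicolons and NUL-terminated
    key/value strings; REG_SZ data carries its own NUL terminator."""
    out = bytearray(PREG_SIGNATURE + struct.pack('<I', PREG_VERSION))
    for key, value, reg_type, data in entries:
        out += _w('[') + _w(key) + b'\x00\x00' + _w(';') + _w(value) + b'\x00\x00' + _w(';')
        out += struct.pack('<I', reg_type) + _w(';') + struct.pack('<I', len(data)) + _w(';')
        out += data + _w(']')
    return bytes(out)


def _read_wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string starting at pos.
    The terminator must sit on a 2-byte boundary, otherwise the 0x00 high byte of an
    ASCII character followed by the terminator would be taken as the end of string."""
    end = buf.index(b'\x00\x00', pos)
    while (end - pos) % 2:
        end = buf.index(b'\x00\x00', end + 1)
    return buf[pos:end].decode('utf-16-le'), end + 2


def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != _w(ch):
        raise ValueError(f'malformed Registry.pol: expected {ch!r} at offset {pos}')
    return pos + 2


def _decode(reg_type, data):
    if reg_type in (1, 2):
        return data.decode('utf-16-le').rstrip('\x00')
    if reg_type == 4 and len(data) == 4:
        return struct.unpack('<I', data)[0]
    if reg_type == 7:
        return [s for s in data.decode('utf-16-le').split('\x00') if s]
    return data.hex()


def parse_pol(buf):
    """Return (version, [entry, ...]) for a Registry.pol blob."""
    if buf[:4] != PREG_SIGNATURE:
        raise ValueError('not a PReg file')
    version = struct.unpack_from('<I', buf, 4)[0]
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, '[')
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ';')
        value, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ';')
        reg_type = struct.unpack_from('<I', buf, pos)[0]
        pos = _expect(buf, pos + 4, ';')
        size = struct.unpack_from('<I', buf, pos)[0]
        pos = _expect(buf, pos + 4, ';')
        data, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, ']')
        entries.append({'key': key, 'value': value,
                        'type': REG_TYPES.get(reg_type, f'0x{reg_type:x}'),
                        'data': _decode(reg_type, data)})
    return version, entries


def browser_policy_entries(entries):
    """Records under Software\\Policies\\, i.e. settings pushed machine-wide by policy."""
    return [e for e in entries if e['key'].lower().startswith('software\\policies\\')]


# Constructed sample. The report records only that Registry.pol was created and
# gpupdate /force run, not its contents, so these two records are illustrative:
# the "<id>;<update url>" value layout mirrors how Chromium-based browsers accept a
# force-install list, but the vendor path, extension id and URL are made up.
SAMPLE_POL = build_pol([
    (r'Software\Policies\ExampleVendor\Browser\ExtensionInstallForcelist', '1', 1,
     _w('abcdefghijklmnopabcdefghijklmnop;https://updates.example.invalid/crx') + b'\x00\x00'),
    (r'Software\Policies\ExampleVendor\Browser', 'DeveloperToolsDisabled', 4, struct.pack('<I', 1)),
])

if __name__ == '__main__':
    version, entries = parse_pol(SAMPLE_POL)
    print(f'PReg v{version}, {len(entries)} records')
    for e in browser_policy_entries(entries):
        print(f"  {e['key']}\\{e['value']} ({e['type']}) = {e['data']!r}")
```

On a real case, read C:\Windows\System32\GroupPolicy\Machine\Registry.pol (and the User\ counterpart) from the image and pass the bytes to parse_pol; anything under Software\Policies\ that names a browser or an extension list is what the gpupdate /force was for.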

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\icons\default\RichMediaViewV1release457_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ch\RichMediaViewV1release457.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\icons\default\RichMediaViewV1release457_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ie\RichMediaViewV1release457.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ch\RichMediaViewV1release457.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\ffRichMediaViewV1release457.js C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\ffRichMediaViewV1release457.js C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\ffRichMediaViewV1release457ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\ffRichMediaViewV1release457ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{a3f275c8-2d58-4edc-9720-e881900a1c8f} = 51667a6c4c1d3b1bd868e6ba6e7aba01882ca3c196405b97 C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib\ = "{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f} C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ = "IRichMediaViewV1release457BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\InprocServer32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release457\\ie\\RichMediaViewV1release457.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\ = "RichMediaViewV1release457Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release457\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\ = "RichMediaViewV1release457" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\ = "Rich Media View" C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib\ = "{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\0\win32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release457\\ie\\RichMediaViewV1release457.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ = "IRichMediaViewV1release457BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\TypeLib\ = "{b686f91b-ea6a-4179-8ac3-fdd1ef7ccd36}" C:\Windows\SysWOW64\regsvr32.exe N/A
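
The regsvr32 registrations in this analysis and in behavioral11 show how the BHO is wired up. The CLSID {a3f275c8-2d58-4edc-9720-e881900a1c8f} is listed under Explorer\Browser Helper Objects with NoExplorer = 1 (load in Internet Explorer only, not in Windows Explorer), and the CLSID's InprocServer32 default value names the DLL Internet Explorer will load: in behavioral11 that is a DLL under %TEMP%\ie, in this analysis the copy under Program Files (x86). The Python below is an added example, not part of the sandbox report, that correlates the report's own registry-event rows into BHO -> DLL pairs and flags servers loaded from user-writable locations. The row strings are copied from this page; the row pattern (EVENT_RE), the user-writable directory markers and the result layout are the example's own assumptions.

```python
import re

# Registry-event rows exactly as printed in this report's signature tables
# ("Description Indicator Process Target", space separated). The first list is
# copied from behavioral11, the second from behavioral1 (this analysis).
EVENTS_BEHAVIORAL11 = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{a3f275c8-2d58-4edc-9720-e881900a1c8f} C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release457.dll" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A',
]
EVENTS_BEHAVIORAL1 = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{a3f275c8-2d58-4edc-9720-e881900a1c8f} C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\InprocServer32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release457\\ie\\RichMediaViewV1release457.dll" C:\Windows\SysWOW64\regsvr32.exe N/A',
]

# One report row: operation, registry key (may contain spaces), optional quoted
# data, then the acting process and the target as the last two tokens.
EVENT_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<kind>\w+)\)) '
    r'(?P<key>\\REGISTRY\\.*?)'
    r'(?: = "(?P<value>[^"]*)")?'
    r' (?P<process>\S+) (?P<target>\S+)$'
)
BHO_KEY_RE = re.compile(r'\\Browser Helper Objects\\\{(?P<clsid>[0-9a-f-]{36})\}(?P<rest>\\.*)?$', re.I)
INPROC_RE = re.compile(r'\\CLSID\\\{(?P<clsid>[0-9a-f-]{36})\}\\InprocServer32\\$', re.I)

# Directories a standard user can write to (assumption for this example); a COM
# server for a browser extension loaded from here deserves a closer look.
USER_WRITABLE = ('\\users\\', '\\programdata\\', '\\windows\\temp\\')


def parse_event(row):
    """Split one report row into op/kind/key/value/process/target; None if not a registry row."""
    m = EVENT_RE.match(row)
    if not m:
        return None
    ev = m.groupdict()
    if ev['value'] is not None:
        ev['value'] = ev['value'].replace('\\\\', '\\')   # report prints backslashes in data doubled
    return ev


def correlate_bhos(rows):
    """Map every CLSID registered as a Browser Helper Object to the DLL behind it."""
    bhos, inproc = {}, {}
    for row in rows:
        ev = parse_event(row)
        if ev is None:
            continue
        m = BHO_KEY_RE.search(ev['key'])
        if m:
            clsid = m['clsid'].lower()
            info = bhos.setdefault(clsid, {'dll': None, 'no_explorer': False, 'registered_by': set()})
            info['registered_by'].add(ev['process'])
            if (m['rest'] or '').lower() == '\\noexplorer':
                info['no_explorer'] = ev['value'] == '1'   # 1: IE only, not Windows Explorer
            continue
        m = INPROC_RE.search(ev['key'])
        if m and ev['value']:
            inproc[m['clsid'].lower()] = ev['value']       # InprocServer32 default value = DLL path
    for clsid, info in bhos.items():
        info['dll'] = inproc.get(clsid)
        info['user_writable_path'] = any(tag in (info['dll'] or '').lower() for tag in USER_WRITABLE)
        info['registered_by'] = sorted(info['registered_by'])
    return bhos


if __name__ == '__main__':
    for label, rows in (('behavioral11', EVENTS_BEHAVIORAL11), ('behavioral1', EVENTS_BEHAVIORAL1)):
        for clsid, info in correlate_bhos(rows).items():
            flag = 'USER-WRITABLE' if info['user_writable_path'] else 'ok'
            print(f"{label}: BHO {{{clsid}}} -> {info['dll']} [{flag}] NoExplorer={info['no_explorer']}")
```

The same correlation works against a live host if you feed it exported registry rows in this shape; the point is that a BHO entry alone only gives you a CLSID, and the DLL you actually need to hash and check for a signature is only reachable through the CLSID's InprocServer32 value.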

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2088 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2088 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2088 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2088 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2088 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2088 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2088 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2088 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2088 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2088 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2088 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2088 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2088 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe C:\Windows\SysWOW64\gpupdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ie\RichMediaViewV1release457.dll" /s

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst1CA6.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ie\RichMediaViewV1release457.dll

MD5 d11cb24ddd954e37dafec06d3e8dcc29
SHA1 1fcf4a681e85214060278e23424e4aa0cbf76133
SHA256 62388ed1a1148b38b3199da8c363f15713c167ab7b4602c7720ddd730d893db4
SHA512 ef9fd9e511c03dbb78640e43e8c241a273f482f2c9f4facfbb1251877c4675ddb277c2b7d5ea2bc4d157709e8420635dd2e9661cd82101ce39981c629b01ea74

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 16:20

Reported

2024-02-04 16:23

Platform

win10v2004-20231215-en

Max time kernel

153s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a3f275c8-2d58-4edc-9720-e881900a1c8f} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\ = "RichMediaViewV1release457" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ch\RichMediaViewV1release457.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\ffRichMediaViewV1release457ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\ffRichMediaViewV1release457ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ie\RichMediaViewV1release457.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ch\RichMediaViewV1release457.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\ffRichMediaViewV1release457.js C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\icons\default\RichMediaViewV1release457_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\ffRichMediaViewV1release457.js C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ff\chrome\content\icons\default\RichMediaViewV1release457_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{a3f275c8-2d58-4edc-9720-e881900a1c8f} = 51667a6c4c1d3b1bd868e0bd6c7fba028d23aac1944a5c9b C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\ = "RichMediaViewV1release457" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ = "IRichMediaViewV1release457BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ = "IRichMediaViewV1release457BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\ = "RichMediaViewV1release457Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\ = "Rich Media View" C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f} C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\InprocServer32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release457\\ie\\RichMediaViewV1release457.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\0\win32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release457\\ie\\RichMediaViewV1release457.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib\ = "{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\TypeLib\ = "{b686f91b-ea6a-4179-8ac3-fdd1ef7ccd36}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release457\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib\ = "{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89} C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_e7de1b49efca6226d4c1a727b8fb5dc0.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ie\RichMediaViewV1release457.dll" /s

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 157.238.16.2.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nspF82C.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release457\ie\RichMediaViewV1release457.dll

MD5 d11cb24ddd954e37dafec06d3e8dcc29
SHA1 1fcf4a681e85214060278e23424e4aa0cbf76133
SHA256 62388ed1a1148b38b3199da8c363f15713c167ab7b4602c7720ddd730d893db4
SHA512 ef9fd9e511c03dbb78640e43e8c241a273f482f2c9f4facfbb1251877c4675ddb277c2b7d5ea2bc4d157709e8420635dd2e9661cd82101ce39981c629b01ea74

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-04 16:20

Reported

2024-02-04 16:23

Platform

win10v2004-20231222-en

Max time kernel

93s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 4696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2420 wrote to memory of 4696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2420 wrote to memory of 4696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4696 -ip 4696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-04 16:20

Reported

2024-02-04 16:23

Platform

win10v2004-20231215-en

Max time kernel

91s

Max time network

162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1144 wrote to memory of 220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1144 wrote to memory of 220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1144 wrote to memory of 220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 220 -ip 220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-04 16:20

Reported

2024-02-04 16:23

Platform

win7-20231215-en

Max time kernel

120s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release457ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release457ffaction.js

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-04 16:20

Reported

2024-02-04 16:23

Platform

win10v2004-20231215-en

Max time kernel

136s

Max time network

162s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release457.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a3f275c8-2d58-4edc-9720-e881900a1c8f} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\ = "RichMediaViewV1release457" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\TypeLib\ = "{b686f91b-ea6a-4179-8ac3-fdd1ef7ccd36}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ = "IRichMediaViewV1release457BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\ = "RichMediaViewV1release457Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release457.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib\ = "{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release457.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\ = "RichMediaViewV1release457" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\ = "IRichMediaViewV1release457BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89}\TypeLib\ = "{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9DB5BB10-DE6A-4B78-886D-C686E9998D89} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a3f275c8-2d58-4edc-9720-e881900a1c8f} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B686F91B-EA6A-4179-8AC3-FDD1EF7CCD36}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4620 wrote to memory of 1544 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4620 wrote to memory of 1544 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4620 wrote to memory of 1544 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release457.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release457.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-04 16:20

Reported

2024-02-04 16:23

Platform

win7-20231129-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 220

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-04 16:20

Reported

2024-02-04 16:23

Platform

win10v2004-20231222-en

Max time kernel

90s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release457chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release457chaction.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-04 16:20

Reported

2024-02-04 16:23

Platform

win7-20231215-en

Max time kernel

119s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release457.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release457.js

Network

N/A

Files

N/A