Malware Analysis Report

2025-08-05 16:43

Sample ID 240204-tsbqlseaf5
Target VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5
SHA256 d2019c67c287ba0fdce12b9f623736e65bc1bc53cf7acee37411f2a721feba97
Tags: spyware, stealer, adware, discovery
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview, Signatures
Analysis: behavioral13, behavioral7, behavioral9, behavioral11, behavioral14, behavioral3, behavioral8, behavioral12, behavioral1, behavioral2, behavioral6, behavioral10, behavioral15, behavioral4, behavioral5, behavioral16
  Each behavioral analysis section contains: Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 7/10

SHA256: d2019c67c287ba0fdce12b9f623736e65bc1bc53cf7acee37411f2a721feba97

Threat Level: Shows suspicious behavior

The file VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5 was classified as: Shows suspicious behavior.

Malicious Activity Summary

Tags: spyware, stealer, adware, discovery

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 16:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:21

Platform

win7-20231215-en

Max time kernel

120s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 ac26380795ae1a3410ddc372487c88d6
SHA1 4cdb5ee8f25fab513f1f4cf6004653b4961565ab
SHA256 440b458e52ef5af7e2c3447de9a3d2ed3b81b66b131faa4e5cfd9c6ada02e3ee
SHA512 27b549f171094519cd6dcc084fdd0a1d9fc01e192198d62fa27bf50ae6d2443168bf218e8634f129b779419ac8fc4928346b440e1149715ef274b2f62c3544da

C:\Users\Admin\AppData\Local\Temp\nsd9D2A.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:21

Platform

win7-20231215-en

Max time kernel

120s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2393.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2393.js

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:21

Platform

win7-20231215-en

Max time kernel

120s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2393ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2393ffaction.js

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:21

Platform

win7-20231215-en

Max time kernel

121s

Max time network

126s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home2393.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{92e5b56a-ed9a-41d2-8b87-2e1980de674d} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\ = "MediaWatchV1home2393" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib\ = "{D592B338-02A2-4BB7-A463-EA52802CF369}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib\ = "{D592B338-02A2-4BB7-A463-EA52802CF369}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home2393.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\TypeLib\ = "{d592b338-02a2-4bb7-a463-ea52802cf369}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\ = "MediaWatchV1home2393Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\ = "MediaWatchV1home2393" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ = "IMediaWatchV1home2393BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ = "IMediaWatchV1home2393BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home2393.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 2284 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2124 wrote to memory of 2284 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2124 wrote to memory of 2284 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2124 wrote to memory of 2284 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2124 wrote to memory of 2284 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2124 wrote to memory of 2284 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2124 wrote to memory of 2284 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home2393.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home2393.dll

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:21

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 ac26380795ae1a3410ddc372487c88d6
SHA1 4cdb5ee8f25fab513f1f4cf6004653b4961565ab
SHA256 440b458e52ef5af7e2c3447de9a3d2ed3b81b66b131faa4e5cfd9c6ada02e3ee
SHA512 27b549f171094519cd6dcc084fdd0a1d9fc01e192198d62fa27bf50ae6d2443168bf218e8634f129b779419ac8fc4928346b440e1149715ef274b2f62c3544da

C:\Users\Admin\AppData\Local\Temp\nsq7C93.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:21

Platform

win7-20231215-en

Max time kernel

118s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:21

Platform

win10v2004-20231215-en

Max time kernel

93s

Max time network

154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2393.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2393.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:21

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

152s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home2393.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92e5b56a-ed9a-41d2-8b87-2e1980de674d} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\ = "MediaWatchV1home2393" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\ = "MediaWatchV1home2393Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib\ = "{D592B338-02A2-4BB7-A463-EA52802CF369}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\ = "MediaWatchV1home2393" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home2393.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ = "IMediaWatchV1home2393BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\TypeLib\ = "{d592b338-02a2-4bb7-a463-ea52802cf369}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\MediaWatchV1home2393.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ = "IMediaWatchV1home2393BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib\ = "{D592B338-02A2-4BB7-A463-EA52802CF369}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 1808 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1916 wrote to memory of 1808 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1916 wrote to memory of 1808 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home2393.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\MediaWatchV1home2393.dll

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:21

Platform

win7-20231215-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{92e5b56a-ed9a-41d2-8b87-2e1980de674d} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\ = "MediaWatchV1home2393" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\ffMediaWatchV1home2393.js C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ie\MediaWatchV1home2393.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ch\MediaWatchV1home2393.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\ffMediaWatchV1home2393ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\icons\default\MediaWatchV1home2393_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ch\MediaWatchV1home2393.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\ffMediaWatchV1home2393.js C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\icons\default\MediaWatchV1home2393_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\ffMediaWatchV1home2393ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{92e5b56a-ed9a-41d2-8b87-2e1980de674d} = 51667a6c4c1d3b1b7aaaf18baebeb805958c6a59829d2255 C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\0\win32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2393\\ie\\MediaWatchV1home2393.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2393\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ = "IMediaWatchV1home2393BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\ = "Media Watch" C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ = "IMediaWatchV1home2393BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib\ = "{D592B338-02A2-4BB7-A463-EA52802CF369}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\ = "MediaWatchV1home2393" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d} C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\ = "MediaWatchV1home2393Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib\ = "{D592B338-02A2-4BB7-A463-EA52802CF369}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\InprocServer32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2393\\ie\\MediaWatchV1home2393.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\TypeLib\ = "{d592b338-02a2-4bb7-a463-ea52802cf369}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1228 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1228 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1228 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1228 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1228 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1228 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1228 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1228 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1228 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1228 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1228 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1228 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1228 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe C:\Windows\SysWOW64\gpupdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ie\MediaWatchV1home2393.dll" /s

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nso56B9.tmp\aminsis.dll

MD5 250506b6b89bd2a5d5fb9c123998706a
SHA1 bbf2c13179a06294dae38f3d36dc07a83cf7f382
SHA256 6360ed71fd72bb619b103e50f8e13a932bf5441b08085ace682e652cddd2d173
SHA512 8d4de81f60138438637288b62302fddefad5daa49fe0896d800970f11ff315e094006e82581afbdd57515ca574ce623df35e02008884eb18809b5f74b56abf6e

\Users\Admin\AppData\Local\Temp\nso56B9.tmp\aminsis.dll

MD5 90f4afa1429965dc1cd439c85edb1546
SHA1 82a16034058c9e8ac40309d7f5ef46a08404d9aa
SHA256 64109ecb75347e10d7fbad39f1229697cb8c57f68ac59ecc32dc86eb9ae0d496
SHA512 a65d2fcae932c71ece96b40ebed4b8cc60b6787ba4d7da5c3da39c09a4f73941a89d5aeb38e92846151fc3f334c2236f41de5868a3cb423c6f682f482286dd70

C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ie\MediaWatchV1home2393.dll

MD5 8305af04e859cb3d2024fa461d340699
SHA1 67f82a7ea03052c499be604c1abce36fd8e46e55
SHA256 b2b03590b85bcf3f20f122d1ae2189bcb12ad6e0c2862072542dc549c492207f
SHA512 7cc58ffe224057cd4e281377f966904c478a0f003f61c6e84bcdd7deedcba800354584a87c9a25976e9ca19ba759032dd72ab32c400b1aa7405bc1e2e7df49ea

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:21

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\ = "MediaWatchV1home2393" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92e5b56a-ed9a-41d2-8b87-2e1980de674d} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ch\MediaWatchV1home2393.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\ffMediaWatchV1home2393.js C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\icons\default\MediaWatchV1home2393_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ie\MediaWatchV1home2393.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\ffMediaWatchV1home2393.js C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\ffMediaWatchV1home2393ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\ffMediaWatchV1home2393ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\chrome\content\icons\default\MediaWatchV1home2393_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ch\MediaWatchV1home2393.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File opened for modification C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
File created C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{92e5b56a-ed9a-41d2-8b87-2e1980de674d} = 51667a6c4c1d3b1b7aaaf382aabeba0f96886859829e2a58 C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\ = "MediaWatchV1home2393" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\TypeLib\ = "{d592b338-02a2-4bb7-a463-ea52802cf369}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\ = "MediaWatchV1home2393Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\ = "Media Watch" C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\InprocServer32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2393\\ie\\MediaWatchV1home2393.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d} C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\0\win32\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2393\\ie\\MediaWatchV1home2393.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ = "IMediaWatchV1home2393BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib\ = "{D592B338-02A2-4BB7-A463-EA52802CF369}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D592B338-02A2-4BB7-A463-EA52802CF369}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\MediaWatchV1\\MediaWatchV1home2393\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\TypeLib\ = "{D592B338-02A2-4BB7-A463-EA52802CF369}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{92e5b56a-ed9a-41d2-8b87-2e1980de674d}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ = "IMediaWatchV1home2393BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5054DF2-6DF2-4E63-ABB3-A0FF3AB7C2AD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_7eefa384bb45f1c587a6c0b9efdd25b5.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ie\MediaWatchV1home2393.dll" /s

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
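
The installer writes C:\Windows\System32\GroupPolicy\Machine\Registry.pol and then runs gpupdate.exe /force, which applies local machine policy immediately instead of waiting for the refresh interval. The report does not record what that Registry.pol contains, so the only way to know which policy was pushed is to read the file. The following is an added example, not tooling from the sandbox or code from the sample: it parses the documented Registry.pol layout (the PReg signature, a version DWORD of 1, then [key;value;type;size;data] records in UTF-16LE) and lists Chrome ExtensionInstallForcelist entries, the policy a browser-extension installer would use to force-load a .crx. The sample file it builds is constructed for the demonstration; the extension ID and the DWORD entry are made up and do not come from this sample.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple, Union

PREG_MAGIC = b"PReg"
PREG_VERSION = 1
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7

# Chrome reads forced-install extensions from this policy key; each value
# ("1", "2", ...) holds "<extension id>;<update url>".
CHROME_FORCELIST_KEY = r"Software\Policies\Google\Chrome\ExtensionInstallForcelist"


@dataclass
class PolEntry:
    key: str
    value: str
    vtype: int
    data: Union[str, int, bytes, List[str]]


def _w(s: str) -> bytes:
    return s.encode("utf-16-le")


def build_registry_pol(entries: List[Tuple[str, str, int, bytes]]) -> bytes:
    """Serialise [key;value;type;size;data] records; used only to construct sample input."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, value, vtype, data in entries:
        out += _w("[") + _w(key) + b"\x00\x00" + _w(";") + _w(value) + b"\x00\x00" + _w(";")
        out += struct.pack("<I", vtype) + _w(";") + struct.pack("<I", len(data)) + _w(";")
        out += data + _w("]")
    return bytes(out)


def _read_wstr(blob: bytes, pos: int) -> Tuple[str, int]:
    # scan in 2-byte steps so a 00 byte straddling two code units is not taken as the terminator
    end = pos
    while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 1 >= len(blob):
        raise ValueError(f"unterminated string at offset {pos}")
    return blob[pos:end].decode("utf-16-le"), end + 2


def _expect(blob: bytes, pos: int, ch: str) -> int:
    if blob[pos:pos + 2] != _w(ch):
        raise ValueError(f"malformed Registry.pol at offset {pos}: expected {ch!r}")
    return pos + 2


def _decode(vtype: int, data: bytes):
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\x00")
    if vtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if vtype == REG_MULTI_SZ:
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data


def parse_registry_pol(blob: bytes) -> List[PolEntry]:
    if blob[:4] != PREG_MAGIC:
        raise ValueError("missing PReg signature: not a Registry.pol file")
    version = struct.unpack_from("<I", blob, 4)[0]
    if version != PREG_VERSION:
        raise ValueError(f"unsupported Registry.pol version {version}")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        value, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        vtype = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        if pos + size > len(blob):
            raise ValueError(f"record at offset {pos} claims {size} data bytes past end of file")
        data = blob[pos:pos + size]
        pos = _expect(blob, pos + size, "]")
        entries.append(PolEntry(key, value, vtype, _decode(vtype, data)))
    return entries


def forced_extensions(entries: List[PolEntry]) -> List[Tuple[str, str]]:
    """Return (extension_id, update_url) for every Chrome force-install policy entry."""
    found = []
    for e in entries:
        if e.key.lower() == CHROME_FORCELIST_KEY.lower() and isinstance(e.data, str):
            ext_id, _, url = e.data.partition(";")
            found.append((ext_id, url))
    return found


# Constructed sample: the extension ID is made up, and the DWORD entry is there only
# to exercise the REG_DWORD decoder. Neither comes from the analysed sample.
SAMPLE_POL = build_registry_pol([
    (CHROME_FORCELIST_KEY, "1", REG_SZ,
     _w("abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx") + b"\x00\x00"),
    (r"Software\Policies\Google\Chrome", "DeveloperToolsAvailability", REG_DWORD, struct.pack("<I", 2)),
])

if __name__ == "__main__":
    for e in parse_registry_pol(SAMPLE_POL):
        print(f"{e.key}\\{e.value} (type {e.vtype}) = {e.data!r}")
    print("forced extensions:", forced_extensions(SAMPLE_POL and parse_registry_pol(SAMPLE_POL)))
```

On a suspect host, read C:\Windows\System32\GroupPolicy\Machine\Registry.pol (and the User\ counterpart) with parse_registry_pol and review every key, not just the Chrome force list: a local Registry.pol that was not written by an administrator is itself the finding, and gpupdate /force in the process tree is the tell that it was applied on the spot.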

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsx3FF8.tmp\aminsis.dll

MD5 51ba1095f0ae45a2d444bea506cb9ad4
SHA1 038a5d53d055a6d440bd2c8864c2f51db206c5e5
SHA256 b620091bf9973e807e12155d2247a6d233b5d13ec38c426675470ab4b26f0539
SHA512 f5fe2dd0f19bcaab47540ceedbec71f7f7c5b833c8772c097594c458e5f1101fe9feb849812b65c175055f71dfb13f11c4ad94fef42cd66f247413e453de3361

C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home2393\ie\MediaWatchV1home2393.dll

MD5 8305af04e859cb3d2024fa461d340699
SHA1 67f82a7ea03052c499be604c1abce36fd8e46e55
SHA256 b2b03590b85bcf3f20f122d1ae2189bcb12ad6e0c2862072542dc549c492207f
SHA512 7cc58ffe224057cd4e281377f966904c478a0f003f61c6e84bcdd7deedcba800354584a87c9a25976e9ca19ba759032dd72ab32c400b1aa7405bc1e2e7df49ea

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:21

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home2393chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home2393chaction.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:21

Platform

win10v2004-20231222-en

Max time kernel

93s

Max time network

154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2393ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffMediaWatchV1home2393ffaction.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:21

Platform

win7-20231215-en

Max time kernel

122s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:21

Platform

win10v2004-20231222-en

Max time kernel

88s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 3456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 3456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 3456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3456 -ip 3456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:21

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home2393chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffMediaWatchV1home2393chaction.js

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-04 16:18

Reported

2024-02-04 16:21

Platform

win10v2004-20231215-en

Max time kernel

90s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 4900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 4900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2280 wrote to memory of 4900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4900 -ip 4900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A