Overview
overview
7Static
static
3VirusShare...4e.exe
windows7-x64
7VirusShare...4e.exe
windows10-2004-x64
7$PLUGINSDI...is.dll
windows7-x64
3$PLUGINSDI...is.dll
windows10-2004-x64
3ffRichMedi...ion.js
windows7-x64
1ffRichMedi...ion.js
windows10-2004-x64
1ff/chrome/...116.js
windows7-x64
1ff/chrome/...116.js
windows10-2004-x64
1ff/chrome/...ion.js
windows7-x64
1ff/chrome/...ion.js
windows10-2004-x64
1ie/RichMed...16.dll
windows7-x64
6ie/RichMed...16.dll
windows10-2004-x64
6uninstall.exe
windows7-x64
7uninstall.exe
windows10-2004-x64
7$PLUGINSDI...is.dll
windows7-x64
3$PLUGINSDI...is.dll
windows10-2004-x64
3Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
04/02/2024, 16:23
Static task
static1
Behavioral task
behavioral1
Sample
VirusShare_ef628936d86c881711b36ed9f2fe244e.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
VirusShare_ef628936d86c881711b36ed9f2fe244e.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/aminsis.dll
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/aminsis.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
ffRichMediaViewV1release116chaction.js
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
ffRichMediaViewV1release116chaction.js
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
ff/chrome/content/ffRichMediaViewV1release116.js
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
ff/chrome/content/ffRichMediaViewV1release116.js
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
ff/chrome/content/ffRichMediaViewV1release116ffaction.js
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
ff/chrome/content/ffRichMediaViewV1release116ffaction.js
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
ie/RichMediaViewV1release116.dll
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
ie/RichMediaViewV1release116.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral13
Sample
uninstall.exe
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
uninstall.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral15
Sample
$PLUGINSDIR/aminsis.dll
Resource
win7-20231215-en
Behavioral task
behavioral16
Sample
$PLUGINSDIR/aminsis.dll
Resource
win10v2004-20231215-en
General
-
Target
uninstall.exe
-
Size
289KB
-
MD5
c7d816fa307003c2d95f1a8e81320c65
-
SHA1
d00690f03698b67d6e869d888b5a220bc61b029b
-
SHA256
a6ae21b528c0aadb2abdb052bca5520421be28f6eae029fcbb2170dd910e0047
-
SHA512
e5b7421e77979b8003122bc9bed7e9a70d608d1f9981529e6db12e53b2b9cd50fbb19a7898a0ec7b49670bc02bde637f5de2f098ed384dd4bfb7e41882463abb
-
SSDEEP
6144:Ue346TRg4l8ai5PQtTZ763J8eWW43YLYjn5uO7D32fuCa7Bmk:zTq4OaQQTYJ8eP4/L5uO7D3f5BB
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1728 Au_.exe -
Loads dropped DLL 2 IoCs
pid Process 2148 uninstall.exe 1728 Au_.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 6 IoCs
resource yara_rule behavioral13/files/0x0009000000012263-2.dat nsis_installer_1 behavioral13/files/0x0009000000012263-2.dat nsis_installer_2 behavioral13/files/0x0009000000012263-5.dat nsis_installer_1 behavioral13/files/0x0009000000012263-5.dat nsis_installer_2 behavioral13/files/0x0009000000012263-6.dat nsis_installer_1 behavioral13/files/0x0009000000012263-6.dat nsis_installer_2 -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2148 wrote to memory of 1728 2148 uninstall.exe 28 PID 2148 wrote to memory of 1728 2148 uninstall.exe 28 PID 2148 wrote to memory of 1728 2148 uninstall.exe 28 PID 2148 wrote to memory of 1728 2148 uninstall.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\uninstall.exe"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
567KB
MD5450753ad96785a240a39deccab3af0d0
SHA121c544064d2ffa6444508268ce258a330d459fc5
SHA2561c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab
-
Filesize
146KB
MD52209fd8c19f9ba3829d10c6dbaba5c93
SHA133f4e63e76a9e19201a63f538e17bfdbe67efade
SHA2560ef5324c4f2dca09451d81f18b23ca7c6e36fb11a396e6685c6f84e52f71daef
SHA512b1e859218341c82ad296d8b18e5105b89e005ca61c2bec831458e9c14438faf5a5f1232ac4a4ab327751d5ee62842c417d322e89eb2f5ac6667eedd74d593c10
-
Filesize
102KB
MD53eea7cf389986a43b7134ab8e14b9971
SHA1fd583f6bbba5ae19ee99bff6ce7d1c0177038a87
SHA2562cf0c6600502227fff466c81cd027dda80ba550c70c38e405cfdf20ac54b4843
SHA5128a5a9951a4175c35f39a795fbe367fb36084fa0be217f11a196b1da75316be35d00f705fc0c8a228d0fa539b70e32397305c1ec105e27145fa7796c611a1dfa5
-
Filesize
250KB
MD55b2ef119a26f0723f8a42711289d1c08
SHA134758c943eb983156339a807c595bd7bff338e56
SHA256882824f4f2f030eb9d717a7371ea9a8df78aa01a5e341d415f6fcc3446bfae4e
SHA51294a10ea57636669b2b7fdcf22e61f642e115782be2ee215c9d13bf4d5f7704ba73803f7804b501c395181b2459e30a3be78ccd7ded36f73daa9b529972e0afdb