Analysis
max time kernel: 90s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 04/02/2024, 16:23
Static task
static1

Behavioral tasks (task: sample, resource)
behavioral1: VirusShare_ef628936d86c881711b36ed9f2fe244e.exe, win7-20231129-en
behavioral2: VirusShare_ef628936d86c881711b36ed9f2fe244e.exe, win10v2004-20231215-en
behavioral3: $PLUGINSDIR/aminsis.dll, win7-20231215-en
behavioral4: $PLUGINSDIR/aminsis.dll, win10v2004-20231215-en
behavioral5: ffRichMediaViewV1release116chaction.js, win7-20231215-en
behavioral6: ffRichMediaViewV1release116chaction.js, win10v2004-20231215-en
behavioral7: ff/chrome/content/ffRichMediaViewV1release116.js, win7-20231215-en
behavioral8: ff/chrome/content/ffRichMediaViewV1release116.js, win10v2004-20231215-en
behavioral9: ff/chrome/content/ffRichMediaViewV1release116ffaction.js, win7-20231215-en
behavioral10: ff/chrome/content/ffRichMediaViewV1release116ffaction.js, win10v2004-20231215-en
behavioral11: ie/RichMediaViewV1release116.dll, win7-20231215-en
behavioral12: ie/RichMediaViewV1release116.dll, win10v2004-20231215-en
behavioral13: uninstall.exe, win7-20231215-en
behavioral14: uninstall.exe, win10v2004-20231215-en
behavioral15: $PLUGINSDIR/aminsis.dll, win7-20231215-en
behavioral16: $PLUGINSDIR/aminsis.dll, win10v2004-20231215-en
General
Target: uninstall.exe
Size: 289KB
MD5: c7d816fa307003c2d95f1a8e81320c65
SHA1: d00690f03698b67d6e869d888b5a220bc61b029b
SHA256: a6ae21b528c0aadb2abdb052bca5520421be28f6eae029fcbb2170dd910e0047
SHA512: e5b7421e77979b8003122bc9bed7e9a70d608d1f9981529e6db12e53b2b9cd50fbb19a7898a0ec7b49670bc02bde637f5de2f098ed384dd4bfb7e41882463abb
SSDEEP: 6144:Ue346TRg4l8ai5PQtTZ763J8eWW43YLYjn5uO7D32fuCa7Bmk:zTq4OaQQTYJ8eP4/L5uO7D3f5BB
Malware Config

Signatures

Executes dropped EXE (1 IoCs)
pid 4956, process Au_.exe

Loads dropped DLL (1 IoCs)
pid 4956, process Au_.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

NSIS installer (4 IoCs)
resource, yara_rule:
behavioral14/files/0x0008000000023207-4.dat, nsis_installer_1
behavioral14/files/0x0008000000023207-4.dat, nsis_installer_2
behavioral14/files/0x0008000000023207-3.dat, nsis_installer_1
behavioral14/files/0x0008000000023207-3.dat, nsis_installer_2

Suspicious use of WriteProcessMemory (3 IoCs)
description, pid, process, procid_target:
PID 3084 wrote to memory of 4956, 3084, uninstall.exe, 85
PID 3084 wrote to memory of 4956, 3084, uninstall.exe, 85
PID 3084 wrote to memory of 4956, 3084, uninstall.exe, 85
Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe (depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\uninstall.exe"
    PID: 3084
    Signatures: Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe (depth 2)
        Command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
        PID: 4956
        Signatures: Executes dropped EXE; Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 567KB
MD5: 450753ad96785a240a39deccab3af0d0
SHA1: 21c544064d2ffa6444508268ce258a330d459fc5
SHA256: 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512: c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

Filesize: 88KB
MD5: f5caa1c66725e248566f9ffade1d55a4
SHA1: 12f20dc1b06045934bcf0c9b23490fd799d7cd2c
SHA256: 7fa7eb7b38ef4d8907ed009b82f5f41b620e6457b794a9f781d26a91b3071498
SHA512: 9b101f3660b6d5ccf72bbdd7fc1eca021d0571bb115615276a47555646b62d8d7cbd003014464823a508975679949b3ff84e881ce1578b4976fdd0c805eda75d

Filesize: 98KB
MD5: 1f903feb8cd2da1b88e2836781a5abf2
SHA1: e5aa39eee8cb0045f77388c99e16ff65a25dfafd
SHA256: caaedd1582a1e4fcbce623e961701ae1bc95a88ecbc90872db3f5be120791dca
SHA512: 17427ad4cdc220d46e8c958e5844a4f13bf676628c0a2ddd15869af9228f7dab1f3166d5edf9e06d18fca2dcb85d6c732e1eae575af3e5fe91152d239edc0fe6