Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/02/2024, 16:23

General

  • Target

    VirusShare_6562d6e281850ba1684490ac9555280e.exe

  • Size

    657KB

  • MD5

    6562d6e281850ba1684490ac9555280e

  • SHA1

    7e685220921bf8f560f07f6efa06d65fe151c013

  • SHA256

    0f1f6c68c64cbfa3fb88e710df3ccfa29dbff60dba4cff4ad6ebe45ada76733d

  • SHA512

    a1521238de2b9ae11c942d63cea5cb57161373f70537877568cc423de99a82183aed16fc0ce9a873b00169cb411a9777b596042766625a506b54cbc2bc2b0802

  • SSDEEP

    12288:mEBGYuxVYG4GQTq4OaQQTYJ8eP4/L5uO7D3f5Bvq4qalQTSJ8ePt/t5uO7EU26qk:mEkYWYG4GQm4OaHYJ8eP4D5uOHBBS4qy

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3596
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 "C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ie\RichMediaViewV1release663.dll" /s
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      PID:4820
    • C:\Windows\SysWOW64\gpupdate.exe
      "C:\Windows\System32\gpupdate.exe" /force
      2⤵
        PID:1088
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
    PID:1520
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
    PID:5012

        Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ie\RichMediaViewV1release663.dll

                Filesize

                85KB

                MD5

                5ba84d8f7b5f9130650fe1a1eb96d9b4

                SHA1

                279139e03e6acd4d790d1048880ef3641a2f55b4

                SHA256

                7d2cc860259c82b78e8c32469577a3c20a32773372e5d60c2fe775edd701f87a

                SHA512

                c64d45a66e1464e83e864e596471c3652abf824c0b1707fa2ac0b18e8afa9110f1ea7468c1df0180c8626fe97a251e9ef3cdefada8dd7f9cdc7a5fd5e4ba7824

              • C:\Users\Admin\AppData\Local\Temp\nsu4641.tmp\aminsis.dll

                Filesize

                382KB

                MD5

                5dbb58005b9a631c00282a7271f4192f

                SHA1

                1ab3029a827aa260ebebd69c2454d94215995dc6

                SHA256

                83a5e35ca2634904828dc92a995bb215f8712a2cf9b1f402acf79a1bdea27a1e

                SHA512

                a59e47a481faef2875e961af092b8c7e60af303bc8ed888070c4ff9cb0f29fc0a38cdafadc6fb40029fd217fdd0a6f1a9802a759d33b1a271244e06d6b8b65f1

              • C:\Users\Admin\AppData\Local\Temp\nsu4641.tmp\aminsis.dll

                Filesize

                536KB

                MD5

                0d7c6868c06355e67421969b519b341f

                SHA1

                eeb35622b7d119ec4dcc422ff4a2434e32c65a86

                SHA256

                20eb95563982fd9cb5d743c6ccb4a7d235510887e1902f3df0052d26027d0319

                SHA512

                6c3f949a4baffa52c1b71af3b29498d3214a894ec18a61a32572c5136745d6c4402fe67c6cebc5c300f6db1dad4b79b4b2402f44c0ec4d845b2bcdcfaa0f81f6