Malware Analysis Report

2025-08-05 16:43

Sample ID 240204-tv8hcsebf4
Target VirusShare_6562d6e281850ba1684490ac9555280e
SHA256 0f1f6c68c64cbfa3fb88e710df3ccfa29dbff60dba4cff4ad6ebe45ada76733d
Tags
adware discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1, behavioral3, behavioral7, behavioral9, behavioral16, behavioral13, behavioral2, behavioral5, behavioral6, behavioral11, behavioral14, behavioral15, behavioral4, behavioral8, behavioral10, behavioral12 (each: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

0f1f6c68c64cbfa3fb88e710df3ccfa29dbff60dba4cff4ad6ebe45ada76733d

Threat Level: Shows suspicious behavior

The file VirusShare_6562d6e281850ba1684490ac9555280e was classified as "Shows suspicious behavior".

Malicious Activity Summary

adware discovery spyware stealer

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 16:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win7-20231215-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9bd466cd-a55c-43f7-a2ca-1283e27a5480} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\ = "RichMediaViewV1release663" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ch\RichMediaViewV1release663.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\ffRichMediaViewV1release663.js C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ch\RichMediaViewV1release663.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\ffRichMediaViewV1release663.js C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\ffRichMediaViewV1release663ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\icons\default\RichMediaViewV1release663_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\icons\default\RichMediaViewV1release663_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ie\RichMediaViewV1release663.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\ffRichMediaViewV1release663ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{9bd466cd-a55c-43f7-a2ca-1283e27a5480} = 51667a6c4c1d3b1bdd7bce8363f69d08bbc250c3eb3a179a C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ = "IRichMediaViewV1release663BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\TypeLib\ = "{0ae1b0d8-0086-46f6-bb18-975cdc8558d3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib\ = "{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\ = "RichMediaViewV1release663" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib\ = "{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480} C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\0\win32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release663\\ie\\RichMediaViewV1release663.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ = "IRichMediaViewV1release663BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\ = "Rich Media View" C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\InprocServer32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release663\\ie\\RichMediaViewV1release663.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release663\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\ = "RichMediaViewV1release663Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
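The two tables above record the whole BHO persistence chain in flattened form: the CLSID is created under Classes\Wow6432Node\CLSID, its InprocServer32 default value points at the dropped DLL, and the same CLSID is then listed under Explorer\Browser Helper Objects so Internet Explorer loads it (NoExplorer = 1 keeps it out of the Windows shell). The script below is an added example, not part of the report or of the sample's code; it parses rows copied verbatim from these tables (the report's "Description Indicator Process Target" layout, with N/A as the target) and resolves each registered BHO to the DLL it loads and the process that registered it. The row format parsing is an assumption based on the layout shown on this page.

```python
"""Rebuild a Browser Helper Object (BHO) install chain from sandbox registry rows.

Added example, not part of the report. The rows below are copied from the
behavioral1 'Installs/modifies Browser Helper Object' and 'Modifies registry
class' tables in the report's flattened layout:
    <Description> <Indicator>[ = "<Value>"] <Process> <Target>
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9bd466cd-a55c-43f7-a2ca-1283e27a5480} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\ = "RichMediaViewV1release663" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480} C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\ = "RichMediaViewV1release663" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\InprocServer32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release663\\ie\\RichMediaViewV1release663.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
"""

# Process paths in these rows contain no spaces, so the last token before the
# trailing 'N/A' is the process; everything between is the indicator.
ROW_RE = re.compile(
    r"^(?P<desc>Key created|Set value \((?:str|int|data)\)) "
    r"(?P<indicator>.*?) (?P<process>\S+) N/A$"
)
VALUE_RE = re.compile(r'^(?P<path>.*?) = "(?P<value>.*)"$')
BHO_KEY_RE = re.compile(r"\\browser helper objects\\(\{[0-9a-f-]{36}\})$")

# Both the 32-bit (Wow6432Node) and native CLSID roots, already casefolded.
CLSID_ROOTS = (
    r"\registry\machine\software\classes\wow6432node\clsid",
    r"\registry\machine\software\classes\clsid",
)


def parse_rows(text: str) -> Tuple[Dict[str, str], Dict[Tuple[str, str], Tuple[str, str]]]:
    """keys: casefolded key path -> creating process.
    values: (casefolded key path, casefolded value name) -> (value, writing process)."""
    keys: Dict[str, str] = {}
    values: Dict[Tuple[str, str], Tuple[str, str]] = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # table header or unrelated row
        desc, indicator, process = m.group("desc", "indicator", "process")
        if desc == "Key created":
            keys[indicator.casefold()] = process
            continue
        v = VALUE_RE.match(indicator)
        if not v:
            continue
        # A trailing backslash in the report's path means the key's (Default) value.
        key, _, name = v.group("path").rpartition("\\")
        value = v.group("value").replace("\\\\", "\\")  # the report doubles backslashes in string data
        values[(key.casefold(), name.casefold())] = (value, process)
    return keys, values


@dataclass
class BhoRecord:
    clsid: str
    name: str
    dll: Optional[str]          # InprocServer32 default value, i.e. the DLL IE will load
    no_explorer: bool           # NoExplorer=1: loaded by IE only, not by explorer.exe
    registered_by: Optional[str]


def reconstruct_bhos(text: str) -> List[BhoRecord]:
    """Join each Browser Helper Objects\{CLSID} entry to its CLSID\InprocServer32 DLL."""
    _, values = parse_rows(text)
    records = []
    for (key, name), (value, process) in values.items():
        m = BHO_KEY_RE.search(key)
        if not m or name != "":
            continue  # only the BHO key's (Default) value carries the display name
        clsid = m.group(1)
        dll = None
        for root in CLSID_ROOTS:
            hit = values.get((f"{root}\\{clsid}\\inprocserver32", ""))
            if hit:
                dll = hit[0]
                break
        no_explorer = values.get((key, "noexplorer"), ("0", None))[0] == "1"
        records.append(BhoRecord(clsid, value, dll, no_explorer, process))
    return records


if __name__ == "__main__":
    for rec in reconstruct_bhos(SAMPLE_ROWS):
        print(rec)
```

On a live host the same join can be made against the registry directly: enumerate the CLSIDs under the Browser Helper Objects key, read each CLSID's InprocServer32 default value, and treat any DLL outside a vendor-signed install path as worth pulling for analysis.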

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 592 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1984 wrote to memory of 560 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe C:\Windows\SysWOW64\gpupdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ie\RichMediaViewV1release663.dll" /s

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force
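Besides registering the BHO, the installer writes C:\Windows\System32\GroupPolicy\Machine\Registry.pol and then runs gpupdate /force, which makes the local Group Policy engine apply whatever that file contains to HKLM. The report does not show the file's contents, so the script below is an added example (not the report's or the sample's code) that builds and parses the Registry.pol "PReg" format, with constructed placeholder entries under hypothetical policy keys. Pointing parse_pol at a recovered Registry.pol shows exactly which registry values a sample pushed through policy.

```python
r"""Build and parse a Group Policy Registry.pol (PReg version 1) file.

Added example, not from the report. The report shows the sample creating
C:\Windows\System32\GroupPolicy\Machine\Registry.pol and running
'gpupdate /force'; this code reads what such a file pushes into HKLM
(User\Registry.pol would target HKCU). The entries below are constructed
placeholders, not the sample's actual policy, which the report does not show.
"""
import struct
from typing import Any, List, Tuple

REG_SZ, REG_DWORD = 1, 4
HEADER = b"PReg" + struct.pack("<I", 1)            # signature + format version 1
OPEN, SEP, CLOSE = (c.encode("utf-16-le") for c in "[;]")

Entry = Tuple[str, str, int, Any]                   # (key, value name, type, data)

# Constructed sample policy; the key and value names are hypothetical.
SAMPLE_ENTRIES: List[Entry] = [
    (r"Software\Policies\ExampleVendor\Browser", "ForceExtension", REG_SZ, "enabled"),
    (r"Software\Policies\ExampleVendor\Browser", "Level", REG_DWORD, 2),
    # '**Del.<name>' is a PReg control entry: remove that value from the key.
    (r"Software\Policies\ExampleVendor\Browser", "**Del.Stale", REG_SZ, " "),
]


def _wstr(s: str) -> bytes:
    """UTF-16LE with a two-byte null terminator, as PReg stores strings."""
    return (s + "\0").encode("utf-16-le")


def build_pol(entries: List[Entry]) -> bytes:
    """Serialize entries as '[key;name;type;size;data]' records after the header."""
    out = bytearray(HEADER)
    for key, name, rtype, data in entries:
        if rtype == REG_SZ:
            payload = _wstr(data)
        elif rtype == REG_DWORD:
            payload = struct.pack("<I", data)
        else:
            payload = bytes(data)
        out += OPEN + _wstr(key) + SEP + _wstr(name) + SEP
        out += struct.pack("<I", rtype) + SEP + struct.pack("<I", len(payload)) + SEP
        out += payload + CLOSE
    return bytes(out)


def _read_wstr(blob: bytes, pos: int) -> Tuple[str, int]:
    # Scan two bytes at a time so a 0x00 low byte followed by the 0x00 high
    # byte of the next character is not mistaken for the terminator.
    end = pos
    while blob[end:end + 2] != b"\0\0":
        end += 2
        if end >= len(blob):
            raise ValueError("unterminated string")
    return blob[pos:end].decode("utf-16-le"), end + 2


def _expect(blob: bytes, pos: int, token: bytes) -> int:
    if blob[pos:pos + len(token)] != token:
        raise ValueError(f"malformed Registry.pol at offset {pos}")
    return pos + len(token)


def parse_pol(blob: bytes) -> List[Entry]:
    """Parse a PReg blob back into (key, name, type, data) entries."""
    if blob[:8] != HEADER:
        raise ValueError("not a PReg version 1 file")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, OPEN)
        key, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, SEP)
        name, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, SEP)
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, SEP)
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, SEP)
        raw = blob[pos:pos + size]
        pos = _expect(blob, pos + size, CLOSE)
        if rtype == REG_SZ:
            data: Any = raw.decode("utf-16-le").rstrip("\0")
        elif rtype == REG_DWORD:
            data = struct.unpack("<I", raw)[0]
        else:
            data = raw
        entries.append((key, name, rtype, data))
    return entries


def summarize(entries: List[Entry]) -> List[str]:
    """One line per entry, separating value writes from '**' control entries."""
    lines = []
    for key, name, rtype, data in entries:
        if name.startswith("**Del."):
            lines.append(f"DELETE HKLM\\{key} : {name[6:]}")
        elif name.startswith("**"):
            lines.append(f"CONTROL HKLM\\{key} : {name} = {data!r}")
        else:
            lines.append(f"SET HKLM\\{key} : {name} = {data!r}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_pol(build_pol(SAMPLE_ENTRIES))):
        print(line)
```

For a file recovered from a host, call parse_pol on the raw bytes of Machine\Registry.pol; values written this way persist after the installer is gone and are re-applied on every policy refresh, so removing the dropped DLL alone does not undo them.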

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nst87E6.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ie\RichMediaViewV1release663.dll

MD5 5ba84d8f7b5f9130650fe1a1eb96d9b4
SHA1 279139e03e6acd4d790d1048880ef3641a2f55b4
SHA256 7d2cc860259c82b78e8c32469577a3c20a32773372e5d60c2fe775edd701f87a
SHA512 c64d45a66e1464e83e864e596471c3652abf824c0b1707fa2ac0b18e8afa9110f1ea7468c1df0180c8626fe97a251e9ef3cdefada8dd7f9cdc7a5fd5e4ba7824

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win7-20231215-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 224

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win7-20231215-en

Max time kernel

122s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release663.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release663.js

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win7-20231129-en

Max time kernel

120s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release663ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release663ffaction.js

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win10v2004-20231215-en

Max time kernel

141s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1160 wrote to memory of 2012 (3 events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2012 -ip 2012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 624

Network

Country Destination Domain Proto
US 138.91.171.81:80 N/A tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win7-20231215-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 500944508b93944c309eb5d0e6402270
SHA1 1ac655b33ebb16e650aefa9178ac1502d4c51b0b
SHA256 9820f4a5bc14e8359ef67b537e573015fada262501b6d7169d75c26b1b468ad8
SHA512 8d337b97f5998019f0f8cff733e98d52510eff2f24d8323063eb07468bbb5fa0803b329b00d72b72ce8c476f11d51d1fd19364aabb1847b06ae3ac0fcf80f873

\Users\Admin\AppData\Local\Temp\nsj7DE8.tmp\aminsis.dll

MD5 226b97cd4b37b2b9d37a5ea8ebd7b468
SHA1 e274e2aa5a8b6eea160d30a487bef91918c8963c
SHA256 7c581ecee63acd6ea54a47fbebbf2af76c277504a0033f53f6086f35b7709768
SHA512 495b6449ccb7a358d829da6681f86f03153c86e8d3a42421f9056127dc8871b8e45943cd0f13c0e98abfd76e2e8b6e9098c0861c1e4ab7204a010875bcf1cd79

C:\Users\Admin\AppData\Local\Temp\nsj7DE8.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win10v2004-20231222-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\ = "RichMediaViewV1release663" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9bd466cd-a55c-43f7-a2ca-1283e27a5480} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\ffRichMediaViewV1release663.js C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\icons\default C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ch\RichMediaViewV1release663.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\install.rdf C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\ffRichMediaViewV1release663.js C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\ffRichMediaViewV1release663ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ie\RichMediaViewV1release663.dll C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\uninstall.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\icons\Thumbs.db C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\ffRichMediaViewV1release663ffaction.js C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\icons\default\RichMediaViewV1release663_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\overlay.xul C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\icons C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome\content\icons\default\RichMediaViewV1release663_32.png C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File opened for modification C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ch\RichMediaViewV1release663.crx C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
File created C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ff\chrome.manifest C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{9bd466cd-a55c-43f7-a2ca-1283e27a5480} = 51667a6c4c1d3b1bdd7bce8268f3990fb7c359c3e33a1295 C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ = "IRichMediaViewV1release663BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480} C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\ = "RichMediaViewV1release663Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\0\win32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release663\\ie\\RichMediaViewV1release663.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\ = "Rich Media View" C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\HELPDIR\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release663\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib\ = "{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib\ = "{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\InprocServer32\ = "C:\\Program Files (x86)\\RichMediaViewV1\\RichMediaViewV1release663\\ie\\RichMediaViewV1release663.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\ = "RichMediaViewV1release663" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\TypeLib\ = "{0ae1b0d8-0086-46f6-bb18-975cdc8558d3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ = "IRichMediaViewV1release663BHO" C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe

"C:\Users\Admin\AppData\Local\Temp\VirusShare_6562d6e281850ba1684490ac9555280e.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 "C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ie\RichMediaViewV1release663.dll" /s

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\System32\gpupdate.exe" /force

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\nsu4641.tmp\aminsis.dll

MD5 5dbb58005b9a631c00282a7271f4192f
SHA1 1ab3029a827aa260ebebd69c2454d94215995dc6
SHA256 83a5e35ca2634904828dc92a995bb215f8712a2cf9b1f402acf79a1bdea27a1e
SHA512 a59e47a481faef2875e961af092b8c7e60af303bc8ed888070c4ff9cb0f29fc0a38cdafadc6fb40029fd217fdd0a6f1a9802a759d33b1a271244e06d6b8b65f1

C:\Users\Admin\AppData\Local\Temp\nsu4641.tmp\aminsis.dll

MD5 0d7c6868c06355e67421969b519b341f
SHA1 eeb35622b7d119ec4dcc422ff4a2434e32c65a86
SHA256 20eb95563982fd9cb5d743c6ccb4a7d235510887e1902f3df0052d26027d0319
SHA512 6c3f949a4baffa52c1b71af3b29498d3214a894ec18a61a32572c5136745d6c4402fe67c6cebc5c300f6db1dad4b79b4b2402f44c0ec4d845b2bcdcfaa0f81f6

C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release663\ie\RichMediaViewV1release663.dll

MD5 5ba84d8f7b5f9130650fe1a1eb96d9b4
SHA1 279139e03e6acd4d790d1048880ef3641a2f55b4
SHA256 7d2cc860259c82b78e8c32469577a3c20a32773372e5d60c2fe775edd701f87a
SHA512 c64d45a66e1464e83e864e596471c3652abf824c0b1707fa2ac0b18e8afa9110f1ea7468c1df0180c8626fe97a251e9ef3cdefada8dd7f9cdc7a5fd5e4ba7824

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win7-20231129-en

Max time kernel

117s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release663chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release663chaction.js

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win10v2004-20231222-en

Max time kernel

87s

Max time network

149s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release663chaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ffRichMediaViewV1release663chaction.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win7-20231215-en

Max time kernel

118s

Max time network

119s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release663.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9bd466cd-a55c-43f7-a2ca-1283e27a5480} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\ = "RichMediaViewV1release663" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ = "IRichMediaViewV1release663BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\TypeLib\ = "{0ae1b0d8-0086-46f6-bb18-975cdc8558d3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release663.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ = "IRichMediaViewV1release663BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib\ = "{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\ = "RichMediaViewV1release663" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\ = "RichMediaViewV1release663Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release663.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib\ = "{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 2540 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release663.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release663.dll

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 500944508b93944c309eb5d0e6402270
SHA1 1ac655b33ebb16e650aefa9178ac1502d4c51b0b
SHA256 9820f4a5bc14e8359ef67b537e573015fada262501b6d7169d75c26b1b468ad8
SHA512 8d337b97f5998019f0f8cff733e98d52510eff2f24d8323063eb07468bbb5fa0803b329b00d72b72ce8c476f11d51d1fd19364aabb1847b06ae3ac0fcf80f873

C:\Users\Admin\AppData\Local\Temp\nst8FFC.tmp\aminsis.dll

MD5 450753ad96785a240a39deccab3af0d0
SHA1 21c544064d2ffa6444508268ce258a330d459fc5
SHA256 1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
SHA512 c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win7-20231215-en

Max time kernel

122s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win10v2004-20231222-en

Max time kernel

120s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1516 wrote to memory of 2620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\aminsis.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 624

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win10v2004-20231215-en

Max time kernel

137s

Max time network

144s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release663.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release663.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win10v2004-20231222-en

Max time kernel

119s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release663ffaction.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ff\chrome\content\ffRichMediaViewV1release663ffaction.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-04 16:23

Reported

2024-02-04 16:26

Platform

win10v2004-20231222-en

Max time kernel

144s

Max time network

149s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release663.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9bd466cd-a55c-43f7-a2ca-1283e27a5480} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\ = "RichMediaViewV1release663" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ = "IRichMediaViewV1release663BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\ = "RichMediaViewV1release663Lib" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release663.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\ = "RichMediaViewV1release663" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ = "IRichMediaViewV1release663BHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\TypeLib\ = "{0ae1b0d8-0086-46f6-bb18-975cdc8558d3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib\ = "{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\Version\ = "1.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib\ = "{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ie\\RichMediaViewV1release663.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9bd466cd-a55c-43f7-a2ca-1283e27a5480}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AE1B0D8-0086-46F6-BB18-975CDC8558D3}\1.1\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDC2BE37-838E-45DB-A5E7-75B470D0F4D7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4000 wrote to memory of 860 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release663.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ie\RichMediaViewV1release663.dll

Network

Country Destination Domain Proto

Files

N/A