Analysis
max time kernel: 144s
max time network: 155s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 10/06/2024, 21:47
Static task: static1
Behavioral task: behavioral1
  Sample: VirusShare_86cb2b525e0d0bbf1351b11b4834bdd7.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: VirusShare_86cb2b525e0d0bbf1351b11b4834bdd7.exe
  Resource: win10v2004-20240426-en
General
Target: VirusShare_86cb2b525e0d0bbf1351b11b4834bdd7.exe
Size: 358KB
MD5: 86cb2b525e0d0bbf1351b11b4834bdd7
SHA1: 22d77c58d1a7bc06adec09bca43668e5dc4241e2
SHA256: 1e1939ea1961ee1e05285b2ba1a7b7f4e52c41724c8d6d256c2976ecdd919431
SHA512: 95d4a2775f63ffac5db6a2b924a9fe4ac9ce0db7daa565b3f973db0dd03f222d7a90796cd4eb284aab3fd496d67976769c5f234914da40b2fe545a5d7c61926b
SSDEEP: 6144:KjbeiH734HMnpRMID1aM1+9RXZE5Yel6ZVgtdKBfZDkZeFoS3RFDoxSuLH:KuLwprD1aAKZNQMnZDHFP3Xcn
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid / Process:
  2972 M.exe
  2664 M.exe
- Loads dropped DLL (5 IoCs)
  pid / Process:
  2196 VirusShare_86cb2b525e0d0bbf1351b11b4834bdd7.exe
  2196 VirusShare_86cb2b525e0d0bbf1351b11b4834bdd7.exe
  2972 M.exe
  2972 M.exe
  2664 M.exe
- YARA rule matches (resource / yara_rule):
  behavioral1/files/0x0036000000015c7f-4.dat: upx
  behavioral1/memory/2196-9-0x00000000007F0000-0x00000000008A8000-memory.dmp: upx
  behavioral1/memory/2972-13-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
  behavioral1/memory/2972-58-0x0000000000400000-0x00000000004B8000-memory.dmp: upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / Process:
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (VirusShare_86cb2b525e0d0bbf1351b11b4834bdd7.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Google_ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\M.exe" (M.exe)
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / Process / procid_target:
  PID 2972 set thread context of 2664 (2972 M.exe, target 29)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid / Process:
  2972 M.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process:
  2972 M.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  description / pid / Process / procid_target:
  PID 2196 wrote to memory of 2972 (2196 VirusShare_86cb2b525e0d0bbf1351b11b4834bdd7.exe, target 28): 7 identical events
  PID 2972 wrote to memory of 2664 (2972 M.exe, target 29): 18 identical events
Processes
- C:\Users\Admin\AppData\Local\Temp\VirusShare_86cb2b525e0d0bbf1351b11b4834bdd7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare_86cb2b525e0d0bbf1351b11b4834bdd7.exe" (depth 1)
  PID: 2196
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe (depth 2, child of PID 2196)
    PID: 2972
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe (depth 3, child of PID 2972)
      PID: 2664
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 93KB
  MD5: 35bbd7036c62eff49ab752a812f3f965
  SHA1: 7eed645d88ea1393003ac47a267e767f8a5b4ba1
  SHA256: 51518fbf0bcfde548d96dfb815144c6af86a90f9ffafbf9cb3d75434813e134b
  SHA512: acbf7a3dc24442dda1188bfc533e138e59cd0169172ba58409128953dbae7d4c8953d9049fdaa8b9eb590783087374eb4353593862d952faa988d4e2e3796fa1
- Filesize: 104KB
  MD5: 42ccd69a3be9618d329de0ea0fde3a81
  SHA1: 47e9897f303496eb9cd5883f9cdb283b6eee65d3
  SHA256: 14137fcc8697e967b251fd0fafbdf79af8db4c1a67f2eafe53756e3ad80a9bef
  SHA512: 33d95b20ce606441c89dbc575c8e884196a19db056ffd9d54a5e0c57f3928b0d064b6270e4abf033046606e0456156faba3f3a8e6a353e924a7461e61e46bfae
- Filesize: 214KB
  MD5: 9b381b29157a3dcaa51d1d8d4fc8be43
  SHA1: f91810ceb1c4a7ee31d31b0d2c7b947388347734
  SHA256: 89a98eb9e19a8158e9f9200e286f56043182ac9b2f5aeab00b5b6848797075da
  SHA512: e1ea9d244ed3fbad69f5489568857b679e122752da61e57c8e4d9e01a2360ffe9651cdd6e85d8513bf33dd7461d87c93644e5768b1aca65661ccb3662461d537