Analysis

max time kernel: 150s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/06/2024, 21:54
Static task: static1

Behavioral task: behavioral1
  Sample: VirusShare_9e6e7284a23918b54a8c6b281c5dc760.dll
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: VirusShare_9e6e7284a23918b54a8c6b281c5dc760.dll
  Resource: win10v2004-20240508-en
General

Target: VirusShare_9e6e7284a23918b54a8c6b281c5dc760.dll
Size: 88KB
MD5: 9e6e7284a23918b54a8c6b281c5dc760
SHA1: 5fa233c2ac8906e228cdb124baa6d5b5ce3a345f
SHA256: b1bcab6f7b710ddbcec0ff9ded71c0bc8b40c6dc89f833bbd58d8226a014b32f
SHA512: 416c80b0ad9a37adc1f6bcddbf7398a6b9a24be0ee7056dd70610567559c56b32d77eb44ae1a87c62a9c5f3d5d73f7c63953f96a8aee6256e0cd4f2b39f99769
SSDEEP: 1536:HRefR75SyBkhISn/UogEBhre76ONCL9K0Jnacp5BIV0dc8oX:xE1BkyS/Uog+hre709KCnai5cptX
Malware Config
Signatures

Executes dropped EXE (6 IoCs)

| pid | Process |
|---|---|
| 2688 | rundll32.exe |
| 1316 | rundll32.exe |
| 3712 | rundll32.exe |
| 1820 | rundll32.exe |
| 3600 | rundll32.exe |
| 400 | rundll32.exe |

Loads dropped DLL (14 IoCs)

| pid | Process |
|---|---|
| 4912 | rundll32.exe |
| 4912 | rundll32.exe |
| 2688 | rundll32.exe |
| 2688 | rundll32.exe |
| 1316 | rundll32.exe |
| 1316 | rundll32.exe |
| 3712 | rundll32.exe |
| 3712 | rundll32.exe |
| 1820 | rundll32.exe |
| 1820 | rundll32.exe |
| 400 | rundll32.exe |
| 400 | rundll32.exe |
| 3600 | rundll32.exe |
| 3600 | rundll32.exe |

YARA rule upx matched in memory dumps (UPX-packed regions, 18 IoCs)

| resource | yara_rule |
|---|---|
| behavioral2/memory/4912-1-0x0000000002A30000-0x0000000002A5B000-memory.dmp | upx |
| behavioral2/memory/4912-9-0x0000000002A30000-0x0000000002A5E000-memory.dmp | upx |
| behavioral2/memory/2688-19-0x0000000002340000-0x000000000236B000-memory.dmp | upx |
| behavioral2/memory/2688-42-0x0000000002340000-0x000000000236E000-memory.dmp | upx |
| behavioral2/memory/4912-41-0x00000000030E0000-0x000000000310E000-memory.dmp | upx |
| behavioral2/memory/1316-45-0x0000000000800000-0x000000000082E000-memory.dmp | upx |
| behavioral2/memory/400-49-0x0000000001070000-0x000000000109E000-memory.dmp | upx |
| behavioral2/memory/3600-48-0x0000000000C80000-0x0000000000CAE000-memory.dmp | upx |
| behavioral2/memory/1820-47-0x0000000000E80000-0x0000000000EAE000-memory.dmp | upx |
| behavioral2/memory/3712-46-0x0000000000AE0000-0x0000000000B0E000-memory.dmp | upx |
| behavioral2/memory/4912-54-0x0000000002A30000-0x0000000002A5B000-memory.dmp | upx |
| behavioral2/memory/3600-57-0x0000000000C80000-0x0000000000CAE000-memory.dmp | upx |
| behavioral2/memory/400-58-0x0000000001070000-0x000000000109E000-memory.dmp | upx |
| behavioral2/memory/2688-61-0x0000000002340000-0x000000000236B000-memory.dmp | upx |
| behavioral2/memory/3600-74-0x0000000000C80000-0x0000000000CAE000-memory.dmp | upx |
| behavioral2/memory/400-83-0x0000000001070000-0x000000000109E000-memory.dmp | upx |
| behavioral2/memory/400-95-0x0000000001070000-0x000000000109E000-memory.dmp | upx |
| behavioral2/memory/400-103-0x0000000001070000-0x000000000109E000-memory.dmp | upx |
Adds Run key to start application (2 TTPs, 1 IoC)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\PROGRA~3\\rundll32.exe C:\\PROGRA~3\\jedgto.dat,FG00" | rundll32.exe |

Drops file in Program Files directory (9 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\PROGRA~3\rundll32.exe | rundll32.exe |
| File created | C:\PROGRA~3\jedgto.dat | rundll32.exe |
| File opened for modification | C:\PROGRA~3\otgdej.pad | rundll32.exe |
| File created | C:\PROGRA~3\otgdej.js | rundll32.exe |
| File created | C:\PROGRA~3\otgdej.pad | rundll32.exe |
| File created | C:\PROGRA~3\as98213.txt | rundll32.exe |
| File opened for modification | C:\PROGRA~3\otgdej.pad | rundll32.exe |
| File created | C:\PROGRA~3\otgdej.bat | rundll32.exe |
| File created | C:\PROGRA~3\otgdej.reg | rundll32.exe |
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer Protected Mode (1 TTP, 5 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | rundll32.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3" | rundll32.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | rundll32.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | rundll32.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | rundll32.exe |

Modifies Internet Explorer Protected Mode Banner (1 TTP, 1 IoC)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | rundll32.exe |

Modifies Internet Explorer settings (16 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | rundll32.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{150579FE-2774-11EF-BCA5-527CD1CC5F27} = "0" | iexplore.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424218378" | iexplore.exe |
Suspicious use of FindShellTrayWindow (8 IoCs)

| pid | Process |
|---|---|
| 4828 | iexplore.exe |
| 4828 | iexplore.exe |
| 4828 | iexplore.exe |
| 4828 | iexplore.exe |
| 4828 | iexplore.exe |
| 4828 | iexplore.exe |
| 4828 | iexplore.exe |
| 4828 | iexplore.exe |

Suspicious use of SetWindowsHookEx (4 IoCs)

| pid | Process |
|---|---|
| 4828 | iexplore.exe |
| 4828 | iexplore.exe |
| 4504 | IEXPLORE.EXE |
| 4504 | IEXPLORE.EXE |

Suspicious use of WriteProcessMemory (28 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2972 wrote to memory of 4912 | 2972 | rundll32.exe | 82 |
| PID 2972 wrote to memory of 4912 | 2972 | rundll32.exe | 82 |
| PID 2972 wrote to memory of 4912 | 2972 | rundll32.exe | 82 |
| PID 4912 wrote to memory of 2688 | 4912 | rundll32.exe | 86 |
| PID 4912 wrote to memory of 2688 | 4912 | rundll32.exe | 86 |
| PID 4912 wrote to memory of 2688 | 4912 | rundll32.exe | 86 |
| PID 2688 wrote to memory of 1316 | 2688 | rundll32.exe | 87 |
| PID 2688 wrote to memory of 1316 | 2688 | rundll32.exe | 87 |
| PID 2688 wrote to memory of 1316 | 2688 | rundll32.exe | 87 |
| PID 2688 wrote to memory of 3712 | 2688 | rundll32.exe | 88 |
| PID 2688 wrote to memory of 3712 | 2688 | rundll32.exe | 88 |
| PID 2688 wrote to memory of 3712 | 2688 | rundll32.exe | 88 |
| PID 2688 wrote to memory of 1820 | 2688 | rundll32.exe | 89 |
| PID 2688 wrote to memory of 1820 | 2688 | rundll32.exe | 89 |
| PID 2688 wrote to memory of 1820 | 2688 | rundll32.exe | 89 |
| PID 2688 wrote to memory of 3600 | 2688 | rundll32.exe | 90 |
| PID 2688 wrote to memory of 3600 | 2688 | rundll32.exe | 90 |
| PID 2688 wrote to memory of 3600 | 2688 | rundll32.exe | 90 |
| PID 2688 wrote to memory of 400 | 2688 | rundll32.exe | 91 |
| PID 2688 wrote to memory of 400 | 2688 | rundll32.exe | 91 |
| PID 2688 wrote to memory of 400 | 2688 | rundll32.exe | 91 |
| PID 1820 wrote to memory of 4828 | 1820 | rundll32.exe | 92 |
| PID 1820 wrote to memory of 4828 | 1820 | rundll32.exe | 92 |
| PID 4828 wrote to memory of 4504 | 4828 | iexplore.exe | 93 |
| PID 4828 wrote to memory of 4504 | 4828 | iexplore.exe | 93 |
| PID 4828 wrote to memory of 4504 | 4828 | iexplore.exe | 93 |
| PID 1820 wrote to memory of 4828 | 1820 | rundll32.exe | 92 |
| PID 1820 wrote to memory of 4828 | 1820 | rundll32.exe | 92 |
Processes

- C:\Windows\system32\rundll32.exe (PID 2972)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_9e6e7284a23918b54a8c6b281c5dc760.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4912)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\VirusShare_9e6e7284a23918b54a8c6b281c5dc760.dll,#1
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\PROGRA~3\rundll32.exe (PID 2688)
      Command line: C:\PROGRA~3\rundll32.exe C:\PROGRA~3\jedgto.dat,FG00
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      - C:\PROGRA~3\rundll32.exe (PID 1316)
        Command line: C:\PROGRA~3\rundll32.exe C:\PROGRA~3\jedgto.dat,FG01
        - Executes dropped EXE
        - Loads dropped DLL
      - C:\PROGRA~3\rundll32.exe (PID 3712)
        Command line: C:\PROGRA~3\rundll32.exe C:\PROGRA~3\jedgto.dat,FG02
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
      - C:\PROGRA~3\rundll32.exe (PID 1820)
        Command line: C:\PROGRA~3\rundll32.exe C:\PROGRA~3\jedgto.dat,FG03
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies Internet Explorer Protected Mode
        - Modifies Internet Explorer Protected Mode Banner
        - Modifies Internet Explorer settings
        - Suspicious use of WriteProcessMemory
        - C:\Program Files\Internet Explorer\iexplore.exe (PID 4828)
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 4504)
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4828 CREDAT:17410 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
      - C:\PROGRA~3\rundll32.exe (PID 3600)
        Command line: C:\PROGRA~3\rundll32.exe C:\PROGRA~3\jedgto.dat,FG04
        - Executes dropped EXE
        - Loads dropped DLL
      - C:\PROGRA~3\rundll32.exe (PID 400)
        Command line: C:\PROGRA~3\rundll32.exe C:\PROGRA~3\jedgto.dat,FG06
        - Executes dropped EXE
        - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 88KB
  MD5: 9e6e7284a23918b54a8c6b281c5dc760
  SHA1: 5fa233c2ac8906e228cdb124baa6d5b5ce3a345f
  SHA256: b1bcab6f7b710ddbcec0ff9ded71c0bc8b40c6dc89f833bbd58d8226a014b32f
  SHA512: 416c80b0ad9a37adc1f6bcddbf7398a6b9a24be0ee7056dd70610567559c56b32d77eb44ae1a87c62a9c5f3d5d73f7c63953f96a8aee6256e0cd4f2b39f99769

- Filesize: 60KB
  MD5: 889b99c52a60dd49227c5e485a016679
  SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641