Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
20-10-2021 13:29
General
-
Target
iobituninstaller.exe
-
Size
25.6MB
-
MD5
b727787fa4f715df94bd2575a4939609
-
SHA1
ea22275aa4205195c4f96b409524f65bc9d7fa38
-
SHA256
e72ee401fbafa974d76c5acb144a1092501b97b511ed7824e4b641c74cfb79b3
-
SHA512
f5cf8265218af35d89c6c0ddb1d6e606c9928b700b96c8bb37c1c7beda2fcef98b6eb03d231498f3e546830472373399370ad561caa1bdd98d9151eb1998a6ba
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\iobituninstaller.exe"C:\Users\Admin\AppData\Local\Temp\iobituninstaller.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-FULAG.tmp\iobituninstaller.tmp"C:\Users\Admin\AppData\Local\Temp\is-FULAG.tmp\iobituninstaller.tmp" /SL5="$400EA,26267170,139264,C:\Users\Admin\AppData\Local\Temp\iobituninstaller.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-9ET1E.tmp\IUInstaller\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-9ET1E.tmp\IUInstaller\Setup.exe" /setup "C:\Users\Admin\AppData\Local\Temp\iobituninstaller.exe" "" "/Ver=11.1.0.18"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\is-9ET1E.tmp\IUInstaller\Setup.exeMD5
3a7cffd1b470049dba90374463a1114b
SHA172124c648388ec29c62946f492b6c03a083713d4
SHA2562dd70f2c6d70456c9022728b36d3c478099b85fe9b6d7aac3deded813214952a
SHA512a6d81fac75143c29c4cecb8fdd5b647803af33b06a6a1be6678e54626a4f3f3efcad2a1eeecd627932116ea2707bfa3a52a493454a363e40d326958104d27010
-
C:\Users\Admin\AppData\Local\Temp\is-9ET1E.tmp\IUInstaller\Setup.exeMD5
3a7cffd1b470049dba90374463a1114b
SHA172124c648388ec29c62946f492b6c03a083713d4
SHA2562dd70f2c6d70456c9022728b36d3c478099b85fe9b6d7aac3deded813214952a
SHA512a6d81fac75143c29c4cecb8fdd5b647803af33b06a6a1be6678e54626a4f3f3efcad2a1eeecd627932116ea2707bfa3a52a493454a363e40d326958104d27010
-
C:\Users\Admin\AppData\Local\Temp\is-FULAG.tmp\iobituninstaller.tmpMD5
b25f095c085e1bc475a31d5b7e89aa21
SHA192e5e17188c4671b714bbb5e8993abe8450673ce
SHA25632df1f1ecdcfb6c620a1f563235920f026994138dc32c4e2e4a1bf84640ea1f4
SHA51230389bb0a8ab64bfb6251d225990a1d3c21267f43885479be5bae39e531d2b1ee42b9dfa780e7d95ecf7161e3931bcff337def1f8c3de0dda2794e4de009307b
-
\Users\Admin\AppData\Local\Temp\is-9ET1E.tmp\IUInstaller\Setup.exeMD5
3a7cffd1b470049dba90374463a1114b
SHA172124c648388ec29c62946f492b6c03a083713d4
SHA2562dd70f2c6d70456c9022728b36d3c478099b85fe9b6d7aac3deded813214952a
SHA512a6d81fac75143c29c4cecb8fdd5b647803af33b06a6a1be6678e54626a4f3f3efcad2a1eeecd627932116ea2707bfa3a52a493454a363e40d326958104d27010
-
\Users\Admin\AppData\Local\Temp\is-9ET1E.tmp\Setup.exeMD5
3a7cffd1b470049dba90374463a1114b
SHA172124c648388ec29c62946f492b6c03a083713d4
SHA2562dd70f2c6d70456c9022728b36d3c478099b85fe9b6d7aac3deded813214952a
SHA512a6d81fac75143c29c4cecb8fdd5b647803af33b06a6a1be6678e54626a4f3f3efcad2a1eeecd627932116ea2707bfa3a52a493454a363e40d326958104d27010
-
\Users\Admin\AppData\Local\Temp\is-9ET1E.tmp\Setup.exeMD5
3a7cffd1b470049dba90374463a1114b
SHA172124c648388ec29c62946f492b6c03a083713d4
SHA2562dd70f2c6d70456c9022728b36d3c478099b85fe9b6d7aac3deded813214952a
SHA512a6d81fac75143c29c4cecb8fdd5b647803af33b06a6a1be6678e54626a4f3f3efcad2a1eeecd627932116ea2707bfa3a52a493454a363e40d326958104d27010
-
\Users\Admin\AppData\Local\Temp\is-FULAG.tmp\iobituninstaller.tmpMD5
b25f095c085e1bc475a31d5b7e89aa21
SHA192e5e17188c4671b714bbb5e8993abe8450673ce
SHA25632df1f1ecdcfb6c620a1f563235920f026994138dc32c4e2e4a1bf84640ea1f4
SHA51230389bb0a8ab64bfb6251d225990a1d3c21267f43885479be5bae39e531d2b1ee42b9dfa780e7d95ecf7161e3931bcff337def1f8c3de0dda2794e4de009307b
-
memory/520-58-0x0000000000000000-mapping.dmp
-
memory/520-62-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/1420-70-0x0000000074051000-0x0000000074053000-memory.dmpFilesize
8KB
-
memory/1420-66-0x0000000000000000-mapping.dmp
-
memory/1420-71-0x0000000000D30000-0x0000000000D31000-memory.dmpFilesize
4KB
-
memory/1420-72-0x0000000003D80000-0x0000000003D81000-memory.dmpFilesize
4KB
-
memory/1420-73-0x0000000003DA0000-0x0000000003DA1000-memory.dmpFilesize
4KB
-
memory/1420-74-0x0000000004760000-0x0000000004761000-memory.dmpFilesize
4KB
-
memory/1572-61-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1572-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmpFilesize
8KB