e72ee401fbafa974d76c5acb144a1092501b97b511ed7824e4b641c74cfb79b3

General

Target

iobituninstaller.exe
Size

25.6MB
MD5

b727787fa4f715df94bd2575a4939609
SHA1

ea22275aa4205195c4f96b409524f65bc9d7fa38
SHA256

e72ee401fbafa974d76c5acb144a1092501b97b511ed7824e4b641c74cfb79b3
SHA512

f5cf8265218af35d89c6c0ddb1d6e606c9928b700b96c8bb37c1c7beda2fcef98b6eb03d231498f3e546830472373399370ad561caa1bdd98d9151eb1998a6ba

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

iobituninstaller.tmpSetup.exe

pid process

2684 iobituninstaller.tmp
2892 Setup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exe

pid process

2892 Setup.exe
2892 Setup.exe
2892 Setup.exe
2892 Setup.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Setup.exe

pid process

2892 Setup.exe

pid	process
2684	iobituninstaller.tmp
2892	Setup.exe

pid	process
2892	Setup.exe
2892	Setup.exe
2892	Setup.exe
2892	Setup.exe

pid	process
2892	Setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

iobituninstaller.exeiobituninstaller.tmp

description	pid	process	target process
PID 1688 wrote to memory of 2684	1688	iobituninstaller.exe	iobituninstaller.tmp
PID 1688 wrote to memory of 2684	1688	iobituninstaller.exe	iobituninstaller.tmp
PID 1688 wrote to memory of 2684	1688	iobituninstaller.exe	iobituninstaller.tmp
PID 2684 wrote to memory of 2892	2684	iobituninstaller.tmp	Setup.exe
PID 2684 wrote to memory of 2892	2684	iobituninstaller.tmp	Setup.exe
PID 2684 wrote to memory of 2892	2684	iobituninstaller.tmp	Setup.exe

C:\Users\Admin\AppData\Local\Temp\iobituninstaller.exe
"C:\Users\Admin\AppData\Local\Temp\iobituninstaller.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\is-1SSMK.tmp\iobituninstaller.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1SSMK.tmp\iobituninstaller.tmp" /SL5="$40038,26267170,139264,C:\Users\Admin\AppData\Local\Temp\iobituninstaller.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\is-G0RHT.tmp\IUInstaller\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-G0RHT.tmp\IUInstaller\Setup.exe" /setup "C:\Users\Admin\AppData\Local\Temp\iobituninstaller.exe" "" "/Ver=11.1.0.18"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-1SSMK.tmp\iobituninstaller.tmp
MD5
b25f095c085e1bc475a31d5b7e89aa21

SHA1
92e5e17188c4671b714bbb5e8993abe8450673ce

SHA256
32df1f1ecdcfb6c620a1f563235920f026994138dc32c4e2e4a1bf84640ea1f4

SHA512
30389bb0a8ab64bfb6251d225990a1d3c21267f43885479be5bae39e531d2b1ee42b9dfa780e7d95ecf7161e3931bcff337def1f8c3de0dda2794e4de009307b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G0RHT.tmp\IUInstaller\Setup.exe
MD5
3a7cffd1b470049dba90374463a1114b

SHA1
72124c648388ec29c62946f492b6c03a083713d4

SHA256
2dd70f2c6d70456c9022728b36d3c478099b85fe9b6d7aac3deded813214952a

SHA512
a6d81fac75143c29c4cecb8fdd5b647803af33b06a6a1be6678e54626a4f3f3efcad2a1eeecd627932116ea2707bfa3a52a493454a363e40d326958104d27010

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G0RHT.tmp\IUInstaller\Setup.exe
MD5
3a7cffd1b470049dba90374463a1114b

SHA1
72124c648388ec29c62946f492b6c03a083713d4

SHA256
2dd70f2c6d70456c9022728b36d3c478099b85fe9b6d7aac3deded813214952a

SHA512
a6d81fac75143c29c4cecb8fdd5b647803af33b06a6a1be6678e54626a4f3f3efcad2a1eeecd627932116ea2707bfa3a52a493454a363e40d326958104d27010

Download Submit
memory/1688-119-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2684-117-0x0000000000000000-mapping.dmp

Download
memory/2684-120-0x0000000000540000-0x00000000005EE000-memory.dmp

Filesize
696KB

Download
memory/2892-121-0x0000000000000000-mapping.dmp

Download
memory/2892-124-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/2892-125-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/2892-126-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/2892-127-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing