Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
24s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
28/07/2023, 21:08
Behavioral task
behavioral1
Sample
Uninstalr_Portable.exe
Resource
win7-20230712-en
General
-
Target
Uninstalr_Portable.exe
-
Size
4.0MB
-
MD5
a35881a67ec38f9bb4e33a8dbe013061
-
SHA1
7e0c222a5429574b326e2fca275e9629f33e1801
-
SHA256
297f90550fecab224d782ef73f1e2a777b70fcf2f90eb19460861a910e08b3b7
-
SHA512
7f76e13addbcf381f32f634a61d560726812963aa374f2a5810d8f501168366f8c0d606e0200164654f821ca27bcc2ea80f3cc81393eb4c3868bfcd56fdb8133
-
SSDEEP
98304:cJFjFiafJBZhaWQDXiWGUiJBUOXRpg324zzU:UPxfJBZhaWqXHUDozo
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation Uninstalr_Portable.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/4920-133-0x0000000000400000-0x00000000011C1000-memory.dmp upx behavioral2/memory/4920-153-0x0000000000400000-0x00000000011C1000-memory.dmp upx behavioral2/memory/4920-173-0x0000000000400000-0x00000000011C1000-memory.dmp upx behavioral2/memory/4920-181-0x0000000000400000-0x00000000011C1000-memory.dmp upx behavioral2/memory/4920-183-0x0000000000400000-0x00000000011C1000-memory.dmp upx behavioral2/memory/4920-184-0x0000000000400000-0x00000000011C1000-memory.dmp upx behavioral2/memory/4920-185-0x0000000000400000-0x00000000011C1000-memory.dmp upx behavioral2/memory/4920-188-0x0000000000400000-0x00000000011C1000-memory.dmp upx -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Uninstalr_Portable.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Uninstalr_Portable.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Uninstalr_Portable.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer Uninstalr_Portable.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Uninstalr_Portable.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion Uninstalr_Portable.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 4920 Uninstalr_Portable.exe 4920 Uninstalr_Portable.exe 4920 Uninstalr_Portable.exe 4920 Uninstalr_Portable.exe 4920 Uninstalr_Portable.exe 4920 Uninstalr_Portable.exe 3176 powershell.exe 3176 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3176 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4920 Uninstalr_Portable.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4920 Uninstalr_Portable.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4920 wrote to memory of 380 4920 Uninstalr_Portable.exe 88 PID 4920 wrote to memory of 380 4920 Uninstalr_Portable.exe 88 PID 4920 wrote to memory of 380 4920 Uninstalr_Portable.exe 88 PID 4920 wrote to memory of 3176 4920 Uninstalr_Portable.exe 90 PID 4920 wrote to memory of 3176 4920 Uninstalr_Portable.exe 90 PID 4920 wrote to memory of 3176 4920 Uninstalr_Portable.exe 90 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Uninstalr_Portable.exe"C:\Users\Admin\AppData\Local\Temp\Uninstalr_Portable.exe"1⤵
- Checks computer location settings
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c winget list --accept-source-agreements > "C:\Users\Admin\AppData\Local\Temp\Uninstalr_can_delete_x2_240618515.tmp"2⤵PID:380
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -AllUsers | Out-File "C:\Users\Admin\AppData\Local\Temp\Uninstalr_can_delete_x1_240620265.tmp"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3176
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
154KB
MD5bd799c1ce0ed4c04aa7ad7ce384b04b8
SHA1522aa08afd33e347613252f4833585ba2e228c81
SHA256f8255037b7abbd17a44defeb9e8417786c7cb406f4695462843dc47636a81c4c
SHA512591274fff64785d1f5bbbda101a284668b2c29da21dbc4d9d6491c1b4335d72896c3a964cdc492498fd9243526256a791327e0fdf58fe77a67f4350935c1f6a3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82