2d29c706b447f514f53fc7d4894cd534eb5e33483d22633da1b176946a32da33

Analysis

max time kernel
106s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninst.exe
Size

4.3MB
MD5

864e2bf430a7b5c15a40fc43f06d612e
SHA1

1e74e009ec5a63d91f2a354fa051d772755b4f51
SHA256

2d29c706b447f514f53fc7d4894cd534eb5e33483d22633da1b176946a32da33
SHA512

141c1b0a8beb5b5be5320fb935a39220f9cc02189ba922eda6a6ee835617b8e433a3aa0ebdb4afc3b7d59a71e18c23a43a6365e05feb5ff728650f54a79b284e
SSDEEP

98304:zqwQ/FTi8zgGKZyyJPy6gxMiODCnFSKnM21uh5H:ziVixbZyyJa53ODYFRb1uh

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Un_A.exe

Executes dropped EXE 1 IoCs

pid	Process
4408	Un_A.exe

Loads dropped DLL 15 IoCs

pid	Process
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe
4408	Un_A.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeRestorePrivilege	4408	Un_A.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 4408	1752	uninst.exe	86
PID 1752 wrote to memory of 4408	1752	uninst.exe	86
PID 1752 wrote to memory of 4408	1752	uninst.exe	86
PID 4408 wrote to memory of 3524	4408	Un_A.exe	101
PID 4408 wrote to memory of 3524	4408	Un_A.exe	101
PID 4408 wrote to memory of 3524	4408	Un_A.exe	101
PID 3524 wrote to memory of 3872	3524	cmd.exe	103
PID 3524 wrote to memory of 3872	3524	cmd.exe	103
PID 3524 wrote to memory of 3872	3524	cmd.exe	103
PID 3872 wrote to memory of 3056	3872	cmd.exe	104
PID 3872 wrote to memory of 3056	3872	cmd.exe	104
PID 3872 wrote to memory of 3056	3872	cmd.exe	104
PID 3872 wrote to memory of 4332	3872	cmd.exe	105
PID 3872 wrote to memory of 4332	3872	cmd.exe	105
PID 3872 wrote to memory of 4332	3872	cmd.exe	105
PID 4408 wrote to memory of 5032	4408	Un_A.exe	106
PID 4408 wrote to memory of 5032	4408	Un_A.exe	106
PID 4408 wrote to memory of 5032	4408	Un_A.exe	106
PID 4408 wrote to memory of 3308	4408	Un_A.exe	108
PID 4408 wrote to memory of 3308	4408	Un_A.exe	108
PID 4408 wrote to memory of 3308	4408	Un_A.exe	108

C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c for /f "usebackq tokens=1* delims=\" %# in (`C:\Windows\system32\schtasks /query /fo list ^| findstr /i CCleanerSkipUAC`) do C:\Windows\system32\schtasks /delete /tn "%$" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\schtasks /query /fo list | findstr /i CCleanerSkipUAC
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3872
    - - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\system32\schtasks /query /fo list
        5⤵
        
        PID:3056
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /i CCleanerSkipUAC
        5⤵
        
        PID:4332
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\system32\schtasks /delete /tn CCleanerCrashReporting /f
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\system32\schtasks /delete /tn CCleanerClean /f
    3⤵
    PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj6B2E.tmp

Filesize
14.2MB

MD5
e432f27341a60258dd7af47e7248101f

SHA1
48c8b8e4915ded9601362e03e17684908f7773c1

SHA256
04b4e8835186f069e3edd558f6188b57903992f97379929c35f7d398e17da828

SHA512
be98725e7cf1b0f55112f1bb0ce2a26cf7d03bc65923f634b9deb8b7bb62910369cf48a07459b85f5f67e33e68f232354e336bc001990b8be08899928690931e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\INetC.dll

Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\p\ServiceUninstaller.dll

Filesize
497KB

MD5
3053907a25371c3ed0c5447d9862b594

SHA1
f39f0363886bb06cb1c427db983bd6da44c01194

SHA256
0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495

SHA512
226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\p\ServiceUninstaller.dll

Filesize
497KB

MD5
3053907a25371c3ed0c5447d9862b594

SHA1
f39f0363886bb06cb1c427db983bd6da44c01194

SHA256
0b78d56aceefb4ff259660bd55bbb497ce29a5d60206b5d19d05e1442829e495

SHA512
226530658b3e1530f93285962e6b97d61f54039c1bbfcbc5ec27e9ba1489864aecd2d5b58577c8a9d7b25595a03aa35ee97cc7e33e026a89cbf5d470aa65c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\p\pfBL.dll

Filesize
13.2MB

MD5
3aed4b7d1efeafe0378f16977d761c73

SHA1
a5ccfcf504f88cf518e84363bf57c551f0feaf2a

SHA256
586e188297ae45ce41a514191fbfaf9365013205a9f58ebe4a1b1c9ebe6eda3c

SHA512
17db5ec5f7c0691f0718e9ad4728d4b103f54d2a04f2dd3c6c0c587be1c7cef4e414036669fe15a60842b3ef87596d926222cf41775f4c5ccc1c885e07a8a680

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6B3F.tmp\p\pfBL.dll

Filesize
13.2MB

MD5
3aed4b7d1efeafe0378f16977d761c73

SHA1
a5ccfcf504f88cf518e84363bf57c551f0feaf2a

SHA256
586e188297ae45ce41a514191fbfaf9365013205a9f58ebe4a1b1c9ebe6eda3c

SHA512
17db5ec5f7c0691f0718e9ad4728d4b103f54d2a04f2dd3c6c0c587be1c7cef4e414036669fe15a60842b3ef87596d926222cf41775f4c5ccc1c885e07a8a680

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
4.3MB

MD5
864e2bf430a7b5c15a40fc43f06d612e

SHA1
1e74e009ec5a63d91f2a354fa051d772755b4f51

SHA256
2d29c706b447f514f53fc7d4894cd534eb5e33483d22633da1b176946a32da33

SHA512
141c1b0a8beb5b5be5320fb935a39220f9cc02189ba922eda6a6ee835617b8e433a3aa0ebdb4afc3b7d59a71e18c23a43a6365e05feb5ff728650f54a79b284e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
4.3MB

MD5
864e2bf430a7b5c15a40fc43f06d612e

SHA1
1e74e009ec5a63d91f2a354fa051d772755b4f51

SHA256
2d29c706b447f514f53fc7d4894cd534eb5e33483d22633da1b176946a32da33

SHA512
141c1b0a8beb5b5be5320fb935a39220f9cc02189ba922eda6a6ee835617b8e433a3aa0ebdb4afc3b7d59a71e18c23a43a6365e05feb5ff728650f54a79b284e

Download Submit