03538b8075917a6cd1d61b04a44b29f97a4869fe6fa6625b151a4cd49e27d632

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UNINSTAL.exe
Size

389KB
MD5

8094c584e629c3e92cf4ff5405156f99
SHA1

4b16b1bbe13e0eba69eeb48e54f1fc09033d4914
SHA256

03538b8075917a6cd1d61b04a44b29f97a4869fe6fa6625b151a4cd49e27d632
SHA512

e6cd3da6adaa6582bd413d69044057fee93b0dc8543c3cd39844613f827208ed5e5ccf5c98b9e60947dab2bd3638b259d615a83c508f07a72053c0179b75bf40
SSDEEP

6144:xoRutWMMMMKvtPMy8oxCwvA9WXUSA+nRONUK8R+FgjiUjS1zf75c51Cc:uR6WMMMMKVMNoD8enRQ8R+2fSZlu1Cc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2852	~TMPB855.exe
1028	~clnB855.exe
2940	~clnB855.exe

Loads dropped DLL 14 IoCs

pid	Process
3020	UNINSTAL.exe
2852	~TMPB855.exe
2852	~TMPB855.exe
2852	~TMPB855.exe
2852	~TMPB855.exe
2852	~TMPB855.exe
2852	~TMPB855.exe
2852	~TMPB855.exe
1028	~clnB855.exe
1028	~clnB855.exe
1028	~clnB855.exe
2940	~clnB855.exe
2940	~clnB855.exe
2940	~clnB855.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	UNINSTAL.exe
File opened (read-only)	\??\R:	UNINSTAL.exe
File opened (read-only)	\??\J:	~TMPB855.exe
File opened (read-only)	\??\L:	~TMPB855.exe
File opened (read-only)	\??\N:	~TMPB855.exe
File opened (read-only)	\??\N:	UNINSTAL.exe
File opened (read-only)	\??\P:	UNINSTAL.exe
File opened (read-only)	\??\M:	~TMPB855.exe
File opened (read-only)	\??\Q:	~TMPB855.exe
File opened (read-only)	\??\R:	~TMPB855.exe
File opened (read-only)	\??\Z:	~TMPB855.exe
File opened (read-only)	\??\K:	UNINSTAL.exe
File opened (read-only)	\??\A:	~TMPB855.exe
File opened (read-only)	\??\B:	UNINSTAL.exe
File opened (read-only)	\??\G:	UNINSTAL.exe
File opened (read-only)	\??\H:	UNINSTAL.exe
File opened (read-only)	\??\I:	UNINSTAL.exe
File opened (read-only)	\??\Z:	UNINSTAL.exe
File opened (read-only)	\??\E:	~TMPB855.exe
File opened (read-only)	\??\Y:	~TMPB855.exe
File opened (read-only)	\??\S:	UNINSTAL.exe
File opened (read-only)	\??\V:	UNINSTAL.exe
File opened (read-only)	\??\X:	UNINSTAL.exe
File opened (read-only)	\??\U:	~TMPB855.exe
File opened (read-only)	\??\V:	~TMPB855.exe
File opened (read-only)	\??\X:	~TMPB855.exe
File opened (read-only)	\??\E:	UNINSTAL.exe
File opened (read-only)	\??\J:	UNINSTAL.exe
File opened (read-only)	\??\T:	UNINSTAL.exe
File opened (read-only)	\??\Y:	UNINSTAL.exe
File opened (read-only)	\??\G:	~TMPB855.exe
File opened (read-only)	\??\H:	~TMPB855.exe
File opened (read-only)	\??\W:	~TMPB855.exe
File opened (read-only)	\??\L:	UNINSTAL.exe
File opened (read-only)	\??\M:	UNINSTAL.exe
File opened (read-only)	\??\B:	~TMPB855.exe
File opened (read-only)	\??\I:	~TMPB855.exe
File opened (read-only)	\??\K:	~TMPB855.exe
File opened (read-only)	\??\O:	~TMPB855.exe
File opened (read-only)	\??\S:	~TMPB855.exe
File opened (read-only)	\??\O:	UNINSTAL.exe
File opened (read-only)	\??\Q:	UNINSTAL.exe
File opened (read-only)	\??\U:	UNINSTAL.exe
File opened (read-only)	\??\W:	UNINSTAL.exe
File opened (read-only)	\??\P:	~TMPB855.exe
File opened (read-only)	\??\T:	~TMPB855.exe

Suspicious use of SetWindowsHookAW 1 IoCs

pid	Process
2852	~TMPB855.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2852	3020	UNINSTAL.exe	28
PID 3020 wrote to memory of 2852	3020	UNINSTAL.exe	28
PID 3020 wrote to memory of 2852	3020	UNINSTAL.exe	28
PID 3020 wrote to memory of 2852	3020	UNINSTAL.exe	28
PID 3020 wrote to memory of 2852	3020	UNINSTAL.exe	28
PID 3020 wrote to memory of 2852	3020	UNINSTAL.exe	28
PID 3020 wrote to memory of 2852	3020	UNINSTAL.exe	28
PID 2852 wrote to memory of 1028	2852	~TMPB855.exe	29
PID 2852 wrote to memory of 1028	2852	~TMPB855.exe	29
PID 2852 wrote to memory of 1028	2852	~TMPB855.exe	29
PID 2852 wrote to memory of 1028	2852	~TMPB855.exe	29
PID 2852 wrote to memory of 1028	2852	~TMPB855.exe	29
PID 2852 wrote to memory of 1028	2852	~TMPB855.exe	29
PID 2852 wrote to memory of 1028	2852	~TMPB855.exe	29
PID 2852 wrote to memory of 2940	2852	~TMPB855.exe	30
PID 2852 wrote to memory of 2940	2852	~TMPB855.exe	30
PID 2852 wrote to memory of 2940	2852	~TMPB855.exe	30
PID 2852 wrote to memory of 2940	2852	~TMPB855.exe	30
PID 2852 wrote to memory of 2940	2852	~TMPB855.exe	30
PID 2852 wrote to memory of 2940	2852	~TMPB855.exe	30
PID 2852 wrote to memory of 2940	2852	~TMPB855.exe	30

C:\Users\Admin\AppData\Local\Temp\UNINSTAL.exe
"C:\Users\Admin\AppData\Local\Temp\UNINSTAL.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\~TMPB855.exe
  C:\Users\Admin\AppData\Local\Temp\~TMPB855.exe -3 -d"C:\Users\Admin\AppData\Local\Temp\UNINSTAL.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookAW
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Users\Admin\AppData\Local\Temp\~clnB855.exe
    C:\Users\Admin\AppData\Local\Temp\~clnB855.exe #&*%!C:\Users\Admin\AppData\Local\Temp\~TMPB855.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1028
- - C:\Users\Admin\AppData\Local\Temp\~clnB855.exe
    C:\Users\Admin\AppData\Local\Temp\~clnB855.exe #&*%!C:\Users\Admin\AppData\Local\Temp\INST95.DLL
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INST95.DLL

Filesize
152KB

MD5
6b6ec54f90a621f405f1151a3f5f838d

SHA1
a49bc658956b5d47e1d2da59806a297314f5416b

SHA256
66fc8ab5aa23f21990b787c259bcaf67793a95b30fcf9c5d7a4b5e124ebaf2fa

SHA512
b6cce729981a20e5b98d8641e67b30946d4fc5a2f3f6c4e5f2cf474f05a333e3cadefed953fd43026e59dc2d9532447207d63789d04aaabcfdb81b4844d904c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TITLE.BMP

Filesize
2KB

MD5
4b3e827492a548133da84b3647a66165

SHA1
ebef9c177cea14df7ac39df1a152d003135aad65

SHA256
2af2b3c9f549e5a483727c4acb8f6be245f5a909b4f3330b7e2eabc2f434d42d

SHA512
d9251ff404f37e9f2a9441d388f9b07db7faa50fe394d1f7dbf51b5eb5edbcaa0c068f3a573917bfac9a9530a4f7ba3a3d693e4ae76585bd7e40ceb225ea9136

Download Submit
C:\Users\Admin\AppData\Local\Temp\~TMPB855.exe

Filesize
608KB

MD5
ad70a6ba2b6f441e693a18d95a935029

SHA1
2e8877d87b16cae4e42c72a72090e75626ad641c

SHA256
3572773f3e76aa6169c1fd423f54589572a8a4d1b4c46f5c5c5e2d67b1594f92

SHA512
340f9d1622db8d348130788f6a933c1bdeaa6746eff14c14321660251ed4012778f05ddca83ad832c0584b012223975ce23ec9569bfc504944d225f1320f495a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~TMPB855.exe

Filesize
608KB

MD5
ad70a6ba2b6f441e693a18d95a935029

SHA1
2e8877d87b16cae4e42c72a72090e75626ad641c

SHA256
3572773f3e76aa6169c1fd423f54589572a8a4d1b4c46f5c5c5e2d67b1594f92

SHA512
340f9d1622db8d348130788f6a933c1bdeaa6746eff14c14321660251ed4012778f05ddca83ad832c0584b012223975ce23ec9569bfc504944d225f1320f495a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~clnB855.exe

Filesize
11KB

MD5
b2bca3c11e54556f00307781f1315eee

SHA1
256700bf3e584c75c9ecfe9776e517bfd3c9650a

SHA256
c7329d9ee309784201c7bd7e45670002b27e2fbe6a5dce5d75152a03b29eafc4

SHA512
6f4c4fa1676d426fc041cd1071308400bc4065401346bdbf9e40544322b504c02f32596ebb66339d550ba4ab8e6bc3d827bc6a6779f09031568f85db26a7ea37

Download Submit
C:\Users\Admin\AppData\Local\Temp\~clnB855.exe

Filesize
11KB

MD5
b2bca3c11e54556f00307781f1315eee

SHA1
256700bf3e584c75c9ecfe9776e517bfd3c9650a

SHA256
c7329d9ee309784201c7bd7e45670002b27e2fbe6a5dce5d75152a03b29eafc4

SHA512
6f4c4fa1676d426fc041cd1071308400bc4065401346bdbf9e40544322b504c02f32596ebb66339d550ba4ab8e6bc3d827bc6a6779f09031568f85db26a7ea37

Download Submit
C:\Users\Admin\AppData\Local\Temp\~clnB855.exe

Filesize
11KB

MD5
b2bca3c11e54556f00307781f1315eee

SHA1
256700bf3e584c75c9ecfe9776e517bfd3c9650a

SHA256
c7329d9ee309784201c7bd7e45670002b27e2fbe6a5dce5d75152a03b29eafc4

SHA512
6f4c4fa1676d426fc041cd1071308400bc4065401346bdbf9e40544322b504c02f32596ebb66339d550ba4ab8e6bc3d827bc6a6779f09031568f85db26a7ea37

Download Submit
\Users\Admin\AppData\Local\Temp\~TMPB855.exe

Filesize
608KB

MD5
ad70a6ba2b6f441e693a18d95a935029

SHA1
2e8877d87b16cae4e42c72a72090e75626ad641c

SHA256
3572773f3e76aa6169c1fd423f54589572a8a4d1b4c46f5c5c5e2d67b1594f92

SHA512
340f9d1622db8d348130788f6a933c1bdeaa6746eff14c14321660251ed4012778f05ddca83ad832c0584b012223975ce23ec9569bfc504944d225f1320f495a

Download Submit
\Users\Admin\AppData\Local\Temp\~TMPB855.exe

Filesize
608KB

MD5
ad70a6ba2b6f441e693a18d95a935029

SHA1
2e8877d87b16cae4e42c72a72090e75626ad641c

SHA256
3572773f3e76aa6169c1fd423f54589572a8a4d1b4c46f5c5c5e2d67b1594f92

SHA512
340f9d1622db8d348130788f6a933c1bdeaa6746eff14c14321660251ed4012778f05ddca83ad832c0584b012223975ce23ec9569bfc504944d225f1320f495a

Download Submit
\Users\Admin\AppData\Local\Temp\~TMPB855.exe

Filesize
608KB

MD5
ad70a6ba2b6f441e693a18d95a935029

SHA1
2e8877d87b16cae4e42c72a72090e75626ad641c

SHA256
3572773f3e76aa6169c1fd423f54589572a8a4d1b4c46f5c5c5e2d67b1594f92

SHA512
340f9d1622db8d348130788f6a933c1bdeaa6746eff14c14321660251ed4012778f05ddca83ad832c0584b012223975ce23ec9569bfc504944d225f1320f495a

Download Submit
\Users\Admin\AppData\Local\Temp\~TMPB855.exe

Filesize
608KB

MD5
ad70a6ba2b6f441e693a18d95a935029

SHA1
2e8877d87b16cae4e42c72a72090e75626ad641c

SHA256
3572773f3e76aa6169c1fd423f54589572a8a4d1b4c46f5c5c5e2d67b1594f92

SHA512
340f9d1622db8d348130788f6a933c1bdeaa6746eff14c14321660251ed4012778f05ddca83ad832c0584b012223975ce23ec9569bfc504944d225f1320f495a

Download Submit
\Users\Admin\AppData\Local\Temp\~clnB855.exe

Filesize
11KB

MD5
b2bca3c11e54556f00307781f1315eee

SHA1
256700bf3e584c75c9ecfe9776e517bfd3c9650a

SHA256
c7329d9ee309784201c7bd7e45670002b27e2fbe6a5dce5d75152a03b29eafc4

SHA512
6f4c4fa1676d426fc041cd1071308400bc4065401346bdbf9e40544322b504c02f32596ebb66339d550ba4ab8e6bc3d827bc6a6779f09031568f85db26a7ea37

Download Submit
\Users\Admin\AppData\Local\Temp\~clnB855.exe

Filesize
11KB

MD5
b2bca3c11e54556f00307781f1315eee

SHA1
256700bf3e584c75c9ecfe9776e517bfd3c9650a

SHA256
c7329d9ee309784201c7bd7e45670002b27e2fbe6a5dce5d75152a03b29eafc4

SHA512
6f4c4fa1676d426fc041cd1071308400bc4065401346bdbf9e40544322b504c02f32596ebb66339d550ba4ab8e6bc3d827bc6a6779f09031568f85db26a7ea37

Download Submit
\Users\Admin\AppData\Local\Temp\~clnB855.exe

Filesize
11KB

MD5
b2bca3c11e54556f00307781f1315eee

SHA1
256700bf3e584c75c9ecfe9776e517bfd3c9650a

SHA256
c7329d9ee309784201c7bd7e45670002b27e2fbe6a5dce5d75152a03b29eafc4

SHA512
6f4c4fa1676d426fc041cd1071308400bc4065401346bdbf9e40544322b504c02f32596ebb66339d550ba4ab8e6bc3d827bc6a6779f09031568f85db26a7ea37

Download Submit
\Users\Admin\AppData\Local\Temp\~clnB855.exe

Filesize
11KB

MD5
b2bca3c11e54556f00307781f1315eee

SHA1
256700bf3e584c75c9ecfe9776e517bfd3c9650a

SHA256
c7329d9ee309784201c7bd7e45670002b27e2fbe6a5dce5d75152a03b29eafc4

SHA512
6f4c4fa1676d426fc041cd1071308400bc4065401346bdbf9e40544322b504c02f32596ebb66339d550ba4ab8e6bc3d827bc6a6779f09031568f85db26a7ea37

Download Submit
\Users\Admin\AppData\Local\Temp\~clnB855.exe

Filesize
11KB

MD5
b2bca3c11e54556f00307781f1315eee

SHA1
256700bf3e584c75c9ecfe9776e517bfd3c9650a

SHA256
c7329d9ee309784201c7bd7e45670002b27e2fbe6a5dce5d75152a03b29eafc4

SHA512
6f4c4fa1676d426fc041cd1071308400bc4065401346bdbf9e40544322b504c02f32596ebb66339d550ba4ab8e6bc3d827bc6a6779f09031568f85db26a7ea37

Download Submit
\Users\Admin\AppData\Local\Temp\~clnB855.exe

Filesize
11KB

MD5
b2bca3c11e54556f00307781f1315eee

SHA1
256700bf3e584c75c9ecfe9776e517bfd3c9650a

SHA256
c7329d9ee309784201c7bd7e45670002b27e2fbe6a5dce5d75152a03b29eafc4

SHA512
6f4c4fa1676d426fc041cd1071308400bc4065401346bdbf9e40544322b504c02f32596ebb66339d550ba4ab8e6bc3d827bc6a6779f09031568f85db26a7ea37

Download Submit
\Users\Admin\AppData\Local\Temp\~clnB855.exe

Filesize
11KB

MD5
b2bca3c11e54556f00307781f1315eee

SHA1
256700bf3e584c75c9ecfe9776e517bfd3c9650a

SHA256
c7329d9ee309784201c7bd7e45670002b27e2fbe6a5dce5d75152a03b29eafc4

SHA512
6f4c4fa1676d426fc041cd1071308400bc4065401346bdbf9e40544322b504c02f32596ebb66339d550ba4ab8e6bc3d827bc6a6779f09031568f85db26a7ea37

Download Submit
\Users\Admin\AppData\Local\Temp\~clnB855.exe

Filesize
11KB

MD5
b2bca3c11e54556f00307781f1315eee

SHA1
256700bf3e584c75c9ecfe9776e517bfd3c9650a

SHA256
c7329d9ee309784201c7bd7e45670002b27e2fbe6a5dce5d75152a03b29eafc4

SHA512
6f4c4fa1676d426fc041cd1071308400bc4065401346bdbf9e40544322b504c02f32596ebb66339d550ba4ab8e6bc3d827bc6a6779f09031568f85db26a7ea37

Download Submit
\Users\Admin\AppData\Local\Temp\~clnB855.exe

Filesize
11KB

MD5
b2bca3c11e54556f00307781f1315eee

SHA1
256700bf3e584c75c9ecfe9776e517bfd3c9650a

SHA256
c7329d9ee309784201c7bd7e45670002b27e2fbe6a5dce5d75152a03b29eafc4

SHA512
6f4c4fa1676d426fc041cd1071308400bc4065401346bdbf9e40544322b504c02f32596ebb66339d550ba4ab8e6bc3d827bc6a6779f09031568f85db26a7ea37

Download Submit
\Users\Admin\AppData\Local\Temp\~clnB855.exe

Filesize
11KB

MD5
b2bca3c11e54556f00307781f1315eee

SHA1
256700bf3e584c75c9ecfe9776e517bfd3c9650a

SHA256
c7329d9ee309784201c7bd7e45670002b27e2fbe6a5dce5d75152a03b29eafc4

SHA512
6f4c4fa1676d426fc041cd1071308400bc4065401346bdbf9e40544322b504c02f32596ebb66339d550ba4ab8e6bc3d827bc6a6779f09031568f85db26a7ea37

Download Submit
memory/1028-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2852-18-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2852-25-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2940-34-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3020-17-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download