632e3afccd98120934bce68913c7f8983b79262006325be931ef76fab16225c2

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
16-02-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/uninstall.exe
Size

4.6MB
MD5

bf5cb794c91708f9c63487bc47502f22
SHA1

1c415a2905adb53fcee39b7d488979e962fdf65a
SHA256

c742fbcb2b6ede8188524f636b35bbfdf4cb10dee10a587f847c94330b10e740
SHA512

508aafa73a97cedd81dbbb45fcfb63d79bbb5ad727546bac72a1b7a0c71d125e9884d7c06f75d88720c93256ae0cd5efefa5b02285bb99e9951cd39ce5128e13
SSDEEP

98304:ZD8tFsKQKcUoxQbVUNF/YGxkFzfR3bXqv02NzF/wxt4tdq2:ZD8/QDKjRRLxb0s2

Score

4^/10

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
2316	uninstall.exe
2316	uninstall.exe
2316	uninstall.exe
2316	uninstall.exe
2316	uninstall.exe
2316	uninstall.exe
2316	uninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	uninstall.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	uninstall.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2948	2316	uninstall.exe	28
PID 2316 wrote to memory of 2948	2316	uninstall.exe	28
PID 2316 wrote to memory of 2948	2316	uninstall.exe	28
PID 2316 wrote to memory of 2948	2316	uninstall.exe	28

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"ati-Windows\",\"user_id\":\"5AC9C16A\",\"events\":[{\"name\":\"Uninstall_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"US Launch App\",\"el\":\"Success\",\"install_productversion\":\"Official-ar-mutaz\",\"install_trackversion\":\"8.8.4.2\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-TGM4BTG393&api_secret=eGiGdVy9TP-vcp40T0t3QQ""
  2⤵
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsi60F5.tmp\nsDui.dll

Filesize
768KB

MD5
8b962cafdee8ef1a66290af7820a7e28

SHA1
8a3f9030ed3f8f06f09daa3ca99a4a2b37ccc615

SHA256
d77aa69da9cddf108cfcb160149cb84635c85253c187ab71d46bda5c9a82b3e5

SHA512
55ed34eb37a0a4d38479bb53a4a644c3c4122baed905be5a036c6a2a9baf6e97e819b37a209ccac98662a01b8f2eaa8e3df9bc7249b0e2b667da998e99dc8488

Download Submit
\Users\Admin\AppData\Local\Temp\nsi60F5.tmp\CheckProVs.dll

Filesize
7KB

MD5
62e85098ce43cb3d5c422e49390b7071

SHA1
df6722f155ce2a1379eff53a9ad1611ddecbb3bf

SHA256
ee7e26894cbf89c93ae4df15bdb12cd9a21f5deacedfa99a01eefe8fa52daec2

SHA512
dfe7438c2b46f822e2a810bc355e5226043547608d19d1c70314e4325c06ad9ad63a797905e30d19f5d9a86ee1a6d9c28f525a298731e79dbf6f3d6441179a8e

Download Submit
\Users\Admin\AppData\Local\Temp\nsi60F5.tmp\GoogleTracingLib.dll

Filesize
60KB

MD5
c3acee47a5ab94d9996692b44b63f49e

SHA1
fe117c2d9602ab9b3d7d7e5539c91c43ffae8e91

SHA256
66340abdc75b99f5a49983ac9f606ec880d8551d39ef5643f97a80e2150bbfa8

SHA512
1cc6aad4c8dff4310163d1656a40fdda16901207b46b9064b481377acc00b17b3ddcc026a21a4fb2e98bb2f337a94ae36f790415deccec02699d7803de5ee92f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi60F5.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
\Users\Admin\AppData\Local\Temp\nsi60F5.tmp\libcrypto-1_1.dll

Filesize
2.1MB

MD5
f2897d414a50674f58a0d1aa19614a20

SHA1
adced986562ed4a4e07fc92aff3d30797e2f83df

SHA256
c4372100431007321e8fb3b41eef740dfe6e1c8a694bea251f9637209d76f207

SHA512
a2760bcbb049e9f336802b9302115659bcae39c376ea05485fa3aa0da9bc695fc910f4c93348d4435d07b8448b6db2492dc3564ee94378be7e3b29dca5577396

Download Submit
\Users\Admin\AppData\Local\Temp\nsi60F5.tmp\libssl-1_1.dll

Filesize
389KB

MD5
7b155439f2fe287dca54370ace90d7ea

SHA1
c747c32daf2a7fd35e934a51c4b19a292ae2ca63

SHA256
08d6a4106d5a49658d776b50c5f99dcc244bebd8577eee6f445df0b70f4d758e

SHA512
a8f3b074d3e298f2783ea5aa3535d3ac452ac8c8c85fbd9c9b800294f91d3fc1315766cd8cd5a788b96753bc4177cf724c9c5b51067d71aef8f567d5da244d0b

Download Submit
\Users\Admin\AppData\Local\Temp\nsi60F5.tmp\nsDui.dll

Filesize
489KB

MD5
73e118fed8584600a90dff445650b9bd

SHA1
576217a25f6445e00f350381155721ebf5d18032

SHA256
513ce59046d1f7c03f68a8be15153781f5be12e3a99817e208634ed7f6acafde

SHA512
8b2caf97eec2340495e9482b0870879d469f350b7d38a371c461d276386043f28bcd71af617ff4172b43357930b7ed59397a1c1aedb9e625d423886a7eedf2cf

Download Submit