Analysis

  • max time kernel: 142s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 16-02-2024 09:13

General

  • Target: $PLUGINSDIR/uninstall.exe
  • Size: 4.6MB
  • MD5: bf5cb794c91708f9c63487bc47502f22
  • SHA1: 1c415a2905adb53fcee39b7d488979e962fdf65a
  • SHA256: c742fbcb2b6ede8188524f636b35bbfdf4cb10dee10a587f847c94330b10e740
  • SHA512: 508aafa73a97cedd81dbbb45fcfb63d79bbb5ad727546bac72a1b7a0c71d125e9884d7c06f75d88720c93256ae0cd5efefa5b02285bb99e9951cd39ce5128e13
  • SSDEEP: 98304:ZD8tFsKQKcUoxQbVUNF/YGxkFzfR3bXqv02NzF/wxt4tdq2:ZD8/QDKjRRLxb0s2

Score: 5/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
  • Loads dropped DLL (7 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Checks processor information in registry (2 TTPs, 2 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"ati-Windows\",\"user_id\":\"8F3FD383\",\"events\":[{\"name\":\"Uninstall_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"US Launch App\",\"el\":\"Success\",\"install_productversion\":\"Official-ar-mutaz\",\"install_trackversion\":\"8.8.4.2\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-TGM4BTG393&api_secret=eGiGdVy9TP-vcp40T0t3QQ""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5004
      • C:\Windows\SysWOW64\curl.exe
        curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"ati-Windows\",\"user_id\":\"8F3FD383\",\"events\":[{\"name\":\"Uninstall_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"US Launch App\",\"el\":\"Success\",\"install_productversion\":\"Official-ar-mutaz\",\"install_trackversion\":\"8.8.4.2\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-TGM4BTG393&api_secret=eGiGdVy9TP-vcp40T0t3QQ"
        3⤵
          PID:3692

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsz6A54.tmp\CheckProVs.dll
      Filesize: 7KB
      MD5: 62e85098ce43cb3d5c422e49390b7071
      SHA1: df6722f155ce2a1379eff53a9ad1611ddecbb3bf
      SHA256: ee7e26894cbf89c93ae4df15bdb12cd9a21f5deacedfa99a01eefe8fa52daec2
      SHA512: dfe7438c2b46f822e2a810bc355e5226043547608d19d1c70314e4325c06ad9ad63a797905e30d19f5d9a86ee1a6d9c28f525a298731e79dbf6f3d6441179a8e

    • C:\Users\Admin\AppData\Local\Temp\nsz6A54.tmp\GoogleTracingLib.dll
      Filesize: 60KB
      MD5: c3acee47a5ab94d9996692b44b63f49e
      SHA1: fe117c2d9602ab9b3d7d7e5539c91c43ffae8e91
      SHA256: 66340abdc75b99f5a49983ac9f606ec880d8551d39ef5643f97a80e2150bbfa8
      SHA512: 1cc6aad4c8dff4310163d1656a40fdda16901207b46b9064b481377acc00b17b3ddcc026a21a4fb2e98bb2f337a94ae36f790415deccec02699d7803de5ee92f

    • C:\Users\Admin\AppData\Local\Temp\nsz6A54.tmp\System.dll
      Filesize: 11KB
      MD5: ca332bb753b0775d5e806e236ddcec55
      SHA1: f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
      SHA256: df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
      SHA512: 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

    • C:\Users\Admin\AppData\Local\Temp\nsz6A54.tmp\libcrypto-1_1.dll
      Filesize: 2.1MB
      MD5: f2897d414a50674f58a0d1aa19614a20
      SHA1: adced986562ed4a4e07fc92aff3d30797e2f83df
      SHA256: c4372100431007321e8fb3b41eef740dfe6e1c8a694bea251f9637209d76f207
      SHA512: a2760bcbb049e9f336802b9302115659bcae39c376ea05485fa3aa0da9bc695fc910f4c93348d4435d07b8448b6db2492dc3564ee94378be7e3b29dca5577396

    • C:\Users\Admin\AppData\Local\Temp\nsz6A54.tmp\libssl-1_1.dll
      Filesize: 389KB
      MD5: 7b155439f2fe287dca54370ace90d7ea
      SHA1: c747c32daf2a7fd35e934a51c4b19a292ae2ca63
      SHA256: 08d6a4106d5a49658d776b50c5f99dcc244bebd8577eee6f445df0b70f4d758e
      SHA512: a8f3b074d3e298f2783ea5aa3535d3ac452ac8c8c85fbd9c9b800294f91d3fc1315766cd8cd5a788b96753bc4177cf724c9c5b51067d71aef8f567d5da244d0b

    • C:\Users\Admin\AppData\Local\Temp\nsz6A54.tmp\nsDui.dll
      Filesize: 4.0MB
      MD5: f424f7752b48eaceb68734371931d33b
      SHA1: f791df703ea4371cab5eeaf43cbda469c4f59732
      SHA256: 032b7876c96a9f7aed79a64291d50a5f50e8bc5d0c3e67de6b3dcb9d5173ae9c
      SHA512: 827f06a05be24c51e068f2fc7dd47cc90dab9d1fa456526c50174369f605897c7f31e3067c366658cda02baa674781689a431eaefeaf2a54ae10a6df9599d5e1