e7490d25eb3e1553ec66c42b1474a2ff025072f3017eb882f7b15da0379ce9e0

Analysis

max time kernel
1792s
max time network
1177s
platform
windows10-2004_x64
resource
win10v2004-20240221-uk
resource tags

arch:x64arch:x86image:win10v2004-20240221-uklocale:uk-uaos:windows10-2004-x64systemwindows
submitted
25-02-2024 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninst.exe
Size

37.4MB
MD5

dccbabcfc1b1c68aea08c2d23130c1b1
SHA1

391cf0301a88b81d59d99ced549f5df67ef96f5f
SHA256

4e071d84924a65495bace2990c1d515634e316f39370eb38c7ebf853426c2424
SHA512

b940d3d8defe31068511585d6a170fb27fac6751b0764288a61b39130d994dc78499175a0f533744f2a3946e5a0c50f55ee9dbff03295b26794bcccab5f06943
SSDEEP

786432:H4QkP+a2Bk3hiQkzNWrOpumahGp4t9ENvEMaCn:HdIhe5WrOpP29YcQ

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Un_A.exe

pid process

3700 Un_A.exe

Loads dropped DLL 24 IoCs

Processes:

Un_A.exe

pid	process
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe
3700	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Un_A.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Un_A.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Un_A.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Un_A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	Un_A.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Un_A.exe

pid process

3700 Un_A.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1608	wmic.exe
Token: SeSecurityPrivilege	1608	wmic.exe
Token: SeTakeOwnershipPrivilege	1608	wmic.exe
Token: SeLoadDriverPrivilege	1608	wmic.exe
Token: SeSystemProfilePrivilege	1608	wmic.exe
Token: SeSystemtimePrivilege	1608	wmic.exe
Token: SeProfSingleProcessPrivilege	1608	wmic.exe
Token: SeIncBasePriorityPrivilege	1608	wmic.exe
Token: SeCreatePagefilePrivilege	1608	wmic.exe
Token: SeBackupPrivilege	1608	wmic.exe
Token: SeRestorePrivilege	1608	wmic.exe
Token: SeShutdownPrivilege	1608	wmic.exe
Token: SeDebugPrivilege	1608	wmic.exe
Token: SeSystemEnvironmentPrivilege	1608	wmic.exe
Token: SeRemoteShutdownPrivilege	1608	wmic.exe
Token: SeUndockPrivilege	1608	wmic.exe
Token: SeManageVolumePrivilege	1608	wmic.exe
Token: 33	1608	wmic.exe
Token: 34	1608	wmic.exe
Token: 35	1608	wmic.exe
Token: 36	1608	wmic.exe
Token: SeIncreaseQuotaPrivilege	1608	wmic.exe
Token: SeSecurityPrivilege	1608	wmic.exe
Token: SeTakeOwnershipPrivilege	1608	wmic.exe
Token: SeLoadDriverPrivilege	1608	wmic.exe
Token: SeSystemProfilePrivilege	1608	wmic.exe
Token: SeSystemtimePrivilege	1608	wmic.exe
Token: SeProfSingleProcessPrivilege	1608	wmic.exe
Token: SeIncBasePriorityPrivilege	1608	wmic.exe
Token: SeCreatePagefilePrivilege	1608	wmic.exe
Token: SeBackupPrivilege	1608	wmic.exe
Token: SeRestorePrivilege	1608	wmic.exe
Token: SeShutdownPrivilege	1608	wmic.exe
Token: SeDebugPrivilege	1608	wmic.exe
Token: SeSystemEnvironmentPrivilege	1608	wmic.exe
Token: SeRemoteShutdownPrivilege	1608	wmic.exe
Token: SeUndockPrivilege	1608	wmic.exe
Token: SeManageVolumePrivilege	1608	wmic.exe
Token: 33	1608	wmic.exe
Token: 34	1608	wmic.exe
Token: 35	1608	wmic.exe
Token: 36	1608	wmic.exe
Token: SeIncreaseQuotaPrivilege	4728	wmic.exe
Token: SeSecurityPrivilege	4728	wmic.exe
Token: SeTakeOwnershipPrivilege	4728	wmic.exe
Token: SeLoadDriverPrivilege	4728	wmic.exe
Token: SeSystemProfilePrivilege	4728	wmic.exe
Token: SeSystemtimePrivilege	4728	wmic.exe
Token: SeProfSingleProcessPrivilege	4728	wmic.exe
Token: SeIncBasePriorityPrivilege	4728	wmic.exe
Token: SeCreatePagefilePrivilege	4728	wmic.exe
Token: SeBackupPrivilege	4728	wmic.exe
Token: SeRestorePrivilege	4728	wmic.exe
Token: SeShutdownPrivilege	4728	wmic.exe
Token: SeDebugPrivilege	4728	wmic.exe
Token: SeSystemEnvironmentPrivilege	4728	wmic.exe
Token: SeRemoteShutdownPrivilege	4728	wmic.exe
Token: SeUndockPrivilege	4728	wmic.exe
Token: SeManageVolumePrivilege	4728	wmic.exe
Token: 33	4728	wmic.exe
Token: 34	4728	wmic.exe
Token: 35	4728	wmic.exe
Token: 36	4728	wmic.exe
Token: SeIncreaseQuotaPrivilege	4728	wmic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Un_A.exe

pid process

3700 Un_A.exe
3700 Un_A.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

uninst.exeUn_A.exe

description	pid	process	target process
PID 660 wrote to memory of 3700	660	uninst.exe	Un_A.exe
PID 660 wrote to memory of 3700	660	uninst.exe	Un_A.exe
PID 660 wrote to memory of 3700	660	uninst.exe	Un_A.exe
PID 3700 wrote to memory of 1608	3700	Un_A.exe	wmic.exe
PID 3700 wrote to memory of 1608	3700	Un_A.exe	wmic.exe
PID 3700 wrote to memory of 1608	3700	Un_A.exe	wmic.exe
PID 3700 wrote to memory of 4728	3700	Un_A.exe	wmic.exe
PID 3700 wrote to memory of 4728	3700	Un_A.exe	wmic.exe
PID 3700 wrote to memory of 4728	3700	Un_A.exe	wmic.exe
PID 3700 wrote to memory of 2664	3700	Un_A.exe	wmic.exe
PID 3700 wrote to memory of 2664	3700	Un_A.exe	wmic.exe
PID 3700 wrote to memory of 2664	3700	Un_A.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic diskdrive where index=0 get SerialNumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic cpu get Name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic cpu get NumberOfCores
3⤵
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\KRPlugin_aki.dll

Filesize
2.4MB

MD5
ca6cfce4f5e4309eaffd030e77ed00f3

SHA1
e28a1ebb1ec2854805b0f72b5e04d0b736666463

SHA256
4cecdf19c5cf358154cec0870753da12f3544847efa47c310b456a72b30459f2

SHA512
9f71117a0cdba6784654ecbf2701227aab41be2962317d2fb2966953476120647c4f8fcdab6bb38b2a6dd5b050bdc6c01431944b0b860fcb3d719341cae3f25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\Qt5Core.dll

Filesize
4.0MB

MD5
f0da0c1d15765ff688af119ff7d0c898

SHA1
4354425dc85b244919f0b40bcd33aa21b68e68c0

SHA256
6a13fdb643f1b7b077001b9b308c1bd2e000a65b49641fb3e9aaab8d8504e48f

SHA512
c978e7c727d539b436e46bd2d67aa7fdcb46d8f75bd983ffd186522c788f637c5c0f48a0d5414c4338d4a0551dec1f9fcc8e2cfe00589ff78a8515bb806dba4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\Qt5Gui.dll

Filesize
2.8MB

MD5
45e43e4deb280f343380b1aa6ffce06f

SHA1
0471c1c0d2fc233441f15419c21d8302c09f7aa2

SHA256
a4814dbc69a0223f7323d35f1bb4691d0ec327fa92e9295068f73201a0028a5e

SHA512
1663b15fcabd626c4b1cf068db4be7cb32ac1734565bf59216d5afcba6da3867172fdf455e8a7ca4681477086ca527cca60803c1f9b6d05787726b7ae4fcfe59

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\Qt5Network.dll

Filesize
1.0MB

MD5
11c016d03aefc9e124828cb7cd775cf3

SHA1
cfdcf0bf5834e507cf87c7e283d14a7c89aa2628

SHA256
10fabe35ca0b0b9c35c2f618c801fb999bde09572a7fa10415b2b3f6b6470a7d

SHA512
87cc26fee8033ce638828fb773f62704f48a20c042faf70c9f97e9f1d76a09e6060c818ad2d4cd6cccaf4464fb23e9bcfc77d53a6f24415aa0d83455260ce36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\Qt5Widgets.dll

Filesize
1.9MB

MD5
395a7d4706d231d7285537f3eb445146

SHA1
ae4f977064a0b1af4c8d22fa415e204131367b90

SHA256
3e9f8592115d2c880a4828f8f3e15910ee36ba1afb2888ee9ebb922660140522

SHA512
d609c1fdfe85313cddf006d099bf60fc3d6ac64936d7cecbaa1cfdb6bbe22e36fba1ebf25f3885c64d0e84bc5964f68b03fc0ff4c5e9cddf1d3cf6a8c212a70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\imageformats\qgif.dll

Filesize
35KB

MD5
e070dbf1a9253bde7910e040dfd5d4bc

SHA1
43f396528d643bd2c9fd8e1b63c4151bbb23c980

SHA256
7ac66b0c813585b7cd3645ad3bcab0b225006cee9076b05a21cb6b8db176462d

SHA512
317af40137f8f1d475349a926067bfb6b776c0e26352e164d6cf1fa95293b865ca6e07cf3cb305eff122c1033cd3cd7e2931b8c0083424ebc91be111d6b89a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\imageformats\qicns.dll

Filesize
43KB

MD5
d617d449bff841e9e56ae5d66733c1f0

SHA1
57f9104c906d88b5193475286b9a1e9d55cd3fe1

SHA256
3587d149b774835aaebf9122945d432cb97a01f923c2bdf45c8ddf7db46fde6f

SHA512
1b4f7be9b650aa5658dde24da392262055b867525f8a2e61a2656c2617651f29dc5b61dd41f57ba84be030616d2060185f4790c7dd4a29d07b1e62af16b7f565

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\imageformats\qico.dll

Filesize
35KB

MD5
77b5eee567d88078024e3b535d6196f1

SHA1
db155287e3a3fcff2d280b5a4aa555784c2bea91

SHA256
ae2d373da197c94fd6aff5b56baf3df754722926af4f71279688ce563fe6ef31

SHA512
811b1654a0b17eada09e37d4d29a3297d5aaf9f2eae1f3cf48cb6b7c5d36f28450ca80084aec94765bee0b02c03854c3e489327911de9d96f8189a6e92c6648c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\imageformats\qjpeg.dll

Filesize
383KB

MD5
1f8c4a04573e26286ee2fafdf03f8f85

SHA1
b3d3ed2615d63ea26ed035ad191164e0297f088f

SHA256
18706a0bff940116731de4a55d8312c054771271c49fe47f77e07b0d73529053

SHA512
699c66b862675ef4e519e962bc8ffb87536fe81f5870f91f4179d9dd34c222e9107f92fc3e6138a8ed005293f90fb993144f4eaf9ab1518072718b730d1dd91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\imageformats\qsvg.dll

Filesize
30KB

MD5
7ba0979da56479bd964810e8ce794e9e

SHA1
68465868b7f9e944c6d5c57e4bc1d9383e234a74

SHA256
099eef1d161e9c4bb957d73678d471cc276337233a8e715e181a352760346701

SHA512
31edacc55c659571b473ac41041bd2779fcb36576882f9250790a7a5419cd64271560f5bf9039cb49ef621e970b2db028cca653ac8e83696e5b7822f6d287400

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\libcrypto-1_1.dll

Filesize
2.4MB

MD5
e879fa16f3746a14cd46dbc514452eea

SHA1
ba9559dca54da672a81cfe711004b25259fe8cf4

SHA256
e8a549275b205df98c33d76c47d2476ea57d14ed476d759fc921357a05ab740c

SHA512
274605fc33e77d6e891f070e09a00d65bea4aebd28506d3d4b036cf4436ab29a29fce887f0091080027529f7848b84625fffeb13b7e32d3c5472995da16a6a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\libcrypto-3.dll

Filesize
2.1MB

MD5
e6129fd8b874a6a9eaded365b9b8601c

SHA1
1361f6f6ee9fa958a585f199522662a2b7c04d4c

SHA256
7b7d08243a4b6d6be6f0dfda76a9ae67db98635f2640841411e9b4dc0becbba1

SHA512
c6e437c6cc536be7966b9535ffbaf34c1f2689b82df92c633cb73848b99c263fd682f032a4dff3d2769097ee156f0159c4dae65a1ecb2e0e60202a98dcff34b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\libcurl.dll

Filesize
460KB

MD5
fe5e6aecb98bbcb2cb0e826526dea007

SHA1
936f0e2ade5a909e714c307c1e2aa2702f1e464c

SHA256
ec5f18199dc57130082315bfb6baedb8614da92ae256019a30b5880dded9ae47

SHA512
7ae9fa473e612791a606f6fd7043a5385b3b4eb3bc612652c05d8520d2b2f766232c03de436636362c60b08cbdfec919a35dc07075b2877753ca4779c9cdf0d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\platforms\qwindows.dll

Filesize
1.2MB

MD5
f52d1908e2d1f5b03b72cc87df48c8ad

SHA1
aa50aa22dbe42f20e0f67f2102cb37eb39d86dc6

SHA256
60085c5b61554a1e9d96350f039597a1b77a7576a81a12a24ace9de4c323bb8d

SHA512
70a67a052c4daa445ca200768f9675ebbc987d86efcdef8bc6b35fbf8b907c4dd48bcde890476001bdeb655606fe00a804de7f5d1b08505bcf7883a5326aa0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\sqlite3.dll

Filesize
1.1MB

MD5
b8074421d9f92adb9d112b90a54d47d1

SHA1
97eecbb5adb3d75d7ba791fc8625611e8854ee6e

SHA256
8ce20d2f27c6574dcaed648971778bb11d1ec18b9a44e879c0e53c1a29273dd8

SHA512
bef2881cd618c7a8a5871e6f58032ae81225f02bd005355d00ef6b05c30e2a8112763ec1cb0474f1f3fb93d43b8609070d0daf33f0b9fdb92196e1c5fae4213b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\styles\qwindowsvistastyle.dll

Filesize
129KB

MD5
cea2589b96f6a9f02fccc0bc0786965f

SHA1
dc115c308579d59f31346b3535fbc3e0338e0dd8

SHA256
a0b0177a40b1c74ac79bf31c9f26ab0770d54c2297d68a53d289c48ff5b23edb

SHA512
7865d1ee088cc880670bebb90ed13f5bb55b14affc98dac1ff9bdfcc94aacc84b1379dedcd1ffc992b8f45df40434bdb1c3a3e396410f2f292fd9c83d7d2c338

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\thinkingdata.dll

Filesize
294KB

MD5
e295bbb7c68f5cb535d72983227b12cd

SHA1
d42a6214e46e95f082426f52af52ddbe46725a12

SHA256
e988ebfb5798d712ca21fb8986c06a364b1d1f3b9397277898bf2e80b5818e2b

SHA512
a84ed487c75b012cd863f044865c4fb9e7cffe354737176f9626ac027d843c763be5668391219c7019fcb419267393f4dc5244020c953cf9ecdf4a68fb67b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\zlibwapi.dll

Filesize
469KB

MD5
5b56b325dbd6a7284d2ecf09d4cc0623

SHA1
38c86384096b428f127117fe58284a03f5f09fc1

SHA256
14aca2bf23b47996f630a1c5175fa6003e5898612411eeb6cad5abf96bc27b8c

SHA512
3d5d7bf4196ffd20b1a6e747ebd0dd7f2ab83458b4360d2c003e306fe1bbf5de48ddae2404fcf297deef06ae9acd0067314e1abef8433735776805e9b1093d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
15.7MB

MD5
81b6f1567df803753097769653d7be81

SHA1
ba5916e3ed72a0d0716a53d658b1323d84aa041a

SHA256
50d745c6e3ae2fb8447bc0c8ba8d2aaa0caa95fb4c023d909cb99a2878fbec2b

SHA512
66dfb70576502ba65537b9d1f6ebc1f5b891e5074a9458e1b41f25b4dc54e9a3098c80d60e7b1c2576f47a8a9e975dabdd9e3ddf865489b461e01a808d5b6a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
14.6MB

MD5
e3fd7e77c611237976b24614d867607d

SHA1
274f25a346d23c7a7aa9e668abf7bb666e0d424f

SHA256
5aaae939e731f568643e4d4b794bb453f388afb9403c8931a1b78ecdc5f1b7c4

SHA512
bbb2ba836f7f683816d654a304c10806a20ab457d4b48c2f4853146dcb9f76020cc36334dcdbbff2b95680226b99829fca7e824ed796d44dd276decbf930625b

Download Submit
memory/3700-111-0x0000000061E00000-0x0000000061EF8000-memory.dmp

Filesize
992KB

Download