abef6f1ed0b96268121c878a4d49705f80b59c2647f7149957240de13156bfc7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstalr_Portable.exe
Size

5.5MB
MD5

55cb26504cec040de4d4a6bd430ce2de
SHA1

2948e58ca9f3d31c076b2cc5c16d8dba71fd7bf4
SHA256

abef6f1ed0b96268121c878a4d49705f80b59c2647f7149957240de13156bfc7
SHA512

e57b865cf987b493cd3e8c1bd1a0b5e2ddcde18ca06fc625eedd98a592056a05fd5224876bb23704eff15bb4ff5af229b4bab15d46b63cdec9f4e6e09c725f54
SSDEEP

98304:q2XAsLlOuP1JQSBeESX+Ho8FrT/28ylm0AmshxOwxSDCGOp7rgHXo3K:ZXLku0dESdsT/iRArWwnbp7x3K

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Uninstalr_Portable.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4588-0-0x0000000000400000-0x0000000002670000-memory.dmp	upx
behavioral2/memory/4588-46-0x0000000000400000-0x0000000002670000-memory.dmp	upx
behavioral2/memory/4588-49-0x0000000000400000-0x0000000002670000-memory.dmp	upx
behavioral2/memory/4588-52-0x0000000000400000-0x0000000002670000-memory.dmp	upx
behavioral2/memory/4588-54-0x0000000000400000-0x0000000002670000-memory.dmp	upx
behavioral2/memory/4588-55-0x0000000000400000-0x0000000002670000-memory.dmp	upx
behavioral2/memory/4588-56-0x0000000000400000-0x0000000002670000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4588	Uninstalr_Portable.exe
4588	Uninstalr_Portable.exe
3568	powershell.exe
3568	powershell.exe
4588	Uninstalr_Portable.exe
4588	Uninstalr_Portable.exe
4588	Uninstalr_Portable.exe
4588	Uninstalr_Portable.exe
4588	Uninstalr_Portable.exe
4588	Uninstalr_Portable.exe
4588	Uninstalr_Portable.exe
4588	Uninstalr_Portable.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4020	WMIC.exe
Token: SeSecurityPrivilege	4020	WMIC.exe
Token: SeTakeOwnershipPrivilege	4020	WMIC.exe
Token: SeLoadDriverPrivilege	4020	WMIC.exe
Token: SeSystemProfilePrivilege	4020	WMIC.exe
Token: SeSystemtimePrivilege	4020	WMIC.exe
Token: SeProfSingleProcessPrivilege	4020	WMIC.exe
Token: SeIncBasePriorityPrivilege	4020	WMIC.exe
Token: SeCreatePagefilePrivilege	4020	WMIC.exe
Token: SeBackupPrivilege	4020	WMIC.exe
Token: SeRestorePrivilege	4020	WMIC.exe
Token: SeShutdownPrivilege	4020	WMIC.exe
Token: SeDebugPrivilege	4020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4020	WMIC.exe
Token: SeRemoteShutdownPrivilege	4020	WMIC.exe
Token: SeUndockPrivilege	4020	WMIC.exe
Token: SeManageVolumePrivilege	4020	WMIC.exe
Token: 33	4020	WMIC.exe
Token: 34	4020	WMIC.exe
Token: 35	4020	WMIC.exe
Token: 36	4020	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4020	WMIC.exe
Token: SeSecurityPrivilege	4020	WMIC.exe
Token: SeTakeOwnershipPrivilege	4020	WMIC.exe
Token: SeLoadDriverPrivilege	4020	WMIC.exe
Token: SeSystemProfilePrivilege	4020	WMIC.exe
Token: SeSystemtimePrivilege	4020	WMIC.exe
Token: SeProfSingleProcessPrivilege	4020	WMIC.exe
Token: SeIncBasePriorityPrivilege	4020	WMIC.exe
Token: SeCreatePagefilePrivilege	4020	WMIC.exe
Token: SeBackupPrivilege	4020	WMIC.exe
Token: SeRestorePrivilege	4020	WMIC.exe
Token: SeShutdownPrivilege	4020	WMIC.exe
Token: SeDebugPrivilege	4020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4020	WMIC.exe
Token: SeRemoteShutdownPrivilege	4020	WMIC.exe
Token: SeUndockPrivilege	4020	WMIC.exe
Token: SeManageVolumePrivilege	4020	WMIC.exe
Token: 33	4020	WMIC.exe
Token: 34	4020	WMIC.exe
Token: 35	4020	WMIC.exe
Token: 36	4020	WMIC.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeSecurityPrivilege	4160	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4588	Uninstalr_Portable.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4588	Uninstalr_Portable.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 3568	4588	Uninstalr_Portable.exe	90
PID 4588 wrote to memory of 3568	4588	Uninstalr_Portable.exe	90
PID 4588 wrote to memory of 3568	4588	Uninstalr_Portable.exe	90
PID 4588 wrote to memory of 5096	4588	Uninstalr_Portable.exe	92
PID 4588 wrote to memory of 5096	4588	Uninstalr_Portable.exe	92
PID 4588 wrote to memory of 5096	4588	Uninstalr_Portable.exe	92
PID 5096 wrote to memory of 4020	5096	cmd.exe	94
PID 5096 wrote to memory of 4020	5096	cmd.exe	94
PID 5096 wrote to memory of 4020	5096	cmd.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Uninstalr_Portable.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstalr_Portable.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -AllUsers | Out-File "C:\Users\Admin\AppData\Local\Temp\Uninstalr_can_delete_x1_240601390.tmp"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wmic product get InstallDate, InstallLocation, Name, Vendor, Version > "C:\Users\Admin\AppData\Local\Temp\Uninstalr_can_delete_x2_240601562.tmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic product get InstallDate, InstallLocation, Name, Vendor, Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4020

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Uninstalr_can_delete_x1_240601390.tmp

Filesize
154KB

MD5
fa42c6e7e9e5b5e004effe169f15bd8d

SHA1
c4290e37c0f58147967bf1ebdd914d2002ab629e

SHA256
4b8816f02ec1d92ff4e06322ed59a26560d4d5320ff8cdedeb0313d2f01468cf

SHA512
149886c28b54ec26e02faffb7af9847579bb049269ce42370c9b30b2f7037d84326589702bad7ee11639ccd1d6518dbfbd45534a88ae3e8eb591de528d65de54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstalr_can_delete_x2_240601562.tmp

Filesize
11KB

MD5
f31ace9be5538b62eac733b106732e51

SHA1
49af6a8a7cd86b2a690f046ee3027008b86689d8

SHA256
fe0307f9f9a93d983f0b26a7d2839910fe8c5c0ef0c918b9e38ed17f93fa8aea

SHA512
2726402812b36ef3c0364fa70f10b647b56f9984ffa6c2aad79cb20f7b8180c0713fa2adae27415b410daea798326b8fb4a9ece7334fdcdd1442b9617895c47e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nyjrvzyc.npd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3568-33-0x0000000006F30000-0x0000000006F4E000-memory.dmp

Filesize
120KB

Download
memory/3568-36-0x0000000008300000-0x000000000897A000-memory.dmp

Filesize
6.5MB

Download
memory/3568-5-0x0000000005BB0000-0x00000000061D8000-memory.dmp

Filesize
6.2MB

Download
memory/3568-6-0x0000000005980000-0x00000000059A2000-memory.dmp

Filesize
136KB

Download
memory/3568-3-0x00000000729F0000-0x00000000731A0000-memory.dmp

Filesize
7.7MB

Download
memory/3568-7-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download
memory/3568-13-0x00000000062E0000-0x0000000006346000-memory.dmp

Filesize
408KB

Download
memory/3568-14-0x0000000006350000-0x00000000066A4000-memory.dmp

Filesize
3.3MB

Download
memory/3568-19-0x0000000006940000-0x000000000695E000-memory.dmp

Filesize
120KB

Download
memory/3568-20-0x0000000006970000-0x00000000069BC000-memory.dmp

Filesize
304KB

Download
memory/3568-22-0x0000000007B00000-0x0000000007B32000-memory.dmp

Filesize
200KB

Download
memory/3568-21-0x000000007F350000-0x000000007F360000-memory.dmp

Filesize
64KB

Download
memory/3568-34-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/3568-2-0x0000000003030000-0x0000000003066000-memory.dmp

Filesize
216KB

Download
memory/3568-4-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/3568-23-0x000000006EE60000-0x000000006EEAC000-memory.dmp

Filesize
304KB

Download
memory/3568-38-0x0000000007D30000-0x0000000007D46000-memory.dmp

Filesize
88KB

Download
memory/3568-37-0x0000000007CB0000-0x0000000007CCA000-memory.dmp

Filesize
104KB

Download
memory/3568-35-0x0000000007B50000-0x0000000007BF3000-memory.dmp

Filesize
652KB

Download
memory/3568-39-0x0000000006F40000-0x0000000006F4A000-memory.dmp

Filesize
40KB

Download
memory/3568-40-0x0000000007F10000-0x0000000007F36000-memory.dmp

Filesize
152KB

Download
memory/3568-45-0x00000000729F0000-0x00000000731A0000-memory.dmp

Filesize
7.7MB

Download
memory/4588-46-0x0000000000400000-0x0000000002670000-memory.dmp

Filesize
34.4MB

Download
memory/4588-0-0x0000000000400000-0x0000000002670000-memory.dmp

Filesize
34.4MB

Download
memory/4588-49-0x0000000000400000-0x0000000002670000-memory.dmp

Filesize
34.4MB

Download
memory/4588-1-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/4588-52-0x0000000000400000-0x0000000002670000-memory.dmp

Filesize
34.4MB

Download
memory/4588-53-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/4588-54-0x0000000000400000-0x0000000002670000-memory.dmp

Filesize
34.4MB

Download
memory/4588-55-0x0000000000400000-0x0000000002670000-memory.dmp

Filesize
34.4MB

Download
memory/4588-56-0x0000000000400000-0x0000000002670000-memory.dmp

Filesize
34.4MB

Download