abef6f1ed0b96268121c878a4d49705f80b59c2647f7149957240de13156bfc7

Analysis

max time kernel
21s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
28-02-2024 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstalr_Portable.exe
Size

5.5MB
MD5

55cb26504cec040de4d4a6bd430ce2de
SHA1

2948e58ca9f3d31c076b2cc5c16d8dba71fd7bf4
SHA256

abef6f1ed0b96268121c878a4d49705f80b59c2647f7149957240de13156bfc7
SHA512

e57b865cf987b493cd3e8c1bd1a0b5e2ddcde18ca06fc625eedd98a592056a05fd5224876bb23704eff15bb4ff5af229b4bab15d46b63cdec9f4e6e09c725f54
SSDEEP

98304:q2XAsLlOuP1JQSBeESX+Ho8FrT/28ylm0AmshxOwxSDCGOp7rgHXo3K:ZXLku0dESdsT/iRArWwnbp7x3K

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/3512-0-0x0000000000400000-0x0000000002670000-memory.dmp	upx
behavioral3/memory/3512-40-0x0000000000400000-0x0000000002670000-memory.dmp	upx
behavioral3/memory/3512-46-0x0000000000400000-0x0000000002670000-memory.dmp	upx
behavioral3/memory/3512-47-0x0000000000400000-0x0000000002670000-memory.dmp	upx
behavioral3/memory/3512-49-0x0000000000400000-0x0000000002670000-memory.dmp	upx
behavioral3/memory/3512-50-0x0000000000400000-0x0000000002670000-memory.dmp	upx
behavioral3/memory/3512-53-0x0000000000400000-0x0000000002670000-memory.dmp	upx
behavioral3/memory/3512-56-0x0000000000400000-0x0000000002670000-memory.dmp	upx
behavioral3/memory/3512-57-0x0000000000400000-0x0000000002670000-memory.dmp	upx
behavioral3/memory/3512-58-0x0000000000400000-0x0000000002670000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3512	Uninstalr_Portable.exe
3512	Uninstalr_Portable.exe
1220	powershell.exe
1220	powershell.exe
3512	Uninstalr_Portable.exe
3512	Uninstalr_Portable.exe
3512	Uninstalr_Portable.exe
3512	Uninstalr_Portable.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	908	WMIC.exe
Token: SeSecurityPrivilege	908	WMIC.exe
Token: SeTakeOwnershipPrivilege	908	WMIC.exe
Token: SeLoadDriverPrivilege	908	WMIC.exe
Token: SeSystemProfilePrivilege	908	WMIC.exe
Token: SeSystemtimePrivilege	908	WMIC.exe
Token: SeProfSingleProcessPrivilege	908	WMIC.exe
Token: SeIncBasePriorityPrivilege	908	WMIC.exe
Token: SeCreatePagefilePrivilege	908	WMIC.exe
Token: SeBackupPrivilege	908	WMIC.exe
Token: SeRestorePrivilege	908	WMIC.exe
Token: SeShutdownPrivilege	908	WMIC.exe
Token: SeDebugPrivilege	908	WMIC.exe
Token: SeSystemEnvironmentPrivilege	908	WMIC.exe
Token: SeRemoteShutdownPrivilege	908	WMIC.exe
Token: SeUndockPrivilege	908	WMIC.exe
Token: SeManageVolumePrivilege	908	WMIC.exe
Token: 33	908	WMIC.exe
Token: 34	908	WMIC.exe
Token: 35	908	WMIC.exe
Token: 36	908	WMIC.exe
Token: SeIncreaseQuotaPrivilege	908	WMIC.exe
Token: SeSecurityPrivilege	908	WMIC.exe
Token: SeTakeOwnershipPrivilege	908	WMIC.exe
Token: SeLoadDriverPrivilege	908	WMIC.exe
Token: SeSystemProfilePrivilege	908	WMIC.exe
Token: SeSystemtimePrivilege	908	WMIC.exe
Token: SeProfSingleProcessPrivilege	908	WMIC.exe
Token: SeIncBasePriorityPrivilege	908	WMIC.exe
Token: SeCreatePagefilePrivilege	908	WMIC.exe
Token: SeBackupPrivilege	908	WMIC.exe
Token: SeRestorePrivilege	908	WMIC.exe
Token: SeShutdownPrivilege	908	WMIC.exe
Token: SeDebugPrivilege	908	WMIC.exe
Token: SeSystemEnvironmentPrivilege	908	WMIC.exe
Token: SeRemoteShutdownPrivilege	908	WMIC.exe
Token: SeUndockPrivilege	908	WMIC.exe
Token: SeManageVolumePrivilege	908	WMIC.exe
Token: 33	908	WMIC.exe
Token: 34	908	WMIC.exe
Token: 35	908	WMIC.exe
Token: 36	908	WMIC.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeSecurityPrivilege	232	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3512	Uninstalr_Portable.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3512	Uninstalr_Portable.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 1220	3512	Uninstalr_Portable.exe	81
PID 3512 wrote to memory of 1220	3512	Uninstalr_Portable.exe	81
PID 3512 wrote to memory of 1220	3512	Uninstalr_Portable.exe	81
PID 3512 wrote to memory of 3268	3512	Uninstalr_Portable.exe	83
PID 3512 wrote to memory of 3268	3512	Uninstalr_Portable.exe	83
PID 3512 wrote to memory of 3268	3512	Uninstalr_Portable.exe	83
PID 3268 wrote to memory of 908	3268	cmd.exe	85
PID 3268 wrote to memory of 908	3268	cmd.exe	85
PID 3268 wrote to memory of 908	3268	cmd.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Uninstalr_Portable.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstalr_Portable.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -AllUsers | Out-File "C:\Users\Admin\AppData\Local\Temp\Uninstalr_can_delete_x1_240625015.tmp"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wmic product get InstallDate, InstallLocation, Name, Vendor, Version > "C:\Users\Admin\AppData\Local\Temp\Uninstalr_can_delete_x2_240625687.tmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic product get InstallDate, InstallLocation, Name, Vendor, Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:908

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Uninstalr_can_delete_x1_240625015.tmp

Filesize
151KB

MD5
1fd0ae41d43e4e6b0c90f417c9cc05cd

SHA1
40dfa0bc3f5c3e9fd41697313ecd5526d020a78c

SHA256
2f21f1ff3306bd26adf78258e39d66143fda7f2186c54ab13663e9567af81154

SHA512
67a4e3d07c0bdfd5f15d3ef3aa416830019e28b9675dcbc62a462c1018d8e6e2c893b48ebc9e1debaedde33a50f9e4673d0ddb1536e05e6d4fbbd1c7f0d86dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uninstalr_can_delete_x2_240625687.tmp

Filesize
11KB

MD5
49c0c92b47180a5f02b2abbda28c26f3

SHA1
4c40c5318cd2e2e9b0d3c7050a8083a09dec508d

SHA256
f965c72278551485f144d31dd29808524521eda80b4c91730e8eefa057165a4b

SHA512
8ae5ff2bde7e59e609f5d88157b18c80e72c9ec9f454c75cf14b14e78be56432be0293d7b2a73e5beb238c9486aaf25ae8e8bce5ff4aabc6ff720c27ec8057c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xsldzrtz.zdb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1220-33-0x0000000006210000-0x000000000622E000-memory.dmp

Filesize
120KB

Download
memory/1220-5-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/1220-6-0x0000000004F10000-0x000000000553A000-memory.dmp

Filesize
6.2MB

Download
memory/1220-35-0x00000000075E0000-0x0000000007C5A000-memory.dmp

Filesize
6.5MB

Download
memory/1220-7-0x0000000004D70000-0x0000000004D92000-memory.dmp

Filesize
136KB

Download
memory/1220-36-0x0000000006FA0000-0x0000000006FBA000-memory.dmp

Filesize
104KB

Download
memory/1220-9-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/1220-3-0x0000000072780000-0x0000000072F31000-memory.dmp

Filesize
7.7MB

Download
memory/1220-18-0x0000000005720000-0x0000000005A77000-memory.dmp

Filesize
3.3MB

Download
memory/1220-19-0x0000000005C30000-0x0000000005C4E000-memory.dmp

Filesize
120KB

Download
memory/1220-20-0x0000000005C70000-0x0000000005CBC000-memory.dmp

Filesize
304KB

Download
memory/1220-21-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/1220-22-0x000000007F210000-0x000000007F220000-memory.dmp

Filesize
64KB

Download
memory/1220-23-0x0000000006C00000-0x0000000006C34000-memory.dmp

Filesize
208KB

Download
memory/1220-24-0x000000006EA50000-0x000000006EA9C000-memory.dmp

Filesize
304KB

Download
memory/1220-34-0x0000000006C40000-0x0000000006CE4000-memory.dmp

Filesize
656KB

Download
memory/1220-2-0x0000000002430000-0x0000000002466000-memory.dmp

Filesize
216KB

Download
memory/1220-4-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/1220-8-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/1220-37-0x0000000007020000-0x000000000703C000-memory.dmp

Filesize
112KB

Download
memory/1220-38-0x0000000006220000-0x000000000622A000-memory.dmp

Filesize
40KB

Download
memory/1220-39-0x0000000007210000-0x0000000007236000-memory.dmp

Filesize
152KB

Download
memory/1220-45-0x0000000072780000-0x0000000072F31000-memory.dmp

Filesize
7.7MB

Download
memory/3512-40-0x0000000000400000-0x0000000002670000-memory.dmp

Filesize
34.4MB

Download
memory/3512-46-0x0000000000400000-0x0000000002670000-memory.dmp

Filesize
34.4MB

Download
memory/3512-47-0x0000000000400000-0x0000000002670000-memory.dmp

Filesize
34.4MB

Download
memory/3512-48-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/3512-49-0x0000000000400000-0x0000000002670000-memory.dmp

Filesize
34.4MB

Download
memory/3512-50-0x0000000000400000-0x0000000002670000-memory.dmp

Filesize
34.4MB

Download
memory/3512-57-0x0000000000400000-0x0000000002670000-memory.dmp

Filesize
34.4MB

Download
memory/3512-53-0x0000000000400000-0x0000000002670000-memory.dmp

Filesize
34.4MB

Download
memory/3512-1-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/3512-56-0x0000000000400000-0x0000000002670000-memory.dmp

Filesize
34.4MB

Download
memory/3512-0-0x0000000000400000-0x0000000002670000-memory.dmp

Filesize
34.4MB

Download
memory/3512-58-0x0000000000400000-0x0000000002670000-memory.dmp

Filesize
34.4MB

Download