b320de1ddb0c255b9374c5a0496ebdfb2ea9f7789b26278bb5bf6b52ce3df8e0

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-03-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/uninstall.exe
Size

8.1MB
MD5

8cf66dc36cb0bc65799819060cd4fe5e
SHA1

834e9d6c79d99baa1592705c01dd2dd2a91f93f4
SHA256

d01e365210b9d7040322e568fc1fb036487da4848f293e83cedc962a3eed2c70
SHA512

f45eb7b920578fb3fffd2021231b3063aa47928855530f9019aeb9b4cfceabe6fb176d642fbfb9b64bda83f926b4d771616189e45ba688eb6f1264f4495f3a96
SSDEEP

196608:RD18/QDobE0TSkJzTtpQF6ZBPTS8y5BFwGIR6ip2eyWzi+8LX+1ZxWP:Rh8/1EglTvS+S897pgGiNLeZxM

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2536	uninstall.exe

Loads dropped DLL 5 IoCs

pid	Process
1252	uninstall.exe
1252	uninstall.exe
1252	uninstall.exe
1252	uninstall.exe
1252	uninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1252	uninstall.exe
1252	uninstall.exe
1252	uninstall.exe
1252	uninstall.exe
1252	uninstall.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	uninstall.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1252	uninstall.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2536	1252	uninstall.exe	28
PID 1252 wrote to memory of 2536	1252	uninstall.exe	28
PID 1252 wrote to memory of 2536	1252	uninstall.exe	28
PID 1252 wrote to memory of 2536	1252	uninstall.exe	28
PID 1252 wrote to memory of 2536	1252	uninstall.exe	28
PID 1252 wrote to memory of 2536	1252	uninstall.exe	28
PID 1252 wrote to memory of 2536	1252	uninstall.exe	28

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\uninstall.exe
  "C:\Users\Admin\AppData\Local\Temp\uninstall.exe" "av:1.0.1" "gv:1.0.1.1" "gs:Official-es" "gi:UA-85655135-28" "an:DroidKit" "c:iMobie"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj7D4C.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj7D4C.tmp\un.exe

Filesize
3.7MB

MD5
b672e729c4bde333bed11f7c35e13b45

SHA1
98391c3c491bca39c234408e5d53a4be5f421792

SHA256
8c0d87932ab8c1e98f6c101cd66b2028c710f8ddacfe34d0c4d0e887469626af

SHA512
4a7133a85e4600ea8ec987dc6386efe94a862ff36671099b5866a32cd50eb2a620e5914dd48d4edf7ccfa8feec80adf5806c94a82809882b69331d8b418578d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uninstall.exe

Filesize
1.8MB

MD5
e4a43d4734c5a82eefc7572514e80b3d

SHA1
96cab2ca2e952c27b18a326b3d910fb26a74d8bb

SHA256
cc7ca271c30c75d297f031f19205f99ff61228ffdeac88da5cc77334bc1c4967

SHA512
3153ebeb14cb6004d59663fabae053591d2050b6706f758627d4d36caa3536d4c78f159f13984ae239b0b9b855d466bd2dfa8145cecc4cec139cea2226163ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uninstall.exe

Filesize
640KB

MD5
95f7f439b5e1b29e8116e5e5c967dfe0

SHA1
7cdb5990a3e5414313a8e9289bc98e8c67636b11

SHA256
c2961c938ec4b8a542b7d7a98499344df21e305d293d05e8a954f622c5b2a2e4

SHA512
f8e27720a82ab07d8a4d842ea0426a102ae14a19ea91964285d92d3eebbb9ea44ca4dac3fd7d4a97d96520a7ebafee2348a3be061bcaf50eae4c93ca6269e51f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj7D4C.tmp\GoogleTracingLib.dll

Filesize
36KB

MD5
d8fca35ff95fe00a7174177181f8bd13

SHA1
fbafea4d2790dd2c0d022dfb08ded91de7f5265e

SHA256
ad873f1e51e6d033e5507235ec735957256ebeeb0d3f22aa0b57bb4bd0846e4c

SHA512
eb530b10f137cb0cdfdcd2c11fd9f50f774e0ce44e9d2da3e755f6a6df24fe6e7525c27b109e3e68e9d3e49a889937a22f4d9d78703b1055a83b8a58808a58ba

Download Submit
\Users\Admin\AppData\Local\Temp\nsj7D4C.tmp\SkinBtn.dll

Filesize
4KB

MD5
29818862640ac659ce520c9c64e63e9e

SHA1
485e1e6cc552fa4f05fb767043b1e7c9eb80be64

SHA256
e96afa894a995a6097a405df76155a7a39962ff6cae7a59d89a25e5a34ab9eeb

SHA512
ebb94eb21e060fb90ec9c86787eada42c7c9e1e7628ea4b16d3c7b414f554a94d5e4f4abe0e4ee30fddf4f904fd3002770a9b967fbd0feeca353e21079777057

Download Submit
\Users\Admin\AppData\Local\Temp\nsj7D4C.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
\Users\Admin\AppData\Local\Temp\uninstall.exe

Filesize
1.8MB

MD5
25fd6ae83bb570d4ee436b2ce90f2fac

SHA1
0695516fc37607216e87096cd4daeb4b46ec708e

SHA256
168dba26e9c587c5fdc0a2b49d0fe2e7992d8c08e5f2dbaa39cefde5d62539e5

SHA512
cd59e4b36a8dc05dd071d88fbdfd51153ae929e5a9204ecb51a572a635275ea9637ca71ec44388a013c988387f73ce6424aa94130e4c71b908d78d4e75d5e22b

Download Submit
memory/1252-44-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2536-68-0x0000000000A90000-0x0000000001204000-memory.dmp

Filesize
7.5MB

Download
memory/2536-69-0x00000000733C0000-0x0000000073AAE000-memory.dmp

Filesize
6.9MB

Download
memory/2536-70-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2536-71-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2536-72-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/2536-73-0x00000000029F0000-0x0000000002A4A000-memory.dmp

Filesize
360KB

Download
memory/2536-74-0x00000000733C0000-0x0000000073AAE000-memory.dmp

Filesize
6.9MB

Download
memory/2536-75-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2536-76-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download