Overview

overview

10

Static

static

10

WeChatSetup.exe

windows7-x64

4

WeChatSetup.exe

windows10-2004-x64

4

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

1

$PLUGINSDI...ll.dll

windows10-2004-x64

1

$PLUGINSDI...st.dll

windows7-x64

3

$PLUGINSDI...st.dll

windows10-2004-x64

3

Uninstall.exe

windows7-x64

4

Uninstall.exe

windows10-2004-x64

4

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

1

$PLUGINSDI...ll.dll

windows10-2004-x64

1

WeChat.exe

windows7-x64

10

WeChat.exe

windows10-2004-x64

10

WechatAppLauncher.exe

windows7-x64

1

WechatAppLauncher.exe

windows10-2004-x64

1

[3.9.9.43]...dk.dll

windows7-x64

1

[3.9.9.43]...dk.dll

windows10-2004-x64

1

host/wmpf_...rt.dll

windows7-x64

1

host/wmpf_...rt.dll

windows10-2004-x64

1

host/wmpf_...64.dll

windows7-x64

1

host/wmpf_...64.dll

windows10-2004-x64

1

runtime/Co...on.dll

windows7-x64

1

runtime/Co...on.dll

windows10-2004-x64

1

runtime/ConfSdk.dll

windows7-x64

1

runtime/ConfSdk.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    122s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16-03-2024 10:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Uninstall.exe

  • Size

    1.7MB

  • MD5

    65a8d4d556099f4a62b3ab141034f38e

  • SHA1

    38d2ee2b7a2c363cd99ab46d03fab2b87ff00d9e

  • SHA256

    caff82547f14b0afff408cd83625321ad00c5145d9086e7f5c74c6ca10899f54

  • SHA512

    f3ad2c0fb2d78551f6a65cbd4aae6a3ea5f3653e4456ec9fb4aa36ab299fffe9712acb3da91b272f9cef7f2d7216e38a9685d9179bf72f6f9cae6cebc5d8f8f5

  • SSDEEP

    24576:0GTJPUbMP326XBoBBYHsIfDczcu5IOQ6LbitlK3cBD5Mm1cBJkkMG5pOVUWjPSdD:FI2G0oWMIoVljGG3aqmQkk9OOpt

Score
4/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:2644

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsoF48E.tmp\WeChatInstallDll.dll
    Filesize

    3.6MB

    MD5

    91153d3fc0b835b072aeebc4d8837faf

    SHA1

    1e1e524be7c69077229973e385c447d9692ad937

    SHA256

    a7971bce47584535e9033f9d72d8f6f386c7d8deef3b93e11de50cf9574f7413

    SHA512

    2b49c6d701cc6f0d25a81258dcec2159ab3ea30389d18aadcc486c540f5daf6adedf998def1bf5c5fb4a5712755dbca710387c862a89138b23ec081682e835ec

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    Filesize

    377KB

    MD5

    e85fe52b8ee9dd4970c33aa0c64fdd36

    SHA1

    a979a5ee385b014c6bdebeae2ebfda4d540ba930

    SHA256

    2dd1fa4e07be2551422fd2e1f13d1ba845e54a7c78553ed6d1ad97a62f9c5aea

    SHA512

    9c42e05498dba6e6a478cb4af4816a17e02935574bd9b0dc7a6231bf37b3d81fa4babdbc48a2c094c6008151f9da69bb0d32de00bbad300c4d3e614ba44bfbd9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    Filesize

    1.7MB

    MD5

    65a8d4d556099f4a62b3ab141034f38e

    SHA1

    38d2ee2b7a2c363cd99ab46d03fab2b87ff00d9e

    SHA256

    caff82547f14b0afff408cd83625321ad00c5145d9086e7f5c74c6ca10899f54

    SHA512

    f3ad2c0fb2d78551f6a65cbd4aae6a3ea5f3653e4456ec9fb4aa36ab299fffe9712acb3da91b272f9cef7f2d7216e38a9685d9179bf72f6f9cae6cebc5d8f8f5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsoF48E.tmp\FindProcDLL.dll
    Filesize

    492KB

    MD5

    633625aa3be670a515fa87ff3a566d90

    SHA1

    de035c083125aef5df0a55c153ef6cc4dd4c15b4

    SHA256

    bda8e0ddb672ea3558ad68634c49da06cd72f93d7fca642ca41df00e26512df1

    SHA512

    3c687ddf0e4e93a6787a23a93e2011df42898f6d21101c848a1b7c7bd2eddd5d49fdd0748e47e6235e7808596d00a1ecf79b5c975d050dd8d00a95f515a444a9

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsoF48E.tmp\System.dll
    Filesize

    11KB

    MD5

    ca332bb753b0775d5e806e236ddcec55

    SHA1

    f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

    SHA256

    df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

    SHA512

    2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

    Download Submit

  • \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    Filesize

    832KB

    MD5

    91fc9ddbcc97f951cdabc8b9061188b2

    SHA1

    d39fd69e26ecf5dfb272de13a299ec5ff16a3a1e

    SHA256

    1480e5eaf53fbe0b492cf4d9fd33b6acf3a4ab9b0d2ea1e6e5373bc5857abec7

    SHA512

    7a8fe970dd56cac4a7953c7b958a9138bc11bf98f246cd842820587c49a4d78feeb97043377dd7a32cedb0a2338aec88fdac952667f726282ec7f0baa506fedb

    Download Submit

  • memory/2644-24-0x0000000007320000-0x00000000073CB000-memory.dmp

    Filesize

    684KB

    Download