ae2001d5b60a2f0bd8e72c0106363950cd9f68e9ce42b9a40b0af26814908809

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2024 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/uninstall.exe
Size

8.1MB
MD5

b73940b9b108c8196600617a7f734d64
SHA1

f70aee50bcd93db0180ac0969126562882934bd4
SHA256

5bd33a6ba5e012c3e6f8ccc5ab322728d5df31e9e7b74daaf327aa54fc95028f
SHA512

ebd98143c766b12e12198ce8b310423cd6e4e638fca809afb006ff5953f65ee820b7140264bc93cbfe2f6015d4e00f26b696e7773ee55ad6da67baf5d973cc02
SSDEEP

196608:+l18/QDobE0TSkJzTtpQF6ZBPTS8y5BFwGIR6ip2eyWzi+8LX+1ZxWj:+H8/1EglTvS+S897pgGiNLeZxG

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

uninstall.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	uninstall.exe

Executes dropped EXE 1 IoCs

Processes:

uninstall.exe

pid process

4736 uninstall.exe
Loads dropped DLL 6 IoCs

Processes:

uninstall.exe

pid process

4852 uninstall.exe
4852 uninstall.exe
4852 uninstall.exe
4852 uninstall.exe
4852 uninstall.exe
4852 uninstall.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

uninstall.exe

pid process

4852 uninstall.exe
4852 uninstall.exe
4852 uninstall.exe
4852 uninstall.exe
4852 uninstall.exe
4852 uninstall.exe
4852 uninstall.exe
4852 uninstall.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

uninstall.exe

description pid process

Token: SeDebugPrivilege 4736 uninstall.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

uninstall.exe

pid process

4852 uninstall.exe

pid	process
4736	uninstall.exe

pid	process
4852	uninstall.exe
4852	uninstall.exe
4852	uninstall.exe
4852	uninstall.exe
4852	uninstall.exe
4852	uninstall.exe

pid	process
4852	uninstall.exe
4852	uninstall.exe
4852	uninstall.exe
4852	uninstall.exe
4852	uninstall.exe
4852	uninstall.exe
4852	uninstall.exe
4852	uninstall.exe

description	pid	process
Token: SeDebugPrivilege	4736	uninstall.exe

pid	process
4852	uninstall.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

uninstall.exe

description	pid	process	target process
PID 4852 wrote to memory of 4736	4852	uninstall.exe	uninstall.exe
PID 4852 wrote to memory of 4736	4852	uninstall.exe	uninstall.exe
PID 4852 wrote to memory of 4736	4852	uninstall.exe	uninstall.exe

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4852

C:\Users\Admin\AppData\Local\Temp\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\uninstall.exe" "av:1.0.1" "gv:1.0.1.1" "gs:Official-com" "gi:UA-85655135-28" "an:DroidKit" "c:iMobie"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4736

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nss66D9.tmp\GoogleTracingLib.dll
Filesize
36KB

MD5
d8fca35ff95fe00a7174177181f8bd13

SHA1
fbafea4d2790dd2c0d022dfb08ded91de7f5265e

SHA256
ad873f1e51e6d033e5507235ec735957256ebeeb0d3f22aa0b57bb4bd0846e4c

SHA512
eb530b10f137cb0cdfdcd2c11fd9f50f774e0ce44e9d2da3e755f6a6df24fe6e7525c27b109e3e68e9d3e49a889937a22f4d9d78703b1055a83b8a58808a58ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss66D9.tmp\SkinBtn.dll
Filesize
4KB

MD5
29818862640ac659ce520c9c64e63e9e

SHA1
485e1e6cc552fa4f05fb767043b1e7c9eb80be64

SHA256
e96afa894a995a6097a405df76155a7a39962ff6cae7a59d89a25e5a34ab9eeb

SHA512
ebb94eb21e060fb90ec9c86787eada42c7c9e1e7628ea4b16d3c7b414f554a94d5e4f4abe0e4ee30fddf4f904fd3002770a9b967fbd0feeca353e21079777057

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss66D9.tmp\System.dll
Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss66D9.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss66D9.tmp\un.exe
Filesize
5.0MB

MD5
2a00f9cf62e6d1ed89da8cc62758b496

SHA1
24688ed8c055fb490d8bfaab4fea0aaef6e75739

SHA256
530add38655df4d982c4e52318e86dd8ca7e97a292c7f10966399fb1e325392e

SHA512
2c4ca0aed245d792b7a91e6081567ef89abb505af53ad634801c05eb20f544905d75aa1b782318fd5886cdfcc1a33d76d321f1efbe6bb7efd77e1be11bdfd1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uninstall.exe
Filesize
866KB

MD5
790d0f8915a0f545df19e1c057dc9c8e

SHA1
838985922bdd1a9986140bfe9950d2d5f4663657

SHA256
6cfeb83384f5a321d3e5bed8cb6457ed790215fede7a248bd7cf79cef1db02dd

SHA512
655b87fb493120e599296acda71ea985f53bd37c84f3ccb0683adbc0f9c0ee0db0643cf4d1232a5a8b44a985648eabfe98c08b267a2c4abbd1e5441857e8f4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\uninstall.exe
Filesize
960KB

MD5
076d97a224762a4f416b45e8b2293cca

SHA1
80adbd540ab546b4cd8627facae63c5723101d9d

SHA256
45a58db29cfd5befcca7a803a71a0528a61cb1b9068f86893b5777caacc41bf1

SHA512
ac76c817464b0491157483a649a27f7709434388d3f2fa64dbba8640303617990b3c1c282633daf02505cc8a5404b42c36daba4c72ba9d6ca1a29b8e2867d8a2

Download Submit
memory/4736-88-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/4736-92-0x0000000007280000-0x00000000075D4000-memory.dmp

Filesize
3.3MB

Download
memory/4736-87-0x0000000005FC0000-0x0000000005FD0000-memory.dmp

Filesize
64KB

Download
memory/4736-85-0x0000000074330000-0x0000000074AE0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-89-0x0000000005FC0000-0x0000000005FD0000-memory.dmp

Filesize
64KB

Download
memory/4736-90-0x0000000006EA0000-0x0000000006EFA000-memory.dmp

Filesize
360KB

Download
memory/4736-91-0x0000000006F40000-0x0000000006F60000-memory.dmp

Filesize
128KB

Download
memory/4736-86-0x0000000000D30000-0x00000000014A4000-memory.dmp

Filesize
7.5MB

Download
memory/4736-93-0x0000000007C50000-0x0000000007C58000-memory.dmp

Filesize
32KB

Download
memory/4736-94-0x0000000007140000-0x0000000007148000-memory.dmp

Filesize
32KB

Download
memory/4736-95-0x000000000A3C0000-0x000000000A3F8000-memory.dmp

Filesize
224KB

Download
memory/4736-96-0x00000000070F0000-0x00000000070FE000-memory.dmp

Filesize
56KB

Download
memory/4736-97-0x0000000074330000-0x0000000074AE0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-98-0x0000000005FC0000-0x0000000005FD0000-memory.dmp

Filesize
64KB

Download
memory/4736-99-0x0000000005FC0000-0x0000000005FD0000-memory.dmp

Filesize
64KB

Download