58d80782c3fb365c3dc4cd812bae64b0a0d3e1d981e11ccb32c7e6219395b90e

Analysis

max time kernel
146s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
19/04/2024, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iBackupBot for iPad iPhone/uninst.exe
Size

64KB
MD5

7838ecb4ca21ef1518939d3bc5cb8793
SHA1

d67921104b7a27bb4025c1f41b459b33d222c55c
SHA256

fe8cc751a470879f7ff09ec9b9e1ffe8374a23fe1a202e7ba86590fbda53f0f2
SHA512

2896e155d9c8af6dc722af7129dcd532ea20782520eb39c87b44cc3bc589fba520f325227e4b86cbc0ac97ce8776ae55e11cf718e9ca22860eaafb1ed6ed8fb3
SSDEEP

1536:JU+dcy3fxBk9UmZHs/hcaFgdLeAyN/WmaE5rWEbgfjmK:JNzPHk9MpcaFceAWSH7mK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
856	Un_A.exe

Executes dropped EXE 1 IoCs

pid	Process
856	Un_A.exe

Loads dropped DLL 1 IoCs

pid	Process
856	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral16/files/0x000100000002aa21-3.dat	nsis_installer_1
behavioral16/files/0x000100000002aa21-3.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 856	5020	uninst.exe	78
PID 5020 wrote to memory of 856	5020	uninst.exe	78
PID 5020 wrote to memory of 856	5020	uninst.exe	78

C:\Users\Admin\AppData\Local\Temp\iBackupBot for iPad iPhone\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\iBackupBot for iPad iPhone\uninst.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\iBackupBot for iPad iPhone\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd5C89.tmp\LangDLL.dll

Filesize
5KB

MD5
ea60c7bd5edd6048601729bd31362c16

SHA1
6e6919d969eb61a141595014395b6c3f44139073

SHA256
4e72c8b4d36f128b25281440e59e39af7ec2080d02e024f35ac413d769d91f39

SHA512
f9dc35220697153bb06e3a06caf645079881cb75aed008dbe5381ecaf3442d5be03500b36bbca8b3d114845fac3d667ddf4063c16bc35d29bbea862930939993

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
64KB

MD5
7838ecb4ca21ef1518939d3bc5cb8793

SHA1
d67921104b7a27bb4025c1f41b459b33d222c55c

SHA256
fe8cc751a470879f7ff09ec9b9e1ffe8374a23fe1a202e7ba86590fbda53f0f2

SHA512
2896e155d9c8af6dc722af7129dcd532ea20782520eb39c87b44cc3bc589fba520f325227e4b86cbc0ac97ce8776ae55e11cf718e9ca22860eaafb1ed6ed8fb3

Download Submit