7d5b1d29a694e8fc136a5a13fd17b8c30d08c8d4f4d5d8006a5361d53acdf9de

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-es
resource tags

arch:x64arch:x86image:win7-20240221-eslocale:es-esos:windows7-x64systemwindows
submitted
01-05-2024 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/uninstall.exe
Size

11.2MB
MD5

48d796c60981cce5be144c8ff52466f1
SHA1

83a4e3ecb47c14ba8eac80d4fa69ba53c07d4153
SHA256

ea88d6f7e328e86762b4d586390bdc6eccca1501a3a03150968884e8cc3ad5dc
SHA512

9476e27126fc3f7b0001c21d7b30035ee37a7d0576ea647f77bd5f9cff61d7c809cf67a8808bccab2b5ed3cdc8cfdabc906ee1c18b22c0b5dc79dd506243cc17
SSDEEP

196608:HhKgznK4UZ9oHpWSQQ+87W4DFPwV422RBhox+Ht+FPYLrvaDbP8+uDgCAoy:HhK4K4UZyHdN+8b/hGG+ByvaDzfxoy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2860	un.exe

Loads dropped DLL 7 IoCs

pid	Process
2260	uninstall.exe
2260	uninstall.exe
2260	uninstall.exe
2260	uninstall.exe
2260	uninstall.exe
2260	uninstall.exe
2260	uninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	uninstall.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	uninstall.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2260	uninstall.exe
2260	uninstall.exe
2260	uninstall.exe
2260	uninstall.exe
2260	uninstall.exe
2260	uninstall.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	un.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2260	uninstall.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2496	2260	uninstall.exe	28
PID 2260 wrote to memory of 2496	2260	uninstall.exe	28
PID 2260 wrote to memory of 2496	2260	uninstall.exe	28
PID 2260 wrote to memory of 2496	2260	uninstall.exe	28
PID 2260 wrote to memory of 2860	2260	uninstall.exe	30
PID 2260 wrote to memory of 2860	2260	uninstall.exe	30
PID 2260 wrote to memory of 2860	2260	uninstall.exe	30
PID 2260 wrote to memory of 2860	2260	uninstall.exe	30
PID 2260 wrote to memory of 2860	2260	uninstall.exe	30
PID 2260 wrote to memory of 2860	2260	uninstall.exe	30
PID 2260 wrote to memory of 2860	2260	uninstall.exe	30

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"au-Windows\",\"user_id\":\"ECB85A12\",\"events\":[{\"name\":\"Uninstall_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"install_productversion\":\"Official-com-pp\",\"install_trackversion\":\"2.1.0.0\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-G1ZWRJY8K8&api_secret=vT2-CR2mSpKugIO5e8H3pQ""
  2⤵
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\un.exe
  "C:\Users\Admin\AppData\Local\Temp\un.exe" """av:2.1.0" "gv:2.1.0.0" "gs:Official-com-pp" "gi:UA-85655135-16" "an:AnyUnlock - iPhone Password Unlocker" "c:iMobie"""
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy1CC5.tmp\CheckProVs.dll

Filesize
7KB

MD5
62e85098ce43cb3d5c422e49390b7071

SHA1
df6722f155ce2a1379eff53a9ad1611ddecbb3bf

SHA256
ee7e26894cbf89c93ae4df15bdb12cd9a21f5deacedfa99a01eefe8fa52daec2

SHA512
dfe7438c2b46f822e2a810bc355e5226043547608d19d1c70314e4325c06ad9ad63a797905e30d19f5d9a86ee1a6d9c28f525a298731e79dbf6f3d6441179a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1CC5.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1CC5.tmp\un.exe

Filesize
11.7MB

MD5
cbea93b5c3fc5080bb200c58edc14dd6

SHA1
4204117c82823c54dc5e3f05a4c1ff667fefb331

SHA256
ee8c4d17e67236e84faa12696aed1b4a8d5b529b73adc2a6b2787e26e96d191c

SHA512
2977e50a98ef9bb76f3f63a0909c6fbca0f08ceeb8d796c3c57364474736cb5d3a8803c32f6a6f7cc66c89129aead2e37c87369b96160bef6df6aff7a4171e8a

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1CC5.tmp\GoogleTracingLib.dll

Filesize
36KB

MD5
d8fca35ff95fe00a7174177181f8bd13

SHA1
fbafea4d2790dd2c0d022dfb08ded91de7f5265e

SHA256
ad873f1e51e6d033e5507235ec735957256ebeeb0d3f22aa0b57bb4bd0846e4c

SHA512
eb530b10f137cb0cdfdcd2c11fd9f50f774e0ce44e9d2da3e755f6a6df24fe6e7525c27b109e3e68e9d3e49a889937a22f4d9d78703b1055a83b8a58808a58ba

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1CC5.tmp\SkinBtn.dll

Filesize
4KB

MD5
29818862640ac659ce520c9c64e63e9e

SHA1
485e1e6cc552fa4f05fb767043b1e7c9eb80be64

SHA256
e96afa894a995a6097a405df76155a7a39962ff6cae7a59d89a25e5a34ab9eeb

SHA512
ebb94eb21e060fb90ec9c86787eada42c7c9e1e7628ea4b16d3c7b414f554a94d5e4f4abe0e4ee30fddf4f904fd3002770a9b967fbd0feeca353e21079777057

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1CC5.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1CC5.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
memory/2260-29-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/2260-27-0x00000000033F0000-0x0000000003449000-memory.dmp

Filesize
356KB

Download
memory/2860-47-0x0000000001320000-0x0000000001EE0000-memory.dmp

Filesize
11.8MB

Download
memory/2860-49-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/2860-48-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/2860-50-0x0000000000E70000-0x0000000000ECA000-memory.dmp

Filesize
360KB

Download
memory/2860-51-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download