Overview

overview

7

Static

static

7

anyfix-ios...2).exe

windows7-x64

6

anyfix-ios...2).exe

windows10-2004-x64

5

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...Vs.dll

windows7-x64

3

$PLUGINSDI...Vs.dll

windows10-2004-x64

$PLUGINSDI...os.dll

windows7-x64

3

$PLUGINSDI...os.dll

windows10-2004-x64

3

$PLUGINSDI...ib.dll

windows7-x64

1

$PLUGINSDI...ib.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...up.exe

windows7-x64

7

$PLUGINSDI...up.exe

windows10-2004-x64

7

$PLUGINSDI...00.dll

windows7-x64

1

$PLUGINSDI...00.dll

windows10-2004-x64

1

$PLUGINSDI...00.dll

windows7-x64

1

$PLUGINSDI...00.dll

windows10-2004-x64

1

$PLUGINSDIR/nsDui.dll

windows7-x64

3

$PLUGINSDIR/nsDui.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...ss.dll

windows7-x64

3

$PLUGINSDI...ss.dll

windows10-2004-x64

3

$PLUGINSDI...7z.dll

windows7-x64

3

$PLUGINSDI...7z.dll

windows10-2004-x64

3

$PLUGINSDI...ry.dll

windows7-x64

3

$PLUGINSDI...ry.dll

windows10-2004-x64

3

$PLUGINSDI...ll.exe

windows7-x64

4

$PLUGINSDI...ll.exe

windows10-2004-x64

5

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    139s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-05-2024 18:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $PLUGINSDIR/uninstall.exe

  • Size

    304KB

  • MD5

    dac3b528233d00e3c2ee268b608fa4c0

  • SHA1

    6c632ad2888cd93f2aa2aef0fde309e043c90f31

  • SHA256

    0491c06f3771d5cdbe47042e8d40a17914e27a7b668b1d08e28f264b122a4dee

  • SHA512

    f1109877a1ddd5e28ebbde7814f97aea530bb6581da4670e91f9593069f182561085cf1432c505261faef9a51564f0058db436998376e056d22b0260163ae0b3

  • SSDEEP

    3072:j5szWOITsEL50jl7yI57isGg4oUeO0l2uuuuuuuuuuuuuuuuuuuDXVoE1wA3/FnZ:CzZZDFGg+mtgc/V2fo0xR6X7gpC

Score
5/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:1396
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"af-Windows\",\"user_id\":\"\",\"events\":[{\"name\":\"Uninstall_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"pv\":\"af-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.1.0.2\",\"soft_os_version\":\"\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-FD4C8EQ6QT&api_secret=MfzS8fntS--YlPo0qsl0GQ""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3856
      • C:\Windows\SysWOW64\curl.exe
        curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"af-Windows\",\"user_id\":\"\",\"events\":[{\"name\":\"Uninstall_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"pv\":\"af-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.1.0.2\",\"soft_os_version\":\"\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-FD4C8EQ6QT&api_secret=MfzS8fntS--YlPo0qsl0GQ"
        3⤵
          PID:2000

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsq2FCB.tmp\CheckProVs.dll
      Filesize

      7KB

      MD5

      62e85098ce43cb3d5c422e49390b7071

      SHA1

      df6722f155ce2a1379eff53a9ad1611ddecbb3bf

      SHA256

      ee7e26894cbf89c93ae4df15bdb12cd9a21f5deacedfa99a01eefe8fa52daec2

      SHA512

      dfe7438c2b46f822e2a810bc355e5226043547608d19d1c70314e4325c06ad9ad63a797905e30d19f5d9a86ee1a6d9c28f525a298731e79dbf6f3d6441179a8e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsq2FCB.tmp\GoogleTracingLib.dll
      Filesize

      36KB

      MD5

      d8fca35ff95fe00a7174177181f8bd13

      SHA1

      fbafea4d2790dd2c0d022dfb08ded91de7f5265e

      SHA256

      ad873f1e51e6d033e5507235ec735957256ebeeb0d3f22aa0b57bb4bd0846e4c

      SHA512

      eb530b10f137cb0cdfdcd2c11fd9f50f774e0ce44e9d2da3e755f6a6df24fe6e7525c27b109e3e68e9d3e49a889937a22f4d9d78703b1055a83b8a58808a58ba

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsq2FCB.tmp\SkinBtn.dll
      Filesize

      4KB

      MD5

      29818862640ac659ce520c9c64e63e9e

      SHA1

      485e1e6cc552fa4f05fb767043b1e7c9eb80be64

      SHA256

      e96afa894a995a6097a405df76155a7a39962ff6cae7a59d89a25e5a34ab9eeb

      SHA512

      ebb94eb21e060fb90ec9c86787eada42c7c9e1e7628ea4b16d3c7b414f554a94d5e4f4abe0e4ee30fddf4f904fd3002770a9b967fbd0feeca353e21079777057

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsq2FCB.tmp\System.dll
      Filesize

      11KB

      MD5

      ca332bb753b0775d5e806e236ddcec55

      SHA1

      f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

      SHA256

      df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

      SHA512

      2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsq2FCB.tmp\nsDialogs.dll
      Filesize

      9KB

      MD5

      904d8313031ac05e2bac3dd329828833

      SHA1

      6c8322f76e5c38bc24b0bcc057a510c92ec40b43

      SHA256

      a7c5516478ab02b5d6c1684b3c2b31ee03331712bcd9f9a8ef8309d2b72c8ec4

      SHA512

      9d524ebc965f224e1a16f537f71df0963c586fd548cb9a901f8afb1951416dd656d5493cc5e304157dfa6d70d69bcd4c5a5b140fceb3736548e71fe7086b6de8

      Download Submit