Analysis
max time kernel: 90s
max time network: 94s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13-06-2024 01:22
Static task: static1
Behavioral task: behavioral1
Sample: uninstalltool_setup.exe
Resource: win11-20240611-en

General
Target: uninstalltool_setup.exe
Size: 5.7MB
MD5: 417161bef8a9990d7d99cd660042608d
SHA1: 8b319c3ec6cff5a598f7ee3be643a1e13ac85a1b
SHA256: 66b696e76af8e72272883e22e7f5e42e168195c2e42fddf6d9e4e59c8a003ee4
SHA512: 3603a744fad93c6b0f48a9ab5795193b0c5c5e145fa80d5c5b0214efc62b39e80d3c83fe04b90b48aca2dd504c4b4f6cfa3f896f66cf76dc204e661ba36b0ae6
SSDEEP: 98304:mkL6cnCk9EjDxlSQSk0StENJ6+t22o0LPfG8I2zCFqCmRY4z6FSQ8l5ocPCfEWa:Rt92xcQF7tETN22o6XGN2lRqcr5bWa

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell and hide display window.

Drops file in Drivers directory (2 IoCs)
Processes: UninstallTool.exe
description | ioc | process
- File created | C:\Windows\system32\drivers\CisUtMonitor.sys | UninstallTool.exe
- File opened for modification | C:\Windows\system32\drivers\CisUtMonitor.sys | UninstallTool.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (56 IoCs)
Processes: uninstalltool_setup.tmp
description | ioc | process
- File created | C:\Program Files\Uninstall Tool\languages\is-TBV6O.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-U4ATB.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-KHMKF.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-23UAB.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-GB070.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\is-AR8CJ.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-IJVM3.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-FG0QQ.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-3CNIQ.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\is-HGQAT.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-BOEKK.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-TH7CT.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-BLTBM.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-992K5.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-8MOMD.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-6E9TQ.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-9MECH.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\is-PTRIE.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-E8SED.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\is-LLSK0.tmp | uninstalltool_setup.tmp
- File opened for modification | C:\Program Files\Uninstall Tool\unins000.dat | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-DM58Q.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-BFS55.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\is-J4I8F.tmp | uninstalltool_setup.tmp
- File opened for modification | C:\Program Files\Uninstall Tool\UninstallTool.url | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-9N12V.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-ABMRV.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-JFF8C.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-0PETA.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-2LHS9.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-CF2DH.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\is-MFJ0C.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-020GI.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-69F9J.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\is-1HE5D.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-CU4FE.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-1B0FF.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-NA63E.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-V2QH3.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\unins000.dat | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\is-LUDPG.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-KV0NI.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-4C5PH.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-8ERLU.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-E5DQ0.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-KHMBF.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-528D6.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\is-AORUU.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-922A1.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-TGVA8.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\unins000.msg | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-5L7OM.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-4FVIK.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-2PJ9V.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\languages\is-FSBMT.tmp | uninstalltool_setup.tmp
- File created | C:\Program Files\Uninstall Tool\is-28NIB.tmp | uninstalltool_setup.tmp

Executes dropped EXE (9 IoCs)
Processes: uninstalltool_setup.tmp, PinToTaskbar.exe, UninstallTool.exe, UninstallToolHelper.exe
pid | process
- 3636 | uninstalltool_setup.tmp
- 1088 | PinToTaskbar.exe
- 1480 | UninstallTool.exe
- 4240 | UninstallTool.exe
- 4452 | UninstallTool.exe
- 3648 | UninstallTool.exe
- 752 | UninstallTool.exe
- 724 | UninstallTool.exe
- 4608 | UninstallToolHelper.exe

Loads dropped DLL (4 IoCs)
Processes: regsvr32.exe, Explorer.EXE
pid | process
- 1612 | regsvr32.exe
- 4936 | regsvr32.exe
- 3332 | Explorer.EXE
- 3332 | Explorer.EXE

Modifies system executable filetype association (2 TTPs, 4 IoCs)
Processes: regsvr32.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" | regsvr32.exe

Registers COM server for autorun (1 TTPs, 3 IoCs)
Processes: regsvr32.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32 | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ = "C:\\Program Files\\Uninstall Tool\\UTShellExt.dll" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (33 IoCs)
Processes: UninstallTool.exe, regsvr32.exe, Explorer.EXE
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\System.ControlPanel.Category = "5,8" | UninstallTool.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\Shell\Open\Command | UninstallTool.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ = "C:\\Program Files\\Uninstall Tool\\UTShellExt.dll" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32 | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\DefaultIcon | UninstallTool.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | UninstallTool.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\Shell\Open\Command\ = "C:\\Program Files\\Uninstall Tool\\UninstallTool.exe" | UninstallTool.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\Shell\Open | UninstallTool.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\ = "Uninstall Tool" | UninstallTool.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\DefaultIcon\ = "C:\\Program Files\\Uninstall Tool\\UninstallTool.exe" | UninstallTool.exe
- Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657} | UninstallTool.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\ = "UTShellExt" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\InfoTip = "Uninstall Programs Completely. Install and Trace Software. Manage Startup Programs" | UninstallTool.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32 | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C} | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\InfoTip = "Uninstall Programs Completely. Install and Trace Software. Manage Startup Programs" | UninstallTool.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ = "C:\\Program Files\\Uninstall Tool\\UTShellExt_x86.dll" | regsvr32.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9ce424a8-8388-495f-a400-2bd50eb35657}\Shell | UninstallTool.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE8E6AD6-DABE-45E1-88C2-48DC4578924C}\InProcServer32\ThreadingModel = "Apartment" | regsvr32.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: PinToTaskbar.exe, powershell.exe
pid | process
- 1088 | PinToTaskbar.exe
- 1088 | PinToTaskbar.exe
- 1568 | powershell.exe
- 1568 | powershell.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: Explorer.EXE, UninstallTool.exe
pid | process
- 3332 | Explorer.EXE
- 724 | UninstallTool.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: PinToTaskbar.exe, Explorer.EXE, powershell.exe
description | pid | process
- Token: SeDebugPrivilege | 1088 | PinToTaskbar.exe
- Token: SeShutdownPrivilege | 3332 | Explorer.EXE
- Token: SeCreatePagefilePrivilege | 3332 | Explorer.EXE
- Token: SeShutdownPrivilege | 3332 | Explorer.EXE
- Token: SeCreatePagefilePrivilege | 3332 | Explorer.EXE
- Token: SeDebugPrivilege | 1568 | powershell.exe
- Token: SeShutdownPrivilege / SeCreatePagefilePrivilege | 3332 | Explorer.EXE (the same alternating pair, repeated 29 more times for the remaining 58 entries)

Suspicious use of FindShellTrayWindow (8 IoCs)
Processes: uninstalltool_setup.tmp, Explorer.EXE
pid | process
- 3636 | uninstalltool_setup.tmp
- 3332 | Explorer.EXE (7 entries)

Suspicious use of SendNotifyMessage (30 IoCs)
Processes: Explorer.EXE
pid | process
- 3332 | Explorer.EXE (30 entries)

Suspicious use of SetWindowsHookEx (17 IoCs)
Processes: UninstallTool.exe, Explorer.EXE
pid | process
- 1480 | UninstallTool.exe
- 4240 | UninstallTool.exe
- 4452 | UninstallTool.exe
- 3648 | UninstallTool.exe
- 752 | UninstallTool.exe
- 724 | UninstallTool.exe (11 entries)
- 3332 | Explorer.EXE

Suspicious use of UnmapMainImage (1 IoCs)
Processes: Explorer.EXE
pid | process
- 3332 | Explorer.EXE

Suspicious use of WriteProcessMemory (30 IoCs)
Processes: uninstalltool_setup.exe, uninstalltool_setup.tmp, regsvr32.exe, PinToTaskbar.exe, UninstallTool.exe
description | pid | process | target process
- PID 4896 wrote to memory of 3636 | 4896 | uninstalltool_setup.exe | uninstalltool_setup.tmp (3 entries)
- PID 3636 wrote to memory of 1612 | 3636 | uninstalltool_setup.tmp | regsvr32.exe (2 entries)
- PID 3636 wrote to memory of 3728 | 3636 | uninstalltool_setup.tmp | regsvr32.exe (2 entries)
- PID 3728 wrote to memory of 4936 | 3728 | regsvr32.exe | regsvr32.exe (3 entries)
- PID 3636 wrote to memory of 1088 | 3636 | uninstalltool_setup.tmp | PinToTaskbar.exe (2 entries)
- PID 1088 wrote to memory of 3332 | 1088 | PinToTaskbar.exe | Explorer.EXE
- PID 3636 wrote to memory of 1480 | 3636 | uninstalltool_setup.tmp | UninstallTool.exe (2 entries)
- PID 3636 wrote to memory of 4240 | 3636 | uninstalltool_setup.tmp | UninstallTool.exe (2 entries)
- PID 3636 wrote to memory of 4452 | 3636 | uninstalltool_setup.tmp | UninstallTool.exe (2 entries)
- PID 3636 wrote to memory of 3648 | 3636 | uninstalltool_setup.tmp | UninstallTool.exe (2 entries)
- PID 3636 wrote to memory of 752 | 3636 | uninstalltool_setup.tmp | UninstallTool.exe (2 entries)
- PID 752 wrote to memory of 1568 | 752 | UninstallTool.exe | powershell.exe (2 entries)
- PID 3636 wrote to memory of 724 | 3636 | uninstalltool_setup.tmp | UninstallTool.exe (2 entries)
- PID 724 wrote to memory of 4608 | 724 | UninstallTool.exe | UninstallToolHelper.exe (3 entries)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes
(process tree; each entry gives the image path, the recorded command line, the PID, the nesting level, and the signatures that fired for that process)

Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3332
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage

  Level 2: C:\Users\Admin\AppData\Local\Temp\uninstalltool_setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\uninstalltool_setup.exe"
    PID: 4896
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp" /SL5="$4021A,4977297,845824,C:\Users\Admin\AppData\Local\Temp\uninstalltool_setup.exe"
      PID: 3636
      - Drops file in Program Files directory
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\system32\regsvr32.exe
        Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Uninstall Tool\UTShellExt.dll"
        PID: 1612
        - Loads dropped DLL
        - Modifies system executable filetype association
        - Registers COM server for autorun
        - Modifies registry class

      Level 4: C:\Windows\system32\regsvr32.exe
        Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Uninstall Tool\UTShellExt_x86.dll"
        PID: 3728
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\regsvr32.exe
          Command line: /s "C:\Program Files\Uninstall Tool\UTShellExt_x86.dll"
          PID: 4936
          - Loads dropped DLL
          - Modifies system executable filetype association
          - Modifies registry class

      Level 4: C:\Program Files\Uninstall Tool\PinToTaskbar.exe
        Command line: "C:\Program Files\Uninstall Tool\PinToTaskbar.exe" /pin UninstallTool.exe
        PID: 1088
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      Level 4: C:\Program Files\Uninstall Tool\UninstallTool.exe
        Command line: "C:\Program Files\Uninstall Tool\UninstallTool.exe" /install_service_silent
        PID: 1480
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      Level 4: C:\Program Files\Uninstall Tool\UninstallTool.exe
        Command line: "C:\Program Files\Uninstall Tool\UninstallTool.exe" /init
        PID: 4240
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      Level 4: C:\Program Files\Uninstall Tool\UninstallTool.exe
        Command line: "C:\Program Files\Uninstall Tool\UninstallTool.exe" /add_control_panel_icon
        PID: 4452
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx

      Level 4: C:\Program Files\Uninstall Tool\UninstallTool.exe
        Command line: "C:\Program Files\Uninstall Tool\UninstallTool.exe" /skip_uac
        PID: 3648
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

      Level 4: C:\Program Files\Uninstall Tool\UninstallTool.exe
        Command line: "C:\Program Files\Uninstall Tool\UninstallTool.exe" /msix_register
        PID: 752
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -WindowStyle hidden -c "Add-AppxPackage 'C:\Program Files\Uninstall Tool\UTShellExt2.msix' -ExternalLocation 'C:\Program Files\Uninstall Tool\'"
          PID: 1568
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      Level 4: C:\Program Files\Uninstall Tool\UninstallTool.exe
        Command line: "C:\Program Files\Uninstall Tool\UninstallTool.exe"
        PID: 724
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Program Files\Uninstall Tool\UninstallToolHelper.exe
          Command line: "C:\Program Files\Uninstall Tool\UninstallToolHelper.exe" /pid:724
          PID: 4608
          - Executes dropped EXE

Network

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
- Change Default File Association (1)

Downloads

-
Filesize: 386KB
MD5: 4de7220115fe537eaf6c5776e83f0064
SHA1: e81a7feab77203266a8afb379ff93025c923f28b
SHA256: e87288744cc29c5ab81d9c3fa78653cacd87bc74bf5a3abc4f38afcd6a1a5c16
SHA512: b33113314636a491c35dea215c3cd75f74797223d5b6b7ca88b790b9ddc9969c8759b61e354e753db2476dd65953664cf321940be811c6c9fc01391f0490c02f

-
Filesize: 366KB
MD5: 4c415adb0750fe1e1d2f52c3902274c0
SHA1: 001fc6dc3706f1596295e4e7a4eabb5a407dab52
SHA256: 7d0a990c0b976ff4d99abfa935eadebcece34e7d4e711ed86066ab7845d6a417
SHA512: aaecb72a0ec6e28336bcf5cf83d8ff0e220302c76df2715186b7fd25891662588f27215b7043613472ed747908eec9169b51c035b1e069b2c2a95c999cbf8dab

-
Filesize: 516KB
MD5: c836d4008d50fdbb49101eea1d49a57f
SHA1: ebfc097ecde12532d0ac8d76dd67df79c8007e77
SHA256: 157b1afebd03b3325bb13bb229caebe2e3c73360250fe689af1635a670487e17
SHA512: eab2b799a2ac670dcce82429139ec7482c1ac9d9c2ed028f926add1c462d8347bd293f284fba3fb91a61d0c48b9a63829c895ba300d3f6ff07cfa1977ba138f3

-
Filesize: 422KB
MD5: 7460a0e0c7cd0d14649eec1688322505
SHA1: e7b1fc34362123f8bd95eac5996d7788e618c0da
SHA256: 6a9e6a25e9fe6c5503dfcc606e0392f6dcbe71a1e9dec010cde7ff82b7cd52f7
SHA512: 44e1bcac6f4cac6ca39aea60da403bd09e8eaf82e40984bb1c676828373e5af160b99aea186b71e9be69f4ecf2090de9fa5d79cf50c3c348545f25454d361e40

-
Filesize: 5.6MB
MD5: 3314588abbe3e7e976ca664886e691b8
SHA1: 91ab07ccf95e087c3878c3e2d93941e561ed979a
SHA256: 6095e41aed91326a12acd02ae988711befd3e3ad2d280ca5d0c2647cb0f781f1
SHA512: 77fbc216f0c6633f39ba6e0490358276e977e7dc981e7f164328a92f5a014d90b1aaf41819519bd3313b8ddfded4b98c069eaae15f2057e5f42d8177facc700f

-
Filesize: 463KB
MD5: d82e0a3786dba17f88929d11d6b00b96
SHA1: 098f9b676677dc3a30530ad5254b7fb41e1391d9
SHA256: ba8d7b5662f85aa901fd6bcf86fc5989013577b18c81a91bffc1211fec31d6c8
SHA512: 4df64c5f421103fabf156342d41ff2cece82ce6b7015c454ac78680611d4ab64788c7ed50b0505edcd4cc704fdbe3c118370464c476f8047bd0e022ddbc3424d

-
Filesize: 40KB
MD5: 955f262f1ab8f37793ad91945a01d01d
SHA1: 859828af13645c29878b67f300820b4d31fac352
SHA256: bbd3c410b5519170b3c002e9c8c4eb3a5599439f00f5e1d3c3037a484c35c907
SHA512: c8e120533e41f7e02ac0368c0a06b6bfc4da2192bb2282daaba1d27a81780ae6001834fbe1333fca89da1db137941fcf6be80924359031b0ba6289b3c8cfceb1

-
Filesize: 651B
MD5: 342c1625bb428a11c97ae14501f5ee7b
SHA1: 5a3642de1164bdc141c66ba9d56ac594d267f62f
SHA256: becb9a8d5a5d5150550cb2461bb0429838406576e710b21dc94388c9239e7161
SHA512: 7cd9f7069afe26b3ad864ac48c52a9547ecacf301d51961f6b2a63177dafb849c097f1600f7942499f150e91ede9c2715a77c76d4408e63587cd2eca4f770820

-
Filesize: 945B
MD5: 398056af197de168302f8041ac148761
SHA1: 8ca2d0e2c0c0e6cc1cae3de1802f354343647a2d
SHA256: 89321a2f1068cfc3dc7f9e3d8ce3fc552ecd02cd976f04026c1801672b5ce882
SHA512: 4256ef61b317916fcc5351e9a6612d935fe3835f35bf6c218298f0764def20daeee7b0b07277d7f33feb33f6542ecb7ca05bb1e6469787d51da7d24d971224a4

-
Filesize: 56KB
MD5: 1b16fa25136adb7b3c41a3f1d474c901
SHA1: d6d0fc8367c3939fedc45474c37ed16b83b53f15
SHA256: 917572f2a45f7b8312ed09d783418534e95888c10f3e0b6cf40c5df58a7c390d
SHA512: e67e214b87b7b5ff9a678d4ccf4c65f8f828e46969498e8163b565658baccb3d72c60c43e8b5a459ec0215e079949182c92c750484f1b3dfd0e5af21634cf236

-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

-
Filesize: 3.1MB
MD5: 8c1451188764f81954e6d4672100433a
SHA1: c01d90c825b3ed029eeb45017fa37d40bd1fd32b
SHA256: 5fe7888a8a41638e457a1d52369701f33b2084aeeb32a3c4fc996b1487a8fadd
SHA512: a2a4d1b8801893cb1a6820233c8b78f272869224471f72aee82b18aa1001cd3b68955121c6f38b9318c6093f0089bf6afac89979668381eaa587241af8824164

-
Filesize: 2KB
MD5: aadc51577335d88ce808a6eda9698834
SHA1: 07ecb289a6a3fdb267ff98647e4868ca8ab62900
SHA256: bcfd650a8ec7c6da4492be7993c815675c407ec9f59a1991609713c45de88524
SHA512: 0b54fbc26c44113e4229b1d84a3b37915c91123ad5c879b566edea3f6eee43330e901889febcd0552bccc0003a64917a03b6d6bf6c6f2bf5aa860786de6608e0

-
Filesize: 1KB
MD5: 23618daa6d7d186c500d713997df0031
SHA1: aec490f22c95101f8dc2f6c7d6c6d04bb32b966f
SHA256: 0237bf82b7610c21bf77e99037ba18d73c9fccec531b49f08e9b821825cbfa00
SHA512: fc2045ae65cb289ea1a89a908f0598ba6c78279ae092e41e4966504a5aef6927ad4825d142f4a88c1c54da6f531e6ace0a9588930f037416fe154256dffedf73

-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

-
Filesize: 2KB
MD5: f3154c236c6d83b608538be27acf0063
SHA1: 0330d902d0c2c484e8ea12389727cf8f88e8428b
SHA256: 33d1a491ecde710b768fc366670df967f35eeab79aded68b3313e6837e49eddd
SHA512: 5c0605e81e73006122f4001c54d72b31c3c025ef31c1d153965e78d7f874abdd669b51f1cb8f77bbf2fb565fbd9a8210293c462dd37ac2b5bf832a106e21f91a

- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Uninstall Tool.lnk
Filesize: 1KB
MD5: 20143876b0f0048e8c104ea396980f92
SHA1: 0cd8811215a4d6d3b860bf47b69924d0582a8b0f
SHA256: 06c9e1fd83aa15a5df6bd0dea28d406e288038cedcd56a1444360850d144a068
SHA512: 714b719fa5d820fb472133dc0cfb85f6b0c5fbeb0d380b38ef287b5e78dda0dbd76398aed416a48e571447245f4cb617a0f8c1c0493f84c3cf353d606f8613ac

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\269c0465f0b4b6ee.customDestinations-ms
Filesize: 5KB
MD5: bb844b7e95e9c2abe561213b0da05a1e
SHA1: 854b56bbbe10387a6183430084e80934f6b2a73c
SHA256: 8d753b234b883adeb7678d8bb637f886ba0a7c2b393b06988efd520391423e0c
SHA512: cb6c6b6cf71268bd4df2ab490c9177e34238d98b474fd9c90c58c2ff528558c0a0fd2eb869073af53aff2c18cb9eccd725d07d8ca72da03ca4635347c4a5cebe

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\269c0465f0b4b6ee.customDestinations-ms
Filesize: 5KB
MD5: e09d7e340448e0ff92e857dbbde2e2c4
SHA1: 3920f5e6f8bbe7d0f4927aaccaf26b35e077f989
SHA256: 890cda88968e3d9f7740c4dd7054930718e16b31d21922ed450f9bb8fe034af5
SHA512: df8b2ce55cbc7b046bc5e916fcb4a43f54b53ae6a74f0a4d7fea10674a7fbde991356de6b96a52e44dc9b5ca924e4af4749c69490377b5d000ffdb3b9d4f8d1b

-
Filesize: 927B
MD5: 7e162008b9fe2d5de997c2571ffbcd21
SHA1: 8bb5126a2377c3d713ca566337f65ca6eed9a08a
SHA256: 48130b48ad2391d563e40ff31008a5a07c7ae5c7d0547655b0101608c1ca9216
SHA512: 7f7016856171692a2b0d99fc69a8ab6329f31f7cbc19cb6506c93c7bc0ec37c2dbbb2008485aecd3651214b24908e255062b10ab5df7a86e76cbb2cbb6247522