107f98a350f0932f5912cce2f30ee471ccc9242801f7fe864ce424e7ab283f6d

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

1.3MB
MD5

2bdfa7e2c3ea2e9a177e68d3fe43d9f2
SHA1

8c3cb540b9f35badaa5bbce9b7880fb4c31d0be1
SHA256

e967f918595fa95f7c64332e126a02bc0cd52bfa95b8b0c23304625923ae6ce7
SHA512

f0f2778739a1443dbd8bc10127b69f48ba89c9316a5eaba1d2ef3f622b56b819712619dff62f37b9593fe4dd9cc6ac51f524bf2982dce0ec48f2c11295937fc5
SSDEEP

24576:mnhoO2MWVANx8eB6GPB9SzKQEu7bdH99n6g1NEvKKtv0:mhHx7SmS7v9nX1NEy08

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2980	appdater-uninstall.exe

Loads dropped DLL 4 IoCs

pid	Process
1260	Uninstall.exe
2980	appdater-uninstall.exe
2980	appdater-uninstall.exe
2980	appdater-uninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2980	appdater-uninstall.exe
2980	appdater-uninstall.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1260	Uninstall.exe
Token: SeBackupPrivilege	1260	Uninstall.exe
Token: SeRestorePrivilege	2980	appdater-uninstall.exe
Token: SeBackupPrivilege	2980	appdater-uninstall.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2980	1260	Uninstall.exe	28
PID 1260 wrote to memory of 2980	1260	Uninstall.exe	28
PID 1260 wrote to memory of 2980	1260	Uninstall.exe	28
PID 1260 wrote to memory of 2980	1260	Uninstall.exe	28
PID 1260 wrote to memory of 2980	1260	Uninstall.exe	28
PID 1260 wrote to memory of 2980	1260	Uninstall.exe	28
PID 1260 wrote to memory of 2980	1260	Uninstall.exe	28

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\appdater-uninstall.exe
  "C:\Users\Admin\AppData\Local\Temp\appdater-uninstall.exe" /run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
2365869258df7a66a2121b802ca4afd9

SHA1
73acc30a2edeb9d6830de559bb8a74f35168135d

SHA256
d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed

SHA512
795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_AB9E6ABDE5D225B32CD1A91CAF7467E4

Filesize
471B

MD5
7edc1050e4e5b2907c33f3b65d63c08b

SHA1
f756ba71dcad04cb539f7265ff38f1d584750f34

SHA256
e59ba2799ada6c91581356ab352fa67180ca4ac4272c2629292516de4e5f37c5

SHA512
56575441b853a6f1347588e45cbf8d8719db43eb7da2f573b5b7a1796a8498d90b090082136e16ba0d8c9475e3d2aa6dadbea50fe0e892a9929d920c6b532a0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
432e6414d6cc9b969966a65eceeefc0d

SHA1
c813d569fee0e76e8fa799c07854d4cd124d5418

SHA256
62db8870150a9c8c024ede523fcc602c90e3b775e6753a79e4234d82577e5285

SHA512
35eff37efcf0887a97f42df2b7ef0bf3b3ed851e94e99bb4fc7acd1d1c56fb65bcb533fafb377d8ebe1c744f9a0394f21edbba16e11b860aa08acc1c5b87c8f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6884e96de42ef489fc983cda80f92064

SHA1
d719ea31721e313ceba04ff73ae3836a2b04583e

SHA256
0c62e440c06b33869560f77d23ac19aa69a905c2f31f039b04ae95b60a689c94

SHA512
0470a7c58a74c2d65478430d55a37c0dfece3494456eceeff9a336652370b58133309f1a34626025fb272175da3721713e178d5a78609a74c5bbd452056f8dd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
f031548ee1de0f796f7ed6145733b3f7

SHA1
415abc88de614e0bf1d353048c2c3e493f84e01e

SHA256
2f0f16c9b4db9eb7d55a3d88bf13b1bc5d06405278eb5fe44d1db19bab64f155

SHA512
f1897618a3dfc801d164aad528ba4c2d193264ddb70b1197437e840d39f5efc31252852861b38a1b34d8a3518dcd6fba0171ca9f6197ef1232d5004678747b43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
0e8b61fbb91c547f6e76f8face79a443

SHA1
189be05f38aed4bbb5df1bc4c38ac5e93aa8880e

SHA256
6e27441b522c0881e98c18f40c9b83aaf13359f7297d9b367d626e1928df527e

SHA512
1c7c595ddfe84d9e4a18997123f3c27e44f6936fee5f0ac1807d9d5c32a92e99a81ef479957f8a87464c6251fc56dd789ca8cf7146871892e059287b8ca9b5ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
a28ee19c54cdba886fe79d8a702a3033

SHA1
f3df33860d62a22fda0e6c9551b223a1a5e35d63

SHA256
9468a03070009437c7520fac393f0a978f6e28f0ed3f68f9f1164e29aeabcf2c

SHA512
486ffe19d17ad4ed7f4e4ab085443b2feadc0cff88f7f91bcfabfb0acaa9a96ce08b8a9d3879af3d264ef926dc31e30e9f2837e3d79bc1a663ee45fc53feffa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_AB9E6ABDE5D225B32CD1A91CAF7467E4

Filesize
410B

MD5
bfe5e317bf1b83adfbc1213630a5b782

SHA1
8c2ea192647b17ad8016df6693fdd4a83f920f0a

SHA256
bd43770c47adbc7dbabf7d9f2fdd25c3ef375d7e9a6bfe7cf5dcd4931432cba8

SHA512
737b7e8ba0ce3934e47687a0c19a0e8da30bf3db9972a008697aafa212014a7eb29346a110136932e92649d69da5ec71236c9c2ee22376c7f944f822c56a610b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab83A2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\appdater-uninstall.log

Filesize
60B

MD5
a52e24da6fdb4fe2aca5a7d2a3abe7b7

SHA1
0f7abba6d3f19e79ae25ee5c68c54b0646ef7b44

SHA256
dba39894797013abba39f14f379965ccb2f1ca64504265d32daac07737323ab7

SHA512
5a5ef98b7cd08fdd62758974e13e6f70703db1269aa887ce65bfa8ef0880f386d1b49440f9330534e7dc4394a079f4918254b80444b1ecce49ef43f5e184e660

Download Submit
C:\Users\Admin\AppData\Local\Temp\appdater-uninstall.log

Filesize
1KB

MD5
a8f2e9bc77245159de367018f5a18de1

SHA1
e2b566a4effb846de2469ead956502a7fed3c035

SHA256
af4f9f2671b36cab314e039a45f9534b313df8c005588a8568c134fab52c0308

SHA512
cb9c7854296bb8bbe0bb9f970f00f223319bc6b16b426d6fbb3339e656f6e0389a2b9f544394901a61b7c1f5e4906697a183c1dc874ce47d66008c8413fd26a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\appdater-uninstall.log

Filesize
1KB

MD5
e06e991afe005c25a4148434bb80813e

SHA1
43bdc1385182b2f26c20deecf10b0fed610c50e5

SHA256
383a508cd64708d62364d4a17d493c7212b73380f3a28ca0d54680caf1414865

SHA512
6d99bb173396b5b502606b34427fa7af6c9d5e35d1d7142292cf24be2b5f776db67cf3d3a8d502c22709a1a18babcd5ed21390fd5d5821a3d5c52e68f3e856f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\appdater-uninstall.log

Filesize
1KB

MD5
29aba6c30da96634dd3ba12c723c1b7a

SHA1
b1ddc260fcef50cb56f53dcafb4c0adb824590f5

SHA256
5f300b4d16dd461ce784c4b2c98d3ae6a56919bb25e75bbbe60d0dd73582f97c

SHA512
c293a51e75909818155ea7f57f7e2f80ab98a6fe1852f560d6286209ced33cdb87d4820d4e8c43df12e1eccac3b7dfe1763653fb57c01c4eef452bd65ba99519

Download Submit
C:\Users\Admin\AppData\Local\Temp\appdater-uninstall.log

Filesize
1KB

MD5
ee0a6c8dd23eb6574a2dbd3fea80a100

SHA1
fb0182921ca5367cfbaeb5b078bea424d7a99782

SHA256
88fb100a54259bdff7ed79579ef1d19c41d56e24932c466812f038570fd7b5e7

SHA512
6f03aa54d29cdd2f0e1dfd94a0c7254b4d3c3e1d08fe471958edf2e351e2cc71a9a6f0ade14deebf98689d269cad66adb2edfb65bb5f8a35b1a0586a025a8c8f

Download Submit
\Users\Admin\AppData\Local\Temp\appdater-uninstall.exe

Filesize
1.3MB

MD5
2bdfa7e2c3ea2e9a177e68d3fe43d9f2

SHA1
8c3cb540b9f35badaa5bbce9b7880fb4c31d0be1

SHA256
e967f918595fa95f7c64332e126a02bc0cd52bfa95b8b0c23304625923ae6ce7

SHA512
f0f2778739a1443dbd8bc10127b69f48ba89c9316a5eaba1d2ef3f622b56b819712619dff62f37b9593fe4dd9cc6ac51f524bf2982dce0ec48f2c11295937fc5

Download Submit
memory/1260-76-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/2980-97-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download