Overview

overview

8

Static

static

3

Voicechang...er.exe

windows11-21h2-x64

8

$PLUGINSDI...Vs.dll

windows11-21h2-x64

3

$PLUGINSDI...ls.dll

windows11-21h2-x64

3

$PLUGINSDI...em.dll

windows11-21h2-x64

3

$PLUGINSDI...up.exe

windows11-21h2-x64

7

$PLUGINSDI...ec.dll

windows11-21h2-x64

3

$PLUGINSDI...ss.dll

windows11-21h2-x64

3

$PLUGINSDIR/setup.exe

windows11-21h2-x64

1

$PLUGINSDI...ll.exe

windows11-21h2-x64

7

$PLUGINSDI...Vs.dll

windows11-21h2-x64

3

$PLUGINSDI...ib.dll

windows11-21h2-x64

3

$PLUGINSDI...ls.dll

windows11-21h2-x64

3

$PLUGINSDI...em.dll

windows11-21h2-x64

3

$PLUGINSDI...ss.dll

windows11-21h2-x64

3

$PLUGINSDI...ry.dll

windows11-21h2-x64

3

$PLUGINSDI...ll.exe

windows11-21h2-x64

1

Analysis

  • max time kernel
    1729s
  • max time network
    1740s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15-06-2024 11:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $PLUGINSDIR/uninstall.exe

  • Size

    2.2MB

  • MD5

    698bb95733b4af192c22b7889c17e32e

  • SHA1

    0139cfdb5b948b47f2a6a6d3ae1c9c081b38ee29

  • SHA256

    f8d91a91e99b225e47485e88860f94785cfed85b779ed0df9396ddecb0308990

  • SHA512

    447bfe51725c8ec4417f25b264e7e3eca19b870cbfeb9628beb92bd5f353009a7a47724c4b8fdd3f650c983f6a34d5dbb2531b46fd1e41fd6b1d870c6f332dbf

  • SSDEEP

    49152:78xUcg/azwhoKTqGVxTfy3SYouB4tADBDwSzujFNr:78xUL/AwhoKTqGnTfy3Sbt2N6jfr

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"vz-Windows\",\"user_id\":\"F11F18F8\",\"events\":[{\"name\":\"Uninstall_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch NSIS App\",\"el\":\"nsis\",\"pv\":\"vz-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.0.0.2\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-EBZY9GBEKR&api_secret=2rMSZ-zBQUyg-p6hRtY1Sw""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:552
      • C:\Windows\SysWOW64\curl.exe
        curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"vz-Windows\",\"user_id\":\"F11F18F8\",\"events\":[{\"name\":\"Uninstall_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch NSIS App\",\"el\":\"nsis\",\"pv\":\"vz-win\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.0.0.2\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-EBZY9GBEKR&api_secret=2rMSZ-zBQUyg-p6hRtY1Sw"
        3⤵
          PID:1832
      • C:\Users\Admin\AppData\Local\Temp\nsn9982.tmp\uninstall.exe
        "C:\Users\Admin\AppData\Local\Temp\nsn9982.tmp\uninstall.exe" ver:1.0.0 gv:1.0.0.2 gs:Official-com lan:en-US
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1264

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsn9982.tmp\CheckProVs.dll
      Filesize

      7KB

      MD5

      62e85098ce43cb3d5c422e49390b7071

      SHA1

      df6722f155ce2a1379eff53a9ad1611ddecbb3bf

      SHA256

      ee7e26894cbf89c93ae4df15bdb12cd9a21f5deacedfa99a01eefe8fa52daec2

      SHA512

      dfe7438c2b46f822e2a810bc355e5226043547608d19d1c70314e4325c06ad9ad63a797905e30d19f5d9a86ee1a6d9c28f525a298731e79dbf6f3d6441179a8e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsn9982.tmp\GoogleTracingLib.dll
      Filesize

      44KB

      MD5

      624a9f37da45b426653a6ae687220138

      SHA1

      1579138df2bca9d24bf1f30ace8ccdc2e79ffce4

      SHA256

      ae29ce5e517fa86fc0dbc67c816cb39d568f5c34c9662654d44bffce2b3f1f7f

      SHA512

      e07a65a204dc253b97c0735f7550bb9b14e3d7ad3d5e7c89cf6dc5753f85e9dad102036c1427a08db27a29c237a886e6c2261162aacdd28e7e188c80f0a3f221

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsn9982.tmp\System.dll
      Filesize

      11KB

      MD5

      ca332bb753b0775d5e806e236ddcec55

      SHA1

      f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

      SHA256

      df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

      SHA512

      2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsn9982.tmp\nsProcess.dll
      Filesize

      4KB

      MD5

      f0438a894f3a7e01a4aae8d1b5dd0289

      SHA1

      b058e3fcfb7b550041da16bf10d8837024c38bf6

      SHA256

      30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

      SHA512

      f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsn9982.tmp\uninstall.exe
      Filesize

      3.2MB

      MD5

      87ddccf3d6174b9e28c85d3832540960

      SHA1

      1725e442eb960947284984b90b6709a8d7537c19

      SHA256

      1cc67d488441417c67e6816e220886f336af2230eff4e2f9af4de5cbc776914f

      SHA512

      ff6fc2e0bbdb2c0c89fb3ccc4d7c1dc2087f3e23a7f36f321b3b8fc8ae9010e393d5da1fb93f05e8ac8d47c30b3fe63c7f0bcce7e34a57050845c7f2540ae4ca

      Download Submit

    • memory/1264-43-0x0000000006260000-0x0000000006268000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1264-45-0x0000000006270000-0x000000000627E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1264-39-0x0000000074280000-0x0000000074A31000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1264-40-0x0000000005B30000-0x0000000005B96000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1264-42-0x0000000074280000-0x0000000074A31000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1264-37-0x000000007428E000-0x000000007428F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1264-44-0x00000000062B0000-0x00000000062E8000-memory.dmp

      Filesize

      224KB

      Download

    • memory/1264-38-0x0000000000480000-0x00000000007BE000-memory.dmp

      Filesize

      3.2MB

      Download

    • memory/1264-46-0x00000000062F0000-0x000000000634A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/1264-47-0x00000000090C0000-0x00000000090E0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1264-48-0x0000000009AE0000-0x0000000009E37000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1264-49-0x0000000009720000-0x0000000009728000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1264-50-0x000000007428E000-0x000000007428F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1264-51-0x0000000074280000-0x0000000074A31000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1264-52-0x0000000074280000-0x0000000074A31000-memory.dmp

      Filesize

      7.7MB

      Download