Overview

overview

7

Static

static

3

089e5228da...18.exe

windows7-x64

7

089e5228da...18.exe

windows10-2004-x64

7

$PLUGINSDI...er.dll

windows7-x64

1

$PLUGINSDI...er.dll

windows10-2004-x64

1

$PLUGINSDI...er.exe

windows7-x64

1

$PLUGINSDI...er.exe

windows10-2004-x64

1

$PLUGINSDI...ar.exe

windows7-x64

1

$PLUGINSDI...ar.exe

windows10-2004-x64

1

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...ne.exe

windows7-x64

7

$PLUGINSDI...ne.exe

windows10-2004-x64

7

AdminWorker.exe

windows7-x64

1

AdminWorker.exe

windows10-2004-x64

1

Uninstall.exe

windows7-x64

7

Uninstall.exe

windows10-2004-x64

7

$PLUGINSDI...er.dll

windows7-x64

1

$PLUGINSDI...er.dll

windows10-2004-x64

1

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

WebInstaller.exe

windows7-x64

6

WebInstaller.exe

windows10-2004-x64

6

WebUpdater.exe

windows7-x64

1

WebUpdater.exe

windows10-2004-x64

1

content/iwa-ovr.js

windows7-x64

3

content/iwa-ovr.js

windows10-2004-x64

3

content/iwinarcade.js

windows7-x64

3

content/iwinarcade.js

windows10-2004-x64

3

content/un...l.html

windows7-x64

1

content/un...l.html

windows10-2004-x64

1

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    20/06/2024, 18:23

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Uninstall.exe

  • Size

    129KB

  • MD5

    49c9d6cadd02bfff54851d0b0cafd557

  • SHA1

    9bb1dbff1ff7fcf171610133354ffeab1f522d82

  • SHA256

    c7550a63d4547fb15d9eb84b10bd7ed68e71e860604da1b7fd3c375ce58f0cbe

  • SHA512

    c982f388f605bbdb784b04078a2e2cce7794867b45cc89359425efa7ab3101ba9410b3867554da0f2ebc62895e8ed0ff6211fb1e0408860962907a49942f76eb

  • SSDEEP

    3072:w+8uyHOQXJoHS4Z5t2Zip6dmDHgG2ojdotyVnwz:w8+/4fQsp6dAT2ojdoIBwz

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" DelArcadeFromFireWallExceptions
        3⤵
          PID:2632
        • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
          "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" convertShortcutsToLinks
          3⤵
            PID:2656
          • C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
            "C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -remove
            3⤵
              PID:2764
            • C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
              "C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe" -uninstall
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2572
              • C:\Windows\SysWOW64\regsvr32.exe
                regsvr32 /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
                4⤵
                  PID:2544
              • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
                "C:\Users\Admin\AppData\Local\Temp\iWinGames.exe" /trackArcadeUninstall_reason_0
                3⤵
                • Suspicious use of SetWindowsHookEx
                PID:2548
              • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
                "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" uninstallDesktopAlerts
                3⤵
                  PID:2488
                • C:\Windows\SysWOW64\regsvr32.exe
                  "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
                  3⤵
                    PID:2584
                  • C:\Windows\SysWOW64\regsvr32.exe
                    "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll"
                    3⤵
                      PID:2832
                    • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
                      "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" KillProcess iWinGames.exe
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2468
                • C:\Windows\system32\taskeng.exe
                  taskeng.exe {70768273-4805-428B-BA1F-F65F1E190298} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2532
                  • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
                    C:\Users\Admin\AppData\Local\Temp\iWinGames.exe /trackArcadeUninstall_reason_0
                    2⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:2668

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\iWinGames\AdminWorker.log
                  Filesize

                  4KB

                  MD5

                  234d89c9713f9c7de6889b415fc36ea7

                  SHA1

                  005c31a7943e2dc363dfa9a7422b13601d8c8222

                  SHA256

                  13c38539188c73ca552d0e806dceaa242ab09e943f2bf9240b8e1dcd383620fa

                  SHA512

                  70449df974709121e5659741193b2c1f7fb5317c40e5f4333f537ca1d6b2089be4456b89b19d01bdea892a02ab5ae1da2d95071c5ad5f2ed73fa92ddc18ead80

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\nsd2FC8.tmp\GameuxInstallHelper.dll
                  Filesize

                  94KB

                  MD5

                  4d3ac88054df63fc810427bdaa96c458

                  SHA1

                  e4d554e03ba91f6b53a2a80253b339f56e303c94

                  SHA256

                  b07ffcd0af80f6b9fba09abe816ba2f0ff0d336639f1768fc317291bc635ece6

                  SHA512

                  d4732ad89bbb19b316dff1b9c534acf98bb985c89d1295f08e24b21531123426500b3712979dda2f0e941a5969c0cbca15bbd52f6c167653f96a494a6677ca54

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\nsd2FC8.tmp\System.dll
                  Filesize

                  11KB

                  MD5

                  c17103ae9072a06da581dec998343fc1

                  SHA1

                  b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

                  SHA256

                  dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

                  SHA512

                  d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
                  Filesize

                  129KB

                  MD5

                  49c9d6cadd02bfff54851d0b0cafd557

                  SHA1

                  9bb1dbff1ff7fcf171610133354ffeab1f522d82

                  SHA256

                  c7550a63d4547fb15d9eb84b10bd7ed68e71e860604da1b7fd3c375ce58f0cbe

                  SHA512

                  c982f388f605bbdb784b04078a2e2cce7794867b45cc89359425efa7ab3101ba9410b3867554da0f2ebc62895e8ed0ff6211fb1e0408860962907a49942f76eb

                  Download Submit

                • memory/2832-12-0x0000000074270000-0x000000007436A000-memory.dmp

                  Filesize

                  1000KB

                  Download