Overview

overview

7

Static

static

3

4b5223b206...18.exe

windows7-x64

7

4b5223b206...18.exe

windows10-2004-x64

7

$PLUGINSDI...er.dll

windows7-x64

1

$PLUGINSDI...er.dll

windows10-2004-x64

1

$PLUGINSDI...er.exe

windows7-x64

1

$PLUGINSDI...er.exe

windows10-2004-x64

1

$PLUGINSDI...ar.exe

windows7-x64

1

$PLUGINSDI...ar.exe

windows10-2004-x64

1

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...ne.exe

windows7-x64

7

$PLUGINSDI...ne.exe

windows10-2004-x64

7

AdminWorker.exe

windows7-x64

1

AdminWorker.exe

windows10-2004-x64

1

Uninstall.exe

windows7-x64

7

Uninstall.exe

windows10-2004-x64

7

$PLUGINSDI...er.dll

windows7-x64

1

$PLUGINSDI...er.dll

windows10-2004-x64

1

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

WebInstaller.exe

windows7-x64

6

WebInstaller.exe

windows10-2004-x64

6

WebUpdater.exe

windows7-x64

1

WebUpdater.exe

windows10-2004-x64

1

content/iwa-ovr.js

windows7-x64

3

content/iwa-ovr.js

windows10-2004-x64

3

content/iwinarcade.js

windows7-x64

3

content/iwinarcade.js

windows10-2004-x64

3

content/un...l.html

windows7-x64

1

content/un...l.html

windows10-2004-x64

1

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    15/07/2024, 20:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Uninstall.exe

  • Size

    129KB

  • MD5

    49c9d6cadd02bfff54851d0b0cafd557

  • SHA1

    9bb1dbff1ff7fcf171610133354ffeab1f522d82

  • SHA256

    c7550a63d4547fb15d9eb84b10bd7ed68e71e860604da1b7fd3c375ce58f0cbe

  • SHA512

    c982f388f605bbdb784b04078a2e2cce7794867b45cc89359425efa7ab3101ba9410b3867554da0f2ebc62895e8ed0ff6211fb1e0408860962907a49942f76eb

  • SSDEEP

    3072:w+8uyHOQXJoHS4Z5t2Zip6dmDHgG2ojdotyVnwz:w8+/4fQsp6dAT2ojdoIBwz

Score
7/10
persistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" DelArcadeFromFireWallExceptions
        3⤵
          PID:2040
        • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
          "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" convertShortcutsToLinks
          3⤵
            PID:1092
          • C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
            "C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -remove
            3⤵
              PID:1920
            • C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
              "C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe" -uninstall
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2340
              • C:\Windows\SysWOW64\regsvr32.exe
                regsvr32 /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
                4⤵
                  PID:772
              • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
                "C:\Users\Admin\AppData\Local\Temp\iWinGames.exe" /trackArcadeUninstall_reason_0
                3⤵
                • Suspicious use of SetWindowsHookEx
                PID:2704
              • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
                "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" uninstallDesktopAlerts
                3⤵
                  PID:2648
                • C:\Windows\SysWOW64\regsvr32.exe
                  "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
                  3⤵
                    PID:2640
                  • C:\Windows\SysWOW64\regsvr32.exe
                    "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll"
                    3⤵
                      PID:2204
                    • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
                      "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" KillProcess iWinGames.exe
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2892
                • C:\Windows\system32\taskeng.exe
                  taskeng.exe {A0C58C08-2D92-4C6D-A2B9-551879D6BA02} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:736
                  • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
                    C:\Users\Admin\AppData\Local\Temp\iWinGames.exe /trackArcadeUninstall_reason_0
                    2⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:2872

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\iWinGames\AdminWorker.log
                  Filesize

                  4KB

                  MD5

                  e4ff7a8a662ba6151401707eb0c65396

                  SHA1

                  05b30ca99eafc9ddfcbc073c10589f40d3b9eba0

                  SHA256

                  159b8848d81f649ba5e715a0805567b9ac0a4b2ffdce0c3559406eecc332fb76

                  SHA512

                  5f5bebefc547ea5de9a172b41ded950be8a079113178fcbe4dc20dab68e95f2ed7bc5c27d157aa0f3eb481aab7fc98cddf308c39bde6f87fe04a8d73a7483a0c

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\nstD71E.tmp\GameuxInstallHelper.dll
                  Filesize

                  94KB

                  MD5

                  4d3ac88054df63fc810427bdaa96c458

                  SHA1

                  e4d554e03ba91f6b53a2a80253b339f56e303c94

                  SHA256

                  b07ffcd0af80f6b9fba09abe816ba2f0ff0d336639f1768fc317291bc635ece6

                  SHA512

                  d4732ad89bbb19b316dff1b9c534acf98bb985c89d1295f08e24b21531123426500b3712979dda2f0e941a5969c0cbca15bbd52f6c167653f96a494a6677ca54

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\nstD71E.tmp\System.dll
                  Filesize

                  11KB

                  MD5

                  c17103ae9072a06da581dec998343fc1

                  SHA1

                  b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

                  SHA256

                  dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

                  SHA512

                  d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
                  Filesize

                  129KB

                  MD5

                  49c9d6cadd02bfff54851d0b0cafd557

                  SHA1

                  9bb1dbff1ff7fcf171610133354ffeab1f522d82

                  SHA256

                  c7550a63d4547fb15d9eb84b10bd7ed68e71e860604da1b7fd3c375ce58f0cbe

                  SHA512

                  c982f388f605bbdb784b04078a2e2cce7794867b45cc89359425efa7ab3101ba9410b3867554da0f2ebc62895e8ed0ff6211fb1e0408860962907a49942f76eb

                  Download Submit

                • memory/2204-12-0x0000000074C30000-0x0000000074D2A000-memory.dmp

                  Filesize

                  1000KB

                  Download