Overview

overview

7

Static

static

3

725aaf787e...18.exe

windows7-x64

7

725aaf787e...18.exe

windows10-2004-x64

7

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...er.exe

windows7-x64

3

$PLUGINSDI...er.exe

windows10-2004-x64

3

$PLUGINSDI...ar.exe

windows7-x64

3

$PLUGINSDI...ar.exe

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...st.exe

windows7-x64

7

$PLUGINSDI...st.exe

windows10-2004-x64

7

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

AdminWorker.exe

windows7-x64

3

AdminWorker.exe

windows10-2004-x64

3

Uninstall.exe

windows7-x64

7

Uninstall.exe

windows10-2004-x64

7

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

WebInstaller.exe

windows7-x64

6

WebInstaller.exe

windows10-2004-x64

6

WebUpdater.exe

windows7-x64

3

WebUpdater.exe

windows10-2004-x64

3

content/iwa-ovr.js

windows7-x64

3

content/iwa-ovr.js

windows10-2004-x64

3

content/iwinarcade.js

windows7-x64

3

content/iwinarcade.js

windows10-2004-x64

3

firefox/iW...er.exe

windows7-x64

3

firefox/iW...er.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    132s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2024 03:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Uninstall.exe

  • Size

    124KB

  • MD5

    0f98374016e2f3a77034ecf068624e89

  • SHA1

    6c363894525531dfd2135d648cbd18341c0e0c53

  • SHA256

    3958f341474249b0fc1772c46bf4b2a8f6531bea26caceb44ec5c6c7aa1619cb

  • SHA512

    2d6e5e928a23767203c86a01e9cc9bad99e430d57175a71b7743deccd2b665dfa5e88e7614825709b446b107edef74fdb2cc5fcb9377723799b3c0e125459756

  • SSDEEP

    3072:yLk395hYXJTS4Z+H22Zip6dmDHgG2ojdotyeILc:yQqI4ITsp6dAT2ojdoIeILc

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3504
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" DelArcadeFromFireWallExceptions
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1464
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" convertShortcutsToLinks
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1960
      • C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
        "C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -remove
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1932
      • C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
        "C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe" -uninstall
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4268
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2292
      • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
        "C:\Users\Admin\AppData\Local\Temp\iWinGames.exe" /trackArcadeUninstall_reason_0
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3180
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" uninstallDesktopAlerts
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1328
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3752
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2172
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" KillProcess iWinGames.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1104
  • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
    C:\Users\Admin\AppData\Local\Temp\iWinGames.exe /trackArcadeUninstall_reason_0
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:2152
  • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
    C:\Users\Admin\AppData\Local\Temp\iWinGames.exe /trackArcadeUninstall_reason_0
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:1524
  • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
    C:\Users\Admin\AppData\Local\Temp\iWinGames.exe /trackArcadeUninstall_reason_0
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:3380
  • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
    C:\Users\Admin\AppData\Local\Temp\iWinGames.exe /trackArcadeUninstall_reason_0
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:2188
  • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
    C:\Users\Admin\AppData\Local\Temp\iWinGames.exe /trackArcadeUninstall_reason_0
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:4876
  • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
    C:\Users\Admin\AppData\Local\Temp\iWinGames.exe /trackArcadeUninstall_reason_0
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:3176
  • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
    C:\Users\Admin\AppData\Local\Temp\iWinGames.exe /trackArcadeUninstall_reason_0
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:1816

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\iWinGames\iWinGames.log
    Filesize

    525B

    MD5

    3fab6cace3e92ea46392c914505e3099

    SHA1

    6dec01efb1bcb49f537c323f8fa522409dd8596c

    SHA256

    5044b64eaf3b3b3f60cfae8b775b73f207de734a599891109ec5c5c91d830b8a

    SHA512

    8dd789ff23c0d7501a618227360f3e3dd1ef17f4a6c2d46adb61c6fdb6c3116faea11d6acc5576464978b6cda7bc0e51f33999efe3494e4b829cab0c1749b52c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nslADB6.tmp\GameuxInstallHelper.dll
    Filesize

    94KB

    MD5

    4d3ac88054df63fc810427bdaa96c458

    SHA1

    e4d554e03ba91f6b53a2a80253b339f56e303c94

    SHA256

    b07ffcd0af80f6b9fba09abe816ba2f0ff0d336639f1768fc317291bc635ece6

    SHA512

    d4732ad89bbb19b316dff1b9c534acf98bb985c89d1295f08e24b21531123426500b3712979dda2f0e941a5969c0cbca15bbd52f6c167653f96a494a6677ca54

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nslADB6.tmp\System.dll
    Filesize

    11KB

    MD5

    00a0194c20ee912257df53bfe258ee4a

    SHA1

    d7b4e319bc5119024690dc8230b9cc919b1b86b2

    SHA256

    dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

    SHA512

    3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    Filesize

    124KB

    MD5

    0f98374016e2f3a77034ecf068624e89

    SHA1

    6c363894525531dfd2135d648cbd18341c0e0c53

    SHA256

    3958f341474249b0fc1772c46bf4b2a8f6531bea26caceb44ec5c6c7aa1619cb

    SHA512

    2d6e5e928a23767203c86a01e9cc9bad99e430d57175a71b7743deccd2b665dfa5e88e7614825709b446b107edef74fdb2cc5fcb9377723799b3c0e125459756

    Download Submit