Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-08-2024 01:39

General

  • Target

    Uninstall.exe

  • Size

    129KB

  • MD5

    49c9d6cadd02bfff54851d0b0cafd557

  • SHA1

    9bb1dbff1ff7fcf171610133354ffeab1f522d82

  • SHA256

    c7550a63d4547fb15d9eb84b10bd7ed68e71e860604da1b7fd3c375ce58f0cbe

  • SHA512

    c982f388f605bbdb784b04078a2e2cce7794867b45cc89359425efa7ab3101ba9410b3867554da0f2ebc62895e8ed0ff6211fb1e0408860962907a49942f76eb

  • SSDEEP

    3072:w+8uyHOQXJoHS4Z5t2Zip6dmDHgG2ojdotyVnwz:w8+/4fQsp6dAT2ojdoIBwz

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs

    The dropped ~nsu.tmp\Au_.exe carries the same MD5, SHA1 and SHA256 as the submitted Uninstall.exe (compare the Downloads entry with the General section): an NSIS uninstaller copies itself to %TEMP%\~nsu.tmp\Au_.exe and runs that copy with _?=<directory to uninstall from> so that the original Uninstall.exe can be removed while the uninstall runs. The "Deletes itself" and "Executes dropped EXE" hits are therefore this stock NSIS behaviour rather than evidence of malice on their own; in this run the _?= argument points at the Temp directory the sample was launched from, not at a program directory. The nsj35C.tmp\System.dll listed under Downloads is the NSIS System plugin that the stub extracts at run time.
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • NSIS installer 2 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" DelArcadeFromFireWallExceptions
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2968
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" convertShortcutsToLinks
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2820
      • C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
        "C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -remove
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2768
      • C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
        "C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe" -uninstall
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2912
      • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
        "C:\Users\Admin\AppData\Local\Temp\iWinGames.exe" /trackArcadeUninstall_reason_0
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2884
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" uninstallDesktopAlerts
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3064
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1660
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1780
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" KillProcess iWinGames.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:280
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {9FAC820A-E69E-4B5F-AE56-66B86DD6CDC1} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2804
    • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
      C:\Users\Admin\AppData\Local\Temp\iWinGames.exe /trackArcadeUninstall_reason_0
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2604
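The process tree above is easier to reason about once the recurring patterns are pulled out mechanically: the NSIS self-copy with its _?= target, regsvr32 /u unregistering DLLs that live under a user-writable Temp path, and the second iWinGames.exe launch that arrives through taskeng.exe (the Windows 7 Task Scheduler engine) rather than from the uninstaller. The script below is an added triage example, not code from the sandbox or from the iWin software. The process records are constructed from the tree printed above; parent PIDs are inferred from the nesting because the report does not print them, and the helper names (nsis_uninstall_target, nsis_self_copies, unregistered_user_dlls, task_scheduler_children) are this example's own.

```python
"""Triage helpers for the sandbox process tree above (added example, hypothetical helpers)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # inferred from the tree nesting in the report
    image: str
    cmdline: str


T = r"C:\Users\Admin\AppData\Local\Temp"   # directory the sample ran from
W = r"C:\Windows\SysWOW64"                  # the 32-bit regsvr32 on this x64 host

# Constructed from the report's process tree; taskeng.exe is a separate root.
TREE: List[Proc] = [
    Proc(1544, None, rf"{T}\Uninstall.exe", rf'"{T}\Uninstall.exe"'),
    # NSIS uninstall stub: copy of itself under ~nsu.tmp, told via _?= which directory to work on.
    Proc(2744, 1544, rf"{T}\~nsu.tmp\Au_.exe", rf'"{T}\~nsu.tmp\Au_.exe" _?={T}' + "\\"),
    Proc(2968, 2744, rf"{T}\AdminWorker.exe", rf'"{T}\AdminWorker.exe" DelArcadeFromFireWallExceptions'),
    Proc(2820, 2744, rf"{T}\AdminWorker.exe", rf'"{T}\AdminWorker.exe" convertShortcutsToLinks'),
    Proc(2768, 2744, rf"{T}\iWinTrusted.exe", rf'"{T}\iWinTrusted.exe" -remove'),
    Proc(2584, 2744, rf"{T}\WebInstaller.exe", rf'"{T}\WebInstaller.exe" -uninstall'),
    Proc(2912, 2584, rf"{W}\regsvr32.exe", rf'regsvr32 /s /u "{T}\iWinGamesHookIE.dll"'),
    Proc(2884, 2744, rf"{T}\iWinGames.exe", rf'"{T}\iWinGames.exe" /trackArcadeUninstall_reason_0'),
    Proc(3064, 2744, rf"{T}\AdminWorker.exe", rf'"{T}\AdminWorker.exe" uninstallDesktopAlerts'),
    Proc(1660, 2744, rf"{W}\regsvr32.exe", rf'"C:\Windows\system32\regsvr32.exe" /s /u "{T}\iWinGamesHookIE.dll"'),
    Proc(1780, 2744, rf"{W}\regsvr32.exe", rf'"C:\Windows\system32\regsvr32.exe" /s /u "{T}\iWinInfo.dll"'),
    Proc(280, 2744, rf"{T}\AdminWorker.exe", rf'"{T}\AdminWorker.exe" KillProcess iWinGames.exe'),
    Proc(2804, None, r"C:\Windows\system32\taskeng.exe",
         r"taskeng.exe {9FAC820A-E69E-4B5F-AE56-66B86DD6CDC1} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]"),
    Proc(2604, 2804, rf"{T}\iWinGames.exe", rf"{T}\iWinGames.exe /trackArcadeUninstall_reason_0"),
]

# SHA256 values copied from the report: the dropped Au_.exe is byte-identical to the target.
_SHA = "c7550a63d4547fb15d9eb84b10bd7ed68e71e860604da1b7fd3c375ce58f0cbe"
SHA256: Dict[str, str] = {rf"{T}\Uninstall.exe": _SHA, rf"{T}\~nsu.tmp\Au_.exe": _SHA}


def by_pid(tree: List[Proc], pid: int) -> Proc:
    return next(p for p in tree if p.pid == pid)


def children(tree: List[Proc], pid: int) -> List[int]:
    return [p.pid for p in tree if p.ppid == pid]


def nsis_uninstall_target(cmdline: str) -> Optional[str]:
    """Directory an NSIS uninstall stub was told to operate on via _?=<dir>, or None."""
    m = re.search(r"_\?=(\S.*?)\s*$", cmdline)
    return m.group(1) if m else None


def nsis_self_copies(tree: List[Proc], sha256: Dict[str, str]) -> List[int]:
    """PIDs of Au_.exe copies under ~nsu.tmp whose SHA256 equals their parent's image."""
    out = []
    for p in tree:
        if p.ppid is None or not p.image.lower().endswith(r"\~nsu.tmp\au_.exe"):
            continue
        parent = by_pid(tree, p.ppid)
        if sha256.get(p.image) and sha256.get(p.image) == sha256.get(parent.image):
            out.append(p.pid)
    return out


def unregistered_user_dlls(tree: List[Proc]) -> List[Tuple[int, str]]:
    """(pid, dll) for every regsvr32 /u whose DLL lives under a user-writable C:\\Users path."""
    out = []
    for p in tree:
        if not p.image.lower().endswith(r"\regsvr32.exe"):
            continue
        if not re.search(r"(?i)(?:^|\s)/u(?:\s|$)", p.cmdline):
            continue
        m = re.search(r'"([^"]+\.dll)"', p.cmdline, re.I)
        if m and m.group(1).lower().startswith("c:\\users\\"):
            out.append((p.pid, m.group(1)))
    return out


def task_scheduler_children(tree: List[Proc]) -> List[int]:
    """PIDs started by taskeng.exe, i.e. launched through a scheduled task, not by the uninstaller."""
    engines = {p.pid for p in tree if p.image.lower().endswith(r"\taskeng.exe")}
    return [p.pid for p in tree if p.ppid in engines]


def summarize(tree: List[Proc], sha256: Dict[str, str]) -> dict:
    target = next((nsis_uninstall_target(p.cmdline) for p in tree if "_?=" in p.cmdline), None)
    return {
        "nsis_target_dir": target,
        "nsis_self_copies": nsis_self_copies(tree, sha256),
        "regsvr32_unregister_user_dlls": unregistered_user_dlls(tree),
        "scheduled_task_children": task_scheduler_children(tree),
    }


if __name__ == "__main__":
    for key, value in summarize(TREE, SHA256).items():
        print(f"{key}: {value}")
```

Run as-is it reports the _?= target (the Temp directory, not a program directory), PID 2744 as a hash-identical NSIS self-copy, the three regsvr32 /u unregistrations of DLLs under Temp (PIDs 2912, 1660, 1780), and PID 2604 as the iWinGames.exe instance that a scheduled task started. Only the self-copy and scheduled-task checks carry real weight; the regsvr32 hits are what an uninstaller cleaning up its own COM registrations looks like, and the same code would flag them identically in a benign run, so treat them as context for the "Modifies registry class" count rather than as a verdict.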

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\iWinGames\AdminWorker.log

    Filesize

    4KB

    MD5

    69d6f4f1c0e8d878d5e8bfb4f25685f8

    SHA1

    ae7a5e960a5eae9b672a7a436bb576ff591f82fa

    SHA256

    224cb1c214e5cb583acdaa88fadd6a5db626cd61fe9b376609c0994c4d8953bf

    SHA512

    d76bfb0170dad29b9e0d2fd13b1ad7b6d1716af55e2417065c4877a1bfcda79866e771d08528e048dd7ff9c5b5117b181c338dec441c4c774c587872a89be4e8

  • \Users\Admin\AppData\Local\Temp\nsj35C.tmp\GameuxInstallHelper.dll

    Filesize

    94KB

    MD5

    4d3ac88054df63fc810427bdaa96c458

    SHA1

    e4d554e03ba91f6b53a2a80253b339f56e303c94

    SHA256

    b07ffcd0af80f6b9fba09abe816ba2f0ff0d336639f1768fc317291bc635ece6

    SHA512

    d4732ad89bbb19b316dff1b9c534acf98bb985c89d1295f08e24b21531123426500b3712979dda2f0e941a5969c0cbca15bbd52f6c167653f96a494a6677ca54

  • \Users\Admin\AppData\Local\Temp\nsj35C.tmp\System.dll

    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

    Filesize

    129KB

    MD5

    49c9d6cadd02bfff54851d0b0cafd557

    SHA1

    9bb1dbff1ff7fcf171610133354ffeab1f522d82

    SHA256

    c7550a63d4547fb15d9eb84b10bd7ed68e71e860604da1b7fd3c375ce58f0cbe

    SHA512

    c982f388f605bbdb784b04078a2e2cce7794867b45cc89359425efa7ab3101ba9410b3867554da0f2ebc62895e8ed0ff6211fb1e0408860962907a49942f76eb