d08d2cca65e2db0ce264dc275cfddf7cad218ca7d1362aa163c8d6791108bdb0

Analysis

max time kernel
138s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 15:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Bitdefender_2023_Uninstall_Tool.exe
Size

41.1MB
MD5

0e6a24ca1488b3b9d8ad9c413dd0818c
SHA1

80b565e46ce7f58ea0c98c763554b3e42fcfd651
SHA256

d08d2cca65e2db0ce264dc275cfddf7cad218ca7d1362aa163c8d6791108bdb0
SHA512

2f7596038d3fbdc5f0f00baf169aa48e6a768cbd8ac5c71df08654dec0cc2b5c93d0057f32ddbddf3c012c014b831f15f695eb9bb49649e061d873b3172c4374
SSDEEP

786432:NWWMacFK8eYf75ncbEL4QkbeoAjvpi6JflnZOMSMzaX2wjgAYNOkh1X:TgkXYz5cby49byzpi0fjeX29lNOc

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Bitdefender_2023_Uninstall_Tool.exe

Executes dropped EXE 4 IoCs

pid	Process
2060	UninstallTool.exe
4652	ucrt_x64.exe
2392	ut_x64.exe
4320	installer.exe

Loads dropped DLL 11 IoCs

pid	Process
4320	installer.exe
4320	installer.exe
4320	installer.exe
4320	installer.exe
4320	installer.exe
4320	installer.exe
4320	installer.exe
4320	installer.exe
4320	installer.exe
4320	installer.exe
4320	installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bitdefender_2023_Uninstall_Tool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UninstallTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ucrt_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ut_x64.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2060	UninstallTool.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 2060	1584	Bitdefender_2023_Uninstall_Tool.exe	87
PID 1584 wrote to memory of 2060	1584	Bitdefender_2023_Uninstall_Tool.exe	87
PID 1584 wrote to memory of 2060	1584	Bitdefender_2023_Uninstall_Tool.exe	87
PID 2060 wrote to memory of 4652	2060	UninstallTool.exe	91
PID 2060 wrote to memory of 4652	2060	UninstallTool.exe	91
PID 2060 wrote to memory of 4652	2060	UninstallTool.exe	91
PID 2060 wrote to memory of 2392	2060	UninstallTool.exe	94
PID 2060 wrote to memory of 2392	2060	UninstallTool.exe	94
PID 2060 wrote to memory of 2392	2060	UninstallTool.exe	94
PID 2060 wrote to memory of 4320	2060	UninstallTool.exe	96
PID 2060 wrote to memory of 4320	2060	UninstallTool.exe	96

C:\Users\Admin\AppData\Local\Temp\Bitdefender_2023_Uninstall_Tool.exe
"C:\Users\Admin\AppData\Local\Temp\Bitdefender_2023_Uninstall_Tool.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\UninstallTool.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\UninstallTool.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\{A4ABF5E0-F369-4C43-BD48-5380666C982B}\ucrt_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\UninstallTool.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4652
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\{A4ABF5E0-F369-4C43-BD48-5380666C982B}\ut_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\UninstallTool.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2392
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\{A4ABF5E0-F369-4C43-BD48-5380666C982B}\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\UninstallTool.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\UninstallTool.exe

Filesize
567KB

MD5
bebb432c663a58d89aa5a781fb424b1f

SHA1
d64318995392a7afb3010d16e28badda74ddfceb

SHA256
60025f3f50b09c983ee3461f9f0eef0e9beee28a10cc1ac9b99d9def3f99b183

SHA512
68d1aac2f812494bbe89d53d4e3dc5dd72724ead7d4b856e91a2914c9d7f29906dcbd07dd1e73d943c03c1b880609c42230d921947aca9547a546594bff16989

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ucrt_x64.exe

Filesize
6.0MB

MD5
da35912f5deb007de21c2c9d68e16a57

SHA1
ca4fd7e8e3e29eda9951e0690f3670eb7f71407a

SHA256
dbb601c9dcc8cf024f8268f1d2f985f071c6442e452a8dd89aece6a0b74d8f1e

SHA512
7df71660bda07db52f894436f1e80a359c7e7e0bcd6d43edcccdb8a40bf6688d1edede7784d3b5c1f59fdc54b552b1d039e241200fbd0bb7dcac297a2f2e508c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ut_x64.exe

Filesize
7.9MB

MD5
e85c239e2641b44ae054d0e8ef14105d

SHA1
773a23412b05ba7dc1c548577ab2e0df8c032b13

SHA256
300851bc98196a797a3839690bf00385ac34afc745396dc2f546fb8cd22ceeb2

SHA512
eb9f67bf9dc04762e83f5eaad799bf906666d8e5620d24eab9f2ee52abc79593fba38eed0f9cf5e89198737f021c807b0477599a4ad625ded117698c6a169b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\{A4ABF5E0-F369-4C43-BD48-5380666C982B}\additional.dll

Filesize
699KB

MD5
a8a05c993c2fdee3009397458c31abe4

SHA1
707c67136e5f9a1ad5476c43ec5eb204610d3f71

SHA256
bdf20eea5933a2a583e55bfd8178e7e4457e5a003db8f5ca48573d93bee88f36

SHA512
8bf66014c09fcc689083e078d67aa3274aa5402fac8a1f03fb21f4360ba85f96cb17bc1b263df4031513908115510a8ad66ec5c6f36476e7f440e0e419b4c87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\{A4ABF5E0-F369-4C43-BD48-5380666C982B}\installer.exe

Filesize
821KB

MD5
05c3bbcdc89c07efd329fb60c3033b21

SHA1
96f905654f92577d65a26ad183f70914b3a5e1df

SHA256
5ffa0c7ef8501c49f33da6b0dc173de83e007501402d64473c41bb60d9abefba

SHA512
e65fefa2b1179c1bcc232e9e7fee78bff8ab68efd31ae43b4ad443ce971d64667ef0e943aa7e5a83f9d84dccfd83ec38a8ad35c916b2892af7b0cfbcab4e9e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\{A4ABF5E0-F369-4C43-BD48-5380666C982B}\lang\en-us.dll

Filesize
22KB

MD5
c16989247c8faefe3a8c8c715d2e13fd

SHA1
59fbf93fa3f16ae5cbdaac9a8227013e9bc2b7fe

SHA256
461a8f68c2cacc0d8bc1235fdbd4db73bec09c0a3706c932d00e60286f8565bc

SHA512
ab2e98ac6fef0c35bd1cb506de130ca0b62b0ed99c9e5a02f6c8c22d8f68a256f36317ec1902f170a6d2dfec57b95292e86e12ce78650818af5ce5c0c43f29bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\{A4ABF5E0-F369-4C43-BD48-5380666C982B}\lang\ltr\resources.dll

Filesize
210KB

MD5
86daac1bad237f4641dc48b82dcc4792

SHA1
e76725967523cf7e019961f4075048c16ce6426f

SHA256
85f77cee949d9965698fd1f21803ba73cab3de200886f150100bf775923c6249

SHA512
8c5864daa286a1eed3a72801d990a42a475cdc77d0d2ac1cb8e0167653479b48348961345832f3b48425617b2bfc18dd7ab8caea9edb79749d1065cf0382fd6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\{A4ABF5E0-F369-4C43-BD48-5380666C982B}\msvcp140.dll

Filesize
566KB

MD5
a62a22c33ed01a2cf362d3890ffa70e1

SHA1
ea3f55d92cdcb788876d689d394ec3225b1d222c

SHA256
003da4807acdc912e67edba49be574daa5238bb7acff871d8666d16f8072ff89

SHA512
7da909a6c5dc26631fec8a382d5cb677d3aabf5b5c4e98b545c120685f879adcef8cc98e7bf74d37f7fc24b0f18999780d70aa28061f50adf6b28f19ce06930a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\{A4ABF5E0-F369-4C43-BD48-5380666C982B}\sciter.dll

Filesize
5.6MB

MD5
797f32a4dfb54f4fbf0d9224542494c0

SHA1
404b21111ad08512fddf6afd0086228d4b68ba53

SHA256
38fc87fbfea821280ecfc127d52b22a7eacb995fd2bc53b5ccc46b88fa0d49fc

SHA512
ce52a0d2b64ec44e221f2c800c9d03b457b9250e9f1b8d750330cdc11eb09a6175f5e6df8d891e109f24acbe36e5596be1804e4cf34da5a998493ec21df690bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\{A4ABF5E0-F369-4C43-BD48-5380666C982B}\vcruntime140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\{A4ABF5E0-F369-4C43-BD48-5380666C982B}\vcruntime140_1.dll

Filesize
48KB

MD5
7e668ab8a78bd0118b94978d154c85bc

SHA1
dbac42a02a8d50639805174afd21d45f3c56e3a0

SHA256
e4b533a94e02c574780e4b333fcf0889f65ed00d39e32c0fbbda2116f185873f

SHA512
72bb41db17256141b06e2eaeb8fc65ad4abdb65e4b5f604c82b9e7e7f60050734137d602e0f853f1a38201515655b6982f2761ee0fa77c531aa58591c95f0032

Download Submit