35b4e8741b7dbac277c6c0b52921f60a95469c5f5982eeda7b2976a31bbff9e6

Analysis

max time kernel
300s
max time network
300s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
20/09/2024, 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unins000.exe
Size

1.2MB
MD5

834d0bc7abd1b336f905dbfe51f32ed9
SHA1

c51c187de6df4ed9f3b29b2b6e7bf94fe6eee3cb
SHA256

607842155e4f7cfc63448601808a12bd409cc14d6ac588dd31da60e805091828
SHA512

29c7922c4c6b31fdb6b8c327373af1fb3d3920f43782c25deaa4eaefba0a22a79890264b8095cc89d9acb7c7d6e0ef7ca1c2d8e7214db88e1dc4a0b88a95a888
SSDEEP

24576:xOl4OghT53jK9kKMIuQjmOmhCdmG/cAJw92N+86MYCrlOh5x9ES:hpg9m4Yr2NVYCID

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\svchost.exe"	unins000.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	unins000.exe

Executes dropped EXE 1 IoCs

pid	Process
4656	unins000.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.exe	unins000.exe
File opened for modification	C:\Windows\conime.exe	unins000.exe
File created	C:\Windows\svchost.exe	unins000.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unins000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unins000.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
4056	unins000.exe
4056	unins000.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 4656	4056	unins000.exe	78
PID 4056 wrote to memory of 4656	4056	unins000.exe	78
PID 4056 wrote to memory of 4656	4056	unins000.exe	78

C:\Users\Admin\AppData\Local\Temp\unins000.exe
"C:\Users\Admin\AppData\Local\Temp\unins000.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Users\Admin\AppData\Local\Temp\unins000.exe
  "C:\Users\Admin\AppData\Local\Temp\unins000.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\unins000.exe

Filesize
1.2MB

MD5
efa0a9c6b6a8a1937615d8d3226bdff1

SHA1
e94db3d479a09f79b256268cf25f9eea5bac1c56

SHA256
91f6d6ba49f2366a9db1ded89b038b03f249a557e34e8b4217ae344ff2982f9e

SHA512
7f7056b3a92967445478c415efc88fdc9e99153fd3a6596a3c025df65af37ee9a40214bfc5f48e9579352364e9c2808b7247af928eb86a26c8762b8ba38ba92d

Download Submit
C:\Windows\conime.exe

Filesize
35KB

MD5
1c71f2126a5cb4e8cd91959cedc4742b

SHA1
cbc960a8b1acf995e2f34ed3731955e92a8391ad

SHA256
431306bc0031bc9367fb96b67270b53810c8b63fe7a9c9ce1eb06f43031b63c4

SHA512
9eaf12af8d797b5a9facc74d02ee7ec4dd5276406581da95f6a2251e4ffd465df15fb913302dd089496703872561407ccfa45550e535385aafcab20eb58fe6e8

Download Submit
memory/4656-13-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/4656-15-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads