3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c

General

Target

3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe
Size

4.5MB
MD5

0ea605a1d37f58fd69b564d3468acadd
SHA1

a505d7edc719afb52863775c88beef51b338c129
SHA256

3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c
SHA512

3f5b030379348759917c316c2ffb4f9d971ea6767bc903fb7ac6516dadfac680be8b009e817bb978fdfaf5baf545bec19dd8938573bc4c38458ffdb7b0731c56
SSDEEP

98304:CuWRw5bLGZWJ1GWk0y5rmhpJai8vhARFXM4jy+b+B5231DXqpYdVLEQ:CK5+35rQai8vhqFNyXB5OiUV4Q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2764	UninstallTool.exe
2860	UninstallTool_x64.dat
2872	UninstallToolHelper.exe
1112	Process not Found

Loads dropped DLL 5 IoCs

pid	Process
2688	3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe
2688	3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe
2688	3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe
2688	3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe
2764	UninstallTool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	UninstallTool_x64.dat
File opened for modification	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\ShellUI.MST	UninstallTool_x64.dat

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UninstallTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UninstallToolHelper.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2860	UninstallTool_x64.dat

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	UninstallTool_x64.dat

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2860	UninstallTool_x64.dat
2860	UninstallTool_x64.dat
2860	UninstallTool_x64.dat
2860	UninstallTool_x64.dat
2860	UninstallTool_x64.dat
2860	UninstallTool_x64.dat
2860	UninstallTool_x64.dat
2860	UninstallTool_x64.dat

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2764	2688	3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe	30
PID 2688 wrote to memory of 2764	2688	3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe	30
PID 2688 wrote to memory of 2764	2688	3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe	30
PID 2688 wrote to memory of 2764	2688	3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe	30
PID 2688 wrote to memory of 2764	2688	3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe	30
PID 2688 wrote to memory of 2764	2688	3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe	30
PID 2688 wrote to memory of 2764	2688	3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe	30
PID 2764 wrote to memory of 2860	2764	UninstallTool.exe	31
PID 2764 wrote to memory of 2860	2764	UninstallTool.exe	31
PID 2764 wrote to memory of 2860	2764	UninstallTool.exe	31
PID 2764 wrote to memory of 2860	2764	UninstallTool.exe	31
PID 2860 wrote to memory of 2872	2860	UninstallTool_x64.dat	32
PID 2860 wrote to memory of 2872	2860	UninstallTool_x64.dat	32
PID 2860 wrote to memory of 2872	2860	UninstallTool_x64.dat	32
PID 2860 wrote to memory of 2872	2860	UninstallTool_x64.dat	32
PID 2860 wrote to memory of 2872	2860	UninstallTool_x64.dat	32
PID 2860 wrote to memory of 2872	2860	UninstallTool_x64.dat	32
PID 2860 wrote to memory of 2872	2860	UninstallTool_x64.dat	32

C:\Users\Admin\AppData\Local\Temp\3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe
"C:\Users\Admin\AppData\Local\Temp\3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688
- C:\dptools\Uninstall Tool\UninstallTool.exe
  "C:\dptools\Uninstall Tool\UninstallTool.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\dptools\Uninstall Tool\UninstallTool_x64.dat
    "C:\dptools\Uninstall Tool\UninstallTool_x64.dat"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\dptools\Uninstall Tool\UninstallToolHelper.exe
      UninstallToolHelper.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\dptools\Uninstall Tool\UninstallToolHelper.exe

Filesize
463KB

MD5
d82e0a3786dba17f88929d11d6b00b96

SHA1
098f9b676677dc3a30530ad5254b7fb41e1391d9

SHA256
ba8d7b5662f85aa901fd6bcf86fc5989013577b18c81a91bffc1211fec31d6c8

SHA512
4df64c5f421103fabf156342d41ff2cece82ce6b7015c454ac78680611d4ab64788c7ed50b0505edcd4cc704fdbe3c118370464c476f8047bd0e022ddbc3424d

Download Submit
C:\dptools\Uninstall Tool\languages\Chinese_Simplified.xml

Filesize
35KB

MD5
531bcf591629a57778aa3dd3a1e71fa7

SHA1
17e8108b5d6667cbf95f585c613dbc508128ce5a

SHA256
03581bf9ffa25c6f12a8ac994369f2cc13bd43df5257ead1fb40d45f0ca68753

SHA512
de66a073337c9ce8224217156a3b309824f126c26a9fafd2799b95bd9375b0525295f42e41ccd6690e5454327e4136a96da330aa83cef854513fb52d1da15665

Download Submit
C:\dptools\Uninstall Tool\license.dat

Filesize
27B

MD5
bc665464f458a36775aa32c224bef6dd

SHA1
921c21264eb946818e6a19395a82e830fdcb3542

SHA256
1b660a9444824b2ff536249b879a6d89989e674f7a09b86e8f93d088783167de

SHA512
881531f8cdbb1bf227efa83011c31d3745c4863cdc013db33593af623830f577f476aad7faabf7484a96fe87d668d7e1d4a6bed9368216bc802d40f3a6af0f20

Download Submit
C:\dptools\Uninstall Tool\preferences.xml

Filesize
2KB

MD5
5e23e0a994153cc073670589621b5c54

SHA1
1b15cf670d3fd7a25ad022852d4d6f9ef32a819c

SHA256
6ff62edc8155c641dfa5fb07bd3ce959a6405d24b6aa36179fbf16481fba86a5

SHA512
22da32d7ea7b64192bcde16614b37d25189e7405497f4c8e6fae24b7d10e126f97c4c29fd603808dffaafca67e162e652f3e62a0944772b1967498c58cfaa5c0

Download Submit
\dptools\Uninstall Tool\UninstallTool.exe

Filesize
327KB

MD5
56cfdeea82f27be12d1ad1c9bc737d9b

SHA1
c1d4d0147b680bf9a6f6dba2e8c174039c075744

SHA256
735925446abf2704e4adcafb495c9dd63d03eaf5888a72704e06655df35f35f0

SHA512
2f270042f202c978aaad688c54f383bcabd97a0a32be098229fcb846b079d549aee49940a104d3a0a931b32702743419d1a6e2d6679453bcdf54d787ea797064

Download Submit
\dptools\Uninstall Tool\UninstallTool_x64.dat

Filesize
4.7MB

MD5
4a90019c2a505c3b6688761836be5bc7

SHA1
63113eae62fdf2fbc660e206b4a296c20ee55b4b

SHA256
cd5d53a6e479b914b84841ed6d86103040046f52ac462b1f57614e6e6673b933

SHA512
d48b79f58e19c8c6f8e7068b167f00d5e92492e7d1316513fcd537b23a85fbd215730ddf398d12ad69ab7edf870eb5de84d056d23a3e5a38a6589d0d15d28cf0

Download Submit
memory/2872-62-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2872-65-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing