826aff8ab1c2d827327b767b7a4b9fd1ded77cd2b754763cd85a74cf0fad7da1

Analysis

max time kernel
30s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20240802-es
resource tags

arch:x64arch:x86image:win10v2004-20240802-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
23/09/2024, 04:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/uninstall.exe
Size

8.1MB
MD5

658b86ab0e3b32696afa02c79311faa0
SHA1

de1896bc3a1bb821ac29fb295ca2d6a200eea8aa
SHA256

ea5758a9f08524f81cc2924ce14985c8814fe7bc575e57e350e92219491718c0
SHA512

91e3c109cb9beb43633c815437e8dc605bae4fde0e9cd4a7cc585b4f6942ba0d2c7f9653ad68f67d5301919c07400dd6b3d8143f642b473731800cfb293313bd
SSDEEP

196608:Yp18/QDobE0TSkJzTtpQF6ZBPTS8y5BFwGIR6ip2eyWzi+8LX+1ZxWs:Y78/1EglTvS+S897pgGiNLeZxp

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	uninstall.exe

Executes dropped EXE 1 IoCs

pid	Process
3284	uninstall.exe

Loads dropped DLL 6 IoCs

pid	Process
3172	uninstall.exe
3172	uninstall.exe
3172	uninstall.exe
3172	uninstall.exe
3172	uninstall.exe
3172	uninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninstall.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3172	uninstall.exe
3172	uninstall.exe
3172	uninstall.exe
3172	uninstall.exe
3172	uninstall.exe
3172	uninstall.exe
3172	uninstall.exe
3172	uninstall.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3284	uninstall.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 3284	3172	uninstall.exe	82
PID 3172 wrote to memory of 3284	3172	uninstall.exe	82
PID 3172 wrote to memory of 3284	3172	uninstall.exe	82

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\uninstall.exe
  "C:\Users\Admin\AppData\Local\Temp\uninstall.exe" "av:1.0.1" "gv:1.0.1.2" "gs:Official-es" "gi:UA-85655135-28" "an:DroidKit" "c:iMobie"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsxBF3A.tmp\GoogleTracingLib.dll

Filesize
36KB

MD5
d8fca35ff95fe00a7174177181f8bd13

SHA1
fbafea4d2790dd2c0d022dfb08ded91de7f5265e

SHA256
ad873f1e51e6d033e5507235ec735957256ebeeb0d3f22aa0b57bb4bd0846e4c

SHA512
eb530b10f137cb0cdfdcd2c11fd9f50f774e0ce44e9d2da3e755f6a6df24fe6e7525c27b109e3e68e9d3e49a889937a22f4d9d78703b1055a83b8a58808a58ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxBF3A.tmp\SkinBtn.dll

Filesize
4KB

MD5
29818862640ac659ce520c9c64e63e9e

SHA1
485e1e6cc552fa4f05fb767043b1e7c9eb80be64

SHA256
e96afa894a995a6097a405df76155a7a39962ff6cae7a59d89a25e5a34ab9eeb

SHA512
ebb94eb21e060fb90ec9c86787eada42c7c9e1e7628ea4b16d3c7b414f554a94d5e4f4abe0e4ee30fddf4f904fd3002770a9b967fbd0feeca353e21079777057

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxBF3A.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxBF3A.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxBF3A.tmp\un.exe

Filesize
7.4MB

MD5
839640ba4c87b4a0fbd4d81fc54f8f51

SHA1
0fdf3cf3685de715f8206400a232bf389ce319d6

SHA256
58b8642b2665efde3974c18c2613b6e27dcf31fbb4b048339f93b2019c26d6df

SHA512
14b97fd80c8b58422949b9d8db2660e93c6ee7c41873e8388cc9b62396e791f346346465527088a50a58d6d9a358e21a8652a0934149dd6ed3947841a7e59354

Download Submit
memory/3284-81-0x00000000063A0000-0x00000000063FA000-memory.dmp

Filesize
360KB

Download
memory/3284-83-0x0000000006C30000-0x0000000006F84000-memory.dmp

Filesize
3.3MB

Download
memory/3284-78-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/3284-79-0x00000000053B0000-0x0000000005416000-memory.dmp

Filesize
408KB

Download
memory/3284-80-0x0000000006170000-0x0000000006272000-memory.dmp

Filesize
1.0MB

Download
memory/3284-76-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/3284-82-0x0000000006450000-0x0000000006470000-memory.dmp

Filesize
128KB

Download
memory/3284-77-0x0000000000190000-0x0000000000904000-memory.dmp

Filesize
7.5MB

Download
memory/3284-84-0x0000000009080000-0x0000000009088000-memory.dmp

Filesize
32KB

Download
memory/3284-85-0x0000000009480000-0x00000000094A0000-memory.dmp

Filesize
128KB

Download
memory/3284-86-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/3284-87-0x0000000006660000-0x0000000006668000-memory.dmp

Filesize
32KB

Download
memory/3284-88-0x00000000094E0000-0x0000000009518000-memory.dmp

Filesize
224KB

Download
memory/3284-89-0x00000000065F0000-0x00000000065FE000-memory.dmp

Filesize
56KB

Download
memory/3284-90-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/3284-91-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download