Overview

overview

7

Static

static

3

f529d7434c...18.exe

windows7-x64

7

f529d7434c...18.exe

windows10-2004-x64

7

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...er.exe

windows7-x64

3

$PLUGINSDI...er.exe

windows10-2004-x64

3

$PLUGINSDI...ar.exe

windows7-x64

3

$PLUGINSDI...ar.exe

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...ne.exe

windows7-x64

7

$PLUGINSDI...ne.exe

windows10-2004-x64

7

AdminWorker.exe

windows7-x64

3

AdminWorker.exe

windows10-2004-x64

3

Uninstall.exe

windows7-x64

7

Uninstall.exe

windows10-2004-x64

7

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

WebInstaller.exe

windows7-x64

6

WebInstaller.exe

windows10-2004-x64

6

WebUpdater.exe

windows7-x64

3

WebUpdater.exe

windows10-2004-x64

3

content/iwa-ovr.js

windows7-x64

3

content/iwa-ovr.js

windows10-2004-x64

3

content/iwinarcade.js

windows7-x64

3

content/iwinarcade.js

windows10-2004-x64

3

content/un...l.html

windows7-x64

3

content/un...l.html

windows10-2004-x64

3

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/09/2024, 04:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Uninstall.exe

  • Size

    129KB

  • MD5

    49c9d6cadd02bfff54851d0b0cafd557

  • SHA1

    9bb1dbff1ff7fcf171610133354ffeab1f522d82

  • SHA256

    c7550a63d4547fb15d9eb84b10bd7ed68e71e860604da1b7fd3c375ce58f0cbe

  • SHA512

    c982f388f605bbdb784b04078a2e2cce7794867b45cc89359425efa7ab3101ba9410b3867554da0f2ebc62895e8ed0ff6211fb1e0408860962907a49942f76eb

  • SSDEEP

    3072:w+8uyHOQXJoHS4Z5t2Zip6dmDHgG2ojdotyVnwz:w8+/4fQsp6dAT2ojdoIBwz

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" DelArcadeFromFireWallExceptions
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2836
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" convertShortcutsToLinks
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1952
      • C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
        "C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -remove
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2120
      • C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
        "C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe" -uninstall
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2984
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3012
      • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
        "C:\Users\Admin\AppData\Local\Temp\iWinGames.exe" /trackArcadeUninstall_reason_0
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2676
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" uninstallDesktopAlerts
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2644
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2452
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2712
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" KillProcess iWinGames.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2660
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {9226E14A-D2E8-4C19-A066-A99782A80D97} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
      C:\Users\Admin\AppData\Local\Temp\iWinGames.exe /trackArcadeUninstall_reason_0
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\iWinGames\AdminWorker.log
    Filesize

    4KB

    MD5

    14731a22860c4c55c77bb79af4ad415d

    SHA1

    775f41ef6faa8122e900fb189158cc7ac7d28549

    SHA256

    dd0cf133acc430187f22b6e8880907b4d86babd5b62ca720f02912038889ed0a

    SHA512

    6d70672c3d0c71bfe30775167ee5a4ee7885fcd1b75c19f3faab34c9c43eb40d4d3bee13caab297f3a3f674ef7c4873097cfa606cf4b3092ba8c8530ea9025d8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nstF596.tmp\GameuxInstallHelper.dll
    Filesize

    94KB

    MD5

    4d3ac88054df63fc810427bdaa96c458

    SHA1

    e4d554e03ba91f6b53a2a80253b339f56e303c94

    SHA256

    b07ffcd0af80f6b9fba09abe816ba2f0ff0d336639f1768fc317291bc635ece6

    SHA512

    d4732ad89bbb19b316dff1b9c534acf98bb985c89d1295f08e24b21531123426500b3712979dda2f0e941a5969c0cbca15bbd52f6c167653f96a494a6677ca54

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nstF596.tmp\System.dll
    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    Filesize

    129KB

    MD5

    49c9d6cadd02bfff54851d0b0cafd557

    SHA1

    9bb1dbff1ff7fcf171610133354ffeab1f522d82

    SHA256

    c7550a63d4547fb15d9eb84b10bd7ed68e71e860604da1b7fd3c375ce58f0cbe

    SHA512

    c982f388f605bbdb784b04078a2e2cce7794867b45cc89359425efa7ab3101ba9410b3867554da0f2ebc62895e8ed0ff6211fb1e0408860962907a49942f76eb

    Download Submit

  • memory/2712-12-0x00000000745E0000-0x00000000746DA000-memory.dmp

    Filesize

    1000KB

    Download