4e7982c1a982141773e2a47f43d0212c6e966457a4f96f7d05f5476d3e18a9af

Resubmissions

30-10-2024 19:47

241030-yhpxpszgrm 7

30-10-2024 19:45

241030-ygfyeaypby 7

Analysis

max time kernel
437s
max time network
489s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30-10-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/uninstall.exe
Size

8.2MB
MD5

dc81c01374e9543469920d763402b10a
SHA1

535e9355a31bd2a06381e67ff24f52953071478a
SHA256

87801f6c52b6660a9f1cb8a832a5bbad75f7d086e3c141f547eafd633bd7cb76
SHA512

c37cc90e8b1319b5edb0a55f8462f664fa138d80938053b521d0cd713e04f137244b14d03063a2da9e4e3fdd6c4f8e5a219dc36752eb5caf190b5ef2a6204611
SSDEEP

196608:JD18/QDptRqcnqnJ1CcWpxriRRpO/fg/OfPTsxnoygd5:Jh8/EtRqcqnJ8WRRp8g/oTXygX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2592	uninstall.exe

Loads dropped DLL 6 IoCs

pid	Process
3420	uninstall.exe
3420	uninstall.exe
3420	uninstall.exe
3420	uninstall.exe
3420	uninstall.exe
3420	uninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninstall.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3420	uninstall.exe
3420	uninstall.exe
3420	uninstall.exe
3420	uninstall.exe
3420	uninstall.exe
3420	uninstall.exe
3420	uninstall.exe
3420	uninstall.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	uninstall.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3420	uninstall.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 2592	3420	uninstall.exe	80
PID 3420 wrote to memory of 2592	3420	uninstall.exe	80
PID 3420 wrote to memory of 2592	3420	uninstall.exe	80

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Admin\AppData\Local\Temp\uninstall.exe
  "C:\Users\Admin\AppData\Local\Temp\uninstall.exe" "av:1.0.1" "gv:1.0.1.3" "gs:Official-com" "gi:UA-85655135-28" "an:DroidKit" "c:iMobie"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsx8C72.tmp\GoogleTracingLib.dll

Filesize
46KB

MD5
3a914fc853188765010b73ff99834383

SHA1
374b9c4bcc852e42e85aab7b142ecdd80f0c40a1

SHA256
5b8cadf540dd47d19b1020bf5c0aca1b6d14d9d875b0a5794b432401c60ee5c7

SHA512
1e1a26dcb480cae7dc0fb89c0e8b560206b23b85a6f56458e2019af9c67ca9f942e2c75e78052e4e0eebcfff5e7a3c5eafb5538ba776c0a40b39cafee0bce0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx8C72.tmp\SkinBtn.dll

Filesize
15KB

MD5
0325c49a03baf13592272fec2b36968e

SHA1
ab10d9f3b420d7192ce6e3ceb953d94b669bdded

SHA256
72ddf9ec65f49d38ed181b4e73e095524d9c83118e6d7ae705227c7351300b95

SHA512
9009b5ebd7c45ecf9aa967aeddaf6b7695581ee8e212432eeaefd0777df3fbff41842975e0d09774f01b3b994500299042a004efc030162576cca925bdc0f43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx8C72.tmp\System.dll

Filesize
22KB

MD5
86a488bf743dfab80ff142713adb5d48

SHA1
02e4b39f2fa40cd4edcc42cb524dc3ce911bfdac

SHA256
3924b57f8993a880d53e1e4e18eb6ba9b5dc610cbb00345c954c7e8a9078c309

SHA512
0ed09bcddd5bd13a91e7b99b78e37a01a36d62a29ad74acaacbe0da6446c8523e83ed2c089d2847e4d1ba467da93e2fd2de104feb51bcda445511b334bf932c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx8C72.tmp\nsProcess.dll

Filesize
15KB

MD5
8205bee74d498724aa5508e93c6d21f8

SHA1
2564cc3032e59d538826596a88d80c3d022ef595

SHA256
382aad28fa439b18d3d41a4652201c1d1542d73ff756a738c4cee6b75ebeca8f

SHA512
67c1e7fcfbc03565ddcd0cde4a91104231b30e0e3edbfe338ba5da76085fe849ea2dea199554dd3b25b90ab9722c30fd22399932463ef4a95e6000fcb5ef3ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx8C72.tmp\un.exe

Filesize
7.4MB

MD5
be3bb1b8ec4f4dff02c1e7af5410ea2d

SHA1
5bc2a48ed40407018139e897a47df1d65ffe37e8

SHA256
d7d45e9e1db7e196bdfa365e6a17c6cf5ad356207e140e63358cd8272981336c

SHA512
0bffaa33eba62af045b2fc788fb2268eea2805dc86c68c4f4d2dd62589fe74140d56f7497f083332e4c67086f3e6fc835dc3848696472e307ea7b4a534a61859

Download Submit
memory/2592-84-0x0000000005E50000-0x0000000005EB6000-memory.dmp

Filesize
408KB

Download
memory/2592-88-0x0000000007420000-0x0000000007777000-memory.dmp

Filesize
3.3MB

Download
memory/2592-83-0x00000000723A0000-0x0000000072B51000-memory.dmp

Filesize
7.7MB

Download
memory/2592-81-0x00000000723AE000-0x00000000723AF000-memory.dmp

Filesize
4KB

Download
memory/2592-85-0x00000000723A0000-0x0000000072B51000-memory.dmp

Filesize
7.7MB

Download
memory/2592-86-0x0000000006DB0000-0x0000000006E0A000-memory.dmp

Filesize
360KB

Download
memory/2592-87-0x0000000006E30000-0x0000000006E50000-memory.dmp

Filesize
128KB

Download
memory/2592-82-0x0000000000BD0000-0x0000000001346000-memory.dmp

Filesize
7.5MB

Download
memory/2592-89-0x0000000007A60000-0x0000000007A68000-memory.dmp

Filesize
32KB

Download
memory/2592-90-0x0000000007050000-0x0000000007058000-memory.dmp

Filesize
32KB

Download
memory/2592-92-0x0000000007010000-0x000000000701E000-memory.dmp

Filesize
56KB

Download
memory/2592-91-0x000000000A1B0000-0x000000000A1E8000-memory.dmp

Filesize
224KB

Download
memory/2592-93-0x00000000723AE000-0x00000000723AF000-memory.dmp

Filesize
4KB

Download
memory/2592-94-0x00000000723A0000-0x0000000072B51000-memory.dmp

Filesize
7.7MB

Download