b570bb151f66847a7c06f0f8a4630a9982fd4742e3ea85b93807d856929fc457

Analysis

max time kernel
150s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninst.exe
Size

4.5MB
MD5

fa31a70b20d5d1666ddd40cf3305e334
SHA1

530a9bc75d351810f8e4690a7041339ce255bbe0
SHA256

b2d659ecaaa662f6366cbbef01ea76506632a95d169e6d06dca7fd6452608c94
SHA512

5cfe701112133127ac73a302ac9a1ce3f1f6da42d60fffed1007f9931cb47bcd6d0d5557a25faaecf1c692d1f70916cc6c1136619703f9c71c171663377b9fa0
SSDEEP

49152:1z6XIrSYssIOfbCcWYLdNBpQkdmTlrg12d8xfMHFnJgxy5CVB0cEWxPZ/xHdbrsi:1+Pc2Q2d6Ml6xBB0nWxPZDuJWP

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

uninst.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	uninst.exe

Executes dropped EXE 1 IoCs

Processes:

tomemb.exe

pid	Process
1564	tomemb.exe

Loads dropped DLL 1 IoCs

Processes:

tomemb.exe

pid	Process
1564	tomemb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tomemb.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tomemb = "C:\\Users\\Public\\Documents\\tomemb.exe"	tomemb.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	Process
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

tomemb.exe

description	pid	Process	procid_target
PID 1564 set thread context of 3500	1564	tomemb.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tomemb.exesvchost.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tomemb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

uninst.exesvchost.exe

pid	Process
2136	uninst.exe
2136	uninst.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

uninst.exe

description	pid	Process
Token: SeDebugPrivilege	2136	uninst.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

uninst.exesvchost.exe

pid	Process
2136	uninst.exe
3500	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

uninst.exetomemb.exe

description	pid	Process	procid_target
PID 2136 wrote to memory of 792	2136	uninst.exe	10
PID 2136 wrote to memory of 792	2136	uninst.exe	10
PID 2136 wrote to memory of 1564	2136	uninst.exe	92
PID 2136 wrote to memory of 1564	2136	uninst.exe	92
PID 2136 wrote to memory of 1564	2136	uninst.exe	92
PID 1564 wrote to memory of 3500	1564	tomemb.exe	96
PID 1564 wrote to memory of 3500	1564	tomemb.exe	96
PID 1564 wrote to memory of 3500	1564	tomemb.exe	96
PID 1564 wrote to memory of 3500	1564	tomemb.exe	96

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Public\Music\tomemb.exe
  "C:\Users\Public\Music\tomemb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Music\libemb.dll

Filesize
576KB

MD5
1273d6d6be7ef615d07ece772e1db9d1

SHA1
4936d2d7c7d9e44837a341289aecfa785b541aac

SHA256
3a0673e15e7c6b19c989105077e49fe73483ab180f55138b86baa05b9598da3c

SHA512
2d61ae001d6acdc48ce4e6bedb4007a8650fd1cc09aba76f5ca9badddbc622aa656cba2e4d789d32e126ec152e3010efbf7c4a8dd4ab5a62c471f1f03e6fa28e

Download Submit
C:\Users\Public\Music\tom.ox

Filesize
116KB

MD5
a58593c975d020cbcad9f06d87f80444

SHA1
d3e206bbb811ee0ddb62fe9459a042fa4c344a01

SHA256
b5579f9e315cc2cfda4e0a337d42f03e31f5963abe1b274f2f857e44131386c0

SHA512
066f195e15a608ad1c9ec2c85a0d6d6e1964b09e8fb8932db79adcc74d2f041110823d16b4f8991f000463e484ddb76e92515bcdd8e4064f8112cfdf8e157a8c

Download Submit
C:\Users\Public\Music\tomemb.exe

Filesize
243KB

MD5
c6a9fb54e338765cfb396ac72801bd56

SHA1
07b0329d2a82c38d67a7ddcca8612dcb41f1dc1d

SHA256
ce383621cbbdc57b24515b312517e294ee38bb48fd405710228843cdbe445056

SHA512
ae640c97b4da26fe9418f48bf6da4c9f470a9ad24d0809dfc3e3b18a81ec63e9b7ee79a8f9e5640a7aa91a42a6fdfc48520cd25de8eb2d3fbd3bc9e93b8f5468

Download Submit
memory/792-28-0x0000026F101D0000-0x0000026F101F3000-memory.dmp

Filesize
140KB

Download
memory/792-1-0x0000026F101D0000-0x0000026F101F3000-memory.dmp

Filesize
140KB

Download
memory/1564-21-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1564-27-0x0000000075C60000-0x0000000075CF4000-memory.dmp

Filesize
592KB

Download
memory/1564-26-0x0000000000B20000-0x0000000000B5D000-memory.dmp

Filesize
244KB

Download
memory/3500-33-0x00000000011A0000-0x00000000011C2000-memory.dmp

Filesize
136KB

Download
memory/3500-36-0x0000000003560000-0x0000000003598000-memory.dmp

Filesize
224KB

Download
memory/3500-30-0x00000000011A0000-0x00000000011C2000-memory.dmp

Filesize
136KB

Download
memory/3500-29-0x0000000001110000-0x0000000001191000-memory.dmp

Filesize
516KB

Download
memory/3500-25-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3500-32-0x00000000011A0000-0x00000000011C2000-memory.dmp

Filesize
136KB

Download
memory/3500-34-0x00000000011A0000-0x00000000011C2000-memory.dmp

Filesize
136KB

Download
memory/3500-31-0x00000000011A0000-0x00000000011C2000-memory.dmp

Filesize
136KB

Download
memory/3500-37-0x0000000003560000-0x0000000003598000-memory.dmp

Filesize
224KB

Download
memory/3500-35-0x00000000033E0000-0x0000000003412000-memory.dmp

Filesize
200KB

Download
memory/3500-38-0x0000000003560000-0x0000000003598000-memory.dmp

Filesize
224KB

Download
memory/3500-39-0x0000000003560000-0x0000000003598000-memory.dmp

Filesize
224KB

Download
memory/3500-40-0x0000000003560000-0x0000000003598000-memory.dmp

Filesize
224KB

Download
memory/3500-41-0x00000000011A0000-0x00000000011C2000-memory.dmp

Filesize
136KB

Download
memory/3500-42-0x00000000011A0000-0x00000000011C2000-memory.dmp

Filesize
136KB

Download
memory/3500-43-0x0000000003560000-0x0000000003598000-memory.dmp

Filesize
224KB

Download