Resubmissions

05-11-2024 09:43

241105-lpwmlsydrh 7

05-11-2024 09:39

241105-lm15bazbnl 7

05-11-2024 09:32

241105-lh19hsxrbx 7

Analysis

  • max time kernel
    137s
  • max time network
    211s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-11-2024 09:39

General

  • Target

    uninst.exe

  • Size

    2.3MB

  • MD5

    99c42f396b337a63112b3622d3c2a772

  • SHA1

    15e76e96b75fe8572824486dd255bafe7550790b

  • SHA256

    56f80df77382343e628237e116acce9c7354233280606f8bb85704b7ff6e88ed

  • SHA512

    61e0d7193465233434eb1b211290138298bc1b6e235672215b53a8e672fb02e0ae4b16bca49ac1cacc9804c80507174358ab365fd3fcb7db5a37148ab148bcec

  • SSDEEP

    49152:xCCtWdpFMcrbtqxJ4PyLoXOmcSD02xyKq1P+zO7+eBT7+8Cq:SGcPtq4PPXOmcStyKq1P+zY+C

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\uninst.exe
    "C:\Users\Admin\AppData\Local\Temp\uninst.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3136
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YouDaoDictUninstallTemp.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Users\Admin\AppData\Local\Temp\240626718\YoudaoDictUninstallTemp.exe
        C:\Users\Admin\AppData\Local\Temp\240626718\YoudaoDictUninstallTemp.exe -temp "C:\Users\Admin\AppData\Local\Temp"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3200

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\240626718\YoudaoDictUninstallTemp.exe

    Filesize

    2.3MB

    MD5

    99c42f396b337a63112b3622d3c2a772

    SHA1

    15e76e96b75fe8572824486dd255bafe7550790b

    SHA256

    56f80df77382343e628237e116acce9c7354233280606f8bb85704b7ff6e88ed

    SHA512

    61e0d7193465233434eb1b211290138298bc1b6e235672215b53a8e672fb02e0ae4b16bca49ac1cacc9804c80507174358ab365fd3fcb7db5a37148ab148bcec

  • C:\Users\Admin\AppData\Local\Temp\YouDaoDictUninstallTemp.bat

    Filesize

    264B

    MD5

    88d7f6fb02f21ca3c5a2f371f20bf607

    SHA1

    0d6b97df455aaf4e0e1ab8fb158980d862c451fa

    SHA256

    d4ecd8c51ddbc06fdff6056ab0d12cf5ad148d6b117c1242f74827d1e745e5e4

    SHA512

    5192cfd87f119dcec1632f601355b11e72e22510ac60edd49a9a54700a5b92a9db7a8a15f86591bb48bd6e80e5e553bf4547317deafff205a4b8da2890af88b0