Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-11-2024 21:51
General
-
Target
$PLUGINSDIR/uninstall.exe
-
Size
11.3MB
-
MD5
6765828d8b0b8583353054be50c8250a
-
SHA1
b736d93ac930a804379a02f4c1cc74ed465f5931
-
SHA256
c77e04966f1595e5786e902fd85275639846283724b6337da79d946590bc6fb9
-
SHA512
8a668dab4084e2b58ffa11d0579b65370d3ccb807e9b81c50702fa419136b9ec5f63348bc76bf1ccc7e704028c77df18d291c539abad9b6c31a8eb00af9fb382
-
SSDEEP
196608:/hKXDpw4uLfIZmDTlbu60Q1aBhUamtyoLu7j+062UjrmXdj8DK30YtUSuCKz5:/hK1w4uLfRDTFu67IBNCLK2kdgDK30Y+
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"au-Windows\",\"user_id\":\"333D24C1\",\"events\":[{\"name\":\"Uninstall_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"install_productversion\":\"Official-com-pp\",\"install_trackversion\":\"2.1.0.2\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-G1ZWRJY8K8&api_secret=vT2-CR2mSpKugIO5e8H3pQ""2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\curl.execurl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"au-Windows\",\"user_id\":\"333D24C1\",\"events\":[{\"name\":\"Uninstall_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"install_productversion\":\"Official-com-pp\",\"install_trackversion\":\"2.1.0.2\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-G1ZWRJY8K8&api_secret=vT2-CR2mSpKugIO5e8H3pQ"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\un.exe"C:\Users\Admin\AppData\Local\Temp\un.exe" """av:2.1.0" "gv:2.1.0.2" "gs:Official-com-pp" "gi:UA-85655135-16" "an:AnyUnlock - iPhone Password Unlocker" "c:iMobie"""2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
18KB
MD55422e399fabd3a344e8dcc807a48637e
SHA159b0830698b15993671eb0dd43020041c351deb8
SHA25664e6aad5d6628bc743196a42e28df3f8dc71cdf0d2ad4c250bab872d2a3991c7
SHA5129d102954e0d7bb7e69219a14158e410c18adb85d1cca9e269f3955d3fc5e61b23872313b78d16cd6488eaac0f835b233356152575bf130f8ec91e0d481aa1493
-
Filesize
46KB
MD53a914fc853188765010b73ff99834383
SHA1374b9c4bcc852e42e85aab7b142ecdd80f0c40a1
SHA2565b8cadf540dd47d19b1020bf5c0aca1b6d14d9d875b0a5794b432401c60ee5c7
SHA5121e1a26dcb480cae7dc0fb89c0e8b560206b23b85a6f56458e2019af9c67ca9f942e2c75e78052e4e0eebcfff5e7a3c5eafb5538ba776c0a40b39cafee0bce0e7
-
Filesize
15KB
MD50325c49a03baf13592272fec2b36968e
SHA1ab10d9f3b420d7192ce6e3ceb953d94b669bdded
SHA25672ddf9ec65f49d38ed181b4e73e095524d9c83118e6d7ae705227c7351300b95
SHA5129009b5ebd7c45ecf9aa967aeddaf6b7695581ee8e212432eeaefd0777df3fbff41842975e0d09774f01b3b994500299042a004efc030162576cca925bdc0f43c
-
Filesize
22KB
MD586a488bf743dfab80ff142713adb5d48
SHA102e4b39f2fa40cd4edcc42cb524dc3ce911bfdac
SHA2563924b57f8993a880d53e1e4e18eb6ba9b5dc610cbb00345c954c7e8a9078c309
SHA5120ed09bcddd5bd13a91e7b99b78e37a01a36d62a29ad74acaacbe0da6446c8523e83ed2c089d2847e4d1ba467da93e2fd2de104feb51bcda445511b334bf932c8
-
Filesize
15KB
MD58205bee74d498724aa5508e93c6d21f8
SHA12564cc3032e59d538826596a88d80c3d022ef595
SHA256382aad28fa439b18d3d41a4652201c1d1542d73ff756a738c4cee6b75ebeca8f
SHA51267c1e7fcfbc03565ddcd0cde4a91104231b30e0e3edbfe338ba5da76085fe849ea2dea199554dd3b25b90ab9722c30fd22399932463ef4a95e6000fcb5ef3ca1
-
Filesize
35KB
MD52e7ced24d47e40e0725e8d80c2d2ba6b
SHA1b74c0fd4d1111bc461558a96720d40adb314a21e
SHA25659120dcdf3315804ecaa8cb76b9cf5ee99f992407f30a11c6df8e23c09294c06
SHA512ba0afcb54ed33265faa45a22ece8ee8f35fe3ee96170bd231e4e11b409330216c95b1a2f360a4d1955c6ef77a45a4c65385047333b2bd46f3e27fbfbfcc19713
-
Filesize
11.7MB
MD5d24750b3221c6c773781e262bb117a84
SHA10d7eede38e541f18115151736395e24f95b9e4f3
SHA2564f31cc76ab71792c4487795bf2f7d2106a9bbbe24b53ac2af6fcefd8c958b319
SHA5127759a88ef3079f8f6e0e0524416ae360df44eb5506e93b9a7f6348546e5249f76ee339de45cf1820db1c44bf5f316a28f2c150c3627ae784f583a2d1c79c7da5
-
Filesize
356KB
-
Filesize
7.7MB
-
Filesize
11.8MB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
360KB
-
Filesize
128KB
-
Filesize
32KB
-
Filesize
3.3MB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
224KB
-
Filesize
4KB
-
Filesize
7.7MB