ad4fad7041437165a835858801b8aed8586bcd50647473c57dcb14b54e52178b

Analysis

max time kernel
1146s
max time network
1172s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
10/11/2024, 00:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/uninstall.exe
Size

11.3MB
MD5

3275f97deebe74d4cbe4aab23720c189
SHA1

db88a1238247226bad0c3b3684bc09a8c7e59135
SHA256

ef1d0a7ede9eeb6966fd6f54821e15a0032e965af96ba9798942d67ae20707cd
SHA512

8f6eadcc900c6352f7a936152d99602924c9efe4e33f64b2d7187865428ddc67f7e228edd38ebb044b575d4e829a8eecc29f1a10d6bfe585427755b24b08e177
SSDEEP

196608:khKNDpw4uLfIZmDTlbu60Q1aBhUamtyoLu7j+062UjrmXdj8DK30YtUSuCKzP:khKnw4uLfRDTFu67IBNCLK2kdgDK30YA

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4876	un.exe

Loads dropped DLL 9 IoCs

pid	Process
3140	uninstall.exe
3140	uninstall.exe
3140	uninstall.exe
3140	uninstall.exe
3140	uninstall.exe
3140	uninstall.exe
3140	uninstall.exe
3140	uninstall.exe
3140	uninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	uninstall.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	uninstall.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3140	uninstall.exe
3140	uninstall.exe
3140	uninstall.exe
3140	uninstall.exe
3140	uninstall.exe
3140	uninstall.exe
3140	uninstall.exe
3140	uninstall.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4876	un.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3140	uninstall.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 3452	3140	uninstall.exe	79
PID 3140 wrote to memory of 3452	3140	uninstall.exe	79
PID 3140 wrote to memory of 3452	3140	uninstall.exe	79
PID 3452 wrote to memory of 1316	3452	cmd.exe	81
PID 3452 wrote to memory of 1316	3452	cmd.exe	81
PID 3452 wrote to memory of 1316	3452	cmd.exe	81
PID 3140 wrote to memory of 4876	3140	uninstall.exe	82
PID 3140 wrote to memory of 4876	3140	uninstall.exe	82
PID 3140 wrote to memory of 4876	3140	uninstall.exe	82

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"au-Windows\",\"user_id\":\"142AE49A\",\"events\":[{\"name\":\"Uninstall_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"2.1.0.2\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-G1ZWRJY8K8&api_secret=vT2-CR2mSpKugIO5e8H3pQ""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\SysWOW64\curl.exe
    curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"au-Windows\",\"user_id\":\"142AE49A\",\"events\":[{\"name\":\"Uninstall_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"2.1.0.2\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-G1ZWRJY8K8&api_secret=vT2-CR2mSpKugIO5e8H3pQ"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1316
- C:\Users\Admin\AppData\Local\Temp\un.exe
  "C:\Users\Admin\AppData\Local\Temp\un.exe" """av:2.1.0" "gv:2.1.0.2" "gs:Official-com" "gi:UA-85655135-16" "an:AnyUnlock - iPhone Password Unlocker" "c:iMobie"""
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd7418.tmp\CheckProVs.dll

Filesize
18KB

MD5
5422e399fabd3a344e8dcc807a48637e

SHA1
59b0830698b15993671eb0dd43020041c351deb8

SHA256
64e6aad5d6628bc743196a42e28df3f8dc71cdf0d2ad4c250bab872d2a3991c7

SHA512
9d102954e0d7bb7e69219a14158e410c18adb85d1cca9e269f3955d3fc5e61b23872313b78d16cd6488eaac0f835b233356152575bf130f8ec91e0d481aa1493

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7418.tmp\GoogleTracingLib.dll

Filesize
46KB

MD5
3a914fc853188765010b73ff99834383

SHA1
374b9c4bcc852e42e85aab7b142ecdd80f0c40a1

SHA256
5b8cadf540dd47d19b1020bf5c0aca1b6d14d9d875b0a5794b432401c60ee5c7

SHA512
1e1a26dcb480cae7dc0fb89c0e8b560206b23b85a6f56458e2019af9c67ca9f942e2c75e78052e4e0eebcfff5e7a3c5eafb5538ba776c0a40b39cafee0bce0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7418.tmp\SkinBtn.dll

Filesize
15KB

MD5
0325c49a03baf13592272fec2b36968e

SHA1
ab10d9f3b420d7192ce6e3ceb953d94b669bdded

SHA256
72ddf9ec65f49d38ed181b4e73e095524d9c83118e6d7ae705227c7351300b95

SHA512
9009b5ebd7c45ecf9aa967aeddaf6b7695581ee8e212432eeaefd0777df3fbff41842975e0d09774f01b3b994500299042a004efc030162576cca925bdc0f43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7418.tmp\System.dll

Filesize
22KB

MD5
86a488bf743dfab80ff142713adb5d48

SHA1
02e4b39f2fa40cd4edcc42cb524dc3ce911bfdac

SHA256
3924b57f8993a880d53e1e4e18eb6ba9b5dc610cbb00345c954c7e8a9078c309

SHA512
0ed09bcddd5bd13a91e7b99b78e37a01a36d62a29ad74acaacbe0da6446c8523e83ed2c089d2847e4d1ba467da93e2fd2de104feb51bcda445511b334bf932c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7418.tmp\nsProcess.dll

Filesize
15KB

MD5
8205bee74d498724aa5508e93c6d21f8

SHA1
2564cc3032e59d538826596a88d80c3d022ef595

SHA256
382aad28fa439b18d3d41a4652201c1d1542d73ff756a738c4cee6b75ebeca8f

SHA512
67c1e7fcfbc03565ddcd0cde4a91104231b30e0e3edbfe338ba5da76085fe849ea2dea199554dd3b25b90ab9722c30fd22399932463ef4a95e6000fcb5ef3ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7418.tmp\registry.dll

Filesize
35KB

MD5
2e7ced24d47e40e0725e8d80c2d2ba6b

SHA1
b74c0fd4d1111bc461558a96720d40adb314a21e

SHA256
59120dcdf3315804ecaa8cb76b9cf5ee99f992407f30a11c6df8e23c09294c06

SHA512
ba0afcb54ed33265faa45a22ece8ee8f35fe3ee96170bd231e4e11b409330216c95b1a2f360a4d1955c6ef77a45a4c65385047333b2bd46f3e27fbfbfcc19713

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd7418.tmp\un.exe

Filesize
11.7MB

MD5
d24750b3221c6c773781e262bb117a84

SHA1
0d7eede38e541f18115151736395e24f95b9e4f3

SHA256
4f31cc76ab71792c4487795bf2f7d2106a9bbbe24b53ac2af6fcefd8c958b319

SHA512
7759a88ef3079f8f6e0e0524416ae360df44eb5506e93b9a7f6348546e5249f76ee339de45cf1820db1c44bf5f316a28f2c150c3627ae784f583a2d1c79c7da5

Download Submit
memory/3140-30-0x00000000034E0000-0x0000000003539000-memory.dmp

Filesize
356KB

Download
memory/4876-61-0x00000000720A0000-0x0000000072851000-memory.dmp

Filesize
7.7MB

Download
memory/4876-60-0x0000000000180000-0x0000000000D42000-memory.dmp

Filesize
11.8MB

Download
memory/4876-59-0x00000000720AE000-0x00000000720AF000-memory.dmp

Filesize
4KB

Download
memory/4876-62-0x0000000005950000-0x00000000059B6000-memory.dmp

Filesize
408KB

Download
memory/4876-63-0x0000000006800000-0x000000000685A000-memory.dmp

Filesize
360KB

Download
memory/4876-64-0x0000000006C60000-0x0000000006C80000-memory.dmp

Filesize
128KB

Download
memory/4876-65-0x0000000006D10000-0x0000000006D18000-memory.dmp

Filesize
32KB

Download
memory/4876-66-0x0000000008D40000-0x0000000009097000-memory.dmp

Filesize
3.3MB

Download
memory/4876-67-0x0000000009720000-0x0000000009728000-memory.dmp

Filesize
32KB

Download
memory/4876-68-0x00000000069F0000-0x0000000006A28000-memory.dmp

Filesize
224KB

Download
memory/4876-69-0x00000000069E0000-0x00000000069EE000-memory.dmp

Filesize
56KB

Download
memory/4876-70-0x00000000720AE000-0x00000000720AF000-memory.dmp

Filesize
4KB

Download
memory/4876-71-0x00000000720A0000-0x0000000072851000-memory.dmp

Filesize
7.7MB

Download