f2c0b14087985e4ab59152e15ec6c5933a996985196592c4671789bb6bd0634a

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/uninstall.exe
Size

1.4MB
MD5

f82baaa0b9e9740c8cdf06ba44e97fba
SHA1

a88894a9c596a963b97f6adceffaac6cbbec5057
SHA256

9c5fd53cc95011b72aecc9c5c76e5cdc8e7f033411f372899aba50f8bd4f8c39
SHA512

fe7360a96637ee2a705e5c24d72954ad8a56ca4ceffac7f36456a9ebabf0ba13e9b0fbeaab49e4da348df7a10ad94fe9ed7d32e4d7e335e4dfa01b32cd5780ab
SSDEEP

24576:WzZ0ydiAffz/QszBAKiPvEWnkD/zFAN/uY1zj68oMTLO1bccU/wueBFfik:WndzXQvtnmzFAN/uYTdTCKcU/wuWik

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	uninstall.exe

Loads dropped DLL 9 IoCs

pid	Process
448	uninstall.exe
448	uninstall.exe
448	uninstall.exe
448	uninstall.exe
448	uninstall.exe
448	uninstall.exe
448	uninstall.exe
448	uninstall.exe
448	uninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	uninstall.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	uninstall.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
448	uninstall.exe
448	uninstall.exe
448	uninstall.exe
448	uninstall.exe
448	uninstall.exe
448	uninstall.exe
448	uninstall.exe
448	uninstall.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 2060	448	uninstall.exe	86
PID 448 wrote to memory of 2060	448	uninstall.exe	86
PID 448 wrote to memory of 2060	448	uninstall.exe	86
PID 2060 wrote to memory of 2240	2060	cmd.exe	88
PID 2060 wrote to memory of 2240	2060	cmd.exe	88
PID 2060 wrote to memory of 2240	2060	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\uninstall.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"am-Windows\",\"user_id\":\"40CD5815\",\"events\":[{\"name\":\"Uninstall_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"UN Launch App\",\"el\":\"1\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.1.1.1\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-XNF39PYMC3&api_secret=hFampYwYTA-ehMc_pN7qfw""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\curl.exe
    curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"am-Windows\",\"user_id\":\"40CD5815\",\"events\":[{\"name\":\"Uninstall_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"UN Launch App\",\"el\":\"1\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.1.1.1\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-XNF39PYMC3&api_secret=hFampYwYTA-ehMc_pN7qfw"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsk9F7D.tmp\CheckProVs.dll

Filesize
7KB

MD5
62e85098ce43cb3d5c422e49390b7071

SHA1
df6722f155ce2a1379eff53a9ad1611ddecbb3bf

SHA256
ee7e26894cbf89c93ae4df15bdb12cd9a21f5deacedfa99a01eefe8fa52daec2

SHA512
dfe7438c2b46f822e2a810bc355e5226043547608d19d1c70314e4325c06ad9ad63a797905e30d19f5d9a86ee1a6d9c28f525a298731e79dbf6f3d6441179a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9F7D.tmp\GoogleTracingLib.dll

Filesize
36KB

MD5
d8fca35ff95fe00a7174177181f8bd13

SHA1
fbafea4d2790dd2c0d022dfb08ded91de7f5265e

SHA256
ad873f1e51e6d033e5507235ec735957256ebeeb0d3f22aa0b57bb4bd0846e4c

SHA512
eb530b10f137cb0cdfdcd2c11fd9f50f774e0ce44e9d2da3e755f6a6df24fe6e7525c27b109e3e68e9d3e49a889937a22f4d9d78703b1055a83b8a58808a58ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9F7D.tmp\SkinBtn.dll

Filesize
4KB

MD5
29818862640ac659ce520c9c64e63e9e

SHA1
485e1e6cc552fa4f05fb767043b1e7c9eb80be64

SHA256
e96afa894a995a6097a405df76155a7a39962ff6cae7a59d89a25e5a34ab9eeb

SHA512
ebb94eb21e060fb90ec9c86787eada42c7c9e1e7628ea4b16d3c7b414f554a94d5e4f4abe0e4ee30fddf4f904fd3002770a9b967fbd0feeca353e21079777057

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9F7D.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9F7D.tmp\btn_close.bmp

Filesize
19KB

MD5
acca1d3aefee543933b828e87805b070

SHA1
eb38dbeaf534688a5ce17d01e1bf3215130bd3c5

SHA256
9838055ce42310581a66dd6e1a63d695828f0d70507fb247f8ceef9c4f3b1e9b

SHA512
7bd7f62b4b2399d2eb725dfff5fc1432cf4ee49de7a2e3124f38727152c9c59274e9854e8a04d134b8adeb0bc4c37dbe4f3ac99e5598d363c5a430d04823820d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9F7D.tmp\btn_minmize.bmp

Filesize
19KB

MD5
1a13056f23a53aad032497e9b947dc5a

SHA1
08b4c66f2d67d174686c24efbef8d03bc032b2d9

SHA256
4cd5234d53606818075291c56ed6b264c49466c389ba47f9c42183d735a1a99f

SHA512
cccbc6d0b3c7fcf2ebe0e38c1e3c3d0689ae9467c39a4b701e18e48099cddaf00e2629ca358c078d4048597ea15241ce60e4669e5949d975d8b6bd4d8c0e14ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9F7D.tmp\nsDialogs.dll

Filesize
9KB

MD5
904d8313031ac05e2bac3dd329828833

SHA1
6c8322f76e5c38bc24b0bcc057a510c92ec40b43

SHA256
a7c5516478ab02b5d6c1684b3c2b31ee03331712bcd9f9a8ef8309d2b72c8ec4

SHA512
9d524ebc965f224e1a16f537f71df0963c586fd548cb9a901f8afb1951416dd656d5493cc5e304157dfa6d70d69bcd4c5a5b140fceb3736548e71fe7086b6de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9F7D.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit