Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/01/2025, 11:40

General

  • Target

    Uninstall.exe

  • Size

    75KB

  • MD5

    f7eb4bc689e6cf7d36040dbe0d9331e5

  • SHA1

    19bca2dd29fb9f54822bd2cacb68bf85063cf92a

  • SHA256

    c8f0bd7f368607af6abaeaacc7b37a43ea0c807bf2bbc8e9d5a73cfe06c72fe7

  • SHA512

    062c699df55ed81e1f0f77452bf7816fff9ebfb95885cb3ee132cf17d727c258b9a3c9d8983f8370227996e25f42d526f821950465df35bcda4ce0f8d6f6d023

  • SSDEEP

    1536:DPx/CJAmx2/W5Ebnto4tmJK+ekp6jV++VIY2Znip6zv0:rx6UW6tpmJKS4ZxX2Zip6A

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • NSIS installer 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" DelArcadeFromFireWallExceptions
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3956
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" convertShortcutsToLinks
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4900
      • C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe
        "C:\Users\Admin\AppData\Local\Temp\iWinTrusted.exe" -remove
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3932
      • C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe
        "C:\Users\Admin\AppData\Local\Temp\WebInstaller.exe" -uninstall
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1492
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2180
      • C:\Users\Admin\AppData\Local\Temp\iWinGames.exe
        "C:\Users\Admin\AppData\Local\Temp\iWinGames.exe" /trackArcadeUninstall_reason_0
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3980
      • C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe
        "C:\Users\Admin\AppData\Local\Temp\AdminWorker.exe" uninstallDesktopAlerts
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4876
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinGamesHookIE.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2656
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\Admin\AppData\Local\Temp\iWinInfo.dll"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1976
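
The signatures and the process tree above can be turned into detection logic. What follows is an added example in Python, not part of the sandbox report and not code from the software under analysis: it replays process-creation records constructed by hand from the tree (parent PIDs inferred from the nesting; the ProcEvent field names are my own and match no particular EDR schema) through three rules. The NSIS rule is there because an NSIS uninstaller copies itself to %TEMP%\~nsu.tmp\Au_.exe and passes the original directory as `_?=<dir>` so the on-disk Uninstall.exe can be removed; that is why the Au_.exe in the Downloads list hashes identically to the submitted sample and why "Deletes itself" and "Executes dropped EXE" fire, and it is expected NSIS behaviour rather than evidence of malice on its own. The regsvr32 rule matters because `/u` still loads the DLL and calls its DllUnregisterServer export, so unregistering a DLL in a user-writable directory executes that DLL's code. The third rule is a broader proxy for the sandbox's "Executes dropped EXE" (any executable in the user's Temp launched by a parent that also runs from Temp), so it fires more often than the report's signature does.

```python
"""Detection rules replayed over process events constructed from the report's tree.

Added example, not part of the sandbox report. Field names and rule names are
my own; the events are hand-copied from the process tree, with ppid taken from
the nesting shown there.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None for the submitted sample (root of the tree)
    image: str            # on-disk image path as the sandbox resolved it
    cmdline: str          # command line as launched


# Constructed from the report's process tree.
EVENTS = [
    ProcEvent(2884, None, TEMP + "\\Uninstall.exe", f'"{TEMP}\\Uninstall.exe"'),
    ProcEvent(4484, 2884, TEMP + "\\~nsu.tmp\\Au_.exe",
              f'"{TEMP}\\~nsu.tmp\\Au_.exe" _?={TEMP}\\'),
    ProcEvent(3956, 4484, TEMP + "\\AdminWorker.exe",
              f'"{TEMP}\\AdminWorker.exe" DelArcadeFromFireWallExceptions'),
    ProcEvent(4900, 4484, TEMP + "\\AdminWorker.exe",
              f'"{TEMP}\\AdminWorker.exe" convertShortcutsToLinks'),
    ProcEvent(3932, 4484, TEMP + "\\iWinTrusted.exe", f'"{TEMP}\\iWinTrusted.exe" -remove'),
    ProcEvent(1492, 4484, TEMP + "\\WebInstaller.exe", f'"{TEMP}\\WebInstaller.exe" -uninstall'),
    ProcEvent(2180, 1492, r"C:\Windows\SysWOW64\regsvr32.exe",
              f'regsvr32 /s /u "{TEMP}\\iWinGamesHookIE.dll"'),
    ProcEvent(3980, 4484, TEMP + "\\iWinGames.exe",
              f'"{TEMP}\\iWinGames.exe" /trackArcadeUninstall_reason_0'),
    ProcEvent(4876, 4484, TEMP + "\\AdminWorker.exe",
              f'"{TEMP}\\AdminWorker.exe" uninstallDesktopAlerts'),
    # Command line names system32 but the image is SysWOW64: a 32-bit caller
    # hit WOW64 file-system redirection, which is why the sandbox shows both.
    ProcEvent(2656, 4484, r"C:\Windows\SysWOW64\regsvr32.exe",
              f'"C:\\Windows\\system32\\regsvr32.exe" /s /u "{TEMP}\\iWinGamesHookIE.dll"'),
    ProcEvent(1976, 4484, r"C:\Windows\SysWOW64\regsvr32.exe",
              f'"C:\\Windows\\system32\\regsvr32.exe" /s /u "{TEMP}\\iWinInfo.dll"'),
]

USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)
UNREGISTER_FLAG = re.compile(r"(?:^|\s)[/-]u(?=\s|$)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_temp(path: str) -> bool:
    return bool(USER_TEMP.search(path))


def nsis_uninstaller_staging(e: ProcEvent) -> bool:
    """NSIS self-copy to ~nsu.tmp\\Au_.exe with the original dir passed as _?=."""
    return e.image.lower().endswith("\\~nsu.tmp\\au_.exe") and "_?=" in e.cmdline


def regsvr32_unregister_from_temp(e: ProcEvent) -> Optional[str]:
    """regsvr32 /u of a DLL under the user's Temp; returns the DLL path on match."""
    if basename(e.image) != "regsvr32.exe" or not UNREGISTER_FLAG.search(e.cmdline):
        return None
    for quoted, bare in DLL_ARG.findall(e.cmdline):
        dll = quoted or bare
        if in_user_temp(dll):
            return dll
    return None


def exe_from_temp_spawned_by_temp(e: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    """Executable in user Temp launched by a parent that also runs from user Temp."""
    return parent is not None and in_user_temp(e.image) and in_user_temp(parent.image)


def run_rules(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Evaluate every rule over every event; returns (pid, rule, detail) tuples."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid) if e.ppid is not None else None
        if nsis_uninstaller_staging(e):
            findings.append((e.pid, "nsis_uninstaller_staging", e.cmdline.split("_?=", 1)[1]))
        dll = regsvr32_unregister_from_temp(e)
        if dll:
            findings.append((e.pid, "regsvr32_unregister_from_temp", dll))
        if exe_from_temp_spawned_by_temp(e, parent):
            findings.append((e.pid, "exe_from_temp_spawned_by_temp", basename(e.image)))
    return findings


def pids_for(findings: List[Tuple[int, str, str]], rule: str) -> List[int]:
    return sorted(pid for pid, r, _ in findings if r == rule)


if __name__ == "__main__":
    for pid, rule, detail in run_rules(EVENTS):
        print(f"{pid:>5}  {rule:<32} {detail}")
```

Against these records the NSIS rule fires once (PID 4484), the regsvr32 rule fires for the three unregister calls (PIDs 1976, 2180, 2656), and the Temp-from-Temp rule fires for Au_.exe and every child it launched from Temp, which is the difference between a file-write-tracked sandbox signature and a path-based telemetry rule.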

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\iWinGames\Downloads\cache.dat

          Filesize

          160B

          MD5

          05da8f0281ad5626c84a5549650d1bf3

          SHA1

          9e742af52e9e439f63dc7788b472c73000a1da4f

          SHA256

          0f8e730f1b5a750f5f42698e020b25a8291b9c7336310d0999ef0d1660434016

          SHA512

          7b2d26f5ff4ce2d5b880fa9027e71bfeb576086f43c85a2885515969e18ee2fe8b8602115fbd55827e2c328f5b8102f9e3f7779694bfdd09430793e67eee2ea3

        • C:\Users\Admin\AppData\Local\Temp\iWinGames\iWinGames.log

          Filesize

          407B

          MD5

          559051f7e1657074cfff4e63fb9087c5

          SHA1

          a66f00c2b1ed6ce7fe91c881815f2eb336098769

          SHA256

          193ef850bbe75ade2aca30633f0f353e5f3b309e48049b244deb71fb069d814b

          SHA512

          eee555aca6c5a48d605432b7a33b93008021df35320f8e68413964890d16259751cac1affd6721db7d09eed4613ddb5974222f80b69ec4247781b9ff1179c6dc

        • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

          Filesize

          75KB

          MD5

          f7eb4bc689e6cf7d36040dbe0d9331e5

          SHA1

          19bca2dd29fb9f54822bd2cacb68bf85063cf92a

          SHA256

          c8f0bd7f368607af6abaeaacc7b37a43ea0c807bf2bbc8e9d5a73cfe06c72fe7

          SHA512

          062c699df55ed81e1f0f77452bf7816fff9ebfb95885cb3ee132cf17d727c258b9a3c9d8983f8370227996e25f42d526f821950465df35bcda4ce0f8d6f6d023

        • memory/3932-12-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/3932-14-0x0000000000400000-0x0000000000433000-memory.dmp

          Filesize

          204KB

        • memory/3956-9-0x0000000000400000-0x0000000000439000-memory.dmp

          Filesize

          228KB

        • memory/3956-8-0x0000000000570000-0x0000000000572000-memory.dmp

          Filesize

          8KB

        • memory/3956-7-0x0000000000400000-0x0000000000439000-memory.dmp

          Filesize

          228KB

        • memory/3980-15-0x0000000000400000-0x0000000000FCD000-memory.dmp

          Filesize

          11.8MB

        • memory/3980-22-0x0000000000400000-0x0000000000FCD000-memory.dmp

          Filesize

          11.8MB

        • memory/4876-24-0x0000000000400000-0x0000000000439000-memory.dmp

          Filesize

          228KB

        • memory/4900-11-0x0000000000400000-0x0000000000439000-memory.dmp

          Filesize

          228KB

        • memory/4900-10-0x00000000005A0000-0x00000000005A2000-memory.dmp

          Filesize

          8KB
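
Two checks worth running over the artifact list above before reading anything into it: whether any "dropped" file is actually new (Au_.exe carries the same SHA-256 as the submitted sample, so nothing new was written there) and whether the memory-dump names agree with their reported sizes. The following is an added Python example, not part of the sandbox report; the artifact records are hand-copied from the list above, and the dump-name parser assumes only the naming scheme visible there, memory/<pid>-<seq>-<start>-<end>-memory.dmp.

```python
"""Cross-checks over the report's dropped files and memory dumps.

Added example, not part of the sandbox report. Records are copied from the
artifact list; the dump-name format is assumed from the names shown there.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

SAMPLE_SHA256 = "c8f0bd7f368607af6abaeaacc7b37a43ea0c807bf2bbc8e9d5a73cfe06c72fe7"

# (path, reported size, sha256) for the dropped files listed in the report.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Temp\iWinGames\Downloads\cache.dat", "160B",
     "0f8e730f1b5a750f5f42698e020b25a8291b9c7336310d0999ef0d1660434016"),
    (r"C:\Users\Admin\AppData\Local\Temp\iWinGames\iWinGames.log", "407B",
     "193ef850bbe75ade2aca30633f0f353e5f3b309e48049b244deb71fb069d814b"),
    (r"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe", "75KB",
     "c8f0bd7f368607af6abaeaacc7b37a43ea0c807bf2bbc8e9d5a73cfe06c72fe7"),
]

# (dump name, reported size) for the memory dumps listed in the report.
DUMPS = [
    ("memory/3932-12-0x0000000000400000-0x0000000000433000-memory.dmp", "204KB"),
    ("memory/3932-14-0x0000000000400000-0x0000000000433000-memory.dmp", "204KB"),
    ("memory/3956-9-0x0000000000400000-0x0000000000439000-memory.dmp", "228KB"),
    ("memory/3956-8-0x0000000000570000-0x0000000000572000-memory.dmp", "8KB"),
    ("memory/3956-7-0x0000000000400000-0x0000000000439000-memory.dmp", "228KB"),
    ("memory/3980-15-0x0000000000400000-0x0000000000FCD000-memory.dmp", "11.8MB"),
    ("memory/3980-22-0x0000000000400000-0x0000000000FCD000-memory.dmp", "11.8MB"),
    ("memory/4876-24-0x0000000000400000-0x0000000000439000-memory.dmp", "228KB"),
    ("memory/4900-11-0x0000000000400000-0x0000000000439000-memory.dmp", "228KB"),
    ("memory/4900-10-0x00000000005A0000-0x00000000005A2000-memory.dmp", "8KB"),
]


class Dump(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int


DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name: str) -> Dump:
    """Split memory/<pid>-<seq>-<start>-<end>-memory.dmp into its fields."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    pid, seq, start, end = m.groups()
    return Dump(int(pid), int(seq), int(start, 16), int(end, 16))


def human_size(nbytes: int) -> str:
    """Format the way the report does: whole KB below 1 MiB, one decimal MB above."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    if nbytes >= 1 << 10:
        return f"{nbytes // (1 << 10)}KB"
    return f"{nbytes}B"


def check_dump_sizes(dumps: List[Tuple[str, str]]) -> List[str]:
    """Names of dumps whose address range disagrees with the size the report states."""
    bad = []
    for name, reported in dumps:
        d = parse_dump_name(name)
        if human_size(d.end - d.start) != reported:
            bad.append(name)
    return bad


def regions_by_pid(dumps: List[Tuple[str, str]]) -> Dict[int, List[Tuple[int, int]]]:
    """Unique (start, end) regions per PID; the same region dumped twice collapses."""
    out: Dict[int, set] = {}
    for name, _ in dumps:
        d = parse_dump_name(name)
        out.setdefault(d.pid, set()).add((d.start, d.end))
    return {pid: sorted(r) for pid, r in sorted(out.items())}


def same_as_sample(dropped, sample_sha256: str) -> List[str]:
    """Dropped files byte-identical to the submitted sample (same SHA-256)."""
    return [path for path, _, sha in dropped if sha.lower() == sample_sha256.lower()]


if __name__ == "__main__":
    print("dumps with inconsistent size:", check_dump_sizes(DUMPS))
    print("dropped files identical to sample:", same_as_sample(DROPPED, SAMPLE_SHA256))
    for pid, regions in regions_by_pid(DUMPS).items():
        # 0x400000 is the classic default image base of a 32-bit PE; every dumped
        # process here has a region starting there (an observation, not a finding).
        print(pid, [(hex(s), hex(e), human_size(e - s)) for s, e in regions])
```

On the report's data every dump size is consistent with its address range, the only dropped file matching the sample is Au_.exe, and memory was dumped for five of the eleven processes (3932, 3956, 3980, 4876, 4900), none of them the regsvr32 instances.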