0e6dc61eef774aaaf2688f2d1052089d0740c9e9d80cc9d877b1b6cb6b94a68c

Analysis

max time kernel
87s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29-01-2025 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

apt/php/unins000.exe
Size

3.1MB
MD5

11878001a28ce434f6eb02aa85c3199b
SHA1

47dd4e5fb52236913b63d4b520775ba0685a8334
SHA256

b3a2140b8ca0babc75daea00d59a3804b616b10bacf2559a3b3f510298882065
SHA512

9afa2daffea483a57f0d85bce9e598792714433bcda3f100562f60066e84d5b506c79b638c20c859c80f039e4b784ad0adce6d10cf059503e624b0fb05ce5be0
SSDEEP

49152:cWGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbF333K/ogj7m50yIUO9:4tLutqgwh4NYxtJpkxhGK333k

Score

5^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3068	_unins.tmp

Executes dropped EXE 1 IoCs

pid	Process
3068	_unins.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unins000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_unins.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3068	_unins.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 3068	3552	unins000.exe	77
PID 3552 wrote to memory of 3068	3552	unins000.exe	77
PID 3552 wrote to memory of 3068	3552	unins000.exe	77
PID 3068 wrote to memory of 4360	3068	_unins.tmp	78
PID 3068 wrote to memory of 4360	3068	_unins.tmp	78
PID 3068 wrote to memory of 4360	3068	_unins.tmp	78

C:\Users\Admin\AppData\Local\Temp\apt\php\unins000.exe
"C:\Users\Admin\AppData\Local\Temp\apt\php\unins000.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp
  "C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp" /SECONDPHASE="C:\Users\Admin\AppData\Local\Temp\apt\php\unins000.exe" /FIRSTPHASEWND=$801C0
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /u /s "C:\Program Files (x86)\WinSCP\DragExt64.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp

Filesize
3.1MB

MD5
11878001a28ce434f6eb02aa85c3199b

SHA1
47dd4e5fb52236913b63d4b520775ba0685a8334

SHA256
b3a2140b8ca0babc75daea00d59a3804b616b10bacf2559a3b3f510298882065

SHA512
9afa2daffea483a57f0d85bce9e598792714433bcda3f100562f60066e84d5b506c79b638c20c859c80f039e4b784ad0adce6d10cf059503e624b0fb05ce5be0

Download Submit
memory/3068-7-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/3068-10-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/3068-9-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/3068-12-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/3552-0-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/3552-8-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download