5c28b949507a6330ec9e768251131e823e1ed1587b5e8913c9e70009f235e9bb

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

base/uninst.exe
Size

100KB
MD5

812ceda63e8fb52f08d13a270f60064f
SHA1

3b3108938aab9ccc4d0fbbe16d7670e0b0b4d244
SHA256

d2093bfff19f6f22e50aee57086375d99f630eab21c5c429fc5f5bf00583b5c6
SHA512

9e09625a39304049d5d4c78f3d420ed8859189a473568b3d8747cc3336c237c65fde4c89f480238f9001a05830bda50a604d0b760f358f1138d617df5a002ce8
SSDEEP

3072:bgXdZt9P6D3XJbOpo2eAjEu5fiXEVgfo7M:be341OpTjEu5qXEVgfo7M

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Au_.exe

pid process

5036 Au_.exe
Loads dropped DLL 6 IoCs

Processes:

Au_.exe

pid process

5036 Au_.exe
5036 Au_.exe
5036 Au_.exe
5036 Au_.exe
5036 Au_.exe
5036 Au_.exe

pid	process
5036	Au_.exe

pid	process
5036	Au_.exe
5036	Au_.exe
5036	Au_.exe
5036	Au_.exe
5036	Au_.exe
5036	Au_.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegisterUninstall.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\FCcleaner = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FCcleaner.bat"	RegisterUninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1472 1928 WerFault.exe RegisterUninstall.exe

pid	pid_target	process	target process
1472	1928	WerFault.exe	RegisterUninstall.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Au_.exeRegisterUninstall.exe

pid process

5036 Au_.exe
5036 Au_.exe
5036 Au_.exe
5036 Au_.exe
1928 RegisterUninstall.exe
1928 RegisterUninstall.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegisterUninstall.exe

description pid process

Token: SeDebugPrivilege 1928 RegisterUninstall.exe

pid	process
5036	Au_.exe
5036	Au_.exe
5036	Au_.exe
5036	Au_.exe
1928	RegisterUninstall.exe
1928	RegisterUninstall.exe

description	pid	process
Token: SeDebugPrivilege	1928	RegisterUninstall.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

uninst.exeAu_.exe

description	pid	process	target process
PID 2268 wrote to memory of 5036	2268	uninst.exe	Au_.exe
PID 2268 wrote to memory of 5036	2268	uninst.exe	Au_.exe
PID 2268 wrote to memory of 5036	2268	uninst.exe	Au_.exe
PID 5036 wrote to memory of 1928	5036	Au_.exe	RegisterUninstall.exe
PID 5036 wrote to memory of 1928	5036	Au_.exe	RegisterUninstall.exe

C:\Users\Admin\AppData\Local\Temp\base\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\base\uninst.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\base\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\base\RegisterUninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\base\RegisterUninstall.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1928 -s 1612
      4⤵
      Program crash
      PID:1472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 1928 -ip 1928
1⤵
PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsgB183.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgB183.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgB183.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgB183.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgB183.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgB183.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
100KB

MD5
812ceda63e8fb52f08d13a270f60064f

SHA1
3b3108938aab9ccc4d0fbbe16d7670e0b0b4d244

SHA256
d2093bfff19f6f22e50aee57086375d99f630eab21c5c429fc5f5bf00583b5c6

SHA512
9e09625a39304049d5d4c78f3d420ed8859189a473568b3d8747cc3336c237c65fde4c89f480238f9001a05830bda50a604d0b760f358f1138d617df5a002ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
100KB

MD5
812ceda63e8fb52f08d13a270f60064f

SHA1
3b3108938aab9ccc4d0fbbe16d7670e0b0b4d244

SHA256
d2093bfff19f6f22e50aee57086375d99f630eab21c5c429fc5f5bf00583b5c6

SHA512
9e09625a39304049d5d4c78f3d420ed8859189a473568b3d8747cc3336c237c65fde4c89f480238f9001a05830bda50a604d0b760f358f1138d617df5a002ce8

Download Submit
memory/1928-140-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/1928-141-0x0000000002CA0000-0x0000000002CB4000-memory.dmp

Filesize
80KB

Download
memory/1928-142-0x000000001C3F0000-0x000000001C458000-memory.dmp

Filesize
416KB

Download
memory/1928-143-0x00007FFC1C6E0000-0x00007FFC1D1A1000-memory.dmp

Filesize
10.8MB

Download
memory/1928-144-0x000000001C3C0000-0x000000001C3E0000-memory.dmp

Filesize
128KB

Download
memory/1928-145-0x00007FFC1C6E0000-0x00007FFC1D1A1000-memory.dmp

Filesize
10.8MB

Download
memory/1928-139-0x0000000000000000-mapping.dmp

Download
memory/5036-148-0x00000000028F1000-0x00000000028F3000-memory.dmp

Filesize
8KB

Download
memory/5036-132-0x0000000000000000-mapping.dmp

Download