b7639a19b4fd49591312a9e235dd6e594d19308c6710d9e59b5667b5482ecde9

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

58KB
MD5

0b8467c25d608ea16dba60bf94c0dafe
SHA1

e2a2caa8af3afe81fcff45304ccf93352b4640a0
SHA256

b7639a19b4fd49591312a9e235dd6e594d19308c6710d9e59b5667b5482ecde9
SHA512

860e99e8937e754c199f6d90a150d6b5ac95f63d147073c2319c2d882f8f36243d760e20007ac0c738486a7c361626c57f2f27451963c652185e6d57483491bc
SSDEEP

768:qLFBcDhQzZSeGh1L9oZiFgfuMvmbdQcZJ11JHG732gd2iZQAm6kRRS+NoJRneBy:4TcVQzCLmZiFggbycZ71J/gdLeAyNxBy

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2240	Un_A.exe

Executes dropped EXE 1 IoCs

pid	Process
2240	Un_A.exe

Loads dropped DLL 1 IoCs

pid	Process
2372	Uninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x001b000000015c72-2.dat	nsis_installer_1
behavioral1/files/0x001b000000015c72-2.dat	nsis_installer_2
behavioral1/files/0x001b000000015c72-6.dat	nsis_installer_1
behavioral1/files/0x001b000000015c72-6.dat	nsis_installer_2
behavioral1/files/0x001b000000015c72-7.dat	nsis_installer_1
behavioral1/files/0x001b000000015c72-7.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2240	2372	Uninstall.exe	28
PID 2372 wrote to memory of 2240	2372	Uninstall.exe	28
PID 2372 wrote to memory of 2240	2372	Uninstall.exe	28
PID 2372 wrote to memory of 2240	2372	Uninstall.exe	28

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy3831.tmp

Filesize
12KB

MD5
b0420e972fa8eed5b9c4f687beda73bd

SHA1
84256f1ffb19c6935755a7540dc5502c5c107640

SHA256
039656b72d830f67969ca7cd94dca1021050b4166e76b227e23a4e524bb092cc

SHA512
66e60f633701fdffea7605437895da03d6dfa772b1fa6de938894376e756c9885c8aa6c8fe651d3ba0195f6a1e94e91b34b57dae0ea5a713b3e4e3aa12c93d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
58KB

MD5
0b8467c25d608ea16dba60bf94c0dafe

SHA1
e2a2caa8af3afe81fcff45304ccf93352b4640a0

SHA256
b7639a19b4fd49591312a9e235dd6e594d19308c6710d9e59b5667b5482ecde9

SHA512
860e99e8937e754c199f6d90a150d6b5ac95f63d147073c2319c2d882f8f36243d760e20007ac0c738486a7c361626c57f2f27451963c652185e6d57483491bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
58KB

MD5
0b8467c25d608ea16dba60bf94c0dafe

SHA1
e2a2caa8af3afe81fcff45304ccf93352b4640a0

SHA256
b7639a19b4fd49591312a9e235dd6e594d19308c6710d9e59b5667b5482ecde9

SHA512
860e99e8937e754c199f6d90a150d6b5ac95f63d147073c2319c2d882f8f36243d760e20007ac0c738486a7c361626c57f2f27451963c652185e6d57483491bc

Download Submit
\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
58KB

MD5
0b8467c25d608ea16dba60bf94c0dafe

SHA1
e2a2caa8af3afe81fcff45304ccf93352b4640a0

SHA256
b7639a19b4fd49591312a9e235dd6e594d19308c6710d9e59b5667b5482ecde9

SHA512
860e99e8937e754c199f6d90a150d6b5ac95f63d147073c2319c2d882f8f36243d760e20007ac0c738486a7c361626c57f2f27451963c652185e6d57483491bc

Download Submit