29e64829bd04e20c4c0ea0cfb4d5acda50fdeff7917daa994df2ef97b39cac62

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 11:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Auto Reply For Y!Messenger/Uninstall.exe
Size

66KB
MD5

34e3072d1635af9a4ccfdf80aefddde0
SHA1

48a97f1ed606777f1a3b3b0282d9c01ba37efbef
SHA256

672a2f9be2faa466717d53702e1ac6ec737ad5cb847a028ae8015fd2e568c92c
SHA512

28ce7165a73d8d00242a5558b1278fb05321702d2eb33bc047bf8b4994272ba9aa5987c66d6cce73b7a51f1148ebcbea91021b54ce7a98837c4e8d3a89ad47e3
SSDEEP

1536:hpgpHzb9dZVX9fHMvG0D3XJrYRN6QcIGESdS:bgXdZt9P6D3XJrqBaS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2232	Au_.exe

Loads dropped DLL 4 IoCs

pid	Process
2620	Uninstall.exe
2232	Au_.exe
2232	Au_.exe
2232	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral3/files/0x000900000001225e-2.dat	nsis_installer_1
behavioral3/files/0x000900000001225e-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2232	Au_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2232	2620	Uninstall.exe	28
PID 2620 wrote to memory of 2232	2620	Uninstall.exe	28
PID 2620 wrote to memory of 2232	2620	Uninstall.exe	28
PID 2620 wrote to memory of 2232	2620	Uninstall.exe	28
PID 2620 wrote to memory of 2232	2620	Uninstall.exe	28
PID 2620 wrote to memory of 2232	2620	Uninstall.exe	28
PID 2620 wrote to memory of 2232	2620	Uninstall.exe	28

C:\Users\Admin\AppData\Local\Temp\Auto Reply For Y!Messenger\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Auto Reply For Y!Messenger\Uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\Auto Reply For Y!Messenger\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
66KB

MD5
34e3072d1635af9a4ccfdf80aefddde0

SHA1
48a97f1ed606777f1a3b3b0282d9c01ba37efbef

SHA256
672a2f9be2faa466717d53702e1ac6ec737ad5cb847a028ae8015fd2e568c92c

SHA512
28ce7165a73d8d00242a5558b1278fb05321702d2eb33bc047bf8b4994272ba9aa5987c66d6cce73b7a51f1148ebcbea91021b54ce7a98837c4e8d3a89ad47e3

Download Submit