6e95aeb33d6452681c95ef8a96a4302c8dea8a320b7e438f1407cb074520f880

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 16:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

uninst.exe
Size

86KB
MD5

2a053e50ce59d8e63e9d3f0feb4a1d91
SHA1

c4738d5cdb89772657d4c5ed797bd8a03b0d32d1
SHA256

664b085e957963f3e296759ffc81fc9f6016845fd1cdf9580822be1287911bb3
SHA512

4782d15693d2e081ba60e710ef491e06ad53c8d64c17856fb3a3e214ebd4bed98ba2860f346e31d1e6de70e1c998a7c2c19b15bc1c9307cce2ced765c110a2cf
SSDEEP

1536:czuB7YE8wFS+P2NE35TlA4wbY2XJpdlGtWmMz0arJXMo+ELzbekLx3yPlPlJ:czuB7HS+uWpxA4EXJvXzJlao2kLwVlJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3132	Au_.exe

Loads dropped DLL 1 IoCs

pid	Process
3132	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral14/files/0x0006000000023223-5.dat	nsis_installer_1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 3132	3684	uninst.exe	23
PID 3684 wrote to memory of 3132	3684	uninst.exe	23
PID 3684 wrote to memory of 3132	3684	uninst.exe	23

C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj512F.tmp\LangDLL.dll

Filesize
5KB

MD5
51e7fd0885b7d7bf6edc030e17145950

SHA1
be7a62d254f897789cde5b9a77a8b3b0add6d141

SHA256
1a56dfe0bdae779b40d11b9caee5c96e81b9d69b0d45be7c7b11717e1db8c5a5

SHA512
a57c57a3d01839df10ab669bead1d757ef85e4a35cac65a3a147c5e1adaccaae52bb355ed8d4d460a6698cbda3ee8fba395875739670c8cf57884f66306d011a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
86KB

MD5
2a053e50ce59d8e63e9d3f0feb4a1d91

SHA1
c4738d5cdb89772657d4c5ed797bd8a03b0d32d1

SHA256
664b085e957963f3e296759ffc81fc9f6016845fd1cdf9580822be1287911bb3

SHA512
4782d15693d2e081ba60e710ef491e06ad53c8d64c17856fb3a3e214ebd4bed98ba2860f346e31d1e6de70e1c998a7c2c19b15bc1c9307cce2ced765c110a2cf

Download Submit