4c41f2783d06008860fab234871376902930f6e07b85ab0c0a0f0c47e555534c

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/01/2024, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

163KB
MD5

558e768c6841fc5b375c454876a60199
SHA1

ef8a8e16ae8719bd1c63f498f0954496217e3046
SHA256

5c16680536014a3220767b2eece1a5c1f946dc8cfdda64b5db150ad760d42f8a
SHA512

60e538909b527682bc086a81f3d2ad2fab8f36941deff08720fb312c25f2dbc83100284dd4b3dc18ec7be2fe89a6ec3d3c83409bd68f4eef9e4fb8a63b907863
SSDEEP

3072:u4eYZ4+1JXJJc+zpi25shi25XSaINIH2cdbAi/0JArXNaeoLY1sSVTwH:b5O8Y+1JmhJYaIGMe0eXNykSGTA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2772	Au_.exe

Loads dropped DLL 1 IoCs

pid	Process
1724	Uninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral19/files/0x000b000000015c98-2.dat	nsis_installer_1
behavioral19/files/0x000b000000015c98-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2772	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2772	1724	Uninstall.exe	28
PID 1724 wrote to memory of 2772	1724	Uninstall.exe	28
PID 1724 wrote to memory of 2772	1724	Uninstall.exe	28
PID 1724 wrote to memory of 2772	1724	Uninstall.exe	28

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
163KB

MD5
558e768c6841fc5b375c454876a60199

SHA1
ef8a8e16ae8719bd1c63f498f0954496217e3046

SHA256
5c16680536014a3220767b2eece1a5c1f946dc8cfdda64b5db150ad760d42f8a

SHA512
60e538909b527682bc086a81f3d2ad2fab8f36941deff08720fb312c25f2dbc83100284dd4b3dc18ec7be2fe89a6ec3d3c83409bd68f4eef9e4fb8a63b907863

Download Submit