3ba266ddbe5624aeedec1a23c6bf86d6cfd5b547e8c1a31169f6a08434c9e615

Analysis

max time kernel
86s
max time network
90s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
17-01-2024 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninst.exe
Size

140KB
MD5

91069149dbc3b622415e8526caaed735
SHA1

8487fb850aabff16ab683b707cbcce4c69220d99
SHA256

09d1cc6f80cfa7d019365ca50de6dc78adcae147ebf061ae381e0304c3891f13
SHA512

c7cb0efe1256d4888d183740419f0f849fb8634ef1892791ac2bd25ad5b021e1ed3efeaad5616940926c4221d8312d781318e1e6addd6f1092b593ab42716f4f
SSDEEP

3072:gfY/TU9fE9PEturceAmpgcfpGmhStrEr04oDmcWEF5lWinUM:2Ya6lmmpR1dr04oDmIr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Un_A.exe

pid process

1472 Un_A.exe
Loads dropped DLL 2 IoCs

Processes:

Un_A.exe

pid process

1472 Un_A.exe
1472 Un_A.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1472	Un_A.exe

pid	process
1472	Un_A.exe
1472	Un_A.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

uninst.exe

description	pid	process	target process
PID 4248 wrote to memory of 1472	4248	uninst.exe	Un_A.exe
PID 4248 wrote to memory of 1472	4248	uninst.exe	Un_A.exe
PID 4248 wrote to memory of 1472	4248	uninst.exe	Un_A.exe

C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsq88AA.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq88AA.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
50KB

MD5
e0bc6a3b8fbf0b41045fd8ab9661145e

SHA1
ff987a374d722b7ba2cf3e005303f2bb4ae69ae8

SHA256
d83073595eb5f7b615228072156dc444bab66f41ef0a6b4d2744754b383c1e8e

SHA512
a1a6a4df4581d99decfdb2210abb366b0740e196e4d402c76d538f608afcf97b1296f0e685096a86b8d017befdb6fda8760e0cf5187d6ca96314852bddc9c8d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
140KB

MD5
91069149dbc3b622415e8526caaed735

SHA1
8487fb850aabff16ab683b707cbcce4c69220d99

SHA256
09d1cc6f80cfa7d019365ca50de6dc78adcae147ebf061ae381e0304c3891f13

SHA512
c7cb0efe1256d4888d183740419f0f849fb8634ef1892791ac2bd25ad5b021e1ed3efeaad5616940926c4221d8312d781318e1e6addd6f1092b593ab42716f4f

Download Submit