e1fd5843ba483ebbeadff8ecf29a2c910192a8d31a200688cb35b8e6143e67a2

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$0/uninstall.exe
Size

82KB
MD5

a4b66dfdece1cbd9aca8989e2ce5564f
SHA1

012d1c32f21d18ba9856557ba583b4fd82f437fe
SHA256

96e706092e32bea4d4a5f3e2ed8c6a7d761366a93deade9bde56b246c82e8c70
SHA512

5705e53995e68fb01238ccd75938549b388c07931227d30ed927562d9e016dfaffb8a8cf40e45e5c6248cbbc7af20dc3a058750784b0419597f404d368e13161
SSDEEP

1536:BEkjY1zy214Qay0DGkJ7qAELVigJ3PhcptJgNfKeQ2/D5kAuH:OkjAJ4dDGkJ+AI0qGXJGKeH/2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1832	Au_.exe

Loads dropped DLL 3 IoCs

pid	Process
2060	uninstall.exe
1832	Au_.exe
1832	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral7/files/0x000b00000001484b-2.dat	nsis_installer_1

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1832	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1832	2060	uninstall.exe	28
PID 2060 wrote to memory of 1832	2060	uninstall.exe	28
PID 2060 wrote to memory of 1832	2060	uninstall.exe	28
PID 2060 wrote to memory of 1832	2060	uninstall.exe	28

C:\Users\Admin\AppData\Local\Temp\$0\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\$0\uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$0\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nstB48.tmp\ioSpecial.ini

Filesize
609B

MD5
08891172c8194f8b41cd03c11a2adac6

SHA1
a9533238b91088cc845a84300ec8bb2c493cee5e

SHA256
5467def224f4ef27a6408d06c861a94d6c4778e2091ba03b93e6ecfdf8a04bcc

SHA512
79b77ff7270e8cc70233b53ed8c11c94dfbe3240e7d8855df99cf9eb1ba7e2324fea1f1f8639e39dc777fb99964424a78b2c44949c199a45a92f84209b4181a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstB48.tmp\ioSpecial.ini

Filesize
622B

MD5
8ab9ba5bf6ea3dcc9e04e1d577fc60d9

SHA1
e062a6d4c33d27d122bcf2a887e65bb9a17185e9

SHA256
ce92b6f202e2797c2b4a37fb1cd36c822d3b27ecb05a3375063fece9d979e1e4

SHA512
c0ee401ab28540fda4a96737ffd9478e70f1411227bc0f938301d197c5722bfe88d5b6a0266489495a29c0633e0cacd6dc2cdd272573ccce314c4eeac6eb7ba2

Download Submit
\Users\Admin\AppData\Local\Temp\nstB48.tmp\InstallOptions.dll

Filesize
13KB

MD5
d765c492c21689e3d9d61634371fd861

SHA1
ac200933671ae52c9d5544d0e2e8e9144d286c83

SHA256
551e6042dd494ea01549555ffc194ab9729da09058ec714eb368dd06642c9bbc

SHA512
9919a9e848c8f1e26c75d0d29207571e4b86a4140bd554743d2c1f8bd7f386fe4919345b163d89a5d907fb165e435ba0ac5f6b1101713636141f156a420e2e0f

Download Submit
\Users\Admin\AppData\Local\Temp\nstB48.tmp\System.dll

Filesize
10KB

MD5
fe24766ba314f620d57d0cf7339103c0

SHA1
8641545f03f03ff07485d6ec4d7b41cbb898c269

SHA256
802ef71440f662f456bed6283a5ff78066af016897fe6bfd29cac6edc2967bbd

SHA512
60d36959895cebf29c4e7713e6d414980139c7aa4ed1c8c96fefb672c1263af0ce909fb409534355895649c0e8056635112efb0da2ba05694446aec2ca77e2e3

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
82KB

MD5
a4b66dfdece1cbd9aca8989e2ce5564f

SHA1
012d1c32f21d18ba9856557ba583b4fd82f437fe

SHA256
96e706092e32bea4d4a5f3e2ed8c6a7d761366a93deade9bde56b246c82e8c70

SHA512
5705e53995e68fb01238ccd75938549b388c07931227d30ed927562d9e016dfaffb8a8cf40e45e5c6248cbbc7af20dc3a058750784b0419597f404d368e13161

Download Submit