2b439a03a70011aaae44b6b2b56953188c6607d547b7aa3f5d6924bce9ef5d18

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninst.exe
Size

91KB
MD5

4f328289767df4f975169f92c2bb4127
SHA1

1a9a93f3209e2713a6c0cab9a54eb78733e24297
SHA256

1f9f2a47e8c6ba0adac309cd8bc3fa7858963bfed9ad42c669e194ae0eb13743
SHA512

8cd458bd64ccb4636eee355d84519dd9928c51687b59fd9d3e2b38a17f6b68ebd691780537067275c81d0ed05a01e7e59e084616175f6e1192ac01745749342d
SSDEEP

1536:UyZMSZFvknTePMZd4k4kJJe+zR5NSO3gaevfPzG+cZWoAN8GYiutIhy67j21v/hr:jZMJnTeM4cJJe+zlwa8fPz49biueh77m

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4560	Au_.exe

Loads dropped DLL 2 IoCs

pid	Process
4560	Au_.exe
4560	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral14/files/0x000600000002320a-3.dat	nsis_installer_1
behavioral14/files/0x000600000002320a-3.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 4560	968	Uninst.exe	87
PID 968 wrote to memory of 4560	968	Uninst.exe	87
PID 968 wrote to memory of 4560	968	Uninst.exe	87

C:\Users\Admin\AppData\Local\Temp\Uninst.exe
"C:\Users\Admin\AppData\Local\Temp\Uninst.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:968
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsv47C8.tmp\InstallOptions.dll

Filesize
14KB

MD5
0dc0cc7a6d9db685bf05a7e5f3ea4781

SHA1
5d8b6268eeec9d8d904bc9d988a4b588b392213f

SHA256
8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

SHA512
814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv47C8.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv47C8.tmp\ioSpecial.ini

Filesize
622B

MD5
ab42507d59831c211be08889bdb62a1d

SHA1
529486d9462415966f98d5f79475a6d32af5c027

SHA256
614c420d9ce72c02a6d66c340e9b88ecece5b309aa05417ba2080ffa4e179f9f

SHA512
800b0b9f95b358647f9867427c3796abc0fb4ccefdb8631931cb05ea3ffc2434d97eaea2cba332cd459c2af336cbb8ca7ea10c3cad880f957331ae8a49672fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
91KB

MD5
4f328289767df4f975169f92c2bb4127

SHA1
1a9a93f3209e2713a6c0cab9a54eb78733e24297

SHA256
1f9f2a47e8c6ba0adac309cd8bc3fa7858963bfed9ad42c669e194ae0eb13743

SHA512
8cd458bd64ccb4636eee355d84519dd9928c51687b59fd9d3e2b38a17f6b68ebd691780537067275c81d0ed05a01e7e59e084616175f6e1192ac01745749342d

Download Submit