30aecb1d0bb7c6f8de3f21937ff121ccfee96e0454a1e9a156fefbf8accc8770

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninst.exe
Size

39KB
MD5

b462f3c38bc5b56e06976a94a7c36bc7
SHA1

0106bf912fa9a37bb975afb00fd4ebaf7dff13cd
SHA256

446c3dc2041bd1d0968e92ec21d538da95dd85c62535293fdca425b02587bbe5
SHA512

f33baef794d57eec26df2b173719c3dde0e8e1f9354d598662d1b86c1317b21fbff17b1ce373495f9bfe717d10b8dba1d486fee18bbb51b726e480300c606343
SSDEEP

768:0Gn4o4BL/akfpI1nu0LXGS8BPfeyWMZtuHvwbtOuIYdPciuc1sJ:T4hwgonu0fJytuPwbdNcir1sJ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4340	Un.exe

Executes dropped EXE 1 IoCs

pid	Process
4340	Un.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral16/files/0x000600000002322b-3.dat	nsis_installer_1
behavioral16/files/0x000600000002322b-3.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 4340	2124	uninst.exe	84
PID 2124 wrote to memory of 4340	2124	uninst.exe	84
PID 2124 wrote to memory of 4340	2124	uninst.exe	84

C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe

Filesize
39KB

MD5
b462f3c38bc5b56e06976a94a7c36bc7

SHA1
0106bf912fa9a37bb975afb00fd4ebaf7dff13cd

SHA256
446c3dc2041bd1d0968e92ec21d538da95dd85c62535293fdca425b02587bbe5

SHA512
f33baef794d57eec26df2b173719c3dde0e8e1f9354d598662d1b86c1317b21fbff17b1ce373495f9bfe717d10b8dba1d486fee18bbb51b726e480300c606343

Download Submit