da51aca27777c2fd13be2e099f6657b7815633bbbfe3240b4d8ed171867786ad

Analysis

max time kernel
144s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-01-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninst.exe
Size

50KB
MD5

4e480465798d180c4aaa22c370d2afce
SHA1

24a8ea7ee3370f0cc0860aa62af521b2a0df51b6
SHA256

c2c330ca281db344bc7f2cff55563bfc7993fcb440f3489a5b4a1981f46bd758
SHA512

e17eb327f1be48cd0180c10275e795f3a1ea746598ba1d3b1c64eb6739ca474bbaef66ece0c3794497c2d029c0ea3f3baf27e3899d8bc897c9ececbbbfae7f15
SSDEEP

768:91cVhpQI2EQK0iPDh84nScF15GYbWjXO3XJD3eOzwhPHPe0l8:LQpQ5EP0ijnRTXJD3eOsNHPP8

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

Au_.exe

pid process

2116 Au_.exe
Executes dropped EXE 1 IoCs

Processes:

Au_.exe

pid process

2116 Au_.exe
Loads dropped DLL 7 IoCs

Processes:

uninst.exeAu_.exe

pid process

1696 uninst.exe
2116 Au_.exe
2116 Au_.exe
2116 Au_.exe
2116 Au_.exe
2116 Au_.exe
2116 Au_.exe

pid	process
2116	Au_.exe

pid	process
2116	Au_.exe

pid	process
1696	uninst.exe
2116	Au_.exe
2116	Au_.exe
2116	Au_.exe
2116	Au_.exe
2116	Au_.exe
2116	Au_.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

True2Scan.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\True2Scan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\True2ScanLaunch.exe"	True2Scan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Au_.exe

pid process

2116 Au_.exe
2116 Au_.exe
2116 Au_.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Au_.exe

pid process

2116 Au_.exe

pid	process
2116	Au_.exe
2116	Au_.exe
2116	Au_.exe

pid	process
2116	Au_.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

True2Scan.exeAu_.exe

description	pid	process
Token: SeRestorePrivilege	2540	True2Scan.exe
Token: SeBackupPrivilege	2540	True2Scan.exe
Token: SeRestorePrivilege	2116	Au_.exe
Token: SeBackupPrivilege	2116	Au_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

True2Scan.exe

pid process

2540 True2Scan.exe

pid	process
2540	True2Scan.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

uninst.exeAu_.exe

description	pid	process	target process
PID 1696 wrote to memory of 2116	1696	uninst.exe	Au_.exe
PID 1696 wrote to memory of 2116	1696	uninst.exe	Au_.exe
PID 1696 wrote to memory of 2116	1696	uninst.exe	Au_.exe
PID 1696 wrote to memory of 2116	1696	uninst.exe	Au_.exe
PID 1696 wrote to memory of 2116	1696	uninst.exe	Au_.exe
PID 1696 wrote to memory of 2116	1696	uninst.exe	Au_.exe
PID 1696 wrote to memory of 2116	1696	uninst.exe	Au_.exe
PID 2116 wrote to memory of 2540	2116	Au_.exe	True2Scan.exe
PID 2116 wrote to memory of 2540	2116	Au_.exe	True2Scan.exe
PID 2116 wrote to memory of 2540	2116	Au_.exe	True2Scan.exe
PID 2116 wrote to memory of 2540	2116	Au_.exe	True2Scan.exe
PID 2116 wrote to memory of 2540	2116	Au_.exe	True2Scan.exe
PID 2116 wrote to memory of 2540	2116	Au_.exe	True2Scan.exe
PID 2116 wrote to memory of 2540	2116	Au_.exe	True2Scan.exe

C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
2⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Local\Temp\True2Scan.exe
"C:\Users\Admin\AppData\Local\Temp\True2Scan.exe" /uninstall
3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsj6A69.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
50KB

MD5
4e480465798d180c4aaa22c370d2afce

SHA1
24a8ea7ee3370f0cc0860aa62af521b2a0df51b6

SHA256
c2c330ca281db344bc7f2cff55563bfc7993fcb440f3489a5b4a1981f46bd758

SHA512
e17eb327f1be48cd0180c10275e795f3a1ea746598ba1d3b1c64eb6739ca474bbaef66ece0c3794497c2d029c0ea3f3baf27e3899d8bc897c9ececbbbfae7f15

Download Submit
memory/2116-16-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2116-21-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2540-26-0x0000000000230000-0x0000000000269000-memory.dmp

Filesize
228KB

Download