478e5a10a2d3f41fd903448dd9d06c7d901a53933cfa7d90f10d905d01c8fb49

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$0/uninstall.exe
Size

87KB
MD5

ff795d8c92ba9e210087811450f07b86
SHA1

6c2959c83a4c460b77a285473cb02de79d01d1b0
SHA256

7911cc2005f04f64f514f0aedaf9bde9aec48e51ecb9e0b21981e39a3885cd68
SHA512

951620bede769f77b40f1d315841604212632a2f5095df5cf9134811f43328e95f4c36962fecc2fdc7639ed1570238a9578c6cc1d2e7b17b820ba3c7909cf401
SSDEEP

1536:HEkjY1zy214Qay0DGkJbvPJDtimfOx+cp17GP/W8eptep2/D90w:kkjAJ4dDGkJzniUkOPebp0o/Z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2472	Au_.exe

Loads dropped DLL 3 IoCs

pid	Process
1220	uninstall.exe
2472	Au_.exe
2472	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral3/files/0x000e000000016d52-2.dat	nsis_installer_1

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2472	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2472	1220	uninstall.exe	28
PID 1220 wrote to memory of 2472	1220	uninstall.exe	28
PID 1220 wrote to memory of 2472	1220	uninstall.exe	28
PID 1220 wrote to memory of 2472	1220	uninstall.exe	28

C:\Users\Admin\AppData\Local\Temp\$0\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\$0\uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$0\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd59D4.tmp\ioSpecial.ini

Filesize
598B

MD5
610f103817ee6fe921d3fd66137e0bca

SHA1
c1738e3a5490e87f3df239bee5c0992aac56a26a

SHA256
2ad6f8c923cf18c050856caf0a6752223849c33d3fd5dfb475bfa962dc14785d

SHA512
20072a018dbce724795a9255499f5666e4d49287323b5c0842e3420b1f7ce7e3301bdf6922c5f58ec1892795de927285d3fce61e865eaf24d85abf8268ea37ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd59D4.tmp\ioSpecial.ini

Filesize
611B

MD5
c5abe3e602678a768179383b3791cd13

SHA1
150673c0234fbfc79f7cfdebb5a48b93b23ebcde

SHA256
aaba5a1d4e7781c4e141a3594153cd4e9accfe7f2a68d3c548376b763e56494f

SHA512
bb7a9039492ce375ba134795624e230bd913120ceea6a1f83021c21f44c95808f1e0c01074c0ce94fff128270715af4be6a14f91ffe5e91e92493631624a5d33

Download Submit
\Users\Admin\AppData\Local\Temp\nsd59D4.tmp\InstallOptions.dll

Filesize
13KB

MD5
d765c492c21689e3d9d61634371fd861

SHA1
ac200933671ae52c9d5544d0e2e8e9144d286c83

SHA256
551e6042dd494ea01549555ffc194ab9729da09058ec714eb368dd06642c9bbc

SHA512
9919a9e848c8f1e26c75d0d29207571e4b86a4140bd554743d2c1f8bd7f386fe4919345b163d89a5d907fb165e435ba0ac5f6b1101713636141f156a420e2e0f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd59D4.tmp\System.dll

Filesize
10KB

MD5
fe24766ba314f620d57d0cf7339103c0

SHA1
8641545f03f03ff07485d6ec4d7b41cbb898c269

SHA256
802ef71440f662f456bed6283a5ff78066af016897fe6bfd29cac6edc2967bbd

SHA512
60d36959895cebf29c4e7713e6d414980139c7aa4ed1c8c96fefb672c1263af0ce909fb409534355895649c0e8056635112efb0da2ba05694446aec2ca77e2e3

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
87KB

MD5
ff795d8c92ba9e210087811450f07b86

SHA1
6c2959c83a4c460b77a285473cb02de79d01d1b0

SHA256
7911cc2005f04f64f514f0aedaf9bde9aec48e51ecb9e0b21981e39a3885cd68

SHA512
951620bede769f77b40f1d315841604212632a2f5095df5cf9134811f43328e95f4c36962fecc2fdc7639ed1570238a9578c6cc1d2e7b17b820ba3c7909cf401

Download Submit