11c50f2f12ce77d8f1d6098733ba9e3e4e08e81e54ac613df2b006d53f08efc2

Analysis

max time kernel
115s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$R1/$_1_/Uninstall.exe
Size

505KB
MD5

928add37b4bf01fab733ca156e10762c
SHA1

f10598e2bc14c7043caa99fd81b8f4c91e5a55da
SHA256

0b833e16c7156ae7d13ed37b0d92cd83067f698ede7f350f457ea8ae2ec817f6
SHA512

f1b56e56359cd474473236db768c6d16071babc762de889df14092e5eea5530bbd38a14c293dee36d8db51c814307314859379e166911f77c52df1a23531d5d9
SSDEEP

6144:r50gUCBmyti5ELY4jurdS5SbOV1p7VulOCkqW:d0gtmwO4SrdS2OV1p7klO8W

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3624	Au_.exe

Loads dropped DLL 7 IoCs

pid	Process
3624	Au_.exe
3624	Au_.exe
3624	Au_.exe
3624	Au_.exe
3624	Au_.exe
3624	Au_.exe
3624	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3624	Au_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 3624	3784	Uninstall.exe	50
PID 3784 wrote to memory of 3624	3784	Uninstall.exe	50
PID 3784 wrote to memory of 3624	3784	Uninstall.exe	50

C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsm3F7B.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3F7B.tmp\UAC.dll

Filesize
13KB

MD5
a88baad3461d2e9928a15753b1d93fd7

SHA1
bb826e35264968bbc3b981d8430ac55df1e6d4a6

SHA256
c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af

SHA512
5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3F7B.tmp\apphelp.dll

Filesize
1.5MB

MD5
342513de2a1ba458b8648f2f1cb6fef2

SHA1
715fa4fa36c8d7ce2ef0e2397140a5e69c7176ce

SHA256
9737f901d618bc148ab58a1c713281d8971b29db53f72d1b40e703708c906795

SHA512
efa3ccb501d77b0d7dbba787e40637568435b0abac659a9055c4fadb16ed3ef62c10f2a00ff80365565fc94f84a38a418ca5d96fbd9ae9f46d52d6caaed28f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3F7B.tmp\apphelp.dll

Filesize
876KB

MD5
c715ce89c51890870b517918514c427d

SHA1
f710d6623258c0ef6792b2935d216746890d9873

SHA256
1088546303cea68752da91b145be197a56cf8b44da6be1c6995660467df15918

SHA512
706bda80c93189ea226f7a2be85fb112a4d227516e7c80d76b43c461431a14190d06b06c5aadfb2f550b68faa30ea1069ae5dd13ddeb76a485e0c5c72f345540

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3F7B.tmp\nsDialogs.dll

Filesize
9KB

MD5
4ccc4a742d4423f2f0ed744fd9c81f63

SHA1
704f00a1acc327fd879cf75fc90d0b8f927c36bc

SHA256
416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

SHA512
790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3F7B.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
505KB

MD5
928add37b4bf01fab733ca156e10762c

SHA1
f10598e2bc14c7043caa99fd81b8f4c91e5a55da

SHA256
0b833e16c7156ae7d13ed37b0d92cd83067f698ede7f350f457ea8ae2ec817f6

SHA512
f1b56e56359cd474473236db768c6d16071babc762de889df14092e5eea5530bbd38a14c293dee36d8db51c814307314859379e166911f77c52df1a23531d5d9

Download Submit
memory/3624-15-0x0000000002FF0000-0x0000000003049000-memory.dmp

Filesize
356KB

Download