Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/02/2024, 16:23

General

  • Target

    uninstall.exe

  • Size

    289KB

  • MD5

    c7d816fa307003c2d95f1a8e81320c65

  • SHA1

    d00690f03698b67d6e869d888b5a220bc61b029b

  • SHA256

    a6ae21b528c0aadb2abdb052bca5520421be28f6eae029fcbb2170dd910e0047

  • SHA512

    e5b7421e77979b8003122bc9bed7e9a70d608d1f9981529e6db12e53b2b9cd50fbb19a7898a0ec7b49670bc02bde637f5de2f098ed384dd4bfb7e41882463abb

  • SSDEEP

    6144:Ue346TRg4l8ai5PQtTZ763J8eWW43YLYjn5uO7D32fuCa7Bmk:zTq4OaQQTYJ8eP4/L5uO7D3f5BB

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer (6 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\uninstall.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1728

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\nsi55AF.tmp\aminsis.dll

          Filesize

          567KB

          MD5

          450753ad96785a240a39deccab3af0d0

          SHA1

          21c544064d2ffa6444508268ce258a330d459fc5

          SHA256

          1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3

          SHA512

          c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

        • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

          Filesize

          146KB

          MD5

          2209fd8c19f9ba3829d10c6dbaba5c93

          SHA1

          33f4e63e76a9e19201a63f538e17bfdbe67efade

          SHA256

          0ef5324c4f2dca09451d81f18b23ca7c6e36fb11a396e6685c6f84e52f71daef

          SHA512

          b1e859218341c82ad296d8b18e5105b89e005ca61c2bec831458e9c14438faf5a5f1232ac4a4ab327751d5ee62842c417d322e89eb2f5ac6667eedd74d593c10

        • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

          Filesize

          102KB

          MD5

          3eea7cf389986a43b7134ab8e14b9971

          SHA1

          fd583f6bbba5ae19ee99bff6ce7d1c0177038a87

          SHA256

          2cf0c6600502227fff466c81cd027dda80ba550c70c38e405cfdf20ac54b4843

          SHA512

          8a5a9951a4175c35f39a795fbe367fb36084fa0be217f11a196b1da75316be35d00f705fc0c8a228d0fa539b70e32397305c1ec105e27145fa7796c611a1dfa5

        • \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

          Filesize

          250KB

          MD5

          5b2ef119a26f0723f8a42711289d1c08

          SHA1

          34758c943eb983156339a807c595bd7bff338e56

          SHA256

          882824f4f2f030eb9d717a7371ea9a8df78aa01a5e341d415f6fcc3446bfae4e

          SHA512

          94a10ea57636669b2b7fdcf22e61f642e115782be2ee215c9d13bf4d5f7704ba73803f7804b501c395181b2459e30a3be78ccd7ded36f73daa9b529972e0afdb
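The script below is an added example, not part of the sandbox's output. It encodes the process tree and the Downloads list from this report as constructed Python records and checks two things an analyst wants from a report like this: whether the Au_.exe child is the standard NSIS uninstaller self-copy (an NSIS uninstaller copies itself to %TEMP%\~nsu*.tmp\Au_.exe and relaunches that copy with _?=<directory it ran from> so the original can be deleted, which accounts for the "Executes dropped EXE" and "Loads dropped DLL" hits), and whether the report lists one path under several different hashes, as it does for Au_.exe (146KB, 102KB and 250KB, the last without a drive letter). Function names, labels and the record layout are assumptions of this example.

```python
"""Triage helpers for the NSIS uninstaller report above (example code, not sandbox output)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


@dataclass(frozen=True)
class Artifact:
    path: str
    size_kb: int
    sha256: str


TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
TARGET_SHA256 = "a6ae21b528c0aadb2abdb052bca5520421be28f6eae029fcbb2170dd910e0047"

# Process tree as reported on the page (PID 2148 -> PID 1728); constructed records.
PROCS = [
    Proc(2148, None, TEMP + "uninstall.exe", '"' + TEMP + 'uninstall.exe"'),
    Proc(1728, 2148, TEMP + "~nsu.tmp\\Au_.exe",
         '"' + TEMP + '~nsu.tmp\\Au_.exe" _?=' + TEMP),
]

# Dropped files as listed under Downloads; the last path lacks a drive letter, as on the page.
ARTIFACTS = [
    Artifact(TEMP + "nsi55AF.tmp\\aminsis.dll", 567,
             "1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3"),
    Artifact(TEMP + "~nsu.tmp\\Au_.exe", 146,
             "0ef5324c4f2dca09451d81f18b23ca7c6e36fb11a396e6685c6f84e52f71daef"),
    Artifact(TEMP + "~nsu.tmp\\Au_.exe", 102,
             "2cf0c6600502227fff466c81cd027dda80ba550c70c38e405cfdf20ac54b4843"),
    Artifact("\\Users\\Admin\\AppData\\Local\\Temp\\~nsu.tmp\\Au_.exe", 250,
             "882824f4f2f030eb9d717a7371ea9a8df78aa01a5e341d415f6fcc3446bfae4e"),
]

# NSIS uninstallers copy themselves to %TEMP%\~nsu<x>.tmp\Au_.exe and relaunch the copy
# with _?=<directory the original ran from> as the final argument.
_NSIS_COPY = re.compile(r"\\~nsu[^\\]*\.tmp\\Au_\.exe$", re.IGNORECASE)
_INSTDIR_ARG = re.compile(r"_\?=(.+)$")


def _norm_dir(path: str) -> str:
    return path.rstrip("\\").lower()


def nsis_self_copy(child: Proc, parent: Optional[Proc]) -> bool:
    """True if child is the NSIS uninstaller relaunch of its parent:
    Au_.exe under ~nsu*.tmp, with _?= pointing at the parent's directory."""
    if parent is None or not _NSIS_COPY.search(child.image):
        return False
    m = _INSTDIR_ARG.search(child.cmdline)
    if not m:
        return False
    parent_dir = parent.image.rsplit("\\", 1)[0]
    return _norm_dir(m.group(1)) == _norm_dir(parent_dir)


def classify_tree(procs: list) -> dict:
    """Label every child PID as the expected NSIS self-copy or as an unexplained dropped EXE."""
    by_pid = {p.pid: p for p in procs}
    labels = {}
    for p in procs:
        if p.ppid is None:
            continue
        ok = nsis_self_copy(p, by_pid.get(p.ppid))
        labels[p.pid] = "nsis-uninstaller-self-copy" if ok else "unexplained-dropped-exe"
    return labels


def _norm_path(path: str) -> str:
    # Drop a leading drive letter so "C:\Users\..." and "\Users\..." compare equal.
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def path_collisions(artifacts: list) -> dict:
    """Paths the report lists with more than one distinct SHA256 (ambiguous artifacts)."""
    hashes = defaultdict(set)
    for a in artifacts:
        hashes[_norm_path(a.path)].add(a.sha256)
    return {p: sorted(h) for p, h in hashes.items() if len(h) > 1}


def matches_target(artifacts: list, target_sha256: str) -> list:
    """Dropped files whose SHA256 equals the submitted sample's (none in this report)."""
    return [a for a in artifacts if a.sha256 == target_sha256]


if __name__ == "__main__":
    print(classify_tree(PROCS))
    for path, hs in path_collisions(ARTIFACTS).items():
        print(path, "->", len(hs), "distinct hashes")
    print("artifacts identical to target:", matches_target(ARTIFACTS, TARGET_SHA256))
```

The self-copy check only explains the two "dropped" signatures; it says nothing about the browser-data and storage-enumeration hits, which are the ones worth following up in the actual binary. The path-collision check flags that the report attaches three different contents to one Au_.exe path, so a hash from that list should not be used as an indicator without first resolving which file was actually executed as PID 1728.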