Analysis

  • max time kernel
    90s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/02/2024, 16:23

General

  • Target

    uninstall.exe

  • Size

    289KB

  • MD5

    c7d816fa307003c2d95f1a8e81320c65

  • SHA1

    d00690f03698b67d6e869d888b5a220bc61b029b

  • SHA256

    a6ae21b528c0aadb2abdb052bca5520421be28f6eae029fcbb2170dd910e0047

  • SHA512

    e5b7421e77979b8003122bc9bed7e9a70d608d1f9981529e6db12e53b2b9cd50fbb19a7898a0ec7b49670bc02bde637f5de2f098ed384dd4bfb7e41882463abb

  • SSDEEP

    6144:Ue346TRg4l8ai5PQtTZ763J8eWW43YLYjn5uO7D32fuCa7Bmk:zTq4OaQQTYJ8eP4/L5uO7D3f5BB

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\uninstall.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3084
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:4956

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\nss5B11.tmp\aminsis.dll

          Filesize

          567KB

          MD5

          450753ad96785a240a39deccab3af0d0

          SHA1

          21c544064d2ffa6444508268ce258a330d459fc5

          SHA256

          1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3

          SHA512

          c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

        • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

          Filesize

          88KB

          MD5

          f5caa1c66725e248566f9ffade1d55a4

          SHA1

          12f20dc1b06045934bcf0c9b23490fd799d7cd2c

          SHA256

          7fa7eb7b38ef4d8907ed009b82f5f41b620e6457b794a9f781d26a91b3071498

          SHA512

          9b101f3660b6d5ccf72bbdd7fc1eca021d0571bb115615276a47555646b62d8d7cbd003014464823a508975679949b3ff84e881ce1578b4976fdd0c805eda75d

        • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

          Filesize

          98KB

          MD5

          1f903feb8cd2da1b88e2836781a5abf2

          SHA1

          e5aa39eee8cb0045f77388c99e16ff65a25dfafd

          SHA256

          caaedd1582a1e4fcbce623e961701ae1bc95a88ecbc90872db3f5be120791dca

          SHA512

          17427ad4cdc220d46e8c958e5844a4f13bf676628c0a2ddd15869af9228f7dab1f3166d5edf9e06d18fca2dcb85d6c732e1eae575af3e5fe91152d239edc0fe6