Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/02/2024, 16:23

General

  • Target

    uninstall.exe

  • Size

    289KB

  • MD5

    500944508b93944c309eb5d0e6402270

  • SHA1

    1ac655b33ebb16e650aefa9178ac1502d4c51b0b

  • SHA256

    9820f4a5bc14e8359ef67b537e573015fada262501b6d7169d75c26b1b468ad8

  • SHA512

    8d337b97f5998019f0f8cff733e98d52510eff2f24d8323063eb07468bbb5fa0803b329b00d72b72ce8c476f11d51d1fd19364aabb1847b06ae3ac0fcf80f873

  • SSDEEP

    6144:Ue341CRg4l8ai5PQtTZ763J8eWW43YLYjn5uO7D32fuCa7Bmd:YCq4OaQQTYJ8eP4/L5uO7D3f5B8

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\uninstall.exe"
    PID:1916
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      PID:2812
      • Executes dropped EXE
      • Loads dropped DLL

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsj7DE8.tmp\aminsis.dll
    Filesize
    567KB
    MD5
    450753ad96785a240a39deccab3af0d0
    SHA1
    21c544064d2ffa6444508268ce258a330d459fc5
    SHA256
    1c371dcc6c3428ea98fb0d2dcb612b4ebc731f3ed72e683c8e33058cd2a952d3
    SHA512
    c41b834f4228b7668316095569c836b4e0d55c5fbf310c65b0e0453ef0e74a3ce8f9357cea90b80f6590f85dd7708eeb4eec27518811ea4aab20c0e7f5643dab

  • \Users\Admin\AppData\Local\Temp\nsj7DE8.tmp\aminsis.dll
    Filesize
    256KB
    MD5
    226b97cd4b37b2b9d37a5ea8ebd7b468
    SHA1
    e274e2aa5a8b6eea160d30a487bef91918c8963c
    SHA256
    7c581ecee63acd6ea54a47fbebbf2af76c277504a0033f53f6086f35b7709768
    SHA512
    495b6449ccb7a358d829da6681f86f03153c86e8d3a42421f9056127dc8871b8e45943cd0f13c0e98abfd76e2e8b6e9098c0861c1e4ab7204a010875bcf1cd79

  • \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    Filesize
    289KB
    MD5
    500944508b93944c309eb5d0e6402270
    SHA1
    1ac655b33ebb16e650aefa9178ac1502d4c51b0b
    SHA256
    9820f4a5bc14e8359ef67b537e573015fada262501b6d7169d75c26b1b468ad8
    SHA512
    8d337b97f5998019f0f8cff733e98d52510eff2f24d8323063eb07468bbb5fa0803b329b00d72b72ce8c476f11d51d1fd19364aabb1847b06ae3ac0fcf80f873