ffaa6ae5e499945093a6fe2a7a05504f8796127cd6f4de239b47a7e86715214c

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SAMPUninstall.exe
Size

56KB
MD5

bffa504cd63305418858b150faa8f408
SHA1

86886fd2378aa33935cf684f056454859713aed4
SHA256

d00f8bf2eaa1994b0064d7b14fc987b0aab9b3c440a4177257ee2d3217fe6d3b
SHA512

6b8958a4ccffce02ba8e4390f66121a02116e2b2ef9c4baa2eea62b8acfe380d0c0dd5e773f83b7062467a34019612d3f8a531e1a4ffcefb769de964cbf02019
SSDEEP

1536:HLXB65939tY6HBg4sXJOgdLeAyN/dIM6su:HLk395hYXJOceAlMM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

Au_.exe

pid process

1704 Au_.exe
Executes dropped EXE 1 IoCs

Processes:

Au_.exe

pid process

1704 Au_.exe
Loads dropped DLL 5 IoCs

Processes:

SAMPUninstall.exeAu_.exe

pid process

1916 SAMPUninstall.exe
1704 Au_.exe
1704 Au_.exe
1704 Au_.exe
1704 Au_.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1704	Au_.exe

pid	process
1704	Au_.exe

pid	process
1916	SAMPUninstall.exe
1704	Au_.exe
1704	Au_.exe
1704	Au_.exe
1704	Au_.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Au_.exe

pid process

1704 Au_.exe

pid	process
1704	Au_.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

SAMPUninstall.exe

description	pid	process	target process
PID 1916 wrote to memory of 1704	1916	SAMPUninstall.exe	Au_.exe
PID 1916 wrote to memory of 1704	1916	SAMPUninstall.exe	Au_.exe
PID 1916 wrote to memory of 1704	1916	SAMPUninstall.exe	Au_.exe
PID 1916 wrote to memory of 1704	1916	SAMPUninstall.exe	Au_.exe
PID 1916 wrote to memory of 1704	1916	SAMPUninstall.exe	Au_.exe
PID 1916 wrote to memory of 1704	1916	SAMPUninstall.exe	Au_.exe
PID 1916 wrote to memory of 1704	1916	SAMPUninstall.exe	Au_.exe

C:\Users\Admin\AppData\Local\Temp\SAMPUninstall.exe
"C:\Users\Admin\AppData\Local\Temp\SAMPUninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst55A0.tmp\ioSpecial.ini

Filesize
538B

MD5
57306d647251980383208ca3c402f51c

SHA1
64cc30945353c2799aa552d1fde9fca9b850573d

SHA256
6b46647db4af556e72c1fdac72436f80fa2c3ba5a436196178e895e4e0699df6

SHA512
9370e8b570b6ebe8049469b9e9daf4d7c259ce332c60ac7829053a331952815ffebc2861253e8b97ccd3e44039b923a9c15987e9c1d095f1d495d57c351f4966

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst55A0.tmp\ioSpecial.ini

Filesize
577B

MD5
76a886991debf28edb13216826b66823

SHA1
0a88f0db2289ec48d1cf7a6fa33c5a72e649b108

SHA256
2fac33f63d2752658f10c079b073d0dea774deee25125fbaf9f4b423780dc130

SHA512
af36dc4d91ec7f58552fe1e4fc25a37b56c113d0c7cd09dab7e041e46b00575385a1ccca91c16f2880c5167e448402bbcb3cda8838a4322c0e4bd13d0f8167b4

Download Submit
\Users\Admin\AppData\Local\Temp\nst55A0.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
56KB

MD5
bffa504cd63305418858b150faa8f408

SHA1
86886fd2378aa33935cf684f056454859713aed4

SHA256
d00f8bf2eaa1994b0064d7b14fc987b0aab9b3c440a4177257ee2d3217fe6d3b

SHA512
6b8958a4ccffce02ba8e4390f66121a02116e2b2ef9c4baa2eea62b8acfe380d0c0dd5e773f83b7062467a34019612d3f8a531e1a4ffcefb769de964cbf02019

Download Submit