0d60601a1157cff3eba748a058ac48b94f25989aa30aba124be9c45877a7e034

Analysis

max time kernel
180s
max time network
297s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
24/02/2024, 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninstall.exe
Size

40KB
MD5

2638bec69fe0827b8e4fb94640100074
SHA1

d5531ad040b8223c9811d772becc3d9904fbea6e
SHA256

4db2852af10e8cf301989b2bbf3d76c38390171ce00b7b02ad5444877e1a4b21
SHA512

99524c97b03e787bead55dffd8537d4fb5d561963f5b26eaaf725b0bf4914b06fbe5041aee4af18628cc33843c9a25f6b2cf9026a1f0e1d992dbbb34bfb3634b
SSDEEP

768:CzV60pic8jAQVSISj980nSwRdxi4XAfF/O71mJCxk0Zx0GATo:uFicEAwSIknNAUmJCbrfAU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
792	Au_.exe

Loads dropped DLL 1 IoCs

pid	Process
792	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral26/files/0x0006000000021371-4.dat	nsis_installer_1
behavioral26/files/0x0006000000021371-4.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 792	4396	uninstall.exe	73
PID 4396 wrote to memory of 792	4396	uninstall.exe	73
PID 4396 wrote to memory of 792	4396	uninstall.exe	73

C:\Users\Admin\AppData\Local\Temp\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
40KB

MD5
2638bec69fe0827b8e4fb94640100074

SHA1
d5531ad040b8223c9811d772becc3d9904fbea6e

SHA256
4db2852af10e8cf301989b2bbf3d76c38390171ce00b7b02ad5444877e1a4b21

SHA512
99524c97b03e787bead55dffd8537d4fb5d561963f5b26eaaf725b0bf4914b06fbe5041aee4af18628cc33843c9a25f6b2cf9026a1f0e1d992dbbb34bfb3634b

Download Submit
\Users\Admin\AppData\Local\Temp\nse9DD8.tmp\LangDLL.dll

Filesize
5KB

MD5
356977adc8dc0d8d17d7f8a2b789004f

SHA1
c4bf52c11425e6c061d4e36d97c5a2d7a4360191

SHA256
8091a25eb5307bc1837e1e59a5d7dc36faa5190114202a835c415cc6df069dee

SHA512
4d6ec569ea719845b31f98713e67e27ab6d6a4037b74a121ab768197a6ee6c4c5581348c9dfa7f228c489ef09e54bead9ed422f39eef74742fffebc8f6658de5

Download Submit