24d824fb3eacf87429dfc236d3c491dfaa13ed412c4aae09de1aea967f3191e7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninst.exe
Size

38KB
MD5

0e63a9277a56a8561a75342dd051d7d0
SHA1

bc0a5ade3b8a6484058a9f6b5686b96f86396658
SHA256

843c80a07e3cda86fb6e772cbf6ed28fe5e9bac4fa4eb305ecae08bf4e1e2fb1
SHA512

aa90d7b2eff6426cf923cc2ad025e3cb48ab64398d003288d03718bf12496de575897ab8a3e91f93ecb2706a9c474d5181232448739d33950e984a576c07bbf5
SSDEEP

768:qPH4rKS4GDkQBZ3ImWlTtEIRlJ+qFZ2bSgJzANqM3wJJNnRvOXv+:qf4exGDkeZ4mOoSgJEAJJho2

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5064	Au_.exe

Executes dropped EXE 1 IoCs

pid	Process
5064	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral14/files/0x0007000000023205-3.dat	nsis_installer_1
behavioral14/files/0x0007000000023205-3.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 5064	2060	uninst.exe	88
PID 2060 wrote to memory of 5064	2060	uninst.exe	88
PID 2060 wrote to memory of 5064	2060	uninst.exe	88

C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
38KB

MD5
0e63a9277a56a8561a75342dd051d7d0

SHA1
bc0a5ade3b8a6484058a9f6b5686b96f86396658

SHA256
843c80a07e3cda86fb6e772cbf6ed28fe5e9bac4fa4eb305ecae08bf4e1e2fb1

SHA512
aa90d7b2eff6426cf923cc2ad025e3cb48ab64398d003288d03718bf12496de575897ab8a3e91f93ecb2706a9c474d5181232448739d33950e984a576c07bbf5

Download Submit