550321da5b10c472bc719bca2c0df74b240f80eff828079eb5253598fe112ae3

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-03-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SAMPUninstall.exe
Size

56KB
MD5

bffa504cd63305418858b150faa8f408
SHA1

86886fd2378aa33935cf684f056454859713aed4
SHA256

d00f8bf2eaa1994b0064d7b14fc987b0aab9b3c440a4177257ee2d3217fe6d3b
SHA512

6b8958a4ccffce02ba8e4390f66121a02116e2b2ef9c4baa2eea62b8acfe380d0c0dd5e773f83b7062467a34019612d3f8a531e1a4ffcefb769de964cbf02019
SSDEEP

1536:HLXB65939tY6HBg4sXJOgdLeAyN/dIM6su:HLk395hYXJOceAlMM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1728	Au_.exe

Executes dropped EXE 1 IoCs

pid	Process
1728	Au_.exe

Loads dropped DLL 5 IoCs

pid	Process
2252	SAMPUninstall.exe
1728	Au_.exe
1728	Au_.exe
1728	Au_.exe
1728	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral25/files/0x000d0000000126b7-2.dat	nsis_installer_1
behavioral25/files/0x000d0000000126b7-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1728	Au_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1728	2252	SAMPUninstall.exe	28
PID 2252 wrote to memory of 1728	2252	SAMPUninstall.exe	28
PID 2252 wrote to memory of 1728	2252	SAMPUninstall.exe	28
PID 2252 wrote to memory of 1728	2252	SAMPUninstall.exe	28
PID 2252 wrote to memory of 1728	2252	SAMPUninstall.exe	28
PID 2252 wrote to memory of 1728	2252	SAMPUninstall.exe	28
PID 2252 wrote to memory of 1728	2252	SAMPUninstall.exe	28

C:\Users\Admin\AppData\Local\Temp\SAMPUninstall.exe
"C:\Users\Admin\AppData\Local\Temp\SAMPUninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy48F3.tmp\ioSpecial.ini

Filesize
538B

MD5
bb6f758ded63aec0901015b3828f41d8

SHA1
0d2dfc6f11b0b88e894a99162a2021580fcd5454

SHA256
3f838bdd4ffc00e2563d7971f40a8fe3d2fc82debbbae62b16611505d71f71ad

SHA512
822a22f3f2e946dd8ad584e7a2f5642111adebbede024f90d63d4f85d581f4cad26918560c9e55757e821892d60b3b92d80ac4478300364f3a49f5abe377250e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy48F3.tmp\ioSpecial.ini

Filesize
551B

MD5
de1e9b9d38b3d390cc32cf72e11c6945

SHA1
195ba6fb0d73381dd0cd014736d97e14531073f5

SHA256
67bff7b4199014f046ec509ab417419caf94218fec2effd7d93caac18b2c73bc

SHA512
46d881b84bbe2ed419654271625ed4ba7be8565d1b6f59ff907efd842041aa86a95326d26a70c1465e894f3734a86818d9dc2d35ca5f38bf3b829107f128c126

Download Submit
\Users\Admin\AppData\Local\Temp\nsy48F3.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
56KB

MD5
bffa504cd63305418858b150faa8f408

SHA1
86886fd2378aa33935cf684f056454859713aed4

SHA256
d00f8bf2eaa1994b0064d7b14fc987b0aab9b3c440a4177257ee2d3217fe6d3b

SHA512
6b8958a4ccffce02ba8e4390f66121a02116e2b2ef9c4baa2eea62b8acfe380d0c0dd5e773f83b7062467a34019612d3f8a531e1a4ffcefb769de964cbf02019

Download Submit