550321da5b10c472bc719bca2c0df74b240f80eff828079eb5253598fe112ae3

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SAMPUninstall.exe
Size

56KB
MD5

bffa504cd63305418858b150faa8f408
SHA1

86886fd2378aa33935cf684f056454859713aed4
SHA256

d00f8bf2eaa1994b0064d7b14fc987b0aab9b3c440a4177257ee2d3217fe6d3b
SHA512

6b8958a4ccffce02ba8e4390f66121a02116e2b2ef9c4baa2eea62b8acfe380d0c0dd5e773f83b7062467a34019612d3f8a531e1a4ffcefb769de964cbf02019
SSDEEP

1536:HLXB65939tY6HBg4sXJOgdLeAyN/dIM6su:HLk395hYXJOceAlMM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3304	Au_.exe

Executes dropped EXE 1 IoCs

pid	Process
3304	Au_.exe

Loads dropped DLL 1 IoCs

pid	Process
3304	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral26/files/0x000700000002321b-3.dat	nsis_installer_1
behavioral26/files/0x000700000002321b-3.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 3304	2104	SAMPUninstall.exe	89
PID 2104 wrote to memory of 3304	2104	SAMPUninstall.exe	89
PID 2104 wrote to memory of 3304	2104	SAMPUninstall.exe	89

C:\Users\Admin\AppData\Local\Temp\SAMPUninstall.exe
"C:\Users\Admin\AppData\Local\Temp\SAMPUninstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsjC238.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjC238.tmp\ioSpecial.ini

Filesize
538B

MD5
ffd1fafb43e5e3ac56a3c70c278cd867

SHA1
e05a95c3a2cf36029fd2a7e41078a1c50b493b18

SHA256
6d30cd683b9a7510dcb849a229a39b759fcf7d883907a0eadcae58c94a939076

SHA512
1d8142467c5eb39571c0b5432bdfbcf1f4a8151d96ba0ba6581553fdf3c07934fe74a199d4be82f6d1baadfc2e5240ff0a8ab9878eca55e2de23672cfcb4f049

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
56KB

MD5
bffa504cd63305418858b150faa8f408

SHA1
86886fd2378aa33935cf684f056454859713aed4

SHA256
d00f8bf2eaa1994b0064d7b14fc987b0aab9b3c440a4177257ee2d3217fe6d3b

SHA512
6b8958a4ccffce02ba8e4390f66121a02116e2b2ef9c4baa2eea62b8acfe380d0c0dd5e773f83b7062467a34019612d3f8a531e1a4ffcefb769de964cbf02019

Download Submit