75b3c03b9e446ffe9417f6035b8334afc95d2f7a1d093df1c3aadfe024f4b92a

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bin/UninstallAbiWord2.exe
Size

106KB
MD5

8f91b88279dc5bfc76fa5d418a6c98d2
SHA1

7dca06911479e5f9d05e0a2b0b124010f55c6fd2
SHA256

bdf272534f428b8dfc84ca6a35171c8e25b9cfd382a35b4ff2010d6927a4319f
SHA512

de9c4b35f73c96a624cf3878fa752b4d504f9d05c7604c3fecf81b2b6081912be791020f26a6d9fb6c9ac4c6dfe001bdce34ce2d68fd29f16c03ae99807c5b1f
SSDEEP

1536:/YpQtMDc6fnpumJCAR8F1DZBoWWTdtp72iiBHn+1Y3mF/R1oj4463n6VeD5dU:/Yg4pumJPRKJZLiiBHD2Frp3dD5dU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3040	Au_.exe

Loads dropped DLL 5 IoCs

pid	Process
2904	UninstallAbiWord2.exe
3040	Au_.exe
3040	Au_.exe
3040	Au_.exe
3040	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral21/files/0x003100000001341c-2.dat	nsis_installer_1
behavioral21/files/0x003100000001341c-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3040	Au_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 3040	2904	UninstallAbiWord2.exe	28
PID 2904 wrote to memory of 3040	2904	UninstallAbiWord2.exe	28
PID 2904 wrote to memory of 3040	2904	UninstallAbiWord2.exe	28
PID 2904 wrote to memory of 3040	2904	UninstallAbiWord2.exe	28
PID 2904 wrote to memory of 3040	2904	UninstallAbiWord2.exe	28
PID 2904 wrote to memory of 3040	2904	UninstallAbiWord2.exe	28
PID 2904 wrote to memory of 3040	2904	UninstallAbiWord2.exe	28

C:\Users\Admin\AppData\Local\Temp\bin\UninstallAbiWord2.exe
"C:\Users\Admin\AppData\Local\Temp\bin\UninstallAbiWord2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\bin\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsiFEA.tmp\LangDLL.dll

Filesize
5KB

MD5
1775e8fe7832f0351d4024ba3478c58d

SHA1
3a2aafd8275f384332f6d08224d927040ce37cb4

SHA256
a2a159540c738c7bc4d6ce8dd203bf859078409c0021a2a60f4b0faa5352d375

SHA512
362cda0e1f50a8fecde1611863b1c6218962e3ec198ce3641ce50910d400ac647cdc3742888140fd6817ce6b30d83865aa0c72292bb80b1ae86cab419e0fb2b7

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
106KB

MD5
8f91b88279dc5bfc76fa5d418a6c98d2

SHA1
7dca06911479e5f9d05e0a2b0b124010f55c6fd2

SHA256
bdf272534f428b8dfc84ca6a35171c8e25b9cfd382a35b4ff2010d6927a4319f

SHA512
de9c4b35f73c96a624cf3878fa752b4d504f9d05c7604c3fecf81b2b6081912be791020f26a6d9fb6c9ac4c6dfe001bdce34ce2d68fd29f16c03ae99807c5b1f

Download Submit