02ed70ca5fc0e47d0cb7016a0959a0793853beaa8bba1e1d26b9fe9489c798fe

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninst.exe
Size

132KB
MD5

46841052d7e2a47af13f8845ea018484
SHA1

d6f5e38b803a2ffa654c681bd1244f77097769e3
SHA256

529830765e44fb8dabfb8fe92aa242005edc2ca83fbe13f4fc4d6cfa7d6b4a50
SHA512

0d68120e128caa6c47f11b318f452b7596600c9b6bf6741e761115e0be6f3010bc8fcf05a0b3c8ebba9d7919f87084d08f2a799f256812eab6026b6dd49be178
SSDEEP

1536:jQpQ5EP0ijnRTXJfiSFxYrZqa9WXkI8s3ofkP0r0eLuUeFEv8VeOF/B:jQIURTXJfiokZqa9+8qo6hUeFEv8v

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

Au_.exe

pid process

1200 Au_.exe
Executes dropped EXE 1 IoCs

Processes:

Au_.exe

pid process

1200 Au_.exe
Loads dropped DLL 7 IoCs

Processes:

uninst.exeAu_.exe

pid process

2412 uninst.exe
1200 Au_.exe
1200 Au_.exe
1200 Au_.exe
1200 Au_.exe
1200 Au_.exe
1200 Au_.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1200	Au_.exe

pid	process
1200	Au_.exe

pid	process
2412	uninst.exe
1200	Au_.exe
1200	Au_.exe
1200	Au_.exe
1200	Au_.exe
1200	Au_.exe
1200	Au_.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Au_.exe

pid process

1200 Au_.exe
1200 Au_.exe
1200 Au_.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Au_.exe

description pid process

Token: SeRestorePrivilege 1200 Au_.exe
Token: SeBackupPrivilege 1200 Au_.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SpyOut.exe

pid process

2592 SpyOut.exe

pid	process
1200	Au_.exe
1200	Au_.exe
1200	Au_.exe

description	pid	process
Token: SeRestorePrivilege	1200	Au_.exe
Token: SeBackupPrivilege	1200	Au_.exe

pid	process
2592	SpyOut.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

uninst.exeAu_.exe

description	pid	process	target process
PID 2412 wrote to memory of 1200	2412	uninst.exe	Au_.exe
PID 2412 wrote to memory of 1200	2412	uninst.exe	Au_.exe
PID 2412 wrote to memory of 1200	2412	uninst.exe	Au_.exe
PID 2412 wrote to memory of 1200	2412	uninst.exe	Au_.exe
PID 2412 wrote to memory of 1200	2412	uninst.exe	Au_.exe
PID 2412 wrote to memory of 1200	2412	uninst.exe	Au_.exe
PID 2412 wrote to memory of 1200	2412	uninst.exe	Au_.exe
PID 1200 wrote to memory of 2592	1200	Au_.exe	SpyOut.exe
PID 1200 wrote to memory of 2592	1200	Au_.exe	SpyOut.exe
PID 1200 wrote to memory of 2592	1200	Au_.exe	SpyOut.exe
PID 1200 wrote to memory of 2592	1200	Au_.exe	SpyOut.exe
PID 1200 wrote to memory of 2592	1200	Au_.exe	SpyOut.exe
PID 1200 wrote to memory of 2592	1200	Au_.exe	SpyOut.exe
PID 1200 wrote to memory of 2592	1200	Au_.exe	SpyOut.exe

C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
2⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\SpyOut.exe
"C:\Users\Admin\AppData\Local\Temp\SpyOut.exe" /uninstall
3⤵
- Suspicious use of SetWindowsHookEx
PID:2592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy2ACA.tmp\KillProcDLL.dll
Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
Filesize
132KB

MD5
46841052d7e2a47af13f8845ea018484

SHA1
d6f5e38b803a2ffa654c681bd1244f77097769e3

SHA256
529830765e44fb8dabfb8fe92aa242005edc2ca83fbe13f4fc4d6cfa7d6b4a50

SHA512
0d68120e128caa6c47f11b318f452b7596600c9b6bf6741e761115e0be6f3010bc8fcf05a0b3c8ebba9d7919f87084d08f2a799f256812eab6026b6dd49be178

Download Submit
memory/1200-16-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/1200-25-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download