752fa6e4b62d30146d4639d84307a5cbbd74ef990305327cd15c7a6f070d53e4

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-05-2024 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

99KB
MD5

938a3a38a1f3305e267f050f4567e259
SHA1

5f39937c32ace402530c93a8ec445ebcfe2bfdd1
SHA256

081b40881c097faa045087133cd2353386c1066f95a3f2ec2ef10a9909f3f12c
SHA512

ffe97f9960fb28d68dd9659589f01894064207b2e38d23401181bc021dc6cbfa6f920010c65938e0d020068ff414fddeb7ebc190471153f420752e8581b3c86b
SSDEEP

3072:X5TDpNFVbxDSXJF3BaVHhiLas+rgHjoc2YvH+mN:X57Tcf3BcHhkTO/nYvB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2224	Au_.exe

Loads dropped DLL 3 IoCs

pid	Process
2892	Uninstall.exe
2224	Au_.exe
2224	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral17/files/0x002c000000014b6d-2.dat	nsis_installer_1
behavioral17/files/0x002c000000014b6d-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2224	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2224	2892	Uninstall.exe	28
PID 2892 wrote to memory of 2224	2892	Uninstall.exe	28
PID 2892 wrote to memory of 2224	2892	Uninstall.exe	28
PID 2892 wrote to memory of 2224	2892	Uninstall.exe	28

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso9619.tmp\ioSpecial.ini

Filesize
575B

MD5
8cb5294eb249c7d24f29438df3962c0c

SHA1
ae384f9b1048eb2c140a9c8ba195e9e8b3bc38d6

SHA256
44bde71ff4b2f3915a00f65e1d476bd9a57bb300c14cc2a95c0762623af3b650

SHA512
a558a943b748cd88e01a6a07903206120b8516fd5ce9bfa4931cf6971827a6ba968e93a4eb71467a379e3906589c7608326c6797b2e37214249d8884db6cc5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9619.tmp\ioSpecial.ini

Filesize
588B

MD5
a353348c17861e0e4c75e5f65f80a2f3

SHA1
d3d2355a32ac95c3d59e9d795fecbd8864c089d2

SHA256
8e3ea58c69348efe6ce64747eda0273fc5de80685d335db2b911cccf7e2c0cb0

SHA512
313ed842a18c4bed7f86b05b5e3f49184f4d86e37015e5f464f84dcda9b1f2c5ae65d0339bfbfcd31846ba163d026049a8b9c48d4c7f4c99b6c2b5d26a95bedf

Download Submit
\Users\Admin\AppData\Local\Temp\nso9619.tmp\InstallOptions.dll

Filesize
14KB

MD5
714e0ecd29f9ec555f350f38672726c7

SHA1
555b1492e782d7a30f280f2aecb64c642c1aaad3

SHA256
21fea4cf18de8e25d0ffa3375699150fcd04e6d470358696f2dffdd3fc09d7f3

SHA512
ced5814f25b688d1ede5a1395bcca69e1a0cba260104f156dc03de6ebb2015f6d832fed86ac234c36a10a75be33f489a63c8bd6111e3aaf4b078af1d94b00312

Download Submit
\Users\Admin\AppData\Local\Temp\nso9619.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
99KB

MD5
938a3a38a1f3305e267f050f4567e259

SHA1
5f39937c32ace402530c93a8ec445ebcfe2bfdd1

SHA256
081b40881c097faa045087133cd2353386c1066f95a3f2ec2ef10a9909f3f12c

SHA512
ffe97f9960fb28d68dd9659589f01894064207b2e38d23401181bc021dc6cbfa6f920010c65938e0d020068ff414fddeb7ebc190471153f420752e8581b3c86b

Download Submit