Overview

overview

7

Static

static

3

264b27b9ac...18.exe

windows7-x64

7

264b27b9ac...18.exe

windows10-2004-x64

7

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

pluginsetupadmin.exe

windows7-x64

4

pluginsetupadmin.exe

windows10-2004-x64

4

sz.exe

windows7-x64

1

sz.exe

windows10-2004-x64

1

uninst.exe

windows7-x64

7

uninst.exe

windows10-2004-x64

7

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/inetc.dll

windows7-x64

3

$PLUGINSDIR/inetc.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    08/05/2024, 19:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    uninst.exe

  • Size

    400KB

  • MD5

    7ded51e887171a321fd7f5f59925ea42

  • SHA1

    2d2654c5e0c4fb557383842a7de1c2036a2f569c

  • SHA256

    1cb9f1b81e6c5b98feddee92c9d14fff89d4b111b0c0974c6e804d7dfdc36bdb

  • SHA512

    980489325baa4c17d727334076e4228d582afe0884548bc132f4991cca6e96a92605c9b777af0b62162f90a326ee1145d2dcb056fc30390b28d6c9f015138827

  • SSDEEP

    6144:H8LxBH3+tUVHZfKfj+v9ETgRPOILnMLPAiaINBIs/IYlAJA3Tfk6:M+tUT7OKMLPTaINBIs/nAW3Q6

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\uninst.exe
    "C:\Users\Admin\AppData\Local\Temp\uninst.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Users\Admin\AppData\Local\Temp\sz.exe
        "C:\Users\Admin\AppData\Local\Temp\sz.exe" /uninstallsucc
        3⤵
        • Writes to the Master Boot Record (MBR)
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe
    Filesize

    400KB

    MD5

    7ded51e887171a321fd7f5f59925ea42

    SHA1

    2d2654c5e0c4fb557383842a7de1c2036a2f569c

    SHA256

    1cb9f1b81e6c5b98feddee92c9d14fff89d4b111b0c0974c6e804d7dfdc36bdb

    SHA512

    980489325baa4c17d727334076e4228d582afe0884548bc132f4991cca6e96a92605c9b777af0b62162f90a326ee1145d2dcb056fc30390b28d6c9f015138827

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsi2675.tmp\FindProcDLL.dll
    Filesize

    3KB

    MD5

    8614c450637267afacad1645e23ba24a

    SHA1

    e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

    SHA256

    0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

    SHA512

    af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsi2675.tmp\inetc.dll
    Filesize

    20KB

    MD5

    50fdadda3e993688401f6f1108fabdb4

    SHA1

    04a9ae55d0fb726be49809582cea41d75bf22a9a

    SHA256

    6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

    SHA512

    e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

    Download Submit

  • memory/2384-14-0x0000000010000000-0x0000000010003000-memory.dmp

    Filesize

    12KB

    Download