16b6f6d90d3660f8adc39145ac20c2089ea376f9861f24d1925063f4aece2a22

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninstall.exe
Size

38KB
MD5

0cddde4152eb66c33077cb0cca09bd27
SHA1

f7238a6b1e08ce3fbf6cf18cb7ca8b20f4bc376f
SHA256

f85d6144303a2e8faf9253cd61070895fa3af04db656703990d0f1404d6d494a
SHA512

18f8064128388a382651c913add2b414d81af558acb5ed070b78b0751129e25d31b78ea2758097097618c41735c2876c7e3b490a19108a3840173ba5371c01b9
SSDEEP

768:cnHmFZIFRQp8lDhdQLErWV/AVHxI0Z0D32uInmyd0csJRnopdw:+HYMiClDhdyA5x5Z0Dvyec/p+

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Un_A.exe

Deletes itself 1 IoCs

pid	Process
2620	Un_A.exe

Executes dropped EXE 1 IoCs

pid	Process
2620	Un_A.exe

Loads dropped DLL 2 IoCs

pid	Process
2312	uninstall.exe
2620	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral7/files/0x002e000000015d24-2.dat	nsis_installer_1
behavioral7/files/0x002e000000015d24-2.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2620	2312	uninstall.exe	28
PID 2312 wrote to memory of 2620	2312	uninstall.exe	28
PID 2312 wrote to memory of 2620	2312	uninstall.exe	28
PID 2312 wrote to memory of 2620	2312	uninstall.exe	28

C:\Users\Admin\AppData\Local\Temp\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Drops file in Drivers directory
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso2F1D.tmp\UserInfo.dll

Filesize
4KB

MD5
dada3e1836af78d5b24499da252d01e4

SHA1
d2a1c25405e3c74973cf18dec2c7138df9e96a83

SHA256
0073337816509851476c2cc154f471a3e3a1a2806b97c363870acc09a30a5ed7

SHA512
f8bda8413dadb00a644341da5e076f203a3134daaefd2961fa0341f5a533eee28582ce9872354ead698bb1275ee7726fa574267e909a3e2f977908392e7a5c66

Download Submit
\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
38KB

MD5
0cddde4152eb66c33077cb0cca09bd27

SHA1
f7238a6b1e08ce3fbf6cf18cb7ca8b20f4bc376f

SHA256
f85d6144303a2e8faf9253cd61070895fa3af04db656703990d0f1404d6d494a

SHA512
18f8064128388a382651c913add2b414d81af558acb5ed070b78b0751129e25d31b78ea2758097097618c41735c2876c7e3b490a19108a3840173ba5371c01b9

Download Submit