Overview

overview

9

Static

static

9

399d264c0a...18.exe

windows7-x64

7

399d264c0a...18.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

DuiLib.dll

windows7-x64

3

DuiLib.dll

windows10-2004-x64

3

DuiLib_u.dll

windows7-x64

3

DuiLib_u.dll

windows10-2004-x64

3

MeMeLiveShow.exe

windows7-x64

1

MeMeLiveShow.exe

windows10-2004-x64

1

UninstallMeMeLive.exe

windows7-x64

7

UninstallMeMeLive.exe

windows10-2004-x64

7

installstat.exe

windows7-x64

1

installstat.exe

windows10-2004-x64

1

plugins/NP...09.dll

windows7-x64

1

plugins/NP...09.dll

windows10-2004-x64

1

update.exe

windows7-x64

1

update.exe

windows10-2004-x64

1

wke.dll

windows7-x64

1

wke.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 10:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    UninstallMeMeLive.exe

  • Size

    394KB

  • MD5

    5b4c0f4589753cf28114c0cf73a729a8

  • SHA1

    aeaa96eff6b4a43c0761b418119fb0fb96aa5073

  • SHA256

    a186be7d61b6ac54de13410110086f81fdded6987182d15867cb45a104c236cc

  • SHA512

    c343835c4cc5d9f6a3b4cea080e4d592f83563966b65e978aed5c93a5b9891eb97a246b1b36e68ec911142a903f8156d2f8340c6a1c50a7294b61eaf5e14d8a4

  • SSDEEP

    1536:ZPzUmdx2gahvwPBW7rfoOcZ1VBBUY5zQVmp2A:ZPzUQ2gyYqrf5cZ1bBPtUmpp

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\UninstallMeMeLive.exe
    "C:\Users\Admin\AppData\Local\Temp\UninstallMeMeLive.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3824
    • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Deletes itself
      • Executes dropped EXE
      PID:3424

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
    Filesize

    394KB

    MD5

    5b4c0f4589753cf28114c0cf73a729a8

    SHA1

    aeaa96eff6b4a43c0761b418119fb0fb96aa5073

    SHA256

    a186be7d61b6ac54de13410110086f81fdded6987182d15867cb45a104c236cc

    SHA512

    c343835c4cc5d9f6a3b4cea080e4d592f83563966b65e978aed5c93a5b9891eb97a246b1b36e68ec911142a903f8156d2f8340c6a1c50a7294b61eaf5e14d8a4

    Download Submit