0d2aa550e3d4a067756104651411ba28400c760c1c359ea4e0096907a045d3c3

Analysis

max time kernel
110s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
14-05-2024 19:22

Target

uninstall.exe
Size

88KB
MD5

a3cafef00777a9c71750cf1dc13b9462
SHA1

b7050ab4d8733a0e26a9b7d5c463daf01f71fc93
SHA256

29952c776c620ca8689039364712c828eaf001fdba894e001d3a95e9681e5ef2
SHA512

638d8f2722cc9c93cee643df2975733aa025a450aebbcd11cedeb77a619e7e220539311dd539979f482c9848187ebed4660d6435380c73243894feb261271bb9
SSDEEP

1536:cPJ95o2++/qtHWCBwdO2LFL65H9BHTpRICbAf+5Ug4LHwxYhtxagmmzk:cPJ9q2+CqBz6OIxUjTpRIkAf+5UjfIgk

Score

7^/10

Executes dropped EXE 1 IoCs

Processes:

Un_A.exe

pid process

2656 Un_A.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2656	Un_A.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

uninstall.exe

description	pid	process	target process
PID 4192 wrote to memory of 2656	4192	uninstall.exe	Un_A.exe
PID 4192 wrote to memory of 2656	4192	uninstall.exe	Un_A.exe
PID 4192 wrote to memory of 2656	4192	uninstall.exe	Un_A.exe

C:\Users\Admin\AppData\Local\Temp\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4192

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
2⤵
- Executes dropped EXE
PID:2656

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
Filesize
88KB

MD5
a3cafef00777a9c71750cf1dc13b9462

SHA1
b7050ab4d8733a0e26a9b7d5c463daf01f71fc93

SHA256
29952c776c620ca8689039364712c828eaf001fdba894e001d3a95e9681e5ef2

SHA512
638d8f2722cc9c93cee643df2975733aa025a450aebbcd11cedeb77a619e7e220539311dd539979f482c9848187ebed4660d6435380c73243894feb261271bb9

Download Submit
memory/2656-7-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4192-5-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download