94a47191fb3a307fdaa84a1f8f31d8e1b4b79b34048814725c373e54f3d4e37a

Analysis

max time kernel
141s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninst.exe
Size

3.1MB
MD5

dd830000e3cadbd45d2d08b0c77c8cd3
SHA1

130295b33d11e62db959499de8d6365c222b05ab
SHA256

e262c2b744613496e27a8cd3e9c260da1723218852c071a4532ae5aace3cc642
SHA512

1c2dcccf9d6db98a6865730497ab137737c49dd01ba28aa291e743cbc3aa399238c2cf4f87f5ef69d00e3526bfda424f95796519998f54f6642e16868cd5d345
SSDEEP

98304:zuxNBVhR63NHbnG7Cstb0WnqP2oJkslcLSg7MINUWT:zafs3Fy7iDPUvMzWT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1968	Au_.exe

Loads dropped DLL 1 IoCs

pid	Process
1968	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 1968	1052	uninst.exe	85
PID 1052 wrote to memory of 1968	1052	uninst.exe	85
PID 1052 wrote to memory of 1968	1052	uninst.exe	85

C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsc4D65.tmp\nsNiuniuSkin.dll

Filesize
891KB

MD5
cb9ccb0f6923b5e38221a2c9603eb669

SHA1
7214cae53f36cab79841e9d49b07cffd7ce5e1c5

SHA256
6a38b8084e7493ff57ea3eda7101fbfd6113d8470531b479ce05cefb4e34bc79

SHA512
5d510870559737ba9f10447716a654e3aa609b64a1b753e2d3722b7b92e1768980d2ff070e639add57a13a7941c1d680ffa6e13abd47c44b1d18a230590ebb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4D65.tmp\skin.zip

Filesize
2.4MB

MD5
293238829de472db381be13aa9173495

SHA1
75d6d4bc7992385167d1d4318edc9beb953db641

SHA256
7442eea2b3cc5865d6a18d47828840e5545b32ca8273c1d90ab55092e1c760af

SHA512
c7b44786810957f45c5e955c2880dd2f1d83fbe7715855d0f495de98372cf74b3a4a6e00e2dbe851fe69ec4212d1938fcb5fca882f722811060fccb3e5d5939a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
3.1MB

MD5
dd830000e3cadbd45d2d08b0c77c8cd3

SHA1
130295b33d11e62db959499de8d6365c222b05ab

SHA256
e262c2b744613496e27a8cd3e9c260da1723218852c071a4532ae5aace3cc642

SHA512
1c2dcccf9d6db98a6865730497ab137737c49dd01ba28aa291e743cbc3aa399238c2cf4f87f5ef69d00e3526bfda424f95796519998f54f6642e16868cd5d345

Download Submit