7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninstall.exe
Size

155KB
MD5

32109e2aac377fa07b849f4f4033edc5
SHA1

a7b87a221744fb2e36327be0a34c17b7d734c47f
SHA256

72ffe8859eaa63637f5a62b7c454241db35938f8326f6ccf20352e00f8df2fe5
SHA512

688d9b51060d84c4e2dd0ddbb20d43bbc8bf93a903f26e855f546335bd7a5c9ef5c6f888dff35d379cbb1d782c5e231b33831b7272cde2b40c2d7fc2b85ffc0d
SSDEEP

3072:iIAe+3aJpgWXTBuq/JFONM2cZ6iKowuq12ApG3s/6:izB+pgURJFOS21iQ5i+6

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4372	Un_A.exe

Loads dropped DLL 1 IoCs

pid	Process
4372	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 4372	4092	uninstall.exe	83
PID 4092 wrote to memory of 4372	4092	uninstall.exe	83
PID 4092 wrote to memory of 4372	4092	uninstall.exe	83

C:\Users\Admin\AppData\Local\Temp\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsc8C92.tmp\LangDLL.dll

Filesize
16KB

MD5
46ba3881f8b27f54a8d92d600e61ee7b

SHA1
15933b6ece85a6d45fd78ae499b445a3bc6d2d05

SHA256
4fca692a36f0c99e26b5bc7ef9db5269d2c1e21288184953898130fea9b1c4fc

SHA512
6f64d3cb4634ed51710f578667b92a429aa871a0a141092df3cf7e0134a0b145f802f91126f1ce43ddb4b9d6cc6fb875c9acec22eab0cec86a72dd916e1f9eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
155KB

MD5
32109e2aac377fa07b849f4f4033edc5

SHA1
a7b87a221744fb2e36327be0a34c17b7d734c47f

SHA256
72ffe8859eaa63637f5a62b7c454241db35938f8326f6ccf20352e00f8df2fe5

SHA512
688d9b51060d84c4e2dd0ddbb20d43bbc8bf93a903f26e855f546335bd7a5c9ef5c6f888dff35d379cbb1d782c5e231b33831b7272cde2b40c2d7fc2b85ffc0d

Download Submit