6abf9fcec5883b6e4d70810e60bd2d8a133a1a62bc28ca5d17dcc6f45d35214a

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

85KB
MD5

1051242fb44103a5534ff0356c1b00fb
SHA1

513bf55b6813bd9ff19ca7bf2b6979a3ef8b5b1d
SHA256

a5d85bfcb4373db41295deef8d54f4591edf69403d6bb709a5ccd861455d1af7
SHA512

54670c286816ab9b853eaad0ca928e69e061eb233fa3979c2dd37fae379e50a4cc86f67504c2b0205df23c30ef2218edd23ba68caa72c5495aeeeb338728f74a
SSDEEP

1536:QCaIoX1oYOcbTMV88TXJLEDnnrmnx36FPhjtxQsOk63dcBuX6gSzR/7N:QCaZ2Yrb0VTXJYDnqxwZWX3we6Z9R

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Au_.exe

pid process

3056 Au_.exe
Loads dropped DLL 3 IoCs

Processes:

Uninstall.exeAu_.exe

pid process

2604 Uninstall.exe
3056 Au_.exe
3056 Au_.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3056	Au_.exe

pid	process
2604	Uninstall.exe
3056	Au_.exe
3056	Au_.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Au_.exe

pid process

3056 Au_.exe

pid	process
3056	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Uninstall.exe

description	pid	process	target process
PID 2604 wrote to memory of 3056	2604	Uninstall.exe	Au_.exe
PID 2604 wrote to memory of 3056	2604	Uninstall.exe	Au_.exe
PID 2604 wrote to memory of 3056	2604	Uninstall.exe	Au_.exe
PID 2604 wrote to memory of 3056	2604	Uninstall.exe	Au_.exe

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst83F0.tmp\ioSpecial.ini

Filesize
572B

MD5
fa595efad798c117c939938abd75dd55

SHA1
7816bc74b8731daba7bb39fca090eabf1ae22520

SHA256
5fc0deb7d71f52d51fe9b21b857b5f4f9b3b331aebb955f13b26ce85d7e17953

SHA512
afaae13f431a67fc6f4d81259edca90401c351ec08a8f8d19baee2cac33d04aa2ae190d8fdfbdcb23cef29fd16812e4bf46f09cfe5bef469ccf98c08966e2811

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst83F0.tmp\ioSpecial.ini

Filesize
611B

MD5
16c43d1b75e7cf307f2203c9cf5bf8cb

SHA1
25f757b4ca595124571c1fb296e00971347eaf12

SHA256
acb8496060aa1f6044995e1ef6145c0a25a291c004b25e080c00c229b31ecdca

SHA512
3d5c2e44e5b7102b36b7efda80cad5fae134116ce6c42629c68f996100acfb8f913c22251defafb55ffff8203316797b28daa796069b6a22ff85737b05e70bf8

Download Submit
\Users\Admin\AppData\Local\Temp\nst83F0.tmp\InstallOptions.dll

Filesize
14KB

MD5
714e0ecd29f9ec555f350f38672726c7

SHA1
555b1492e782d7a30f280f2aecb64c642c1aaad3

SHA256
21fea4cf18de8e25d0ffa3375699150fcd04e6d470358696f2dffdd3fc09d7f3

SHA512
ced5814f25b688d1ede5a1395bcca69e1a0cba260104f156dc03de6ebb2015f6d832fed86ac234c36a10a75be33f489a63c8bd6111e3aaf4b078af1d94b00312

Download Submit
\Users\Admin\AppData\Local\Temp\nst83F0.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
85KB

MD5
1051242fb44103a5534ff0356c1b00fb

SHA1
513bf55b6813bd9ff19ca7bf2b6979a3ef8b5b1d

SHA256
a5d85bfcb4373db41295deef8d54f4591edf69403d6bb709a5ccd861455d1af7

SHA512
54670c286816ab9b853eaad0ca928e69e061eb233fa3979c2dd37fae379e50a4cc86f67504c2b0205df23c30ef2218edd23ba68caa72c5495aeeeb338728f74a

Download Submit