ffc673f964fb067cdbb7998e307f8811e6cc161392dccf6273d03cadfb4e7917

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

104KB
MD5

8e24e81ec36f0af96be7690081ede13d
SHA1

e33106e7e8d1abf7b2ec77799b5d46129149525b
SHA256

7492a2a9ae55c125a8534c849479fd9e46024526f22d7bdd11e43ebe4debd2cc
SHA512

c8ac2dbc293631a68c3d6f1de4dd49992825302cdfa53b45d87ef9063706dad43aa50d7e646b9a9157e2d2bc68dd8160c8913597df2f1fa381125ace10a02114
SSDEEP

3072:LCaZ2Yrb0VTXJYJmfnX3+aLYZWX3we6Z97:LCIo2sfnX3PYZwwe6Z97

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2944	Au_.exe

Loads dropped DLL 3 IoCs

pid	Process
2024	Uninstall.exe
2944	Au_.exe
2944	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral19/files/0x0037000000015d4e-2.dat	nsis_installer_1
behavioral19/files/0x0037000000015d4e-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2944	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2944	2024	Uninstall.exe	28
PID 2024 wrote to memory of 2944	2024	Uninstall.exe	28
PID 2024 wrote to memory of 2944	2024	Uninstall.exe	28
PID 2024 wrote to memory of 2944	2024	Uninstall.exe	28

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsi2405.tmp\ioSpecial.ini

Filesize
593B

MD5
08dc4de63c52ba89cbbd2fc85f1468f9

SHA1
63d246eecb0b5bd3de3b1cf863b8d157ffc4ebd8

SHA256
bdabb9d58a77b07a7535887cc94e4aaec0b93d7131e6b0ff3383944b3d218e95

SHA512
8b87ffdaf38078f4e975c300683d12192169c624b78180f6dd1806c41d75394d51ff9df58f9b80960643e82c3f18bdfa131ff715b0f11c006e3c0b0d6422db99

Download Submit
\Users\Admin\AppData\Local\Temp\nsi2405.tmp\InstallOptions.dll

Filesize
14KB

MD5
714e0ecd29f9ec555f350f38672726c7

SHA1
555b1492e782d7a30f280f2aecb64c642c1aaad3

SHA256
21fea4cf18de8e25d0ffa3375699150fcd04e6d470358696f2dffdd3fc09d7f3

SHA512
ced5814f25b688d1ede5a1395bcca69e1a0cba260104f156dc03de6ebb2015f6d832fed86ac234c36a10a75be33f489a63c8bd6111e3aaf4b078af1d94b00312

Download Submit
\Users\Admin\AppData\Local\Temp\nsi2405.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
104KB

MD5
8e24e81ec36f0af96be7690081ede13d

SHA1
e33106e7e8d1abf7b2ec77799b5d46129149525b

SHA256
7492a2a9ae55c125a8534c849479fd9e46024526f22d7bdd11e43ebe4debd2cc

SHA512
c8ac2dbc293631a68c3d6f1de4dd49992825302cdfa53b45d87ef9063706dad43aa50d7e646b9a9157e2d2bc68dd8160c8913597df2f1fa381125ace10a02114

Download Submit