75b5cfebdf8cf449aedfc6e6faf14c3b8b7aec2556d7a2d0baefcfa4a9ea15dd

Analysis

max time kernel
51s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

70KB
MD5

261884d819280564428fcdd1838f10e9
SHA1

cb8bc90c7cb5cc2cc366dc194e2a4985d117f898
SHA256

f30de4459e06ae84bf9b61cfb229fdb2af607f9d0ca553dea0399f3561788740
SHA512

fe2cb5d09a4692f0354d48da06d77d6bc7f31f54f72cca30ee2b6bed5d4839ae4586693f3e052505cfb70bc765a8ed26cff124424e8d79d684fcff0ef135d45f
SSDEEP

1536:myZMSZFvknTePMZd4k4kJJ7O5b3R23RB9mixpsMmy67j21v/hZ:hZMJnTeM4cJJ03CQMm77j2NZZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2632	Au_.exe

Loads dropped DLL 52 IoCs

pid	Process
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral16/files/0x0007000000023433-4.dat	nsis_installer_1
behavioral16/files/0x0007000000023433-4.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe
2632	Au_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 2632	3228	Uninstall.exe	82
PID 3228 wrote to memory of 2632	3228	Uninstall.exe	82
PID 3228 wrote to memory of 2632	3228	Uninstall.exe	82

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdA7CA.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA7CA.tmp\Inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA7CA.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
70KB

MD5
261884d819280564428fcdd1838f10e9

SHA1
cb8bc90c7cb5cc2cc366dc194e2a4985d117f898

SHA256
f30de4459e06ae84bf9b61cfb229fdb2af607f9d0ca553dea0399f3561788740

SHA512
fe2cb5d09a4692f0354d48da06d77d6bc7f31f54f72cca30ee2b6bed5d4839ae4586693f3e052505cfb70bc765a8ed26cff124424e8d79d684fcff0ef135d45f

Download Submit