295967ac71f014113a7e7c10737ff8b1b3fbe65bd037995ee7a998f16b94144a

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
19-06-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

77KB
MD5

ff11f586d42a888469164063c399d917
SHA1

b3feded2344ea9a22035f628a441883c6216bf3e
SHA256

869c31354b5c3f1c7586fec5c51270a606ca5210d4ea9df4a078a1d7bc62112e
SHA512

573c35c9f066a2fbfba29d1cee5157b0d518d62210beb088d8c5380d43da4ee749a215ff76531e9ff59161a6449bdb44e3e0ee2ec4b18e03e0d36cbb131cbc86
SSDEEP

1536:7iZU91Rzv4f/+LHgmpoM4sXJKTmdxQi5jaQkaB72/v97+N:7iezvrL9oMXJKatjIg639KN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2608	Au_.exe

Loads dropped DLL 2 IoCs

pid	Process
2452	Uninstall.exe
2608	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral13/files/0x0039000000013362-2.dat	nsis_installer_1
behavioral13/files/0x0039000000013362-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2608	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2608	2452	Uninstall.exe	28
PID 2452 wrote to memory of 2608	2452	Uninstall.exe	28
PID 2452 wrote to memory of 2608	2452	Uninstall.exe	28
PID 2452 wrote to memory of 2608	2452	Uninstall.exe	28

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsoF6D.tmp\ioSpecial.ini

Filesize
588B

MD5
9298e7379f610ccd56d701f9bc189de2

SHA1
8450d8bc890b918d782a99cc9a329fb8f8bb8d82

SHA256
850b45457e799843e1a7011f22be6ea7ae574d5568a81e4f8591e0b9d3c06632

SHA512
33407eed5216c89e43b4f8c3a0ac523f2ecf3e528f4dfc726de9fe979e47bbba4af61d81b1ec44f24acfcc04e7285d9f8789c2aee403158b49d4ced534e2ae43

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoF6D.tmp\ioSpecial.ini

Filesize
601B

MD5
2ab8d590952f4750ffbc51fbfdfd75ac

SHA1
f702dfe471ea1d3ab839aea44a70cb3adba866a6

SHA256
c9addd0b43d77069a5d89710dc55bd438cc7ed1486b0bb195760fbf2d1fc1a75

SHA512
96aaea522fd2971d0015c6eb61cdd7fe17c53745d5775dbb5508008ab427f53195b72748848050f3e207c6ac975b9a315b3d00aeef0f657e50bc4d0865ad593f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF6D.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
77KB

MD5
ff11f586d42a888469164063c399d917

SHA1
b3feded2344ea9a22035f628a441883c6216bf3e

SHA256
869c31354b5c3f1c7586fec5c51270a606ca5210d4ea9df4a078a1d7bc62112e

SHA512
573c35c9f066a2fbfba29d1cee5157b0d518d62210beb088d8c5380d43da4ee749a215ff76531e9ff59161a6449bdb44e3e0ee2ec4b18e03e0d36cbb131cbc86

Download Submit