Overview

overview

7

Static

static

3

07a3273b99...18.exe

windows7-x64

7

07a3273b99...18.exe

windows10-2004-x64

7

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...te.dll

windows7-x64

1

$PLUGINSDI...te.dll

windows10-2004-x64

1

EBcds.exe

windows7-x64

1

EBcds.exe

windows10-2004-x64

1

EBcdssvc.exe

windows7-x64

5

EBcdssvc.exe

windows10-2004-x64

1

uninstall.exe

windows7-x64

7

uninstall.exe

windows10-2004-x64

7

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    24/06/2024, 09:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    uninstall.exe

  • Size

    52KB

  • MD5

    3d17a6e8d6e11feb3af9d05f5f198a54

  • SHA1

    f04819e1107659307af42a7a8de26212773d5386

  • SHA256

    add2f9fd39dbd2524494bcee7746cea84e45d600ea0c40b86bf2793718a73103

  • SHA512

    98fcac43cdb259e8afb061bc1d96f535c15aab61dd51cdcd12b90615e6210c5a2a8b49c1983da5ad80d74db31d3ff675fd977c17acfdb00221166e2763134338

  • SSDEEP

    1536:ApgpHzb9dZVX9fHMvG0D3XJkpSaLEYdVN25+Ql:WgXdZt9P6D3XJ6SsNzQl

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\uninstall.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Users\Admin\AppData\Local\Temp\EBcdssvc.exe
        C:\Users\Admin\AppData\Local\Temp\EBcdssvc.exe -u
        3⤵
          PID:2740

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsy33ED.tmp\KillProcDLL.dll
      Filesize

      32KB

      MD5

      83142eac84475f4ca889c73f10d9c179

      SHA1

      dbe43c0de8ef881466bd74861b2e5b17598b5ce8

      SHA256

      ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

      SHA512

      1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

      Download Submit

    • \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      Filesize

      52KB

      MD5

      3d17a6e8d6e11feb3af9d05f5f198a54

      SHA1

      f04819e1107659307af42a7a8de26212773d5386

      SHA256

      add2f9fd39dbd2524494bcee7746cea84e45d600ea0c40b86bf2793718a73103

      SHA512

      98fcac43cdb259e8afb061bc1d96f535c15aab61dd51cdcd12b90615e6210c5a2a8b49c1983da5ad80d74db31d3ff675fd977c17acfdb00221166e2763134338

      Download Submit