0078eb05ca7f4851acdfeb0fca6d238e38f3f2c492c43ce4040b2b0d6a9bba7f

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_13_/uninstall.exe
Size

56KB
MD5

efcc8ab31f68f5eb25b079569ef458ee
SHA1

b1ce0a059866160bd7f73aeabe819804ed679b38
SHA256

f3676a72aa83bd61f96954af0a71bbec458ddcd43068e9431de2fb73a50ec4a8
SHA512

39fc3957cc201213b503bcc74c9db7ec78b0314e3dd8dba9e43c9c011f67f09964a6430132d6b96f0d27a11abf91f629b65c09355d38f25dd0a828f845297038
SSDEEP

1536:CRYpHXbpdF1XJfHM3S0DamJogdLeAyNlurYsqx:YY3dFNJPmDamJoceAjro

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1988	Au_.exe

Loads dropped DLL 1 IoCs

pid	Process
1708	uninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral17/files/0x0032000000015d09-2.dat	nsis_installer_1
behavioral17/files/0x0032000000015d09-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1988	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1988	1708	uninstall.exe	28
PID 1708 wrote to memory of 1988	1708	uninstall.exe	28
PID 1708 wrote to memory of 1988	1708	uninstall.exe	28
PID 1708 wrote to memory of 1988	1708	uninstall.exe	28

C:\Users\Admin\AppData\Local\Temp\$_13_\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\$_13_\uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$_13_\
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
56KB

MD5
efcc8ab31f68f5eb25b079569ef458ee

SHA1
b1ce0a059866160bd7f73aeabe819804ed679b38

SHA256
f3676a72aa83bd61f96954af0a71bbec458ddcd43068e9431de2fb73a50ec4a8

SHA512
39fc3957cc201213b503bcc74c9db7ec78b0314e3dd8dba9e43c9c011f67f09964a6430132d6b96f0d27a11abf91f629b65c09355d38f25dd0a828f845297038

Download Submit