423eb70865e61db1c783542bc0e555dfead1751ee01ae05cc0ed358709e6edf1

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninstall.exe
Size

35KB
MD5

61fb98cf034f0d1346b1c479772025c1
SHA1

a2e350516f7daefb2cc22b91a943aedc997844f2
SHA256

1dbf3b815618f4ab01145607683535e4f8cbe5b7d55b4f15516a88ac8e7d5f4a
SHA512

a99db3d8f2e6c0ea216ef689d34a715f78c55fc9357124efb0502b6f2cd5b35758cdbd596c22d285e70e43cd914f4c333ca9529dc12c441f7ebe517458e8637c
SSDEEP

768:/1cVhpQI2EQK0iPDh84nScF15GYbWjXO3XJ9JRnqQe:NQpQ5EP0ijnRTXJQQe

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2424	Au_.exe

Loads dropped DLL 1 IoCs

pid	Process
2412	uninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral9/files/0x0008000000015d12-2.dat	nsis_installer_1
behavioral9/files/0x0008000000015d12-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2424	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2424	2412	uninstall.exe	28
PID 2412 wrote to memory of 2424	2412	uninstall.exe	28
PID 2412 wrote to memory of 2424	2412	uninstall.exe	28
PID 2412 wrote to memory of 2424	2412	uninstall.exe	28

C:\Users\Admin\AppData\Local\Temp\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
35KB

MD5
61fb98cf034f0d1346b1c479772025c1

SHA1
a2e350516f7daefb2cc22b91a943aedc997844f2

SHA256
1dbf3b815618f4ab01145607683535e4f8cbe5b7d55b4f15516a88ac8e7d5f4a

SHA512
a99db3d8f2e6c0ea216ef689d34a715f78c55fc9357124efb0502b6f2cd5b35758cdbd596c22d285e70e43cd914f4c333ca9529dc12c441f7ebe517458e8637c

Download Submit