cf59705549fe38cb445032ca34282d38f79405ed9f76898110b7a5c0aac88fd8

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 16:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

81KB
MD5

9472129a2598738b6a3fbcbe49ade7c2
SHA1

037ceb9df120b13320b2f7be03874a2a26b55cdb
SHA256

a6c9d4ec68c8e55ba9cdda5b3af3cc5d657342566c302f98e907fac1fd9ce25d
SHA512

a8d4ef641639a433901c04f5cca785ac15bb906b555f9d1cd5dc9eccf2fbc95f015024d25e352b3821e0af216bcbaa78e30d2955edb7bafdc4f22c6b2a31800e
SSDEEP

1536:SQpQ5EP0ijnRTXJpdxQi5jaQkaB72/XQUKgO3jLm+BKVzCM:SQIURTXJBtjIg6fQUE3jpQlT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4752	Au_.exe

Loads dropped DLL 1 IoCs

pid	Process
4752	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral18/files/0x00070000000233cb-5.dat	nsis_installer_1
behavioral18/files/0x00070000000233cb-5.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 4752	3668	Uninstall.exe	80
PID 3668 wrote to memory of 4752	3668	Uninstall.exe	80
PID 3668 wrote to memory of 4752	3668	Uninstall.exe	80

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsk39A0.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk39A0.tmp\ioSpecial.ini

Filesize
589B

MD5
b44eab39a9dc0455c37ce3c6b3db8c27

SHA1
2304b94b996e307abac873f8b809a88fca737908

SHA256
dca776687922a07e677d51c24025a652f277d44e176c740ea2275e0217464adc

SHA512
ae92ae529c9a2d23fce34160fef10e6b3240fc689d0184eb564a9ebd87c72d20735a22801ec9cc59af448fa517daa9a3c88870c63d8e67c84a22fdd9737dce59

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk39A0.tmp\ioSpecial.ini

Filesize
628B

MD5
3ef65510c45ed47904aac1d5a78fe139

SHA1
ccfb594aab1447315e78be7f292c70f18f378ec3

SHA256
6557a6fd33ca89043ab7606c1c19e9ba0e96565e1b5c2dad8d5de1ce55276af4

SHA512
d01608ad9d0e18c0eee98a5b1b8a1c3e8fcff0a07d1ec2038a3842798c5a3109eb0e81475d4135aef2b2c5e0a1c6cd2ca0772e643c5c24c1c6b3406eaef0727b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
81KB

MD5
9472129a2598738b6a3fbcbe49ade7c2

SHA1
037ceb9df120b13320b2f7be03874a2a26b55cdb

SHA256
a6c9d4ec68c8e55ba9cdda5b3af3cc5d657342566c302f98e907fac1fd9ce25d

SHA512
a8d4ef641639a433901c04f5cca785ac15bb906b555f9d1cd5dc9eccf2fbc95f015024d25e352b3821e0af216bcbaa78e30d2955edb7bafdc4f22c6b2a31800e

Download Submit