ab461b97c31c0c1ad6a28ba9472c42800561740e3b94406b3ba6e54b61991824

Analysis

max time kernel
7s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
08-07-2024 01:35

Target

SvgFileType.Uninstall.exe
Size

58KB
MD5

b9239046307f0750370f8295e54144b2
SHA1

72a17ed09010b54ccf96ce3d0236af7b0dc9dfed
SHA256

6d74509ec3ce17550d5c7eac6f7f9cc307057026fe2115b30201adb2f8f6cba5
SHA512

0ff371d913ccf556da806aa1119b6ee5ed263593cc70b18521e37b9dbd2a322a45eeed7e9915673f648f5f5ba1790fec86b78771bcca675b9a350a7df1afb184
SSDEEP

1536:isuNLvSFVVeozLpPudZX92JR2QQv7di82M0MZ:i1NjcVVnLpPudeGB2Fk

Score

7^/10

Deletes itself 1 IoCs

pid	Process
4476	Un_A.exe

Executes dropped EXE 1 IoCs

pid	Process
4476	Un_A.exe

Loads dropped DLL 2 IoCs

pid	Process
4476	Un_A.exe
4476	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 4476	4388	SvgFileType.Uninstall.exe	80
PID 4388 wrote to memory of 4476	4388	SvgFileType.Uninstall.exe	80
PID 4388 wrote to memory of 4476	4388	SvgFileType.Uninstall.exe	80

C:\Users\Admin\AppData\Local\Temp\SvgFileType.Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\SvgFileType.Uninstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4476

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
58KB

MD5
b9239046307f0750370f8295e54144b2

SHA1
72a17ed09010b54ccf96ce3d0236af7b0dc9dfed

SHA256
6d74509ec3ce17550d5c7eac6f7f9cc307057026fe2115b30201adb2f8f6cba5

SHA512
0ff371d913ccf556da806aa1119b6ee5ed263593cc70b18521e37b9dbd2a322a45eeed7e9915673f648f5f5ba1790fec86b78771bcca675b9a350a7df1afb184

Download Submit