2d525fa6fad3018ca0558d7ebbd5359090988f2bdb1e8eb46b8d6d23cad6ec34

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

59KB
MD5

8ee25140f1d6ce3d0324ede46fdb5416
SHA1

423901f3cd0ed957b29a877bef90e56eb4744229
SHA256

7f7be3541260b8704b2e4f23ad93aa56cc1bd61c32ce167dd2237a9a81b00b2d
SHA512

92cee9dfc87a0d103f412dd77fff8eef4f110a1f67e7ef0a8f2c4b5574a3d66af250ef16d13c4c64fca510959053427ad2b42cf8544c8b3e1a57a20febae17bf
SSDEEP

1536:IpgpHzb9dZVX9fHMvG0D3XJCgdLeAyN/4kiV/B:+gXdZt9P6D3XJCceAbf/B

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2100	Au_.exe

Loads dropped DLL 2 IoCs

pid	Process
2900	Uninstall.exe
2100	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral13/files/0x00050000000193ee-2.dat	nsis_installer_1
behavioral13/files/0x00050000000193ee-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2100	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2100	2900	Uninstall.exe	30
PID 2900 wrote to memory of 2100	2900	Uninstall.exe	30
PID 2900 wrote to memory of 2100	2900	Uninstall.exe	30
PID 2900 wrote to memory of 2100	2900	Uninstall.exe	30

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsoC469.tmp\ioSpecial.ini

Filesize
652B

MD5
21a7cd17e3d51ab6f40889a72df3f23b

SHA1
63e2fc8ba7c563559094bd27b9dc2d12b4dee353

SHA256
b128a6a3ed64389a29bb5758d5c82deb0a2933da5965193d46ef40f24da8af13

SHA512
16d317b313c5cebb35a1edb160d1117320cc744dfe247147312986a6ba4ae99e261ed13b3ed41daefa4af403e77b9bb6efd8eb641777ae2974f2a221c98ba0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoC469.tmp\ioSpecial.ini

Filesize
691B

MD5
f72ec55ad38a7fb30eb68c9c7f316233

SHA1
d21aa22ffec092faaa7f1213f13aea89ee0ac9a1

SHA256
70f2e00ef30eadff07c9089c76e3cb115e26e8826092f46f78af7a9c55c08e15

SHA512
d482160501d9e10aa3eeb37d8db9f4a09e1af3f33f7444dc442444e2dd22cf5704e5a80cc5ec80ddca2b8b891cdc3b5f9cf2b52783bb2b5b3e2dd6391ed58753

Download Submit
\Users\Admin\AppData\Local\Temp\nsoC469.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
59KB

MD5
8ee25140f1d6ce3d0324ede46fdb5416

SHA1
423901f3cd0ed957b29a877bef90e56eb4744229

SHA256
7f7be3541260b8704b2e4f23ad93aa56cc1bd61c32ce167dd2237a9a81b00b2d

SHA512
92cee9dfc87a0d103f412dd77fff8eef4f110a1f67e7ef0a8f2c4b5574a3d66af250ef16d13c4c64fca510959053427ad2b42cf8544c8b3e1a57a20febae17bf

Download Submit