cf2d6159d215863acbe6bb5eccf9fdfb42a89f77c426fc37e876250c54f8a767

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

126KB
MD5

6313c988b270390dc13bfe5ed2f1c7a2
SHA1

5722a42f8f546fd541f0041aaaff94316b1e429c
SHA256

71a4a74e6d5718ce17f714896d620ee247dbc423c4400e7191c33bea50e59aaf
SHA512

0cd6d2ea7c48a22a3a6797c93fc94214f818389cfb42633f6594d017adc76c9c3d553fcadab2b155472ab3b9c65095acd60ff89657086aea357969fec5e86178
SSDEEP

3072:qgXdZt9P6D3XJQ4+ByBCK5RfoCfpIhCxcE6rF60qf:qe34mpByBCeRug6rFpk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1660	Au_.exe

Loads dropped DLL 5 IoCs

pid	Process
2392	Uninstall.exe
1660	Au_.exe
1660	Au_.exe
1660	Au_.exe
1660	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral19/files/0x00050000000194d1-2.dat	nsis_installer_1
behavioral19/files/0x00050000000194d1-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1660	Au_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1660	2392	Uninstall.exe	30
PID 2392 wrote to memory of 1660	2392	Uninstall.exe	30
PID 2392 wrote to memory of 1660	2392	Uninstall.exe	30
PID 2392 wrote to memory of 1660	2392	Uninstall.exe	30
PID 2392 wrote to memory of 1660	2392	Uninstall.exe	30
PID 2392 wrote to memory of 1660	2392	Uninstall.exe	30
PID 2392 wrote to memory of 1660	2392	Uninstall.exe	30

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsoB52D.tmp\ioSpecial.ini

Filesize
586B

MD5
92274856bbb29a0d07c16cee4d39b94a

SHA1
2cafcaf139f554b5e6c4ea72fef28c1c3641e7f8

SHA256
f92563d8f87026de4644cca8ac86b0f1d911990869c2ec78514e6cd0e857afc8

SHA512
2e684ef9f47a63c2347316e5e8bfad1aef674b9b15eee70c20224980874df25bf7b78468d2249c125e62341b7a8cad13427471ab486bf578fb054a2dd319c1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB52D.tmp\ioSpecial.ini

Filesize
625B

MD5
48dbbdde7131c51cf7495e35c28ce157

SHA1
6a7d6dba3fefa1c21b4f0f697c5a007ab20bf786

SHA256
829069b51f7fe34a15cfde2f63d252c87136aa44b8b80c7c10f9a13e14edecaf

SHA512
8a7e536d902537682e3fabef51da0436d1527ed2ab1eb084083d25b340babeb1ae6492a090644c893a6cd73acc60049a19c4a8b38a9347106fa668200565a654

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB52D.tmp\InstallOptions.dll

Filesize
14KB

MD5
eef9e469e8a30717974499f277d97e2a

SHA1
2d33c25984ebd9116beeb55cdde4c5c86c023e5d

SHA256
1f35bb6728237483c779005fc227e69fef51b0bafd32d15855d483948a337078

SHA512
d860132106a1c03dfa23f983b3c503f1216ac02f3d47833b96dfb333fb30bc8ab4d4fecd1f1f0a89f0c7f3586405461e2d53c26f282bb48970e549659b364b48

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
126KB

MD5
6313c988b270390dc13bfe5ed2f1c7a2

SHA1
5722a42f8f546fd541f0041aaaff94316b1e429c

SHA256
71a4a74e6d5718ce17f714896d620ee247dbc423c4400e7191c33bea50e59aaf

SHA512
0cd6d2ea7c48a22a3a6797c93fc94214f818389cfb42633f6594d017adc76c9c3d553fcadab2b155472ab3b9c65095acd60ff89657086aea357969fec5e86178

Download Submit