47c2257df65a955f95b272e30b6a7256673de75a3900ae0f110bacc6f7a2ca14

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 07:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

126KB
MD5

6313c988b270390dc13bfe5ed2f1c7a2
SHA1

5722a42f8f546fd541f0041aaaff94316b1e429c
SHA256

71a4a74e6d5718ce17f714896d620ee247dbc423c4400e7191c33bea50e59aaf
SHA512

0cd6d2ea7c48a22a3a6797c93fc94214f818389cfb42633f6594d017adc76c9c3d553fcadab2b155472ab3b9c65095acd60ff89657086aea357969fec5e86178
SSDEEP

3072:qgXdZt9P6D3XJQ4+ByBCK5RfoCfpIhCxcE6rF60qf:qe34mpByBCeRug6rFpk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2860	Au_.exe

Loads dropped DLL 5 IoCs

pid	Process
2624	Uninstall.exe
2860	Au_.exe
2860	Au_.exe
2860	Au_.exe
2860	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral15/files/0x00050000000194c1-2.dat	nsis_installer_1
behavioral15/files/0x00050000000194c1-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2860	Au_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2860	2624	Uninstall.exe	30
PID 2624 wrote to memory of 2860	2624	Uninstall.exe	30
PID 2624 wrote to memory of 2860	2624	Uninstall.exe	30
PID 2624 wrote to memory of 2860	2624	Uninstall.exe	30
PID 2624 wrote to memory of 2860	2624	Uninstall.exe	30
PID 2624 wrote to memory of 2860	2624	Uninstall.exe	30
PID 2624 wrote to memory of 2860	2624	Uninstall.exe	30

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nse192D.tmp\ioSpecial.ini

Filesize
586B

MD5
4be308dc99e391dd9c1a63a2841097ff

SHA1
a305887be25014a3adfde1bc296fa5708b7781d4

SHA256
d5320fd19c7a5c2bb19d2fee3b47598e22241bc8d2f6dcb1fd9f403b78b75453

SHA512
a3ccafd05fa6400768e4c5e6d363b0fb7e52931174ef49d05af30812703c9a6e7e8c473a2d7f521e6d7af9faffd2fbece413fdf3d2b37dbf740f7a4edd48c273

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse192D.tmp\ioSpecial.ini

Filesize
625B

MD5
fc255923de553b7db05baebccf47eef8

SHA1
2155e3ecec4d68f16dc2344e093df4b21ef4e1fa

SHA256
e360cda0c8b0d98a58f179f2d57c4e5959b14dd6baa2326b75c94d6e5810872b

SHA512
143e840a84682263ac92e91cc309bbb8071f8cfff455beb619b16c1b4d883b2d131a639f19fc99c4400c1fcb6d9fd1b9d791dec782696f268ce7767929344410

Download Submit
\Users\Admin\AppData\Local\Temp\nse192D.tmp\InstallOptions.dll

Filesize
14KB

MD5
eef9e469e8a30717974499f277d97e2a

SHA1
2d33c25984ebd9116beeb55cdde4c5c86c023e5d

SHA256
1f35bb6728237483c779005fc227e69fef51b0bafd32d15855d483948a337078

SHA512
d860132106a1c03dfa23f983b3c503f1216ac02f3d47833b96dfb333fb30bc8ab4d4fecd1f1f0a89f0c7f3586405461e2d53c26f282bb48970e549659b364b48

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
126KB

MD5
6313c988b270390dc13bfe5ed2f1c7a2

SHA1
5722a42f8f546fd541f0041aaaff94316b1e429c

SHA256
71a4a74e6d5718ce17f714896d620ee247dbc423c4400e7191c33bea50e59aaf

SHA512
0cd6d2ea7c48a22a3a6797c93fc94214f818389cfb42633f6594d017adc76c9c3d553fcadab2b155472ab3b9c65095acd60ff89657086aea357969fec5e86178

Download Submit