47c2257df65a955f95b272e30b6a7256673de75a3900ae0f110bacc6f7a2ca14

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 07:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

126KB
MD5

6313c988b270390dc13bfe5ed2f1c7a2
SHA1

5722a42f8f546fd541f0041aaaff94316b1e429c
SHA256

71a4a74e6d5718ce17f714896d620ee247dbc423c4400e7191c33bea50e59aaf
SHA512

0cd6d2ea7c48a22a3a6797c93fc94214f818389cfb42633f6594d017adc76c9c3d553fcadab2b155472ab3b9c65095acd60ff89657086aea357969fec5e86178
SSDEEP

3072:qgXdZt9P6D3XJQ4+ByBCK5RfoCfpIhCxcE6rF60qf:qe34mpByBCeRug6rFpk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2780	Au_.exe

Loads dropped DLL 1 IoCs

pid	Process
2780	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral16/files/0x0008000000023425-3.dat	nsis_installer_1
behavioral16/files/0x0008000000023425-3.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 2780	860	Uninstall.exe	84
PID 860 wrote to memory of 2780	860	Uninstall.exe	84
PID 860 wrote to memory of 2780	860	Uninstall.exe	84

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsf616A.tmp\InstallOptions.dll

Filesize
14KB

MD5
eef9e469e8a30717974499f277d97e2a

SHA1
2d33c25984ebd9116beeb55cdde4c5c86c023e5d

SHA256
1f35bb6728237483c779005fc227e69fef51b0bafd32d15855d483948a337078

SHA512
d860132106a1c03dfa23f983b3c503f1216ac02f3d47833b96dfb333fb30bc8ab4d4fecd1f1f0a89f0c7f3586405461e2d53c26f282bb48970e549659b364b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf616A.tmp\ioSpecial.ini

Filesize
586B

MD5
294b8350ef85b5325db769c53e893d33

SHA1
a6b75231039762ef5160c24d02c84509fb789707

SHA256
fc4b27ea38818ede654c950ae8c5d3c1da1a9f5dee03163ddfd6bbcc66397d20

SHA512
30cc568ab8a969c06862ea490565a2c3a34ab4afb4d921d5ad94593a559538920d10d4c5a5a9a755ee08aaa368e45797d6f75753bd240657d511825138988128

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
126KB

MD5
6313c988b270390dc13bfe5ed2f1c7a2

SHA1
5722a42f8f546fd541f0041aaaff94316b1e429c

SHA256
71a4a74e6d5718ce17f714896d620ee247dbc423c4400e7191c33bea50e59aaf

SHA512
0cd6d2ea7c48a22a3a6797c93fc94214f818389cfb42633f6594d017adc76c9c3d553fcadab2b155472ab3b9c65095acd60ff89657086aea357969fec5e86178

Download Submit