71b96d709cb160b579ec5010ce38b00084a49c420cd5945b69714dfc9acb811e

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

58KB
MD5

95d238fa10af0485c2d56f5fe7cc2dc8
SHA1

7b1d1e5324315fa4baf11f2b1f5d5b60091a6ad5
SHA256

a419aa52e8d356c64429fb89b941d7897ea868077cc7cf0a15ca364e035b36e0
SHA512

d22a75b8368b6ff4895995292307e93fb23eba3eaf96a5109a4114899df3fa31851dcc9c10aead53dc99a5cf12c8bb5ff998871b4a239d2bd3fcb4c8bbc8b3b4
SSDEEP

1536:yFGGrf+wMRVrkxmJoqAELVigRzKWbm1/sJ:yFG6UVYxmJXAI0GKWbCG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4232	Au_.exe

Loads dropped DLL 1 IoCs

pid	Process
4232	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral10/files/0x0007000000023454-3.dat	nsis_installer_1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 4232	3696	Uninstall.exe	86
PID 3696 wrote to memory of 4232	3696	Uninstall.exe	86
PID 3696 wrote to memory of 4232	3696	Uninstall.exe	86

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsn8C83.tmp\InstallOptions.dll

Filesize
14KB

MD5
296a5f3179fa8d7a7a855eaf696ede44

SHA1
57aa5b71553ed282dd22c768e039a187f5c13f63

SHA256
ee0ad77e681c4d0fdf1d67df5f4ca03e6bdd8e3b05dfb47a83ad5c733ed62960

SHA512
bc527d1485f468e8d098057e0e38e8cb7aa6eb64d4ca30927b99b1552a3177b132b989015ff95bdf2ca046bf11a54b4b456f51e024fbc734fbb548c3499e53f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8C83.tmp\ioSpecial.ini

Filesize
525B

MD5
46208c5d332cd12f2eba2125a30c3788

SHA1
22926efd2b4a4b28dfabceb6eff5e780822f9a8a

SHA256
3d9a4de57977c5ab0260f7f54c15406c31c69cf59e72bb25cceb55b1cd905600

SHA512
4cb1dd21dd158a37e65b1c559fff47dead6193640b37685acd9dd53b1e9e7ccbc9b84f17486f6057d3a7bf94b45ecc3707c19bcf471bd91d1963a722ca0385a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8C83.tmp\ioSpecial.ini

Filesize
551B

MD5
057605cefbe7f98eb73c613b5811a56c

SHA1
44ab832d7135e027736415b5eab01cce304defdd

SHA256
9773a31b13842870a076cd1a169963d46aa3b7faae726d4ebad485deab600ae3

SHA512
a688e6753786bce2ccc802264f84deaf36ed49d407c5971305e06c529e548e89654e1e936fc125b1c70c9634b9380eb34db026643652b58973924ea4fd6829e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
58KB

MD5
95d238fa10af0485c2d56f5fe7cc2dc8

SHA1
7b1d1e5324315fa4baf11f2b1f5d5b60091a6ad5

SHA256
a419aa52e8d356c64429fb89b941d7897ea868077cc7cf0a15ca364e035b36e0

SHA512
d22a75b8368b6ff4895995292307e93fb23eba3eaf96a5109a4114899df3fa31851dcc9c10aead53dc99a5cf12c8bb5ff998871b4a239d2bd3fcb4c8bbc8b3b4

Download Submit