71b96d709cb160b579ec5010ce38b00084a49c420cd5945b69714dfc9acb811e

Analysis

max time kernel
101s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

58KB
MD5

95d238fa10af0485c2d56f5fe7cc2dc8
SHA1

7b1d1e5324315fa4baf11f2b1f5d5b60091a6ad5
SHA256

a419aa52e8d356c64429fb89b941d7897ea868077cc7cf0a15ca364e035b36e0
SHA512

d22a75b8368b6ff4895995292307e93fb23eba3eaf96a5109a4114899df3fa31851dcc9c10aead53dc99a5cf12c8bb5ff998871b4a239d2bd3fcb4c8bbc8b3b4
SSDEEP

1536:yFGGrf+wMRVrkxmJoqAELVigRzKWbm1/sJ:yFG6UVYxmJXAI0GKWbCG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1828	Au_.exe

Loads dropped DLL 5 IoCs

pid	Process
1656	Uninstall.exe
1828	Au_.exe
1828	Au_.exe
1828	Au_.exe
1828	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral9/files/0x00040000000192a8-2.dat	nsis_installer_1

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1828	Au_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1828	1656	Uninstall.exe	29
PID 1656 wrote to memory of 1828	1656	Uninstall.exe	29
PID 1656 wrote to memory of 1828	1656	Uninstall.exe	29
PID 1656 wrote to memory of 1828	1656	Uninstall.exe	29
PID 1656 wrote to memory of 1828	1656	Uninstall.exe	29
PID 1656 wrote to memory of 1828	1656	Uninstall.exe	29
PID 1656 wrote to memory of 1828	1656	Uninstall.exe	29

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nse36FA.tmp\ioSpecial.ini

Filesize
525B

MD5
376fbf34c481541b6489fd7fd7b6169e

SHA1
004458b00b0d61bea863190106757153a58238a3

SHA256
09e2373809e811ef14560063105e0680041689d97f76e858bec10bd18621109f

SHA512
b9d420198b0d5915b65f1fba96cb4e2d46049baf452e73f0a9191a038761ab4e5da4bedc6e7cabb9856146e3fc371d568a41120df58a15c4e57a384918b1eb1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse36FA.tmp\ioSpecial.ini

Filesize
538B

MD5
b6c33d2d4adf942ff45ceaa1a1b6391a

SHA1
a02ca07588b15134449d94fe56f5f17ea52ae56b

SHA256
7de3494ada5843f6af294fb67c4bf6eea35286069d9fef16b1c525608abfd26b

SHA512
b24c7d882327f37397b38d3778fe89cb7356b87cd4e1bca1d36d298ee9767fde4daf1f41f12f1e31393c5223eaf9459f83eec8dc61b0d86a81f5ca72717a13ed

Download Submit
\Users\Admin\AppData\Local\Temp\nse36FA.tmp\InstallOptions.dll

Filesize
14KB

MD5
296a5f3179fa8d7a7a855eaf696ede44

SHA1
57aa5b71553ed282dd22c768e039a187f5c13f63

SHA256
ee0ad77e681c4d0fdf1d67df5f4ca03e6bdd8e3b05dfb47a83ad5c733ed62960

SHA512
bc527d1485f468e8d098057e0e38e8cb7aa6eb64d4ca30927b99b1552a3177b132b989015ff95bdf2ca046bf11a54b4b456f51e024fbc734fbb548c3499e53f6

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
58KB

MD5
95d238fa10af0485c2d56f5fe7cc2dc8

SHA1
7b1d1e5324315fa4baf11f2b1f5d5b60091a6ad5

SHA256
a419aa52e8d356c64429fb89b941d7897ea868077cc7cf0a15ca364e035b36e0

SHA512
d22a75b8368b6ff4895995292307e93fb23eba3eaf96a5109a4114899df3fa31851dcc9c10aead53dc99a5cf12c8bb5ff998871b4a239d2bd3fcb4c8bbc8b3b4

Download Submit