4ca108ce17aabfc2f93d897304b19cce3ce624cb2da34220343cb33332b8ae26

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PROGRAMFILES/Ruckus Software/Putty Session Launcher/Uninstall.exe
Size

52KB
MD5

cfb9ef7e192e3f1705a5a832f4fc1a26
SHA1

008168a8f2afdc32fde7ec269c2a5e5f2521885f
SHA256

bd832d0ae523c497ca494beca588075c830b875bb404c41971b3157fa5e5c407
SHA512

4d026f3e96ebd6db7310d03525ca65e093329bcd2d3ffd8cce216dbc43b16b3e3586dcb487e8ed58f92cff6f2028d191a287d198e0ef500d14c3518fea1f122d
SSDEEP

1536:EU+dcy3fxBk9UmZHs/hcWQgdLeAyNSz49s:ENzPHk9MpcWQceAx49s

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2328	Un_A.exe

Loads dropped DLL 1 IoCs

pid	Process
1872	Uninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral3/files/0x0007000000016d07-2.dat	nsis_installer_1
behavioral3/files/0x0007000000016d07-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2328	Un_A.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2328	1872	Uninstall.exe	31
PID 1872 wrote to memory of 2328	1872	Uninstall.exe	31
PID 1872 wrote to memory of 2328	1872	Uninstall.exe	31
PID 1872 wrote to memory of 2328	1872	Uninstall.exe	31

C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Ruckus Software\Putty Session Launcher\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Ruckus Software\Putty Session Launcher\Uninstall.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Ruckus Software\Putty Session Launcher\
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
52KB

MD5
cfb9ef7e192e3f1705a5a832f4fc1a26

SHA1
008168a8f2afdc32fde7ec269c2a5e5f2521885f

SHA256
bd832d0ae523c497ca494beca588075c830b875bb404c41971b3157fa5e5c407

SHA512
4d026f3e96ebd6db7310d03525ca65e093329bcd2d3ffd8cce216dbc43b16b3e3586dcb487e8ed58f92cff6f2028d191a287d198e0ef500d14c3518fea1f122d

Download Submit