45d844a76da925ae4a554700e67c448cc9294a3e18e78b920b0a4e31f8667d3d

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

77KB
MD5

ff11f586d42a888469164063c399d917
SHA1

b3feded2344ea9a22035f628a441883c6216bf3e
SHA256

869c31354b5c3f1c7586fec5c51270a606ca5210d4ea9df4a078a1d7bc62112e
SHA512

573c35c9f066a2fbfba29d1cee5157b0d518d62210beb088d8c5380d43da4ee749a215ff76531e9ff59161a6449bdb44e3e0ee2ec4b18e03e0d36cbb131cbc86
SSDEEP

1536:7iZU91Rzv4f/+LHgmpoM4sXJKTmdxQi5jaQkaB72/v97+N:7iezvrL9oMXJKatjIg639KN

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1052	Au_.exe

Loads dropped DLL 2 IoCs

pid	Process
2468	Uninstall.exe
1052	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral13/files/0x0005000000019624-2.dat	nsis_installer_1
behavioral13/files/0x0005000000019624-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1052	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 1052	2468	Uninstall.exe	31
PID 2468 wrote to memory of 1052	2468	Uninstall.exe	31
PID 2468 wrote to memory of 1052	2468	Uninstall.exe	31
PID 2468 wrote to memory of 1052	2468	Uninstall.exe	31

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsjE4E4.tmp\ioSpecial.ini

Filesize
589B

MD5
e1e594566f7c584a0e010a3ae80b4098

SHA1
1732634235a741d2f467130e8af9d1cb66111a62

SHA256
7c6d4b8455e6d9113c09d70f506b4b01ab952432d22cc95ccf43bc766092204d

SHA512
2e4765208348d626691637e687a1bf03dc670eccd3d86d333846194f9962fe03ddbc016ba60009417ec35ef8fe9c1add6f0aee324aa30ef97f185653079c6f15

Download Submit
\Users\Admin\AppData\Local\Temp\nsjE4E4.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
77KB

MD5
ff11f586d42a888469164063c399d917

SHA1
b3feded2344ea9a22035f628a441883c6216bf3e

SHA256
869c31354b5c3f1c7586fec5c51270a606ca5210d4ea9df4a078a1d7bc62112e

SHA512
573c35c9f066a2fbfba29d1cee5157b0d518d62210beb088d8c5380d43da4ee749a215ff76531e9ff59161a6449bdb44e3e0ee2ec4b18e03e0d36cbb131cbc86

Download Submit