d520316b0a826549ea56d37c6518ce869426b19e69541acbff157803c88a58c7

Analysis

max time kernel
136s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

66KB
MD5

9f6929b916db53a60f8abe4e4aa3616d
SHA1

6769fd166236150dc42f963c59836ba157c3c267
SHA256

50df1a1be3b535ab32f21542dba5dabd753347a742687fc7aaad9819b22fc8a3
SHA512

d778c073418879459f8b0ee69b131aaa5a43d1a05e73740ed3113d42d89d87ba908e1ebbbd030e7fe1d14c9a1a7f17d61f97e75ac536fef05f8b7a2a50cb68e8
SSDEEP

1536:9e0DnjRrJav2FnUIRr2vMYBJ5qAELVigm9YixHMbl0+v/5Qmdm:fD11a8YBJoAI0mpwOm

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3036	A~NSISu_.exe

Loads dropped DLL 1 IoCs

pid	Process
3036	A~NSISu_.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A~NSISu_.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral14/files/0x000a000000023459-3.dat	nsis_installer_1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 3036	3680	Uninstall.exe	84
PID 3680 wrote to memory of 3036	3680	Uninstall.exe	84
PID 3680 wrote to memory of 3036	3680	Uninstall.exe	84

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe
  "C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe

Filesize
66KB

MD5
9f6929b916db53a60f8abe4e4aa3616d

SHA1
6769fd166236150dc42f963c59836ba157c3c267

SHA256
50df1a1be3b535ab32f21542dba5dabd753347a742687fc7aaad9819b22fc8a3

SHA512
d778c073418879459f8b0ee69b131aaa5a43d1a05e73740ed3113d42d89d87ba908e1ebbbd030e7fe1d14c9a1a7f17d61f97e75ac536fef05f8b7a2a50cb68e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh8C62.tmp\InstallOptions.dll

Filesize
12KB

MD5
4c7d97d0786ff08b20d0e8315b5fc3cb

SHA1
bb6f475e867b2bf55e4cd214bd4ef68e26d70f6c

SHA256
75e20f4c5eb00e9e5cb610273023e9d2c36392fa3b664c264b736c7cc2d1ac84

SHA512
f37093fd5cdda74d8f7376c60a05b442f884e9d370347c7c39d84eca88f23fbea6221da2e57197acd78c817a74703c49fb28b89d41c3e34817cc9301b0b6485a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh8C62.tmp\ioSpecial.ini

Filesize
637B

MD5
e705be1f449a3e3480e35ba7a3c800e7

SHA1
a6b12eb2a4337e3dbda61999dd8c10cb9302fec8

SHA256
f5c80b2e87d2e145931eba862caaa493cd8005b20d4f1d4a40a2e018bdd54488

SHA512
c2584e941c568fb2ef692575b227aab6f866fd6869159eb5dcd3bf9b7c3486b8acd473bc349f9ece56d279318a81fc37f79f1021bf562efa1195633ec90dd04c

Download Submit