afe4c1ac48c58f0671f15c3741e7e822d4f84fb99d05e14117005cc80912bcf6

Analysis

max time kernel
143s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 14:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

uninst.exe
Size

149KB
MD5

7d0e1740584afdb1e99e6c9c19995598
SHA1

a3386ecdc55b829486eb6dffb906a2717137dda1
SHA256

40ff460e185c76f5ed7a9110b740aa000092cc5776cc76d823eb443680da0b96
SHA512

51c2d281d258424485ce24293d5769828e486c7c566a42fd2934825c1a8035922ac15c7b95bc28ae46b32e362120b2422eaa72d68352108ddf502be046741177
SSDEEP

3072:tYg4pumJGq4JXCgFytYp81Vq9/945QW2ZZMHKmk45MBpKPWA:tlg4JXjytk146FQlkoG0PWA

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3256	Au_.exe

Loads dropped DLL 7 IoCs

pid	Process
3256	Au_.exe
3256	Au_.exe
3256	Au_.exe
3256	Au_.exe
3256	Au_.exe
3256	Au_.exe
3256	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral28/files/0x00070000000234e1-4.dat	nsis_installer_1
behavioral28/files/0x00070000000234e1-4.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 3256	3248	uninst.exe	84
PID 3248 wrote to memory of 3256	3248	uninst.exe	84
PID 3248 wrote to memory of 3256	3248	uninst.exe	84

C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsc9992.tmp\InstallOptions.dll

Filesize
14KB

MD5
eef9e469e8a30717974499f277d97e2a

SHA1
2d33c25984ebd9116beeb55cdde4c5c86c023e5d

SHA256
1f35bb6728237483c779005fc227e69fef51b0bafd32d15855d483948a337078

SHA512
d860132106a1c03dfa23f983b3c503f1216ac02f3d47833b96dfb333fb30bc8ab4d4fecd1f1f0a89f0c7f3586405461e2d53c26f282bb48970e549659b364b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc9992.tmp\System.dll

Filesize
11KB

MD5
c6f5b9596db45ce43f14b64e0fbcf552

SHA1
665a2207a643726602dc3e845e39435868dddabc

SHA256
4b6da3f2bdb6c452fb493b98f6b7aa1171787dbd3fa2df2b3b22ccaeac88ffa0

SHA512
8faa0204f9ed2721acede285be843b5a2d7f9986841bcf3816ebc8900910afb590816c64aebd2dd845686daf825bbf9970cb4a08b20a785c7e54542eddc5b09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc9992.tmp\UserInfo.dll

Filesize
4KB

MD5
66bb40a1defb0aef9865919689d4aa96

SHA1
90cc473004f4351f25d026d13b3f7cb19ee23908

SHA256
82772146a77ac3bf5e3564361ca0de0b612a44482de4cf418c3deaa3b2ae7f1a

SHA512
1f26650b7d0068b7e8ad1ac861e00bd184c8bf47363e4766b17a9aed5985f8a54efdde87b30cd9b649d6f5b8eb991ef9d06d4501eac264e1ff096506786133c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc9992.tmp\ioSpecial.ini

Filesize
642B

MD5
fc7ef3c22f6c6c0495b2574653a04551

SHA1
e7b44cf3d4908ae6221db7a38b355732a7bb6f2b

SHA256
8dd921585a3a8a17aaa2fa74ccad8f2bd68164647ff65b96813bde9389de9e8d

SHA512
4c72ad9209033b4801b9efcc40b7cd682fe73381e42d48f688abd737d0311e3334b75760fce5bb31a42aee947712c0e67aa1f646893d5b44aa8a18a79fc3adc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc9992.tmp\ioSpecial.ini

Filesize
681B

MD5
88471a16c77dad2001dad3bee50ab85f

SHA1
6366123aea8dad021c29cb6822b53b89ed4d4585

SHA256
6cac2dffe526423bb8d7ca3b728c99cf3237139d61d36653114ff0b58ef61fc7

SHA512
4a48f656f57e66fbc66b03405f36a4da46eaeddefb400d9e23950114ee72cbbcd305a280361be3781c3caace7cd8ed10802c5be1504fafdf6b2f9b164320a788

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc9992.tmp\ioSpecial.ini

Filesize
668B

MD5
cf8c80aa4d94e90639bbeef45126e876

SHA1
67abb15e830554b7d1c4a1406ade3af375950500

SHA256
a5c0ed2e7be4ff2e361a4ff7b06c502cf02dc1d0381de817dcd8186b29cf10c9

SHA512
1cc3a9fbba726ad426160d94fffb7e1e95e80dae9000f3671e125c61a0aa90e1107381a0b4e25668ec98c7a66f7daf5948e66355ea75be1c756f4fe8f28e5c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
149KB

MD5
7d0e1740584afdb1e99e6c9c19995598

SHA1
a3386ecdc55b829486eb6dffb906a2717137dda1

SHA256
40ff460e185c76f5ed7a9110b740aa000092cc5776cc76d823eb443680da0b96

SHA512
51c2d281d258424485ce24293d5769828e486c7c566a42fd2934825c1a8035922ac15c7b95bc28ae46b32e362120b2422eaa72d68352108ddf502be046741177

Download Submit