2d823521cedf5a958f682bfe30dc6b066f813f6f53d5311d814fce946f0f58a5

Analysis

max time kernel
142s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PROGRAMFILES/OptBP/DotNET/$PROGRAMFILES/OptBP/uninstall.exe
Size

72KB
MD5

37bc8ebe79273cfca07ecd620d4a2ce2
SHA1

19a62855f0b41d2fbec89b65c9c3c71a754c1a66
SHA256

12dc9d067751d1e20762cd216f5ec13f115349d2164cdc9b27b5522f8c7a8688
SHA512

8f1db3514bc8a8386ac773afe52ca3b3dd9368a23132389be8f6b9cc9f1b454d5c702d3e369b22ad37142c42bd37f41b470f7ec00ac522c226a70edcd3808ee9
SSDEEP

1536:r/T2X/jN2vxZz0DTHUpou1gSLiAvNYta/qo:rbG7N2kDTHUpou13iAya/qo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2760	Un_A.exe

Loads dropped DLL 2 IoCs

pid	Process
2760	Un_A.exe
2760	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un_A.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2760	Un_A.exe
2760	Un_A.exe
2760	Un_A.exe
2760	Un_A.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 2760	4260	uninstall.exe	88
PID 4260 wrote to memory of 2760	4260	uninstall.exe	88
PID 4260 wrote to memory of 2760	4260	uninstall.exe	88

C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\OptBP\DotNET\$PROGRAMFILES\OptBP\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\OptBP\DotNET\$PROGRAMFILES\OptBP\uninstall.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\OptBP\DotNET\$PROGRAMFILES\OptBP\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsoB6DD.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB6DD.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
72KB

MD5
37bc8ebe79273cfca07ecd620d4a2ce2

SHA1
19a62855f0b41d2fbec89b65c9c3c71a754c1a66

SHA256
12dc9d067751d1e20762cd216f5ec13f115349d2164cdc9b27b5522f8c7a8688

SHA512
8f1db3514bc8a8386ac773afe52ca3b3dd9368a23132389be8f6b9cc9f1b454d5c702d3e369b22ad37142c42bd37f41b470f7ec00ac522c226a70edcd3808ee9

Download Submit