cab5b50e25d5e7a038c4d0b5b5dc229a75db8e00d08a8549c9b42be89fe2b1c4

Analysis

max time kernel
140s
max time network
145s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15-08-2024 12:55

Target

env/Scripts/dist/WinRAR/Uninstall.exe
Size

429KB
MD5

62c61b5bc915f81c8038aa83ed1a3b01
SHA1

d6e611c6bbc3f878e551d12c876b597cb88c2dbc
SHA256

a4ed7c4c337c1068cfc4298b8c5e166a66a6f6697352b1f3df0b9c9b1428f353
SHA512

919b4294152403a3be25127fb078a26e540ba5335454e29f865340fb6121c18078e0d1acb5f5d2deb8b8375932eb7d27f472060595020a258ae9639479fbfe53
SSDEEP

12288:xSXiav7Nwt8OVYPqo3YlgaAMTwBhvBJ/+7IISY1Ar8:AS4qiYlFAM0Bhvn/+h1A8

Score

4^/10

Executes dropped EXE 1 IoCs

Processes:

Uninstall.exe

pid process

2172 Uninstall.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2172	Uninstall.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Uninstall.execmd.exe

description	pid	process	target process
PID 4696 wrote to memory of 492	4696	Uninstall.exe	cmd.exe
PID 4696 wrote to memory of 492	4696	Uninstall.exe	cmd.exe
PID 492 wrote to memory of 2172	492	cmd.exe	Uninstall.exe
PID 492 wrote to memory of 2172	492	cmd.exe	Uninstall.exe

C:\Users\Admin\AppData\Local\Temp\env\Scripts\dist\WinRAR\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\env\Scripts\dist\WinRAR\Uninstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uninstall_Rar.Bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\Users\Admin\AppData\Local\Temp\env\Scripts\dist\WinRAR\Uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\env\Scripts\dist\WinRAR\Uninstall.exe" /wait
    3⤵
    - Executes dropped EXE
    PID:2172

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\Uninstall_Rar.Bat

Filesize
1KB

MD5
1520b1a824b5cca2b96c732ed996e093

SHA1
ec5e5060ba1dcc590b169794aa2e6c2bb5539ce9

SHA256
8afdfd94bff8be7f167a8dbac3e6dad6d843110762cd618767ae8e1910d744cd

SHA512
c41478593ba6875ddcd65f320f5be81e5099dc3c1be69b17e9f0476408395b412a87f5cf6173959ea3c2ff06c984019cea875174d835baeaa06b1852c858ef97

Download Submit
C:\Users\Admin\AppData\Local\Temp\env\Scripts\dist\WinRAR\Uninstall.exe

Filesize
429KB

MD5
62c61b5bc915f81c8038aa83ed1a3b01

SHA1
d6e611c6bbc3f878e551d12c876b597cb88c2dbc

SHA256
a4ed7c4c337c1068cfc4298b8c5e166a66a6f6697352b1f3df0b9c9b1428f353

SHA512
919b4294152403a3be25127fb078a26e540ba5335454e29f865340fb6121c18078e0d1acb5f5d2deb8b8375932eb7d27f472060595020a258ae9639479fbfe53

Download Submit