1a1636b5c9f7d8026ef4c41c7f1af957a7746370e962c4599a216e2b93c99db3

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninst.exe
Size

40KB
MD5

ad651966f1792c370887a6fe5c10e730
SHA1

9cdc8e57675b97b29fbb1496dbc325ca10a17562
SHA256

039d7061fdae17ad7f6ec882b3b7831f8baba1a8f179f4e023922fa0f4758e1b
SHA512

a7064640f660249fe5fa50768cf9f11e8ceb8b3ac27b49d68dfcb15e2e2c296596aa3221af382dde88fc45efc8504ca7fe94ac5f9211cb1181eb1aec2fedc3a1
SSDEEP

768:LMEFP4CyxRyQR4Dk1b+/JwwXVPYwitff/ff6FS6sekJhCEy8HSVm8sXwBtr:FPJc2WCMNv0kJe8HSVm8Gur

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
836	Au_.exe

Loads dropped DLL 5 IoCs

pid	Process
2532	uninst.exe
836	Au_.exe
836	Au_.exe
836	Au_.exe
836	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral15/files/0x000500000001944e-2.dat	nsis_installer_1

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
836	Au_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 836	2532	uninst.exe	30
PID 2532 wrote to memory of 836	2532	uninst.exe	30
PID 2532 wrote to memory of 836	2532	uninst.exe	30
PID 2532 wrote to memory of 836	2532	uninst.exe	30
PID 2532 wrote to memory of 836	2532	uninst.exe	30
PID 2532 wrote to memory of 836	2532	uninst.exe	30
PID 2532 wrote to memory of 836	2532	uninst.exe	30

C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso9B95.tmp\LangDLL.dll

Filesize
5KB

MD5
462dc0d8abebaa425c7808e696ad5a4d

SHA1
db041b23fa77e1658d6c113fa73f4692a9168979

SHA256
faf49e3e51562992570a1b468b18bd6c2c0f9fc2904e3136ca7aaf2a12ad9ac0

SHA512
d1b77873251fa438f8fbebcd94820ba18c236d7f2ac4be85ae503fe6cac90544f889ef4facbca6f8b09c99c7f610a2d0a8aaa88505fce6df1f9b7d8b5eba3f83

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
40KB

MD5
ad651966f1792c370887a6fe5c10e730

SHA1
9cdc8e57675b97b29fbb1496dbc325ca10a17562

SHA256
039d7061fdae17ad7f6ec882b3b7831f8baba1a8f179f4e023922fa0f4758e1b

SHA512
a7064640f660249fe5fa50768cf9f11e8ceb8b3ac27b49d68dfcb15e2e2c296596aa3221af382dde88fc45efc8504ca7fe94ac5f9211cb1181eb1aec2fedc3a1

Download Submit