4ac656e49c04e50f3ddcf806d8564d444c922d95af39cebc446548ce437acc20

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
20/08/2024, 04:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Uninstall wolskill.exe
Size

147KB
MD5

89d4122eaa695789e076f0bc0367db96
SHA1

cee343a5c87ab2135864119c9fb16683487b1692
SHA256

1b61fecd41b81a4a33a68f5747e6abed2a4a449e54019e52ac80ca280ada2669
SHA512

905ba6daaa51fc19b373fe110bdc0b85b4b85ce663896ce3263970e6bfb1761a87cdd3b170804824d70f02f61f75b770a616f083ab5646695999100f6828a747
SSDEEP

3072:Aa77v0JhE4Dy6LtauF1p3l/b5VbdGWeH9PDsZ/Bw2tvhOEA1RJCir86SrSrvZwam:Aw4JQ6xjFlNLwH9PwZ/W2t0EyL+ewam

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1984	Un_A.exe

Loads dropped DLL 9 IoCs

pid	Process
1984	Un_A.exe
1984	Un_A.exe
1984	Un_A.exe
1984	Un_A.exe
1984	Un_A.exe
1984	Un_A.exe
1984	Un_A.exe
1984	Un_A.exe
1984	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall wolskill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un_A.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1984	Un_A.exe
1984	Un_A.exe
1984	Un_A.exe
1984	Un_A.exe
1984	Un_A.exe
1984	Un_A.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 1984	3992	Uninstall wolskill.exe	81
PID 3992 wrote to memory of 1984	3992	Uninstall wolskill.exe	81
PID 3992 wrote to memory of 1984	3992	Uninstall wolskill.exe	81

C:\Users\Admin\AppData\Local\Temp\Uninstall wolskill.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall wolskill.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsv957A.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv957A.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv957A.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv957A.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
147KB

MD5
89d4122eaa695789e076f0bc0367db96

SHA1
cee343a5c87ab2135864119c9fb16683487b1692

SHA256
1b61fecd41b81a4a33a68f5747e6abed2a4a449e54019e52ac80ca280ada2669

SHA512
905ba6daaa51fc19b373fe110bdc0b85b4b85ce663896ce3263970e6bfb1761a87cdd3b170804824d70f02f61f75b770a616f083ab5646695999100f6828a747

Download Submit