daaeb23a712ae1d0d724600818c56c0d22508a38b0b3b1553b56cca10dad9874

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

X1000_uninst.exe
Size

171KB
MD5

a133c8e70f0a3d71b5ecf14bd8ae8826
SHA1

2fa2ed11633733c1c177a0b16b054aa1df941e5c
SHA256

6a4baa98a11f85914a54703a79a94c719be3262f9ae64129cf08a5805623c77a
SHA512

843079ee7b11869319a689072101811dd53e53e430c89e8a9543b4023aaf3ef552201fea3c96f8c8527c6a7f388976380dbcc71e955a83c92a8164bb50ce061b
SSDEEP

3072:YgXdZt9P6D3XJZ/KIN4QBWaNYtGuJaodwnpBvsvdNpgEFJpmE4xDtaCq:Ye34v/KINFBJNYtGucoOLv8pgimE4vjq

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2704	Au_.exe

Executes dropped EXE 1 IoCs

pid	Process
2704	Au_.exe

Loads dropped DLL 1 IoCs

pid	Process
2368	X1000_uninst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	X1000_uninst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral11/files/0x0005000000019c5f-2.dat	nsis_installer_1
behavioral11/files/0x0005000000019c5f-2.dat	nsis_installer_2

Kills process with taskkill 4 IoCs

evasion

pid	Process
2800	taskkill.exe
2696	taskkill.exe
2576	taskkill.exe
1908	taskkill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	taskkill.exe
Token: SeDebugPrivilege	2696	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2704	2368	X1000_uninst.exe	30
PID 2368 wrote to memory of 2704	2368	X1000_uninst.exe	30
PID 2368 wrote to memory of 2704	2368	X1000_uninst.exe	30
PID 2368 wrote to memory of 2704	2368	X1000_uninst.exe	30
PID 2704 wrote to memory of 2800	2704	Au_.exe	31
PID 2704 wrote to memory of 2800	2704	Au_.exe	31
PID 2704 wrote to memory of 2800	2704	Au_.exe	31
PID 2704 wrote to memory of 2800	2704	Au_.exe	31
PID 2704 wrote to memory of 2696	2704	Au_.exe	34
PID 2704 wrote to memory of 2696	2704	Au_.exe	34
PID 2704 wrote to memory of 2696	2704	Au_.exe	34
PID 2704 wrote to memory of 2696	2704	Au_.exe	34
PID 2704 wrote to memory of 2576	2704	Au_.exe	36
PID 2704 wrote to memory of 2576	2704	Au_.exe	36
PID 2704 wrote to memory of 2576	2704	Au_.exe	36
PID 2704 wrote to memory of 2576	2704	Au_.exe	36
PID 2704 wrote to memory of 1908	2704	Au_.exe	38
PID 2704 wrote to memory of 1908	2704	Au_.exe	38
PID 2704 wrote to memory of 1908	2704	Au_.exe	38
PID 2704 wrote to memory of 1908	2704	Au_.exe	38

C:\Users\Admin\AppData\Local\Temp\X1000_uninst.exe
"C:\Users\Admin\AppData\Local\Temp\X1000_uninst.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM AppGuard.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM ctrlservice.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM videoserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM httpd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
171KB

MD5
a133c8e70f0a3d71b5ecf14bd8ae8826

SHA1
2fa2ed11633733c1c177a0b16b054aa1df941e5c

SHA256
6a4baa98a11f85914a54703a79a94c719be3262f9ae64129cf08a5805623c77a

SHA512
843079ee7b11869319a689072101811dd53e53e430c89e8a9543b4023aaf3ef552201fea3c96f8c8527c6a7f388976380dbcc71e955a83c92a8164bb50ce061b

Download Submit