Analysis

  • max time kernel: 119s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240704-en
  • resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted: 25/08/2024, 07:04

General

  • Target: Uninstall.exe
  • Size: 88KB
  • MD5: 2d06f4000af9632594d69f771b24cc99
  • SHA1: dceaddf53206b8168386971ea0c0e2d3dfa1a4a7
  • SHA256: b89c51188eaabe830f78c8ae021f50b4a2962360d7bdd260e9b967ad91945dd0
  • SHA512: 3c451cc8f72303920097235c5fb42229194450b95fbf57d8d391ee3412a77374c5d3cd53138335b50250e33a1c7c4fd200378dade7954b2500445e4b7631a95e
  • SSDEEP: 1536:8pgpHzb9dZVX9fHMvG0D3XJZ5abZyNTXpUnax++HE63ttNESPA6C/0qC:KgXdZt9P6D3XJ3aELpIcE6rF60qC

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2320

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsyD7D9.tmp\ioSpecial.ini
    Filesize: 568B
    MD5: 63b6303269be2584b5d1572d8e270538
    SHA1: 02c3f5dc91df27abdc99d4c405cdfde6740dfea3
    SHA256: 84a5d6d9ed4269597c96de5817f06fcaea923200e46fcf34a66e307b58dadc8e
    SHA512: 53b685d9ca7fb8568b8f98944f90bd8c1560f7bd2f4ae4c9b7b777f243209e7c2fb4358be2608ac68900e6449b98923edd349a8f352c5ef6e36b28c946ba6ac0

  • C:\Users\Admin\AppData\Local\Temp\nsyD7D9.tmp\ioSpecial.ini
    Filesize: 581B
    MD5: b2cd0f194de2e0892b9535ff8b41340e
    SHA1: 889e61a18acef323e3e799c7d9f839809c3f6465
    SHA256: 7bd73f2a4adb49c836878add9cae0002ec4bd8f95db9e8db019e0b2ac47622ba
    SHA512: 751e2de68cb9971b6f1211d15a98576ce5f17a0c3a78d26f860825d530dafc28c8738b84c3fa79666be358dde8217b12a2b1e9e25da0c92be53510d21d449fbb

  • \Users\Admin\AppData\Local\Temp\nsyD7D9.tmp\InstallOptions.dll
    Filesize: 14KB
    MD5: eef9e469e8a30717974499f277d97e2a
    SHA1: 2d33c25984ebd9116beeb55cdde4c5c86c023e5d
    SHA256: 1f35bb6728237483c779005fc227e69fef51b0bafd32d15855d483948a337078
    SHA512: d860132106a1c03dfa23f983b3c503f1216ac02f3d47833b96dfb333fb30bc8ab4d4fecd1f1f0a89f0c7f3586405461e2d53c26f282bb48970e549659b364b48

  • \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    Filesize: 88KB
    MD5: 2d06f4000af9632594d69f771b24cc99
    SHA1: dceaddf53206b8168386971ea0c0e2d3dfa1a4a7
    SHA256: b89c51188eaabe830f78c8ae021f50b4a2962360d7bdd260e9b967ad91945dd0
    SHA512: 3c451cc8f72303920097235c5fb42229194450b95fbf57d8d391ee3412a77374c5d3cd53138335b50250e33a1c7c4fd200378dade7954b2500445e4b7631a95e