2c73f3896a5ae4d8cecf3bd7ec831bccf23c3ae1049826dfd863f5c40a7961d1

Analysis

max time kernel
115s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$EXEDIR/uninstaller.exe
Size

540KB
MD5

6b7d21427c411fdafc9ae6f9468fe071
SHA1

4f601452d9b3decd932022e06a061edc1825ca81
SHA256

7810f63499c20c9036762e3ac4cd9be6d12ba879d039c56e1b1920ff857318a8
SHA512

5fa0d89d90cf46b8e43dcc879e8986143307ffd2ed24b628610de92b754d96bb36a2a7fe8a45dbdbcb52f81af52ef4c3b68d1ee3c65663063172dcc79ec21d83
SSDEEP

6144:BzZZ6UjD5SQziFm++W1wdis69qC5FiPB6ES0ckEnUsMIiCAMHPTOkHCdXOpWJ1dc:BzZwUjD5STFm++c9deML5Lj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1580	Au_.exe

Loads dropped DLL 1 IoCs

pid	Process
1580	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 1580	4800	uninstaller.exe	86
PID 4800 wrote to memory of 1580	4800	uninstaller.exe	86
PID 4800 wrote to memory of 1580	4800	uninstaller.exe	86

C:\Users\Admin\AppData\Local\Temp\$EXEDIR\uninstaller.exe
"C:\Users\Admin\AppData\Local\Temp\$EXEDIR\uninstaller.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$EXEDIR\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsa7B99.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
540KB

MD5
6b7d21427c411fdafc9ae6f9468fe071

SHA1
4f601452d9b3decd932022e06a061edc1825ca81

SHA256
7810f63499c20c9036762e3ac4cd9be6d12ba879d039c56e1b1920ff857318a8

SHA512
5fa0d89d90cf46b8e43dcc879e8986143307ffd2ed24b628610de92b754d96bb36a2a7fe8a45dbdbcb52f81af52ef4c3b68d1ee3c65663063172dcc79ec21d83

Download Submit