086583686b2d70ff5a67cdd5c60de6770ca6cc1890f0ebe3df63173e32530477

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninst.exe
Size

88KB
MD5

dd37451855b1c957651e3d61375d6fee
SHA1

75557a1892a576cce122308879eb8c11cb91881a
SHA256

4a07e72720feddb54300bf7dc3d3d793870a7d6f960409132f302f3fbe54e995
SHA512

a16e6b50de39ad9111e1fa86c4fee8a0ff53951d63e5492be186cc2c8111f308fc6f4d9fb17d74eb6ba9c9209c39ffb77994c699a8b90cd0aa9a09031bc07a2b
SSDEEP

1536:3Tdm9B9lYypfMXvugHQ0D0VdQiNuQgmYRN5L9A5AuLwpPA5OZPAGTU:34lLpkXGED3iNuQxqZ9AEpPAcPAeU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3292	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1320	3292	WerFault.exe	92
1512	3292	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un_A.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Un_A.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Un_A.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	uninst.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	uninst.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 3292	3192	uninst.exe	92
PID 3192 wrote to memory of 3292	3192	uninst.exe	92
PID 3192 wrote to memory of 3292	3192	uninst.exe	92

C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1232
    3⤵
    - Program crash
    PID:1320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1232
    3⤵
    - Program crash
    PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3292 -ip 3292
1⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3292 -ip 3292
1⤵
PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
88KB

MD5
dd37451855b1c957651e3d61375d6fee

SHA1
75557a1892a576cce122308879eb8c11cb91881a

SHA256
4a07e72720feddb54300bf7dc3d3d793870a7d6f960409132f302f3fbe54e995

SHA512
a16e6b50de39ad9111e1fa86c4fee8a0ff53951d63e5492be186cc2c8111f308fc6f4d9fb17d74eb6ba9c9209c39ffb77994c699a8b90cd0aa9a09031bc07a2b

Download Submit
memory/3192-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3192-6-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3292-10-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download