086583686b2d70ff5a67cdd5c60de6770ca6cc1890f0ebe3df63173e32530477

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninst.exe
Size

88KB
MD5

dd37451855b1c957651e3d61375d6fee
SHA1

75557a1892a576cce122308879eb8c11cb91881a
SHA256

4a07e72720feddb54300bf7dc3d3d793870a7d6f960409132f302f3fbe54e995
SHA512

a16e6b50de39ad9111e1fa86c4fee8a0ff53951d63e5492be186cc2c8111f308fc6f4d9fb17d74eb6ba9c9209c39ffb77994c699a8b90cd0aa9a09031bc07a2b
SSDEEP

1536:3Tdm9B9lYypfMXvugHQ0D0VdQiNuQgmYRN5L9A5AuLwpPA5OZPAGTU:34lLpkXGED3iNuQxqZ9AEpPAcPAeU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Un_A.exe

pid process

3292 Un_A.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1320 3292 WerFault.exe Un_A.exe
1512 3292 WerFault.exe Un_A.exe

pid	process
3292	Un_A.exe

pid	pid_target	process	target process
1320	3292	WerFault.exe	Un_A.exe
1512	3292	WerFault.exe	Un_A.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

uninst.exeUn_A.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un_A.exe

Modifies registry class 4 IoCs

Processes:

Un_A.exeuninst.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Un_A.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Un_A.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	uninst.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	uninst.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

uninst.exe

description	pid	process	target process
PID 3192 wrote to memory of 3292	3192	uninst.exe	Un_A.exe
PID 3192 wrote to memory of 3292	3192	uninst.exe	Un_A.exe
PID 3192 wrote to memory of 3292	3192	uninst.exe	Un_A.exe

C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3192

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1232
3⤵
- Program crash
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1232
3⤵
- Program crash
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3292 -ip 3292
1⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3292 -ip 3292
1⤵
PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
Filesize
88KB

MD5
dd37451855b1c957651e3d61375d6fee

SHA1
75557a1892a576cce122308879eb8c11cb91881a

SHA256
4a07e72720feddb54300bf7dc3d3d793870a7d6f960409132f302f3fbe54e995

SHA512
a16e6b50de39ad9111e1fa86c4fee8a0ff53951d63e5492be186cc2c8111f308fc6f4d9fb17d74eb6ba9c9209c39ffb77994c699a8b90cd0aa9a09031bc07a2b

Download Submit
memory/3192-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3192-6-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3292-10-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download