a771a2b422b964399df75624d897bc2ff3b5bf99a9f661aed3c8232565ded1a2

Analysis

max time kernel
13s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02-09-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malwarebytes Anti-Exploit/unins000.exe
Size

701KB
MD5

b7fe199c61755c2805a0b5aa6ad962b7
SHA1

3a910da724198ca9df76200e61b5c9548b710dd2
SHA256

c01894a246137a9af4b3b016139317bb964e635fd2009e9d8fa358425ab7e47d
SHA512

b8b7f1108c0a6993284c3050975c3e23d531cf3e75f0a02bf57e41f6b760e6752e20bc5f3e8e295a3cf981e0dacb05276f035b8a02a5510503ff23df74e93d19
SSDEEP

12288:6TPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+1Iq5MRxyF7:SPcYn5c/rPx37/zHBA6pFptZ1CEQqMRe

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4160	_iu14D2N.tmp

Executes dropped EXE 1 IoCs

pid	Process
4160	_iu14D2N.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unins000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_iu14D2N.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4160	_iu14D2N.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4160	4528	unins000.exe	79
PID 4528 wrote to memory of 4160	4528	unins000.exe	79
PID 4528 wrote to memory of 4160	4528	unins000.exe	79

C:\Users\Admin\AppData\Local\Temp\Malwarebytes Anti-Exploit\unins000.exe
"C:\Users\Admin\AppData\Local\Temp\Malwarebytes Anti-Exploit\unins000.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
  "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Users\Admin\AppData\Local\Temp\Malwarebytes Anti-Exploit\unins000.exe" /FIRSTPHASEWND=$701B4
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
701KB

MD5
b7fe199c61755c2805a0b5aa6ad962b7

SHA1
3a910da724198ca9df76200e61b5c9548b710dd2

SHA256
c01894a246137a9af4b3b016139317bb964e635fd2009e9d8fa358425ab7e47d

SHA512
b8b7f1108c0a6993284c3050975c3e23d531cf3e75f0a02bf57e41f6b760e6752e20bc5f3e8e295a3cf981e0dacb05276f035b8a02a5510503ff23df74e93d19

Download Submit
memory/4160-6-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/4160-13-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/4160-12-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4160-16-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4528-0-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/4528-11-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download