167b7192937b39e657def16ffb0fdbbab326f007747505d5c8785811d6b03ab8

Analysis

max time kernel
194s
max time network
262s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
03/09/2024, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninst.exe
Size

162KB
MD5

8714e02ab8492fa906242a4aac7b6f12
SHA1

70a660aa2a693f7fddc51edf0673c5e8a978dc6d
SHA256

063cde0afeb24ad52bc95f162167375305fa6ba843283b5fdc86e3da81939b79
SHA512

de260607ab21c5a1307e466950f5436756c1e171a853d2261c22e3f753e063eebffb338ff9d8a1cd9e52259324925b729c1cd3cf7965813e6a35a43196957748
SSDEEP

3072:1IS23BZO7kF1g+d2uumUvobAEoTG4X2EO9H311wz0mQZgwMSR:SS2PzdimUwIO9HLmigtSR

Score

8^/10

discovery persistence

Malware Config

Signatures

Uses Session Manager for persistence 2 TTPs 1 IoCs

Creates Session Manager registry key to run executable early in system boot.

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BootExecute = 6100750074006f0063006800650063006b0020006100750074006f00630068006b0020002a0000000000	defraggler64.exe

Executes dropped EXE 1 IoCs

pid	Process
3676	Au_.exe

Loads dropped DLL 5 IoCs

pid	Process
3676	Au_.exe
3676	Au_.exe
3676	Au_.exe
3676	Au_.exe
3676	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 3676	4144	uninst.exe	73
PID 4144 wrote to memory of 3676	4144	uninst.exe	73
PID 4144 wrote to memory of 3676	4144	uninst.exe	73
PID 3676 wrote to memory of 1372	3676	Au_.exe	74
PID 3676 wrote to memory of 1372	3676	Au_.exe	74

C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\defraggler64.exe
    C:\Users\Admin\AppData\Local\Temp\defraggler64.exe -hostCleanup
    3⤵
    - Uses Session Manager for persistence
    PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Au_.exe

Filesize
162KB

MD5
8714e02ab8492fa906242a4aac7b6f12

SHA1
70a660aa2a693f7fddc51edf0673c5e8a978dc6d

SHA256
063cde0afeb24ad52bc95f162167375305fa6ba843283b5fdc86e3da81939b79

SHA512
de260607ab21c5a1307e466950f5436756c1e171a853d2261c22e3f753e063eebffb338ff9d8a1cd9e52259324925b729c1cd3cf7965813e6a35a43196957748

Download Submit
\Users\Admin\AppData\Local\Temp\nsl63AD.tmp\LangDLL.dll

Filesize
5KB

MD5
47352ef3e79fa0f07ec3b96df9249d05

SHA1
ca445110f0097aa9b856aed9fd4955215534cf9a

SHA256
d36d90f370080609b1615f30b3d075a584bd0de6740da01fb61bbebc4eaf575d

SHA512
949774824bc08bf50df2e20711822505192d0180b12aa618e5c458fbc6187070757c6cb94974c3ea367095207070c1fcbf62599cda570a5291a69fdb4a1af607

Download Submit
\Users\Admin\AppData\Local\Temp\nsl63AD.tmp\System.dll

Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsl63AD.tmp\UserInfo.dll

Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads