1a4ab48b0c383f135de4a04de9d17f8f4443ff66334e94a27de1bdd45a4f8763

Analysis

max time kernel
94s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninst.exe
Size

49KB
MD5

b93b7d94c134eb04301f9662e01f70be
SHA1

af502c6ad4bda1cfa59240db043a1e09d623dbaf
SHA256

11076c8d2fd0d97e774797da2b2973f1c8a98cf317f247ff0ebdddd36669c055
SHA512

141e57502398064d60fc99cbf2e805b1897bfbdb88964afd4ded1aa075f9a779536c23c175ef240c7753ac28b7c49328d83f5dcd67a2d83c2736b5a73ed59763
SSDEEP

768:uh03BWfzcJpdd4jU3eRo8rwV0GfL7rtU7UMt3MBJjwWQDkXq0wx:uh03grsyj5Rk0gtUABJ/Q+wx

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3856	A~NSISu_.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A~NSISu_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninst.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral30/files/0x00080000000234af-4.dat	nsis_installer_1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 3856	4920	uninst.exe	84
PID 4920 wrote to memory of 3856	4920	uninst.exe	84
PID 4920 wrote to memory of 3856	4920	uninst.exe	84

C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe
  "C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe

Filesize
49KB

MD5
b93b7d94c134eb04301f9662e01f70be

SHA1
af502c6ad4bda1cfa59240db043a1e09d623dbaf

SHA256
11076c8d2fd0d97e774797da2b2973f1c8a98cf317f247ff0ebdddd36669c055

SHA512
141e57502398064d60fc99cbf2e805b1897bfbdb88964afd4ded1aa075f9a779536c23c175ef240c7753ac28b7c49328d83f5dcd67a2d83c2736b5a73ed59763

Download Submit