209bc82f50d5c7f4b8f75057b2793d433b04f7761bd32b2e04969017b0722ceb

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

327KB
MD5

f8e51b09aea1acb19bc5fd1f6aa34907
SHA1

241e10a41f215b179f7ccb25a2dc822b6d118dc1
SHA256

6f4915a3017fc12182e514be8600c9b51c6bfc87de110201ccb94058db7fdc6c
SHA512

cdf8bfa7a074e202957982c6ec9c59df0012c6ca69927a75e26857bab4594d7025649be923d6ccd26ddb76aed60d54447cd281cdc46520fcdbbc36ea437c1405
SSDEEP

3072:AhT2137DYmJEt/FnsIkUM3iE9S4OKAk0zSbVuTS5siApDUc++towaYjtsn/7tREj:AhR7VRzqAfigAcqtRE435bH6Qr2

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3036	Au_.exe

Loads dropped DLL 5 IoCs

pid	Process
2096	Uninstall.exe
3036	Au_.exe
3036	Au_.exe
3036	Au_.exe
3036	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral19/files/0x000500000001961d-2.dat	nsis_installer_1
behavioral19/files/0x000500000001961d-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3036	Au_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 3036	2096	Uninstall.exe	31
PID 2096 wrote to memory of 3036	2096	Uninstall.exe	31
PID 2096 wrote to memory of 3036	2096	Uninstall.exe	31
PID 2096 wrote to memory of 3036	2096	Uninstall.exe	31
PID 2096 wrote to memory of 3036	2096	Uninstall.exe	31
PID 2096 wrote to memory of 3036	2096	Uninstall.exe	31
PID 2096 wrote to memory of 3036	2096	Uninstall.exe	31

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdD05A.tmp\ioSpecial.ini

Filesize
619B

MD5
71c9f3e30756661432e2b775af20996c

SHA1
78ea24f6547067931125abde3b6eed462150e8eb

SHA256
95a40a848175474e2cbc9e73c451cd92642ebd3e6bf2050a7eeb9d8f6ce6f4ac

SHA512
302e0c6435adfe63d172e76324f5827cd1a9d4d2946b5828a53177261440f2cec99406b9c9aece990cfe833246f6873e6a196ffc7ac3aa4fc26536361715c100

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD05A.tmp\InstallOptions.dll

Filesize
14KB

MD5
3809b1424d53ccb427c88cabab8b5f94

SHA1
bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e

SHA256
426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088

SHA512
626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
327KB

MD5
f8e51b09aea1acb19bc5fd1f6aa34907

SHA1
241e10a41f215b179f7ccb25a2dc822b6d118dc1

SHA256
6f4915a3017fc12182e514be8600c9b51c6bfc87de110201ccb94058db7fdc6c

SHA512
cdf8bfa7a074e202957982c6ec9c59df0012c6ca69927a75e26857bab4594d7025649be923d6ccd26ddb76aed60d54447cd281cdc46520fcdbbc36ea437c1405

Download Submit