e00333f436ec9bfcd58a493f7111c44b893a3d1b85555d5a10a16330beacf730

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

64KB
MD5

cfa78612e31dad11f97350e9c80b13fe
SHA1

77b78820edcc30b09fb24c617e7a9e9d7a8cf244
SHA256

7710b8889d3820c088187467c9853fd0049aef8747a0b18cde2e057bd0811d88
SHA512

8b36eae41b8e695ef91270e14d2b1a349627857d980fade158294ab04bf11b43253221693e542340f7110e8e9b378ebe439d0c8962e3a549cfd1e0b2649f8f65
SSDEEP

1536:UQpQ5EP0ijnRTXJcgM33S7GLeAyN/w04CYtz:UQIURTXJc7eANCIz

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4424	Au_.exe

Loads dropped DLL 3 IoCs

pid	Process
4424	Au_.exe
4424	Au_.exe
4424	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral12/files/0x000700000002346a-4.dat	nsis_installer_1
behavioral12/files/0x000700000002346a-4.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 4424	4704	Uninstall.exe	84
PID 4704 wrote to memory of 4424	4704	Uninstall.exe	84
PID 4704 wrote to memory of 4424	4704	Uninstall.exe	84

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nszC46B.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszC46B.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
64KB

MD5
cfa78612e31dad11f97350e9c80b13fe

SHA1
77b78820edcc30b09fb24c617e7a9e9d7a8cf244

SHA256
7710b8889d3820c088187467c9853fd0049aef8747a0b18cde2e057bd0811d88

SHA512
8b36eae41b8e695ef91270e14d2b1a349627857d980fade158294ab04bf11b43253221693e542340f7110e8e9b378ebe439d0c8962e3a549cfd1e0b2649f8f65

Download Submit