1b96a4797bf3cbb800bfb2ca3331522aec66d92bd0a01402ca5c42616f7c1e2b

Analysis

max time kernel
100s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

53KB
MD5

dc93577e1a6fb4dbfb7526c42e12b83b
SHA1

5a3d7a8595775c7f596f5bbbd306138eb5294cec
SHA256

0c4dfaaffafb113796c001c68e1499830b6e44ba516d0adaf1a69909fcbce918
SHA512

e83cea7c3d49ff7563c421475183d04b1288563b53e6c6984b78d9db71df593c7fad4176680826f740b57236f60ec7c2eacb960c3432aee89e70ac7cc9d92ef4
SSDEEP

1536:spgpHzb9dZVX9fHMvG0D3XJdgdLeAyN/0VgdU:6gXdZt9P6D3XJdceAQU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2704	Au_.exe

Loads dropped DLL 4 IoCs

pid	Process
1456	Uninstall.exe
2704	Au_.exe
2704	Au_.exe
2704	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral7/files/0x000500000001a09e-2.dat	nsis_installer_1
behavioral7/files/0x000500000001a09e-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2704	Au_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2704	1456	Uninstall.exe	29
PID 1456 wrote to memory of 2704	1456	Uninstall.exe	29
PID 1456 wrote to memory of 2704	1456	Uninstall.exe	29
PID 1456 wrote to memory of 2704	1456	Uninstall.exe	29
PID 1456 wrote to memory of 2704	1456	Uninstall.exe	29
PID 1456 wrote to memory of 2704	1456	Uninstall.exe	29
PID 1456 wrote to memory of 2704	1456	Uninstall.exe	29

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
53KB

MD5
dc93577e1a6fb4dbfb7526c42e12b83b

SHA1
5a3d7a8595775c7f596f5bbbd306138eb5294cec

SHA256
0c4dfaaffafb113796c001c68e1499830b6e44ba516d0adaf1a69909fcbce918

SHA512
e83cea7c3d49ff7563c421475183d04b1288563b53e6c6984b78d9db71df593c7fad4176680826f740b57236f60ec7c2eacb960c3432aee89e70ac7cc9d92ef4

Download Submit