ec1693018b38ac8f2be71eaea9cbdb6bcb8911de5e56f9f69d8e06f1fec995f4

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unukfree.exe
Size

104KB
MD5

36f2c316d28bb22b746cd26e3e66ea81
SHA1

74cb4e47caae20d2e192b028fc6e5147c6a6ab4d
SHA256

01d0b09052dadc41652ebde5ca5f1879860c4eaedb85a9b240397fbf9728ecca
SHA512

5a925756ef86a440291dd25700072346f5480b207ad138256036792aafe0351889d21ca883c7d0e6e9b6bd45a5887f3fa6d15e4cfea6665b1d38856102474fd3
SSDEEP

1536:eQpQ5EP0ijnRTXJ+YRN6QcI0oMUgco9HoDunLSg5LP+R0WWcqFmKEEwBI3:eQIURTXJ+qLMUgUipWWcqkKEN2

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2236	Au_.exe

Loads dropped DLL 3 IoCs

pid	Process
2304	unukfree.exe
2236	Au_.exe
2236	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unukfree.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral21/files/0x000500000001926b-2.dat	nsis_installer_1
behavioral21/files/0x000500000001926b-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2236	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2236	2304	unukfree.exe	30
PID 2304 wrote to memory of 2236	2304	unukfree.exe	30
PID 2304 wrote to memory of 2236	2304	unukfree.exe	30
PID 2304 wrote to memory of 2236	2304	unukfree.exe	30

C:\Users\Admin\AppData\Local\Temp\unukfree.exe
"C:\Users\Admin\AppData\Local\Temp\unukfree.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdCA91.tmp\ioSpecial.ini

Filesize
688B

MD5
a852f70e71d86b96b654586e8b21dcde

SHA1
0ef33656e648798aaebd57c59ecde53e8e1568c9

SHA256
268705abedeedbd4a336f7d409175810b878ba76a9a0568f3209c80b8cd3d5ad

SHA512
65c0e182dd137241df3ee2d9e3d833232a3213109edc11306d0224e97770e65ffe812623c9757068c8e55c4e429c67caf08f84a1ea08e361515ac0226c4918cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdCA91.tmp\ioSpecial.ini

Filesize
727B

MD5
a7422c56ecd06aa3eeb17d8477859b10

SHA1
d1b83bc83b7d8a1bbfd1303845ded808d66f599c

SHA256
5ef8c1f7e567b3b3cf98eb86b9757eea0326c84205b9d405b2788bf29657b0ba

SHA512
700be1e3fe8b690d75ca3b6aeee5ca0097f66a8e7ffc10a9aea49b3b914a6b92131f8d5a74a1d444847b3f1ee73505037bbe70f32e00df8768430c7a069a43b4

Download Submit
\Users\Admin\AppData\Local\Temp\nsdCA91.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\nsdCA91.tmp\UAC.dll

Filesize
13KB

MD5
07841403d5371183c4eaa5cab50663fb

SHA1
b0cee6e01502fdd2ee775922051333d626c63906

SHA256
3a18cf504265ab2267e1545106217767877fa9db6e2b5dd0a3a761dead33a99b

SHA512
436c1932d4ff56a11673beac5416ac0f2c7e90e5b993b3b8c8f589069d655da40c3ed514b99291ddf06aad66b0a634896daac19adf459ff791dccf3234af0e05

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
104KB

MD5
36f2c316d28bb22b746cd26e3e66ea81

SHA1
74cb4e47caae20d2e192b028fc6e5147c6a6ab4d

SHA256
01d0b09052dadc41652ebde5ca5f1879860c4eaedb85a9b240397fbf9728ecca

SHA512
5a925756ef86a440291dd25700072346f5480b207ad138256036792aafe0351889d21ca883c7d0e6e9b6bd45a5887f3fa6d15e4cfea6665b1d38856102474fd3

Download Submit