b5457332bb2f8d2d2658b2db158f0ed12af8e4502c76e0ac717f7313d13fd8ba

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$0/uninstall.exe
Size

82KB
MD5

c78dc19bab9bcb490d031ccca4bdf853
SHA1

f40960a41ff93fdcad2793f36fb5437db93b120c
SHA256

a743fab26fad94ba571933471af4685660a80c73ef4a86ea276aebcc197b2600
SHA512

da9f21b7eb01b3350614ee912f98389e209e0ce0afed08fdd13bea153f28510a2aeb468c10bf3317e0fe2716af9d67702996a8cbf18eb3ce1435be68c722abca
SSDEEP

1536:jEkjY1zy214Qay0DGkJ7qAELVigJxf7DcptJgNfKeQ2/DRkAi:AkjAJ4dDGkJ+AI0JXJGKeH/u

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2736	Au_.exe

Loads dropped DLL 3 IoCs

pid	Process
2316	uninstall.exe
2736	Au_.exe
2736	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral7/files/0x0007000000015e4f-2.dat	nsis_installer_1

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2736	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2736	2316	uninstall.exe	30
PID 2316 wrote to memory of 2736	2316	uninstall.exe	30
PID 2316 wrote to memory of 2736	2316	uninstall.exe	30
PID 2316 wrote to memory of 2736	2316	uninstall.exe	30

C:\Users\Admin\AppData\Local\Temp\$0\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\$0\uninstall.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$0\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd3FA0.tmp\ioSpecial.ini

Filesize
610B

MD5
14c575dce4cd7987199d385bc93eae0d

SHA1
280e4c6df5f52eed86fbd604e8e9b5339e62fa58

SHA256
53857dc450dbfb21819f3d3d89894b7b686721716d1664ac0b814913d8f42847

SHA512
c7b90837f5f494d4cfa7a02bb3eda872366f9a6021801b919717de274b2379d1f0283c71dd000732faa3aa84ada31a816ca4d6cb3b08687bb1a10ed82efcaf05

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd3FA0.tmp\ioSpecial.ini

Filesize
623B

MD5
dfb0bcd8f8414180615c3177ecaed4bc

SHA1
752ca8080bd370df9bebb5ea661ce1dad820b994

SHA256
113e9a8226b3dd66d37cfecab20a8978ff7a923ef5cfbae8ff980c37544d03e2

SHA512
ea77ba9d6138e4c4fec32e85fdbe5d22d91c901ea8739b6a8d3cc36b0117d4092f19eab94bc8e67815e63159b505ea90ab85d77d1a5f50ec3e7cdf018714539c

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3FA0.tmp\InstallOptions.dll

Filesize
13KB

MD5
d765c492c21689e3d9d61634371fd861

SHA1
ac200933671ae52c9d5544d0e2e8e9144d286c83

SHA256
551e6042dd494ea01549555ffc194ab9729da09058ec714eb368dd06642c9bbc

SHA512
9919a9e848c8f1e26c75d0d29207571e4b86a4140bd554743d2c1f8bd7f386fe4919345b163d89a5d907fb165e435ba0ac5f6b1101713636141f156a420e2e0f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3FA0.tmp\System.dll

Filesize
10KB

MD5
fe24766ba314f620d57d0cf7339103c0

SHA1
8641545f03f03ff07485d6ec4d7b41cbb898c269

SHA256
802ef71440f662f456bed6283a5ff78066af016897fe6bfd29cac6edc2967bbd

SHA512
60d36959895cebf29c4e7713e6d414980139c7aa4ed1c8c96fefb672c1263af0ce909fb409534355895649c0e8056635112efb0da2ba05694446aec2ca77e2e3

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
82KB

MD5
c78dc19bab9bcb490d031ccca4bdf853

SHA1
f40960a41ff93fdcad2793f36fb5437db93b120c

SHA256
a743fab26fad94ba571933471af4685660a80c73ef4a86ea276aebcc197b2600

SHA512
da9f21b7eb01b3350614ee912f98389e209e0ce0afed08fdd13bea153f28510a2aeb468c10bf3317e0fe2716af9d67702996a8cbf18eb3ce1435be68c722abca

Download Submit