a4985c3ed38fbde6db4e8707e6b176f8e1c1c7598a3ba213561e6cd8521b0001

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninstal.exe
Size

22KB
MD5

ab1518bab8cfc29403b09435657ad525
SHA1

39a5082a4abb81e4d0159838babafc6fb7ec9bf9
SHA256

dd8b69c21759814a785af9d513c80b962ece939ca374a814b6799c6c69c8d602
SHA512

1e2687232386bb4078a2a6942f0116b4ffb32d4c394967c081c8d51898fdd6ccf38e1c7c89583f0cf2b046b89562ea06fe2bb567481a531df7763d4d194c282e
SSDEEP

384:qxAj9COVTmig03CVbQL2KW+NOnQfbVV52YB/e1ipQJlEoN64JEMqxc2BJRns3uk0:q2jIOVaiwbQJvNvBvV5e1IQj7N6EEMqL

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2176	A~NSISu_.exe

Executes dropped EXE 1 IoCs

pid	Process
2176	A~NSISu_.exe

Loads dropped DLL 4 IoCs

pid	Process
1984	uninstal.exe
2176	A~NSISu_.exe
2176	A~NSISu_.exe
2176	A~NSISu_.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral13/memory/1984-0-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral13/files/0x00060000000175f7-4.dat	upx
behavioral13/memory/1984-10-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral13/memory/2176-15-0x0000000048000000-0x0000000048089000-memory.dmp	upx
behavioral13/memory/2176-16-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral13/memory/2176-17-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral13/memory/2176-19-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninstal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A~NSISu_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2176	A~NSISu_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2176	1984	uninstal.exe	30
PID 1984 wrote to memory of 2176	1984	uninstal.exe	30
PID 1984 wrote to memory of 2176	1984	uninstal.exe	30
PID 1984 wrote to memory of 2176	1984	uninstal.exe	30
PID 1984 wrote to memory of 2176	1984	uninstal.exe	30
PID 1984 wrote to memory of 2176	1984	uninstal.exe	30
PID 1984 wrote to memory of 2176	1984	uninstal.exe	30

C:\Users\Admin\AppData\Local\Temp\uninstal.exe
"C:\Users\Admin\AppData\Local\Temp\uninstal.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe
  "C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\A~NSISu_.exe

Filesize
22KB

MD5
ab1518bab8cfc29403b09435657ad525

SHA1
39a5082a4abb81e4d0159838babafc6fb7ec9bf9

SHA256
dd8b69c21759814a785af9d513c80b962ece939ca374a814b6799c6c69c8d602

SHA512
1e2687232386bb4078a2a6942f0116b4ffb32d4c394967c081c8d51898fdd6ccf38e1c7c89583f0cf2b046b89562ea06fe2bb567481a531df7763d4d194c282e

Download Submit
memory/1984-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1984-1-0x00000000002F0000-0x0000000000322000-memory.dmp

Filesize
200KB

Download
memory/1984-10-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2176-15-0x0000000048000000-0x0000000048089000-memory.dmp

Filesize
548KB

Download
memory/2176-16-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2176-17-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2176-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download