Analysis

  • max time kernel
    46s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-10-2024 01:25

General

  • Target

    Uninstall.exe

  • Size

    61KB

  • MD5

    8e546ed8df25ae2dcd9ad6849757684d

  • SHA1

    1641fb8b6b208e8d677210a63315f5d48b9867f5

  • SHA256

    f37191b22289a4a2993f76c45047a75134dcd6c6811dd51d347720bf4f6ac180

  • SHA512

    27c3b17ec0ff0777939d24ceb599f8db60ead250d777befd5dc00da2925413cb84bf7bfcf4a34199e2da4773fd2ec65b69318342e517de91b33b1f329094ac96

  • SSDEEP

    1536:sUeHiWRgkkjH8nyWmJ5gdLeAyNtrUlMRQTZU:sd/vyWmJ5ceAUUiO6

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1208

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nszCDBD.tmp\modern-wizard.bmp

    Filesize

    25KB

    MD5

    cbe40fd2b1ec96daedc65da172d90022

    SHA1

    366c216220aa4329dff6c485fd0e9b0f4f0a7944

    SHA256

    3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

    SHA512

    62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

  • \Users\Admin\AppData\Local\Temp\nszCDBD.tmp\System.dll

    Filesize

    10KB

    MD5

    0bbcbaee7b703ebd55cd8658a0e8dcd3

    SHA1

    6ed448b8b67cea36eb45bfbc67fed9a6da9623e4

    SHA256

    e67277ecc4f6c7beb3c7e586ce508677269db056c7541eacfecf6c719f559da6

    SHA512

    604c524bd00313f6411cc9878d5c9a1db77588049feeb5bb02c971df44f8becbd18d251cc20e551b878173eb2a78be61f31352769597c6334cffc0bc2326b008

  • \Users\Admin\AppData\Local\Temp\nszCDBD.tmp\nsDialogs.dll

    Filesize

    8KB

    MD5

    9119c6371994557db43f61887dbec301

    SHA1

    f43aa3a2547c61a0f9d6f7e975da0a475f973c28

    SHA256

    562e24d6cb190f12ca6f4b2943874fd6a4e434a7fcb6efefc18af66c37aa1acd

    SHA512

    efe8fe0ad174edf0301fccbffb820064f0e6dbbda20d4b2107cc937f10ab40d0e5f98c9e91023823f7c50d7e551ba63ffd7953d9e312ff827b4471e3e39c593a

  • \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

    Filesize

    61KB

    MD5

    8e546ed8df25ae2dcd9ad6849757684d

    SHA1

    1641fb8b6b208e8d677210a63315f5d48b9867f5

    SHA256

    f37191b22289a4a2993f76c45047a75134dcd6c6811dd51d347720bf4f6ac180

    SHA512

    27c3b17ec0ff0777939d24ceb599f8db60ead250d777befd5dc00da2925413cb84bf7bfcf4a34199e2da4773fd2ec65b69318342e517de91b33b1f329094ac96