9842bab615c26a378b51a464bd2269f4cfab0190d8c4815c4c9d1227536c07c4

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

61KB
MD5

8e546ed8df25ae2dcd9ad6849757684d
SHA1

1641fb8b6b208e8d677210a63315f5d48b9867f5
SHA256

f37191b22289a4a2993f76c45047a75134dcd6c6811dd51d347720bf4f6ac180
SHA512

27c3b17ec0ff0777939d24ceb599f8db60ead250d777befd5dc00da2925413cb84bf7bfcf4a34199e2da4773fd2ec65b69318342e517de91b33b1f329094ac96
SSDEEP

1536:sUeHiWRgkkjH8nyWmJ5gdLeAyNtrUlMRQTZU:sd/vyWmJ5ceAUUiO6

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4420	Au_.exe

Executes dropped EXE 1 IoCs

pid	Process
4420	Au_.exe

Loads dropped DLL 23 IoCs

pid	Process
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe
4420	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral12/files/0x0007000000023435-3.dat	nsis_installer_1
behavioral12/files/0x0007000000023435-3.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 4420	3820	Uninstall.exe	82
PID 3820 wrote to memory of 4420	3820	Uninstall.exe	82
PID 3820 wrote to memory of 4420	3820	Uninstall.exe	82

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsk9FCC.tmp\System.dll

Filesize
10KB

MD5
0bbcbaee7b703ebd55cd8658a0e8dcd3

SHA1
6ed448b8b67cea36eb45bfbc67fed9a6da9623e4

SHA256
e67277ecc4f6c7beb3c7e586ce508677269db056c7541eacfecf6c719f559da6

SHA512
604c524bd00313f6411cc9878d5c9a1db77588049feeb5bb02c971df44f8becbd18d251cc20e551b878173eb2a78be61f31352769597c6334cffc0bc2326b008

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9FCC.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9FCC.tmp\nsDialogs.dll

Filesize
8KB

MD5
9119c6371994557db43f61887dbec301

SHA1
f43aa3a2547c61a0f9d6f7e975da0a475f973c28

SHA256
562e24d6cb190f12ca6f4b2943874fd6a4e434a7fcb6efefc18af66c37aa1acd

SHA512
efe8fe0ad174edf0301fccbffb820064f0e6dbbda20d4b2107cc937f10ab40d0e5f98c9e91023823f7c50d7e551ba63ffd7953d9e312ff827b4471e3e39c593a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
61KB

MD5
8e546ed8df25ae2dcd9ad6849757684d

SHA1
1641fb8b6b208e8d677210a63315f5d48b9867f5

SHA256
f37191b22289a4a2993f76c45047a75134dcd6c6811dd51d347720bf4f6ac180

SHA512
27c3b17ec0ff0777939d24ceb599f8db60ead250d777befd5dc00da2925413cb84bf7bfcf4a34199e2da4773fd2ec65b69318342e517de91b33b1f329094ac96

Download Submit