1173af60b8b0b350632ded58fd89429fd9457840f418ffa214f57487768ab19a

Analysis

max time kernel
213s
max time network
281s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12/10/2024, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

50KB
MD5

b87a591ae4ee7e64c0bddd5867a79009
SHA1

fd249bf71bdf4e999ae60ffb267f6b8c055e58f0
SHA256

778e7de3d32f4af915b5a85db7c1a5da1be748ddc810eca93f34d066070ba02a
SHA512

cd87e3cad3adfc2a78cb6e6bd16c50903b0b54324dd400ff7b686e5d5520721208e0b580e21265d219f7ce77bcefb5e7a05b7b70cfa1b7dfa82f3e1ce5fb1196
SSDEEP

1536:iQNRwF/6HWFDw2ShOp0DiJkuytDq+HMVKNo:JNRCywDw1DiJkuytDrbW

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2116	Un_A.exe

Executes dropped EXE 1 IoCs

pid	Process
2116	Un_A.exe

Loads dropped DLL 1 IoCs

pid	Process
2116	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un_A.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 2116	4520	Uninstall.exe	77
PID 4520 wrote to memory of 2116	4520	Uninstall.exe	77
PID 4520 wrote to memory of 2116	4520	Uninstall.exe	77

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsg6FA3.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
50KB

MD5
b87a591ae4ee7e64c0bddd5867a79009

SHA1
fd249bf71bdf4e999ae60ffb267f6b8c055e58f0

SHA256
778e7de3d32f4af915b5a85db7c1a5da1be748ddc810eca93f34d066070ba02a

SHA512
cd87e3cad3adfc2a78cb6e6bd16c50903b0b54324dd400ff7b686e5d5520721208e0b580e21265d219f7ce77bcefb5e7a05b7b70cfa1b7dfa82f3e1ce5fb1196

Download Submit