ac546143819aa20f9cb1bf8bd9405ee3d8de167f47bb48a970d98878f1179f2d

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 00:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

nl/uninstall.exe
Size

39KB
MD5

2085bc9fb2f8bde44375fa20622c249f
SHA1

539e87673707b09224582dd5aa920fbe8ba6dfa6
SHA256

79353004cd19ee6e8856ffd813582709dd878a34e624ad12d01d252d3617b1d9
SHA512

b8cedaa3d5d1a4b07b179d5f74666e3caded9e1762c1a0799a7fcc3f6708fdd1d39d23c1593948bb9f09a3b5db3ca994f6f012477e2f24647f9ec41e34ba664e
SSDEEP

768:LH3wplCzpl1QYc6ZOZcBMMGpUvsVYZwuUy0D3MFBOV1mJLQJRnsnwbVQP:LXwjCzX139sZDM4y0DhmJpnwxQP

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2132	Au_.exe

Executes dropped EXE 1 IoCs

pid	Process
2132	Au_.exe

Loads dropped DLL 5 IoCs

pid	Process
2172	uninstall.exe
2132	Au_.exe
2132	Au_.exe
2132	Au_.exe
2132	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral31/files/0x000500000001a4b3-5.dat	nsis_installer_1
behavioral31/files/0x000500000001a4b3-5.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2132	Au_.exe
2132	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2132	2172	uninstall.exe	30
PID 2172 wrote to memory of 2132	2172	uninstall.exe	30
PID 2172 wrote to memory of 2132	2172	uninstall.exe	30
PID 2172 wrote to memory of 2132	2172	uninstall.exe	30

C:\Users\Admin\AppData\Local\Temp\nl\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\nl\uninstall.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\nl\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
39KB

MD5
2085bc9fb2f8bde44375fa20622c249f

SHA1
539e87673707b09224582dd5aa920fbe8ba6dfa6

SHA256
79353004cd19ee6e8856ffd813582709dd878a34e624ad12d01d252d3617b1d9

SHA512
b8cedaa3d5d1a4b07b179d5f74666e3caded9e1762c1a0799a7fcc3f6708fdd1d39d23c1593948bb9f09a3b5db3ca994f6f012477e2f24647f9ec41e34ba664e

Download Submit
\Users\Admin\AppData\Local\Temp\nsjCA14.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
\Users\Admin\AppData\Local\Temp\nsjCA14.tmp\UserInfo.dll

Filesize
4KB

MD5
b59fbdc4abbbf4911d7d9516603f303e

SHA1
d00ef992008d1a4e6661134b02314674ace3d7a2

SHA256
9c139d709d7657679a2c77f1eb3fd3f1b471a36d16757c5c20e803d2b7d2a3d7

SHA512
bdcbbd0beaff597f24c0fde34f9bd4300c15ed55ef9c47d6bf7a2816554ce7dbd184f4a156f657c65b8579775f482e3fb12122d97b286b4139f84de6fb709b48

Download Submit
memory/2132-24-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download