Analysis

  • max time kernel
    209s
  • max time network
    285s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07/11/2024, 10:46

General

  • Target

    Uninstall.exe

  • Size

    82KB

  • MD5

    36fa034cda60273c9741364387ad84e1

  • SHA1

    a772b823b150b57826ab1ada00fbca4021d52499

  • SHA256

    88e2b9e458da15730c4ea538127b2f7dea75e511e9418f458ab93c8a4b9b8a86

  • SHA512

    8b8db29532b5193831e27fbd2d83b388678241209bf74b0e0448f53ecfc74a482fd7bd837d4a3a219ee446d5b4c6ae1c42dbfa861b9a6dab46a578f1fc18d9b4

  • SSDEEP

    1536:6pgpHzb9dZVX9fHMvG0D3XJtgLLiK/YjiHLCAyN/t65aVxw6jSJAlfQ1ef2X:4gXdZt9P6D3XJtkhCAUcaVC6jSUfQ1e2

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1452

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\nsv8790.tmp\KillProc.dll

          Filesize

          24KB

          MD5

          6c2b245e89428fb917a5805815a4054e

          SHA1

          5bcd987700dd761f02d2d1d024b8f20077985051

          SHA256

          0558bbdfe61eefb680e8560a7d4b174447a9516098f9cd8b4c84bf1552cee5c5

          SHA512

          ecb3fb77532d6ffa1ca08df05a6a86b18138356e63cb40edf68f97fc7fdf2e781a4ebeb1efdb9f13f947304312dd19ef5c4a78ddc60843f5f726cde69b2c57d4

        • C:\Users\Admin\AppData\Local\Temp\nsv8790.tmp\System.dll

          Filesize

          11KB

          MD5

          c17103ae9072a06da581dec998343fc1

          SHA1

          b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

          SHA256

          dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

          SHA512

          d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

        • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

          Filesize

          82KB

          MD5

          36fa034cda60273c9741364387ad84e1

          SHA1

          a772b823b150b57826ab1ada00fbca4021d52499

          SHA256

          88e2b9e458da15730c4ea538127b2f7dea75e511e9418f458ab93c8a4b9b8a86

          SHA512

          8b8db29532b5193831e27fbd2d83b388678241209bf74b0e0448f53ecfc74a482fd7bd837d4a3a219ee446d5b4c6ae1c42dbfa861b9a6dab46a578f1fc18d9b4

        • memory/1452-12-0x00000000040A0000-0x00000000040B4000-memory.dmp

          Filesize

          80KB

        • memory/1452-19-0x00000000040A0000-0x00000000040B4000-memory.dmp

          Filesize

          80KB