Analysis

  • max time kernel
    116s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 00:25

General

  • Target

    Uninstall.exe

  • Size

    40KB

  • MD5

    4d781f6e8dfedee3cf2bda540655a70d

  • SHA1

    5aef00094b15790491f22da963070841dfddec5b

  • SHA256

    2781156cc6ceb1ab85ec1243cba9d5bb1d71ce385b5ea33c353fb29a57587327

  • SHA512

    ce75a3631ba8dac98e57badc6d8c04b2a7fe8a16fc081a4b686fcde80314bac9bd2e698989bf3e25ff45b8b1d646514379b0033b88d236cf4ce384cf1a2387bb

  • SSDEEP

    768:jgUpAudwtjpQaCyMRiNH/buv1dTm61pF/O71mJDFwPiq7bnaF9hv:sUiudwBp3CyM8HsWmJRUiq7zaFz

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • NSIS installer 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
    "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

    Filesize

    40KB

    MD5

    4d781f6e8dfedee3cf2bda540655a70d

    SHA1

    5aef00094b15790491f22da963070841dfddec5b

    SHA256

    2781156cc6ceb1ab85ec1243cba9d5bb1d71ce385b5ea33c353fb29a57587327

    SHA512

    ce75a3631ba8dac98e57badc6d8c04b2a7fe8a16fc081a4b686fcde80314bac9bd2e698989bf3e25ff45b8b1d646514379b0033b88d236cf4ce384cf1a2387bb
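
The Processes and Downloads sections together show the classic NSIS uninstaller pattern: Uninstall.exe (PID 2116) writes a copy of itself to ~nsu.tmp\Au_.exe, which carries the same MD5, SHA1, SHA256 and SHA512 as the submitted file, and launches it with the `_?=` argument that tells the copy which directory the original lives in. This is stock NSIS behaviour and accounts for the "Executes dropped EXE", "Loads dropped DLL" and "Suspicious use of WriteProcessMemory" signatures on their own, so the score should be read with that in mind. The script below is an added example, not part of the sandbox report or of the NSIS project: it reconstructs the report's process and dropped-file records as constructed input, matches the relaunch command line, checks that the dropped file is a byte-identical self-copy by digest, and computes the same digests for a local copy of a sample so the check can be repeated on disk. The regex's optional single-letter suffix on `~nsu.tmp` is an assumption about how NSIS names alternate temp directories; the report itself only shows `~nsu.tmp`.

```python
"""Triage check for the NSIS uninstaller self-relaunch pattern (added example)."""
import hashlib
import re

# Constructed from the General, Processes and Downloads sections of the report.
TARGET = {
    "path": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Uninstall.exe",
    "md5": "4d781f6e8dfedee3cf2bda540655a70d",
    "sha1": "5aef00094b15790491f22da963070841dfddec5b",
    "sha256": "2781156cc6ceb1ab85ec1243cba9d5bb1d71ce385b5ea33c353fb29a57587327",
}
DROPPED = [
    {
        "path": "C:\\Users\\Admin\\AppData\\Local\\Temp\\~nsu.tmp\\Au_.exe",
        "md5": "4d781f6e8dfedee3cf2bda540655a70d",
        "sha1": "5aef00094b15790491f22da963070841dfddec5b",
        "sha256": "2781156cc6ceb1ab85ec1243cba9d5bb1d71ce385b5ea33c353fb29a57587327",
    }
]
# ppid of 2568 is taken from the tree nesting in the report (child of 2116).
PROCESSES = [
    {"pid": 2116, "ppid": None,
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\Uninstall.exe"'},
    {"pid": 2568, "ppid": 2116,
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\~nsu.tmp\\Au_.exe" '
                '_?=C:\\Users\\Admin\\AppData\\Local\\Temp\\'},
]

# Stock NSIS uninstaller relaunch: Au_.exe inside a ~nsu*.tmp directory, first
# argument "_?=" naming the directory the original uninstaller runs from.
# The optional letter after "~nsu" is an assumption (alternate temp dir names).
NSIS_RELAUNCH_RE = re.compile(
    r'^"?(?P<exe>[^"]*\\~nsu[A-Za-z]?\.tmp\\Au_\.exe)"?\s+_\?=(?P<instdir>.+?)\s*$',
    re.IGNORECASE,
)


def match_nsis_relaunch(cmdline):
    """Return (exe_path, instdir) if cmdline is the NSIS relaunch, else None."""
    m = NSIS_RELAUNCH_RE.match(cmdline)
    if not m:
        return None
    return m.group("exe"), m.group("instdir")


def same_content(a, b, algos=("md5", "sha1", "sha256", "sha512")):
    """True only if at least one digest is shared and every shared digest matches."""
    shared = [k for k in algos if k in a and k in b]
    return bool(shared) and all(a[k].lower() == b[k].lower() for k in shared)


def digests(data):
    """Compute the digests the report lists, for a sample you hold locally."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def classify(target, dropped, processes):
    """Decide whether the execute-dropped-EXE chain is only NSIS relaunching itself."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        hit = match_nsis_relaunch(p["cmdline"])
        if not hit:
            continue
        exe, instdir = hit
        parent = by_pid.get(p["ppid"])
        drop = next((d for d in dropped if d["path"].lower() == exe.lower()), None)
        findings.append({
            "pid": p["pid"],
            "relaunch_exe": exe,
            "instdir": instdir,
            # The relaunch must be spawned by the submitted uninstaller itself ...
            "parent_is_target": bool(parent) and
                parent["cmdline"].strip('"').lower().startswith(target["path"].lower()),
            # ... and the dropped Au_.exe must be a byte-identical copy of it.
            "dropped_is_self_copy": bool(drop) and same_content(target, drop),
        })
    benign = bool(findings) and all(
        f["parent_is_target"] and f["dropped_is_self_copy"] for f in findings)
    return {"nsis_self_relaunch": benign, "findings": findings}


if __name__ == "__main__":
    print(classify(TARGET, DROPPED, PROCESSES))
```

If `dropped_is_self_copy` comes back False for a chain that otherwise looks like this one, the Au_.exe in the temp directory is not the uninstaller's own image and the "Executes dropped EXE" hit deserves a real look; `digests()` lets you confirm a local copy against the values the report publishes before trusting either verdict.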