2b0a81c38f8a50530de18c0ff5f207739262155a4a309eac3d10f24e5079e7d1

Analysis

max time kernel
425s
max time network
427s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninstall.exe
Size

259KB
MD5

22a26bb892e35810581882bcfc52c652
SHA1

eb734ca419687009c75229213ae285649a3c5921
SHA256

7723d04405e97cefd0e220133fbdb07acfb3bcb11e2607dc71482d555744ac8b
SHA512

61d0c5f55a13041e201818ba7cfa6319cbfed42f4d186b8b729e71ebf4388e59a7eda67ecf09e6c4de1a12d1cab30b21ce8f7b76d807cb1988eb455ea8c04082
SSDEEP

6144:rJ9ECqBWtxiRuQOWF0HWR5WA1MsaAPXO4CnssN0Ffb69d3J6kY62nOf:rvsRfF7vzfb69j6kY62C

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4800	Un_A.exe

Executes dropped EXE 1 IoCs

pid	Process
4800	Un_A.exe

Loads dropped DLL 3 IoCs

pid	Process
4800	Un_A.exe
4800	Un_A.exe
4800	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un_A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 4800	5088	uninstall.exe	86
PID 5088 wrote to memory of 4800	5088	uninstall.exe	86
PID 5088 wrote to memory of 4800	5088	uninstall.exe	86
PID 4800 wrote to memory of 1916	4800	Un_A.exe	100
PID 4800 wrote to memory of 1916	4800	Un_A.exe	100
PID 4800 wrote to memory of 1916	4800	Un_A.exe	100

C:\Users\Admin\AppData\Local\Temp\uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4800
- - \??\c:\Windows\SysWOW64\schtasks.exe
    c:\Windows\System32\schtasks.exe /Delete /TN "Albion Data Client" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst904B.tmp\LangDLL.dll

Filesize
8KB

MD5
e5240dcd169abe69a7332d01106e1d84

SHA1
2ca68892501102586f6ab4eb99744d7f6138c166

SHA256
96c40847d52270061c25743bc9ec4843be1991f3ac36c2d1b78ec04a04437ea4

SHA512
519479d1c6bfd4fcb11e0802f9cf5eb7b324577514a986f0fdf07d33ff6a275dc5ac41654aed818d1c30e0bdda543297f4b7886442cbc93066a808cafbaf8a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst904B.tmp\System.dll

Filesize
29KB

MD5
26c8a92678f1b970ac2a700bb844c309

SHA1
c821a5980c31b0b35f1505cde836d6769f45e3a3

SHA256
2a7b5d1cab96a5280b0694d0ed54510129626a1ba36a51bd34d546972b7d18b8

SHA512
fba6e371853fd6c27097eb7cce7ffc59d71e4f0a9b5e55de06472d094b70c44a409bd82f39d9a27a814e826ab8468c59e947401a3c3ead1f057cbac236588860

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst904B.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst904B.tmp\nsDialogs.dll

Filesize
14KB

MD5
8f45e78d9d02ca8a9f9c274a8bfe2a57

SHA1
9b3838e1d2d4fbc1c84e1252747e96aa1b223d83

SHA256
78f9594721361fd3415b8c5194f9c9b87c580d6a70ddb95f2c4743c61ce68ebe

SHA512
125f1bcf833e0c233ebee552c164d9726769f06e5163467888abea08048fdae60a94b903ef97ba82ca9cf684f3c027d9605d54e9efe794df3e452f9b20e4ca96

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
259KB

MD5
22a26bb892e35810581882bcfc52c652

SHA1
eb734ca419687009c75229213ae285649a3c5921

SHA256
7723d04405e97cefd0e220133fbdb07acfb3bcb11e2607dc71482d555744ac8b

SHA512
61d0c5f55a13041e201818ba7cfa6319cbfed42f4d186b8b729e71ebf4388e59a7eda67ecf09e6c4de1a12d1cab30b21ce8f7b76d807cb1988eb455ea8c04082

Download Submit
memory/4800-23-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4800-25-0x0000000074910000-0x000000007491F000-memory.dmp

Filesize
60KB

Download
memory/4800-24-0x00000000749C0000-0x00000000749CC000-memory.dmp

Filesize
48KB

Download
memory/4800-36-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5088-5-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download