c0cd9a7f2987c7eca65906f7f210c53f88055822a95f7833333d3c8a3c3c43fa

Analysis

max time kernel
1343s
max time network
1163s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-uk
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-uklocale:uk-uaos:windows10-ltsc 2021-x64systemwindows
submitted
21-11-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

57KB
MD5

881bdc10831f28c0bce53acf1ef5f73c
SHA1

18bf74f2307549bf56f87b2d7f916bfa591ae529
SHA256

9af958b415f2d359ba086e20b3572762ca900112b6b8ed7bb423c980757ed592
SHA512

db820f224c7a5af4c01da783210ce017a3a92a20c1844d2c9327e2a1c5e11a3406b0a3c235b0c88dd4ba9f2fad954f6584de6f03857ed515e27cd631b60edb34
SSDEEP

1536:ZCxKWquTniCtK2SkJsqAELVig92w6Sdtcg:ZUjqKPakJrAI0bw6Sdtcg

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4064	Au_.exe

Executes dropped EXE 1 IoCs

pid	Process
4064	Au_.exe

Loads dropped DLL 1 IoCs

pid	Process
4064	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral18/files/0x00280000000450c9-1.dat	nsis_installer_1

Modifies registry class 55 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.7z\shell\open\command	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.7z\shell	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.bz2\shell\open\command	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{23170F69-40C1-278A-1000-000100020000}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.bz2	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.tar\shell	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.rar\shell\open\command	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.bz2\shell\open\command	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.bzip2\shell\open	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.rar\shell\open\command	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.rar\shell	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.bz2\shell\open	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.bzip2	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.tar\shell	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{23170F69-40C1-278A-1000-000100020000}\INPROCSERVER32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.bz2\shell\open	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.bzip2\shell\open\command	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.gz\shell\open	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.gz\shell	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.tar\shell\open	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.tgz	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.7z	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.bzip2\shell	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.gz\shell\open\command	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.gz	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.tar\shell\open\command	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.7z\shell\open	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.7z\shell\open	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.gz\shell\open\command	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.gz\shell\open	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.tgz\shell	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.rar\shell\open	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.rar	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.tar\shell\open	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.rar\shell	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.tgz\shell	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.tar\shell\open\command	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.7z\shell\open\command	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.bz2\shell	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.bzip2\shell\open\command	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.gz\shell	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.tgz\shell\open\command	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.tgz\shell\open	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.bz2\shell	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.rar\shell\open	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.tar	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.tgz\shell\open\command	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.tgz\shell\open	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.7z\shell	Au_.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\7-Zip.bzip2\shell\open	Au_.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.bzip2\shell	Au_.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 4064	3232	Uninstall.exe	82
PID 3232 wrote to memory of 4064	3232	Uninstall.exe	82
PID 3232 wrote to memory of 4064	3232	Uninstall.exe	82
PID 4064 wrote to memory of 4516	4064	Au_.exe	88
PID 4064 wrote to memory of 4516	4064	Au_.exe	88
PID 4064 wrote to memory of 4516	4064	Au_.exe	88

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /u /s "C:\Users\Admin\AppData\Local\Temp\7-zip.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsg642A.tmp\InstallOptions.dll

Filesize
12KB

MD5
99bc22826a0568dce241be3a4ffd0c0d

SHA1
62e4662250abdf10d23a61076fd7cbd00a5c5b6f

SHA256
120e4fac0538b7e7b75934706668063a4e7785d0405dca43fde36d55f6d968de

SHA512
35b016b6e2dc850e5432becd57f35faf73b180c0a6f822a406cf9d5439a87126c41c49aac025cdeecd38bbd01705ddbd8c217cb33134e978ecc9624053b52be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg642A.tmp\ioSpecial.ini

Filesize
494B

MD5
8612982994cc4520cffada8e90cbc3c9

SHA1
4ff69379ee2f8cb4220cdc60fd48c80bc8b6130a

SHA256
eec15a76eba66443e113567952e2396bdd498f15a08355f5f1892299df914868

SHA512
c03d84f08fe00978238a84af3f765d3a310a2faa5ef237fd3471d376ef750656048dac700cc58e79c24362960d5dc51bb5bdbd7c52c32fd32b7eebb01279bee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
57KB

MD5
881bdc10831f28c0bce53acf1ef5f73c

SHA1
18bf74f2307549bf56f87b2d7f916bfa591ae529

SHA256
9af958b415f2d359ba086e20b3572762ca900112b6b8ed7bb423c980757ed592

SHA512
db820f224c7a5af4c01da783210ce017a3a92a20c1844d2c9327e2a1c5e11a3406b0a3c235b0c88dd4ba9f2fad954f6584de6f03857ed515e27cd631b60edb34

Download Submit