2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497

Resubmissions

01-12-2024 00:29

241201-as8kssvmek 7

01-12-2024 00:19

30-11-2024 15:39

30-11-2024 15:34

07-10-2024 06:29

Analysis

max time kernel
149s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30-11-2024 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uninst.exe
Size

416KB
MD5

5b3a0aabf9dfda83b5fafe646a056a63
SHA1

8d48747e1922d6c670a901ab0771b1cb57117ae4
SHA256

343e0dec2324709cbe89630f9c604310e8edbe422e220dcf5fee93ce0dea8f36
SHA512

5425b8791c54a20e765205a312d0acc8c862bb2807664b52ff47f0716e27be8799df7964b5c61bae50a6ec83144a004dfc05bfeb41cfe8e148cb0c181ceb8d77
SSDEEP

12288:1mJ5sHn/ztd4T/QW0lUCMNpnio+WQgsLQVNf3+olbPY:1mJ5sHn/5de/ZmIP+FgQURuolbY

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4444	Au_.exe

Loads dropped DLL 3 IoCs

pid	Process
4444	Au_.exe
4444	Au_.exe
4444	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uninst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 4444	4040	uninst.exe	77
PID 4040 wrote to memory of 4444	4040	uninst.exe	77
PID 4040 wrote to memory of 4444	4040	uninst.exe	77

C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsk60A0.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk60A0.tmp\nsSkinEngine.dll

Filesize
519KB

MD5
eab7fd287509faec84e23cbdc1a709a8

SHA1
b6d659af538f7d57bd679e8c7626d470392c4429

SHA256
9702f538888f45fca67a1e2c2d7aa46fe42010c1aed5b0f34a51f989347ed9f0

SHA512
701f089f55bba49e0a9ba906fafce581693ccc99d445265ec1ea3794a4b5044f1011d90a9214c60dc0ed6be48f4fc4e9882ba07136268f7ebb0156e0b206d15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
416KB

MD5
5b3a0aabf9dfda83b5fafe646a056a63

SHA1
8d48747e1922d6c670a901ab0771b1cb57117ae4

SHA256
343e0dec2324709cbe89630f9c604310e8edbe422e220dcf5fee93ce0dea8f36

SHA512
5425b8791c54a20e765205a312d0acc8c862bb2807664b52ff47f0716e27be8799df7964b5c61bae50a6ec83144a004dfc05bfeb41cfe8e148cb0c181ceb8d77

Download Submit
memory/4444-37-0x0000000002350000-0x00000000023D7000-memory.dmp

Filesize
540KB

Download