c79f2f6cd70358a2df2382bcb191aa6f22ba0d17d547e1e2c4350d0546c9be24

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uninstall.exe
Size

93KB
MD5

09028d06b307f49555dffb76dc82c880
SHA1

8f187451912fa4b5e0e3de3406d1d426e48f3fc1
SHA256

0b0b36f894a702ac55405422733ccb22506c68e29848ae7eac9f0a4ce8cc597a
SHA512

505f537225eefd85f94c0807b7452c1df41c32f6d79203a2e9a5cc166385605176a68217808e505389e08fb8a61211728643ab4acea381e06dc23145c257c94f
SSDEEP

1536:zCaIoX1oYOcbTMV88TXJLE/oRdvislP2jLE+Db6FPhjtxQsOk63dcBuX6gSzR/7e:zCaZ2Yrb0VTXJY/oqsl6D0ZWX3we6Z9a

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2768	Au_.exe

Executes dropped EXE 1 IoCs

pid	Process
2768	Au_.exe

Loads dropped DLL 3 IoCs

pid	Process
2700	Uninstall.exe
2768	Au_.exe
2768	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral17/files/0x0005000000019278-2.dat	nsis_installer_1
behavioral17/files/0x0005000000019278-2.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2768	2700	Uninstall.exe	30
PID 2700 wrote to memory of 2768	2700	Uninstall.exe	30
PID 2700 wrote to memory of 2768	2700	Uninstall.exe	30
PID 2700 wrote to memory of 2768	2700	Uninstall.exe	30

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nstE44.tmp\ioSpecial.ini

Filesize
595B

MD5
922fa381169872ba4b9e706eb56b7e3b

SHA1
05d08fd35fc554e4c25f29bc795b2fe1c3bd9c72

SHA256
582c551cab3e6e14866bb8f1ba2f28769d162efbf057041143d7657f2ec31db2

SHA512
e249766395453ba325224cc025dfdc4c591f87e9bec91bf28caf33c9db89ebe252bd4652a1907ad92ef0065cc78963bbabc8d00e3fe88d63cbfe301228221568

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstE44.tmp\ioSpecial.ini

Filesize
634B

MD5
01a9a4cb357bfe6e9d9366fe0fcb2601

SHA1
d6968d9f7299b571d71165680443fb2312217a57

SHA256
0972d6a03cc221816d09cde49c1a9cc476d5f2add69e028507b8f4f1366154e1

SHA512
f1569ca0d429377e542c8a3c534e47cbfced7d632de61bd5e031cad0d898b5b9a3a9332ac5aa25a16bd9ce0c8e82a59aab7bf26c8d21f86164bcf596fa26f0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstE44.tmp\ioSpecial.ini

Filesize
237B

MD5
c501b5ed299349043148ce84b52c7a25

SHA1
64bcfa7b2c1faa7756be1b77386f9b81d965edb2

SHA256
7310fd05881df537d5968b5909e17fa2d6afe005561a2b40f10edd39e75c0b61

SHA512
2b3b5e6422fb836198fddf9b6cb2fdd2808eeb6a471beebe43d8b8f28eea7debaba5d6b66fb96305a28df1ad0dfd2ceaa01b324e9f6cb5ce520f23d02aee6f3e

Download Submit
\Users\Admin\AppData\Local\Temp\nstE44.tmp\InstallOptions.dll

Filesize
14KB

MD5
714e0ecd29f9ec555f350f38672726c7

SHA1
555b1492e782d7a30f280f2aecb64c642c1aaad3

SHA256
21fea4cf18de8e25d0ffa3375699150fcd04e6d470358696f2dffdd3fc09d7f3

SHA512
ced5814f25b688d1ede5a1395bcca69e1a0cba260104f156dc03de6ebb2015f6d832fed86ac234c36a10a75be33f489a63c8bd6111e3aaf4b078af1d94b00312

Download Submit
\Users\Admin\AppData\Local\Temp\nstE44.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
93KB

MD5
09028d06b307f49555dffb76dc82c880

SHA1
8f187451912fa4b5e0e3de3406d1d426e48f3fc1

SHA256
0b0b36f894a702ac55405422733ccb22506c68e29848ae7eac9f0a4ce8cc597a

SHA512
505f537225eefd85f94c0807b7452c1df41c32f6d79203a2e9a5cc166385605176a68217808e505389e08fb8a61211728643ab4acea381e06dc23145c257c94f

Download Submit