Analysis
max time kernel: 121s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30-04-2024 15:59
Static task: static1

Behavioral tasks
Task          Sample                       Resource
behavioral1   Scans46.scr                  win7-20240221-en
behavioral2   Scans46.scr                  win10v2004-20240426-en
behavioral3   $PLUGINSDIR/LangDLL.dll      win7-20240220-en
behavioral4   $PLUGINSDIR/LangDLL.dll      win10v2004-20240419-en
behavioral5   $PLUGINSDIR/System.dll       win7-20240221-en
behavioral6   $PLUGINSDIR/System.dll       win10v2004-20240419-en
behavioral7   $PLUGINSDIR/nsDialogs.dll    win7-20240221-en
behavioral8   $PLUGINSDIR/nsDialogs.dll    win10v2004-20240426-en
behavioral9   Uninstall.exe                win7-20240221-en
behavioral10  Uninstall.exe                win10v2004-20240419-en
behavioral11  $PLUGINSDIR/LangDLL.dll      win7-20240419-en
behavioral12  $PLUGINSDIR/LangDLL.dll      win10v2004-20240426-en
behavioral13  $PLUGINSDIR/System.dll       win7-20240220-en
behavioral14  $PLUGINSDIR/System.dll       win10v2004-20240419-en
General
Target: Uninstall.exe
Size: 57KB
MD5: 3db1d34674bdfab493aca0b6380d3639
SHA1: 05a2b02b653cd9efd98f1e276a266efaca29c5ae
SHA256: 426e613848dfa42b08e66aaa03a7c490a8832fc113f610d77cb29a87b7a5ea2e
SHA512: d459cd9655cd5056b2700da36a4eb1738c7c2b961de4bc8542c479d46952c096e9a3d21263b24da87a8409eed889018b94e1238f6d938b7355e56ed8eab8af23
SSDEEP: 1536:aU+dcy3fxBk9UmZHs/hc0gdLeAyNxdDEaQttySC:aNzPHk9Mpc0ceAYjme
Malware Config

Signatures

Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  2896  Un_A.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2648  Uninstall.exe
  2896  Un_A.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

NSIS installer (2 IoCs)
Processes:
  resource                                             yara_rule
  \Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe   nsis_installer_1
  \Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe   nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  2896  Un_A.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                         pid   process        target process
  PID 2648 wrote to memory of 2896    2648  Uninstall.exe  Un_A.exe
  PID 2648 wrote to memory of 2896    2648  Uninstall.exe  Un_A.exe
  PID 2648 wrote to memory of 2896    2648  Uninstall.exe  Un_A.exe
  PID 2648 wrote to memory of 2896    2648  Uninstall.exe  Un_A.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

\Users\Admin\AppData\Local\Temp\nsj9A3F.tmp\LangDLL.dll
Filesize: 5KB
MD5: ea60c7bd5edd6048601729bd31362c16
SHA1: 6e6919d969eb61a141595014395b6c3f44139073
SHA256: 4e72c8b4d36f128b25281440e59e39af7ec2080d02e024f35ac413d769d91f39
SHA512: f9dc35220697153bb06e3a06caf645079881cb75aed008dbe5381ecaf3442d5be03500b36bbca8b3d114845fac3d667ddf4063c16bc35d29bbea862930939993

\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
Filesize: 57KB
MD5: 3db1d34674bdfab493aca0b6380d3639
SHA1: 05a2b02b653cd9efd98f1e276a266efaca29c5ae
SHA256: 426e613848dfa42b08e66aaa03a7c490a8832fc113f610d77cb29a87b7a5ea2e
SHA512: d459cd9655cd5056b2700da36a4eb1738c7c2b961de4bc8542c479d46952c096e9a3d21263b24da87a8409eed889018b94e1238f6d938b7355e56ed8eab8af23