1bf03b0e61b5b32d2e83fa8316f5332454063ae81abf6c3dacb8c508732eddb3

Analysis

max time kernel
101s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$APPDATA/Estlcam/V12/Uninstall.exe
Size

74KB
MD5

56ca631ceb19ffc891ae137605b956ea
SHA1

fa8731296382aaed991a2ebdcd7f4c62ebb81a83
SHA256

48add90be9e7444d733d9694099856300dc9f54be5d3f02cc8b3121c8716357a
SHA512

4c2e5132e7805deae3687495eabc14aa32a97750021c13fffc6afc36df35de7faff54ff138e718d32d2e95236243acd2e6be741183b6dbf3ac6c5d711c66c843
SSDEEP

1536:n/T2X/jN2vxZz0DTHUpou0gbwdLeAyNsnk/y0xE+1W:nbG7N2kDTHUpou0hFeAHgy0PW

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2308	Un_A.exe

Loads dropped DLL 1 IoCs

pid	Process
436	Uninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un_A.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2308	Un_A.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 2308	436	Uninstall.exe	29
PID 436 wrote to memory of 2308	436	Uninstall.exe	29
PID 436 wrote to memory of 2308	436	Uninstall.exe	29
PID 436 wrote to memory of 2308	436	Uninstall.exe	29

C:\Users\Admin\AppData\Local\Temp\$APPDATA\Estlcam\V12\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\$APPDATA\Estlcam\V12\Uninstall.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:436
- C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\$APPDATA\Estlcam\V12\
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

Filesize
74KB

MD5
56ca631ceb19ffc891ae137605b956ea

SHA1
fa8731296382aaed991a2ebdcd7f4c62ebb81a83

SHA256
48add90be9e7444d733d9694099856300dc9f54be5d3f02cc8b3121c8716357a

SHA512
4c2e5132e7805deae3687495eabc14aa32a97750021c13fffc6afc36df35de7faff54ff138e718d32d2e95236243acd2e6be741183b6dbf3ac6c5d711c66c843

Download Submit