4163bd79ef89a5aaeef30890b68854f09331e32c75db7f47544382b62aad185e

Analysis

max time kernel
118s
max time network
126s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dmd2/samples/d/mydll/build.bat
Size

116B
MD5

6604837c2ab2499076dbdd30c83a93a5
SHA1

b9765cc7c008bf714a8d105430b5b4b1b8171eb5
SHA256

be965e2ba7b6b863aaf1e69cf175302ebe8e486f6e45e1a6be216e99c43e1ec7
SHA512

4a1baa1c436e0bba5121d7b2cd09380139d2f0e7de9579beac271197d59b48e26058d765e0ed6ef6ad9496d92a0620c86ac32c2840033dfb0684991cc4206ce1

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

pid	Process
1520	dmd.exe
2704	dmd.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1520	2180	cmd.exe	32
PID 2180 wrote to memory of 1520	2180	cmd.exe	32
PID 2180 wrote to memory of 1520	2180	cmd.exe	32
PID 2180 wrote to memory of 1520	2180	cmd.exe	32
PID 1520 wrote to memory of 2004	1520	dmd.exe	33
PID 1520 wrote to memory of 2004	1520	dmd.exe	33
PID 1520 wrote to memory of 2004	1520	dmd.exe	33
PID 1520 wrote to memory of 2004	1520	dmd.exe	33
PID 2180 wrote to memory of 2704	2180	cmd.exe	34
PID 2180 wrote to memory of 2704	2180	cmd.exe	34
PID 2180 wrote to memory of 2704	2180	cmd.exe	34
PID 2180 wrote to memory of 2704	2180	cmd.exe	34
PID 2704 wrote to memory of 2340	2704	dmd.exe	35
PID 2704 wrote to memory of 2340	2704	dmd.exe	35
PID 2704 wrote to memory of 2340	2704	dmd.exe	35
PID 2704 wrote to memory of 2340	2704	dmd.exe	35

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\dmd2\samples\d\mydll\build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\dmd2\windows\bin\dmd.exe
  ..\..\..\windows\bin\dmd -ofmydll.dll -L/IMPLIB mydll.d dll.d mydll.def
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\dmd2\windows\bin\lld-link.exe
    "C:\Users\Admin\AppData\Local\Temp\dmd2\windows\bin\lld-link.exe" /NOLOGO "mydll.obj" /OUT:"mydll.dll" /DEFAULTLIB:phobos32mscoff /DEF:"mydll.def" /IMPLIB /SAFESEH:NO /LIBPATH:"C:\Users\Admin\AppData\Local\Temp\dmd2\windows\bin\..\lib32mscoff\mingw"
    3⤵
    PID:2004
- C:\Users\Admin\AppData\Local\Temp\dmd2\windows\bin\dmd.exe
  ..\..\..\windows\bin\dmd test.d mydll.lib
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\dmd2\windows\bin\lld-link.exe
    "C:\Users\Admin\AppData\Local\Temp\dmd2\windows\bin\lld-link.exe" /NOLOGO "test.obj" /DEFAULTLIB:"mydll.lib" /DEFAULTLIB:phobos32mscoff /SAFESEH:NO /LIBPATH:"C:\Users\Admin\AppData\Local\Temp\dmd2\windows\bin\..\lib32mscoff\mingw"
    3⤵
    PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dmd2\samples\d\mydll\mydll.obj

Filesize
1KB

MD5
e3293528ad11ece27280112f71fdc032

SHA1
368a10f10621561af3d575b325b020bb03b5dc3b

SHA256
95c654c85534b9d9541f46c612a9f1624c7ca2c23c7d66b1b1a77cfa0f647d48

SHA512
dd13d090ea427b475376e279c05adc512493e7c9af86169f82508348edd6fe1267e6bd93e3458a09fa9b89668a8b95fe20357f963766bec9dff2b4d2fe5657c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmd2\samples\d\mydll\test.obj

Filesize
990B

MD5
fd9a545345275df98b5e1e4b28d8ac17

SHA1
037a9871e93e0ec3fe31fcae80b472246612741a

SHA256
0a10c6182e393e86d84dc8324fe7da80d2b2d22a4703666a7132d290f9adbe0a

SHA512
6fdbe0086e51446e6461818cdc704bbff4be259991ce30b6815d00fd3cfda8925b0e3cdf4b082a8e3f9b76ced4de80c4e095ec311141964f09f7ba0bac3ab4df

Download Submit