4163bd79ef89a5aaeef30890b68854f09331e32c75db7f47544382b62aad185e

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dmd2/samples/d/mydll/build.bat
Size

116B
MD5

6604837c2ab2499076dbdd30c83a93a5
SHA1

b9765cc7c008bf714a8d105430b5b4b1b8171eb5
SHA256

be965e2ba7b6b863aaf1e69cf175302ebe8e486f6e45e1a6be216e99c43e1ec7
SHA512

4a1baa1c436e0bba5121d7b2cd09380139d2f0e7de9579beac271197d59b48e26058d765e0ed6ef6ad9496d92a0620c86ac32c2840033dfb0684991cc4206ce1

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lld-link.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 4884	1100	cmd.exe	89
PID 1100 wrote to memory of 4884	1100	cmd.exe	89
PID 1100 wrote to memory of 4884	1100	cmd.exe	89
PID 4884 wrote to memory of 4548	4884	dmd.exe	90
PID 4884 wrote to memory of 4548	4884	dmd.exe	90
PID 4884 wrote to memory of 4548	4884	dmd.exe	90
PID 1100 wrote to memory of 3368	1100	cmd.exe	91
PID 1100 wrote to memory of 3368	1100	cmd.exe	91
PID 1100 wrote to memory of 3368	1100	cmd.exe	91
PID 3368 wrote to memory of 3204	3368	dmd.exe	92
PID 3368 wrote to memory of 3204	3368	dmd.exe	92
PID 3368 wrote to memory of 3204	3368	dmd.exe	92

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dmd2\samples\d\mydll\build.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\dmd2\windows\bin\dmd.exe
  ..\..\..\windows\bin\dmd -ofmydll.dll -L/IMPLIB mydll.d dll.d mydll.def
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\dmd2\windows\bin\lld-link.exe
    "C:\Users\Admin\AppData\Local\Temp\dmd2\windows\bin\lld-link.exe" /NOLOGO "mydll.obj" /OUT:"mydll.dll" /DEFAULTLIB:phobos32mscoff /DEF:"mydll.def" /IMPLIB /SAFESEH:NO /LIBPATH:"C:\Users\Admin\AppData\Local\Temp\dmd2\windows\bin\..\lib32mscoff\mingw"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4548
- C:\Users\Admin\AppData\Local\Temp\dmd2\windows\bin\dmd.exe
  ..\..\..\windows\bin\dmd test.d mydll.lib
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Users\Admin\AppData\Local\Temp\dmd2\windows\bin\lld-link.exe
    "C:\Users\Admin\AppData\Local\Temp\dmd2\windows\bin\lld-link.exe" /NOLOGO "test.obj" /DEFAULTLIB:"mydll.lib" /DEFAULTLIB:phobos32mscoff /SAFESEH:NO /LIBPATH:"C:\Users\Admin\AppData\Local\Temp\dmd2\windows\bin\..\lib32mscoff\mingw"
    3⤵
    PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dmd2\samples\d\mydll\mydll.obj

Filesize
1KB

MD5
81a33b6d0a97eae54691b258d3495f87

SHA1
97ee750b2b87fd5055f22cd17da072540cf36650

SHA256
e132785d43c6f59add29fd55c45c5eb93d78bec3721e5b44acb74d33f7fe02f2

SHA512
c2f4ec2f1c099d974f5fb666b7b0be317d262e155816717894b61ead8ce33936d0d42ac170052103f49c874099ef063590672b695598430335e7b01dcafacb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmd2\samples\d\mydll\test.obj

Filesize
990B

MD5
364a68dc3ffa7485ca705ea8b52da605

SHA1
2961e770ec53b03ff63b61b9d2cb2e2ae9f5f9c0

SHA256
156fc51dd5bc1e5005695609dc075da4f09c1a9005e6e1be4aaf953fcaeff2cc

SHA512
5eb03739f482f832b869d9146ab5f0808f211ecae5d34a20a0113ed3f9399c22acbc84e2a53557a2218897853ea82223eaa787ed7b6b57a2f1ea8b742c0a3246

Download Submit