ed0891a28ab97cc57a8dd1499509c5f3e777c878fb2aaac35f717114d1a5ed83

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CultOfTheLambv1.2.3.29724TRAINER.exe
Size

6.6MB
MD5

cdd1ecac95b07c3ef96b4092ffb027e0
SHA1

131210d199c45299c9da4da681620340bc3ccf36
SHA256

ed0891a28ab97cc57a8dd1499509c5f3e777c878fb2aaac35f717114d1a5ed83
SHA512

75b824cc205f59a2bc24b8c7fca5ef079bea9068444a0c47609da27cbc9c99feaf1d7a911027671bf65c5ee102afd8252979c1ea08716efb803123fd24a95c0e
SSDEEP

98304:YEPbtDCFar2HpmrJpra7mijgrp5Bkf/j+c+snkhEkkPOY9LIpzs8CLbkNG:YWFCk2HQDrgjgrO3nkhSm44Ct

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1828	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe

Loads dropped DLL 3 IoCs

pid	Process
2388	CultOfTheLambv1.2.3.29724TRAINER.exe
1828	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe

Drops file in System32 directory 55 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\LPK.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\USP10.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\imm32.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\Xinput9_1_0.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\msvcrt.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\DEVOBJ.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-synch-l1-2-0.DLL	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\CLBCatQ.DLL	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\USER32.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\NSI.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\MSCTF.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\GDI32.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\hhctrl.ocx	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\iertutil.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\advapi32.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\SHLWAPI.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\imagehlp.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\CRYPTBASE.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\RPCRT4.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\GLU32.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\DDRAW.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\KERNELBASE.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\version.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\normaliz.DLL	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\kernel32.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\ws2_32.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\uxtheme.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\ole32.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\CFGMGR32.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\DUser.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\oleaut32.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\shell32.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\Dbghelp.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\msimg32.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\SYSTEM32\sechost.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\DCIMAN32.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\psapi.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\bcrypt.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\shfolder.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\comdlg32.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\wsock32.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\DUI70.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\opengl32.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\propsys.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\dwmapi.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\explorerframe.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\SETUPAPI.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\wininet.dll	CultOfTheLambv1.2.3.29724TRAINER.exe
File opened for modification	C:\Windows\system32\profapi.dll	CultOfTheLambv1.2.3.29724TRAINER.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll	CultOfTheLambv1.2.3.29724TRAINER.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CultOfTheLambv1.2.3.29724TRAINER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CultOfTheLambv1.2.3.29724TRAINER.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe
2764	CultOfTheLambv1.2.3.29724TRAINER.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2764	CultOfTheLambv1.2.3.29724TRAINER.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	CultOfTheLambv1.2.3.29724TRAINER.exe
Token: SeTcbPrivilege	2764	CultOfTheLambv1.2.3.29724TRAINER.exe
Token: SeTcbPrivilege	2764	CultOfTheLambv1.2.3.29724TRAINER.exe
Token: SeLoadDriverPrivilege	2764	CultOfTheLambv1.2.3.29724TRAINER.exe
Token: SeCreateGlobalPrivilege	2764	CultOfTheLambv1.2.3.29724TRAINER.exe
Token: SeLockMemoryPrivilege	2764	CultOfTheLambv1.2.3.29724TRAINER.exe
Token: 33	2764	CultOfTheLambv1.2.3.29724TRAINER.exe
Token: SeSecurityPrivilege	2764	CultOfTheLambv1.2.3.29724TRAINER.exe
Token: SeTakeOwnershipPrivilege	2764	CultOfTheLambv1.2.3.29724TRAINER.exe
Token: SeManageVolumePrivilege	2764	CultOfTheLambv1.2.3.29724TRAINER.exe
Token: SeBackupPrivilege	2764	CultOfTheLambv1.2.3.29724TRAINER.exe
Token: SeCreatePagefilePrivilege	2764	CultOfTheLambv1.2.3.29724TRAINER.exe
Token: SeShutdownPrivilege	2764	CultOfTheLambv1.2.3.29724TRAINER.exe
Token: SeRestorePrivilege	2764	CultOfTheLambv1.2.3.29724TRAINER.exe
Token: 33	2764	CultOfTheLambv1.2.3.29724TRAINER.exe
Token: SeIncBasePriorityPrivilege	2764	CultOfTheLambv1.2.3.29724TRAINER.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2764	CultOfTheLambv1.2.3.29724TRAINER.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 1828	2388	CultOfTheLambv1.2.3.29724TRAINER.exe	29
PID 2388 wrote to memory of 1828	2388	CultOfTheLambv1.2.3.29724TRAINER.exe	29
PID 2388 wrote to memory of 1828	2388	CultOfTheLambv1.2.3.29724TRAINER.exe	29
PID 2388 wrote to memory of 1828	2388	CultOfTheLambv1.2.3.29724TRAINER.exe	29
PID 1828 wrote to memory of 2764	1828	CultOfTheLambv1.2.3.29724TRAINER.exe	30
PID 1828 wrote to memory of 2764	1828	CultOfTheLambv1.2.3.29724TRAINER.exe	30
PID 1828 wrote to memory of 2764	1828	CultOfTheLambv1.2.3.29724TRAINER.exe	30
PID 1828 wrote to memory of 2764	1828	CultOfTheLambv1.2.3.29724TRAINER.exe	30

C:\Users\Admin\AppData\Local\Temp\CultOfTheLambv1.2.3.29724TRAINER.exe
"C:\Users\Admin\AppData\Local\Temp\CultOfTheLambv1.2.3.29724TRAINER.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3ABF.tmp\CultOfTheLambv1.2.3.29724TRAINER.exe
  "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3ABF.tmp\CultOfTheLambv1.2.3.29724TRAINER.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3ABF.tmp\extracted\CultOfTheLambv1.2.3.29724TRAINER.exe
    C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3ABF.tmp\extracted\CultOfTheLambv1.2.3.29724TRAINER.exe "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3ABF.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3ABF.tmp\CET_Archive.dat

Filesize
6.2MB

MD5
4ba0c8e8f5af907d2afd921c6c0b4480

SHA1
3f20eb8aaeeda30c8bedcf789174e3232ac7b42a

SHA256
85513142cb75309f75ec194fe30d5bf2c08391c115d37b00d033ee700c375107

SHA512
0bb745c0bc42d77e407f2a7361d70a4cb54b104844e76654080eb232f0fe06a7baf5c6e47cf670a069d4114cce3871bfff0bfa9fcfeff4dec324616c65df0971

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3ABF.tmp\extracted\CET_TRAINER.CETRAINER

Filesize
371KB

MD5
a1ec0a8d90baed76bd54abf43b194905

SHA1
52bafd2cb104a15fc5f9974ae133f28614219432

SHA256
c80ebf52cc737e5122daa309b715beda99c9a4e681ba307e3a7584bfa9397259

SHA512
73b6d4ea8520873d3b4f7df7b3d01132b2090c453af7e90e713d6251d9a91ad2346a4f36e16c650e393c91824723bca156121f3e45832349201dc9393d8eab10

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET3ABF.tmp\extracted\defines.lua

Filesize
11KB

MD5
50ddb39ece0aabd0e709adfc15f93ce2

SHA1
56398bc80ff7235fd429b0ba557e0681fbdab7a6

SHA256
30b816a90abbe520bcb6606d022f3c870a72ad05a94522ff64b8395bfc088e67

SHA512
36fabd7f88f8895f2561d5983a6243781ddefea711d9905a0870daa24f95928ea4af72258e7c842f9c4df9dd2553ef9b67a4f5cdc1f3a75e54cd38070465c66c

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CET3ABF.tmp\CultOfTheLambv1.2.3.29724TRAINER.exe

Filesize
189KB

MD5
a65c29111a4cf5a7fdd5a9d79f77bcab

SHA1
c0c59b1f792c975558c33a3b7cf0d94adc636660

SHA256
dab3003436b6861ae220cc5fdcb97970fc05afdf114c2f91e46eed627ce3d6af

SHA512
b37ef3351e8f46f7183550254acce99b54e0199fc37a02cca78b471dc2d8b697769afdaf7e6cfe89422cfed65a8dcc6d158ef52aba5b0ac9350ea05607fefd7f

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CET3ABF.tmp\extracted\CultOfTheLambv1.2.3.29724TRAINER.exe

Filesize
14.7MB

MD5
2fa10b5caa1f049be305f85cb1369ae9

SHA1
fb308a30cae0eb9208c78132a2f94ba2fda4f89b

SHA256
88f0c0c2c77a55aa04936262f2823e6a022a66816605852cbe701ec07f215b9c

SHA512
4e17aa456b98130a0423c2b8c8797277fa167a84e9ab45b2cad97b4486e1169de785235ca3480ccdeedaa05744dfecdf734c4e1fa3ac906b57c133bdee1ebed2

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CET3ABF.tmp\extracted\lua53-64.dll

Filesize
528KB

MD5
b7c9f1e7e640f1a034be84af86970d45

SHA1
f795dc3d781b9578a96c92658b9f95806fc9bdde

SHA256
6d0a06b90213f082cb98950890518c0f08b9fc16dbfab34d400267cb6cdadeff

SHA512
da63992b68f1112c0d6b33e6004f38e85b3c3e251e0d5457cd63804a49c5aa05aa23249e0614dacad4fec28ca6efdb5ddee06da5bfbfa07e21942976201079f3

Download Submit