Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240730-en locale:en-us os:windows10-2004-x64 system
submitted: 01-08-2024 21:02
Static task: static1
Behavioral task: behavioral1
  Sample: Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe
  Resource: win10v2004-20240730-en
General
Target: Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe
Size: 6.6MB
MD5: cdd1ecac95b07c3ef96b4092ffb027e0
SHA1: 131210d199c45299c9da4da681620340bc3ccf36
SHA256: ed0891a28ab97cc57a8dd1499509c5f3e777c878fb2aaac35f717114d1a5ed83
SHA512: 75b824cc205f59a2bc24b8c7fca5ef079bea9068444a0c47609da27cbc9c99feaf1d7a911027671bf65c5ee102afd8252979c1ea08716efb803123fd24a95c0e
SSDEEP: 98304:YEPbtDCFar2HpmrJpra7mijgrp5Bkf/j+c+snkhEkkPOY9LIpzs8CLbkNG:YWFCk2HQDrgjgrO3nkhSm44Ct
Malware Config
Signatures
Executes dropped EXE 2 IoCs
pid | Process
768 | Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe
1732 | Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe
Loads dropped DLL 1 IoCs
pid | Process
1732 | Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe
Drops file in System32 directory 53 IoCs
All 53 IoCs under this signature are handles opened for modification on existing System32 DLLs; no file created or written is listed here.
description: File opened for modification (all rows)
Process: Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe (all rows)
ioc:
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\shcore.dll
C:\Windows\SYSTEM32\Dbghelp.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SYSTEM32\msimg32.dll
C:\Windows\SYSTEM32\CoreMessaging.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\ole32.dll
C:\Windows\system32\explorerframe.dll
C:\Windows\SYSTEM32\profapi.dll
C:\Windows\System32\imm32.dll
C:\Windows\SYSTEM32\GLU32.dll
C:\Windows\SYSTEM32\hhctrl.ocx
C:\Windows\SYSTEM32\wintypes.dll
C:\Windows\System32\comdlg32.dll
C:\Windows\System32\shell32.dll
C:\Windows\System32\ws2_32.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\cfgmgr32.dll
C:\Windows\System32\psapi.dll
C:\Windows\SYSTEM32\wininet.dll
C:\Windows\SYSTEM32\kernel.appcore.dll
C:\Windows\System32\clbcatq.dll
C:\Windows\SYSTEM32\TextShaping.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\System32\imagehlp.dll
C:\Windows\SYSTEM32\wsock32.dll
C:\Windows\SYSTEM32\opengl32.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\shlwapi.dll
C:\Windows\system32\shfolder.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\user32.dll
C:\Windows\SYSTEM32\version.dll
C:\Windows\System32\MSCTF.dll
C:\Windows\System32\advapi32.dll
C:\Windows\SYSTEM32\windows.storage.dll
C:\Windows\SYSTEM32\PROPSYS.dll
C:\Windows\SYSTEM32\Xinput1_4.dll
C:\Windows\SYSTEM32\CoreUIComponents.dll
C:\Windows\System32\oleaut32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\SYSTEM32\uxtheme.dll
C:\Windows\SYSTEM32\Wldp.dll
C:\Windows\SYSTEM32\DEVOBJ.dll
C:\Windows\SYSTEM32\inputhost.dll
C:\Windows\SYSTEM32\ntmarta.dll
Drops file in Windows directory 1 IoCs
description: File opened for modification
ioc: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll
Process: Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe
(2 identical rows)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid: 1732
Process: Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe
(64 identical rows)
Suspicious use of AdjustPrivilegeToken 16 IoCs
pid: 1732, Process: Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe (all rows)
description:
Token: SeDebugPrivilege
Token: SeTcbPrivilege
Token: SeTcbPrivilege
Token: SeLoadDriverPrivilege
Token: SeCreateGlobalPrivilege
Token: SeLockMemoryPrivilege
Token: 33
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeManageVolumePrivilege
Token: SeBackupPrivilege
Token: SeCreatePagefilePrivilege
Token: SeShutdownPrivilege
Token: SeRestorePrivilege
Token: 33
Token: SeIncBasePriorityPrivilege
Suspicious use of FindShellTrayWindow 1 IoCs
pid: 1732
Process: Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe
Suspicious use of WriteProcessMemory 5 IoCs
description | pid | Process | procid_target
PID 1388 wrote to memory of 768 | 1388 | Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe | 84
PID 1388 wrote to memory of 768 | 1388 | Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe | 84
PID 1388 wrote to memory of 768 | 1388 | Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe | 84
PID 768 wrote to memory of 1732 | 768 | Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe | 87
PID 768 wrote to memory of 1732 | 768 | Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe | 87
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1388
  Level 2 (child of 1388): C:\Users\Admin\AppData\Local\Temp\cetrainers\CET5DDF.tmp\Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET5DDF.tmp\Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 768
    Level 3 (child of 768): C:\Users\Admin\AppData\Local\Temp\cetrainers\CET5DDF.tmp\extracted\Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET5DDF.tmp\extracted\Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET5DDF.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID: 1732
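The two signature tables that carry the most triage value in this report are the WriteProcessMemory rows (which process wrote into which) and the AdjustPrivilegeToken rows (what the final stage asked the token for). The Python below is an added example; it is not part of the sandbox report and not code from the trainer it analyses. It re-parses those rows, copied from the report as constructed input, into a parent-to-child PID chain and a per-process privilege summary, and flags the privileges that let a process open and write other processes, act as part of the OS, or load kernel code. The HIGH_RISK set, the function names, and the decision to keep the bare LUID value "33" unresolved are the example's own assumptions.

```python
"""Re-parse two flattened signature tables from the sandbox report above.

Added example: not part of the sandbox report or of the trainer it analyses.
WPM_ROWS and TOKEN_ROWS are the report's own rows, copied in as constructed
input; HIGH_RISK and the function names are the example's assumptions.
"""
import re
from collections import defaultdict

PROC = "Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe"

# "Suspicious use of WriteProcessMemory" rows (constructed from the report).
WPM_ROWS = [
    f"PID 1388 wrote to memory of 768 1388 {PROC} 84",
    f"PID 1388 wrote to memory of 768 1388 {PROC} 84",
    f"PID 1388 wrote to memory of 768 1388 {PROC} 84",
    f"PID 768 wrote to memory of 1732 768 {PROC} 87",
    f"PID 768 wrote to memory of 1732 768 {PROC} 87",
]

# "Suspicious use of AdjustPrivilegeToken" rows (constructed from the report).
TOKEN_ROWS = [f"Token: {p} 1732 {PROC}" for p in (
    "SeDebugPrivilege", "SeTcbPrivilege", "SeTcbPrivilege",
    "SeLoadDriverPrivilege", "SeCreateGlobalPrivilege", "SeLockMemoryPrivilege",
    "33", "SeSecurityPrivilege", "SeTakeOwnershipPrivilege",
    "SeManageVolumePrivilege", "SeBackupPrivilege", "SeCreatePagefilePrivilege",
    "SeShutdownPrivilege", "SeRestorePrivilege", "33", "SeIncBasePriorityPrivilege",
)]

# Assumption (example's own): privileges that let a process open and write
# other processes, act as part of the OS, or load kernel-mode code.
HIGH_RISK = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege"}

# Report column layout: description | pid | Process | procid_target.
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<proc>.+?) (?P<target>\d+)$")
# Report column layout: "Token: <privilege>" | pid | Process.  The privilege
# is a name or a bare LUID number (the report shows "33" for two rows); the
# number is kept as-is rather than guessed at.
TOKEN_RE = re.compile(r"^Token: (?P<priv>\S+) (?P<pid>\d+) (?P<proc>.+)$")


def parse_wpm(rows):
    """Return writer->target PID edges, de-duplicated, in first-seen order."""
    edges = []
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unparsable WriteProcessMemory row: {row!r}")
        if m.group("src") != m.group("pid"):
            raise ValueError(f"description/pid column mismatch: {row!r}")
        edge = (int(m.group("src")), int(m.group("dst")))
        if edge not in edges:
            edges.append(edge)
    return edges


def process_chain(edges, root):
    """Walk writer->target edges from root and return the ordered PID chain.

    A writer with several targets (injection fan-out) or a repeated PID
    (cycle) is reported instead of being silently flattened into a line.
    """
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    chain, seen, pid = [root], {root}, root
    while children.get(pid):
        if len(children[pid]) != 1:
            raise ValueError(f"PID {pid} wrote to several processes: {children[pid]}")
        pid = children[pid][0]
        if pid in seen:
            raise ValueError(f"cycle at PID {pid}")
        chain.append(pid)
        seen.add(pid)
    return chain


def parse_tokens(rows):
    """Return {pid: sorted list of distinct privileges enabled}."""
    privs = defaultdict(set)
    for row in rows:
        m = TOKEN_RE.match(row)
        if not m:
            raise ValueError(f"unparsable AdjustPrivilegeToken row: {row!r}")
        privs[int(m.group("pid"))].add(m.group("priv"))
    return {pid: sorted(p) for pid, p in privs.items()}


def flag_high_risk(privs_by_pid):
    """Return {pid: sorted high-risk privileges} for PIDs that enabled any."""
    return {pid: sorted(HIGH_RISK.intersection(p))
            for pid, p in privs_by_pid.items() if HIGH_RISK.intersection(p)}


def triage():
    """Summarise both tables: who spawned whom, and what the last stage wanted."""
    chain = process_chain(parse_wpm(WPM_ROWS), 1388)
    privs = parse_tokens(TOKEN_ROWS)
    return {
        "chain": chain,
        "distinct_privileges": {pid: len(p) for pid, p in privs.items()},
        "high_risk": flag_high_risk(privs),
    }


if __name__ == "__main__":
    print(triage())
```

On this report the chain resolves to 1388 -> 768 -> 1732, matching the three-level process tree, and the 16 token rows collapse to 14 distinct privileges on PID 1732, three of which are in the high-risk set. The fan-out and cycle checks in process_chain are there because a single flattened line hides exactly the cases (one writer, many targets) a triager should not miss.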
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 6.2MB
MD5: 4ba0c8e8f5af907d2afd921c6c0b4480
SHA1: 3f20eb8aaeeda30c8bedcf789174e3232ac7b42a
SHA256: 85513142cb75309f75ec194fe30d5bf2c08391c115d37b00d033ee700c375107
SHA512: 0bb745c0bc42d77e407f2a7361d70a4cb54b104844e76654080eb232f0fe06a7baf5c6e47cf670a069d4114cce3871bfff0bfa9fcfeff4dec324616c65df0971

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET5DDF.tmp\Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe
Filesize: 189KB
MD5: a65c29111a4cf5a7fdd5a9d79f77bcab
SHA1: c0c59b1f792c975558c33a3b7cf0d94adc636660
SHA256: dab3003436b6861ae220cc5fdcb97970fc05afdf114c2f91e46eed627ce3d6af
SHA512: b37ef3351e8f46f7183550254acce99b54e0199fc37a02cca78b471dc2d8b697769afdaf7e6cfe89422cfed65a8dcc6d158ef52aba5b0ac9350ea05607fefd7f

Filesize: 371KB
MD5: a1ec0a8d90baed76bd54abf43b194905
SHA1: 52bafd2cb104a15fc5f9974ae133f28614219432
SHA256: c80ebf52cc737e5122daa309b715beda99c9a4e681ba307e3a7584bfa9397259
SHA512: 73b6d4ea8520873d3b4f7df7b3d01132b2090c453af7e90e713d6251d9a91ad2346a4f36e16c650e393c91824723bca156121f3e45832349201dc9393d8eab10

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET5DDF.tmp\extracted\Cult Of The Lamb v1.2.3.297 +24 TRAINER.exe
Filesize: 14.7MB
MD5: 2fa10b5caa1f049be305f85cb1369ae9
SHA1: fb308a30cae0eb9208c78132a2f94ba2fda4f89b
SHA256: 88f0c0c2c77a55aa04936262f2823e6a022a66816605852cbe701ec07f215b9c
SHA512: 4e17aa456b98130a0423c2b8c8797277fa167a84e9ab45b2cad97b4486e1169de785235ca3480ccdeedaa05744dfecdf734c4e1fa3ac906b57c133bdee1ebed2

Filesize: 11KB
MD5: 50ddb39ece0aabd0e709adfc15f93ce2
SHA1: 56398bc80ff7235fd429b0ba557e0681fbdab7a6
SHA256: 30b816a90abbe520bcb6606d022f3c870a72ad05a94522ff64b8395bfc088e67
SHA512: 36fabd7f88f8895f2561d5983a6243781ddefea711d9905a0870daa24f95928ea4af72258e7c842f9c4df9dd2553ef9b67a4f5cdc1f3a75e54cd38070465c66c

Filesize: 528KB
MD5: b7c9f1e7e640f1a034be84af86970d45
SHA1: f795dc3d781b9578a96c92658b9f95806fc9bdde
SHA256: 6d0a06b90213f082cb98950890518c0f08b9fc16dbfab34d400267cb6cdadeff
SHA512: da63992b68f1112c0d6b33e6004f38e85b3c3e251e0d5457cd63804a49c5aa05aa23249e0614dacad4fec28ca6efdb5ddee06da5bfbfa07e21942976201079f3