33bf6d1ad3109235696c6e9c59e5400ee93283edfb81589352d082e594bccec0

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cold_Turkey_Micromanager.exe
Size

6.3MB
MD5

5d5d790ad27f9531181800c9ab4253c5
SHA1

82de2c7d1ba1061ff4e5e481423cddb725d691ec
SHA256

f371f2a9549804666784573815963fddf1dc559b871200a19969260e0a54da65
SHA512

86763f56127710d42248b0247c093c0f93c8ddd8df2a10ccb9d2163eafef0abe4585f1bcd6c95f6c50659ec486bce48d8382a84ce3f109a781cbf6608be5f831
SSDEEP

98304:3Si57xh1vfGOzztcF3a9HWMBlLky0Yf0YCUxAcHt/5VAl4BolHs4HXro:x7xh1vOOuF3a92MBpkzQLAcd5yl//s

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2316	Cold_Turkey_Micromanager.tmp

Loads dropped DLL 1 IoCs

pid	Process
2384	Cold_Turkey_Micromanager.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cold_Turkey_Micromanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cold_Turkey_Micromanager.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2316	2384	Cold_Turkey_Micromanager.exe	31
PID 2384 wrote to memory of 2316	2384	Cold_Turkey_Micromanager.exe	31
PID 2384 wrote to memory of 2316	2384	Cold_Turkey_Micromanager.exe	31
PID 2384 wrote to memory of 2316	2384	Cold_Turkey_Micromanager.exe	31
PID 2384 wrote to memory of 2316	2384	Cold_Turkey_Micromanager.exe	31
PID 2384 wrote to memory of 2316	2384	Cold_Turkey_Micromanager.exe	31
PID 2384 wrote to memory of 2316	2384	Cold_Turkey_Micromanager.exe	31

C:\Users\Admin\AppData\Local\Temp\Cold_Turkey_Micromanager.exe
"C:\Users\Admin\AppData\Local\Temp\Cold_Turkey_Micromanager.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\is-9E53D.tmp\Cold_Turkey_Micromanager.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9E53D.tmp\Cold_Turkey_Micromanager.tmp" /SL5="$4014E,5563790,1362944,C:\Users\Admin\AppData\Local\Temp\Cold_Turkey_Micromanager.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-9E53D.tmp\Cold_Turkey_Micromanager.tmp

Filesize
3.4MB

MD5
d7afc237aaaf88d587f5bf71086171c1

SHA1
6aacf872cb63890ae3d4d8aafbec3b3f8a7a96ea

SHA256
431fe13352f26b23665c8dbc722ebe5e5fce55feb22d358fb5b7607e8f770bff

SHA512
1de42244ab842f9302c3d21f0c8dbb187b10fd8bc4f0fd5265f3830f67bbc3d44d1cf68d555a3c69fb6603a3c783117b4a41031dfffde92374ef941196d23827

Download Submit
memory/2316-9-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/2316-11-0x0000000000400000-0x000000000077C000-memory.dmp

Filesize
3.5MB

Download
memory/2384-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2384-0-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2384-10-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download