Analysis
-
max time kernel
141s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-11-2024 18:10
Static task
static1
Behavioral task
behavioral1
Sample
Cold_Turkey_Installer.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Cold_Turkey_Installer.exe
Resource
win10v2004-20241007-en
General
-
Target
Cold_Turkey_Installer.exe
-
Size
7.5MB
-
MD5
eaa0f3ddd71db24c3a64ecf58e40da52
-
SHA1
eacdae7c9af8ff3be6be93e83a8dbf1a101b823a
-
SHA256
23a32b9db00c74b0440132fd6dfd0a2b5f9f522b13f59b491c4bbf98070cddf2
-
SHA512
8a401d476cfb55798d18677023b067cd6a6c642476bd7c496a3b8641794e0e71436f48944f79381b4eaed29c4bfc12d8a1aa706c58826bcbdcf2048011b2b166
-
SSDEEP
196608:4o+vdaNLCT/KooJh54K+SSz2G/yQ6Owc0DTmpciZ:4plaNLc/KtJhCK1qKQTw7m9
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3940 Cold_Turkey_Installer.tmp -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cold_Turkey_Installer.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cold_Turkey_Installer.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1984 wrote to memory of 3940 1984 Cold_Turkey_Installer.exe 86 PID 1984 wrote to memory of 3940 1984 Cold_Turkey_Installer.exe 86 PID 1984 wrote to memory of 3940 1984 Cold_Turkey_Installer.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\Cold_Turkey_Installer.exe"C:\Users\Admin\AppData\Local\Temp\Cold_Turkey_Installer.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Users\Admin\AppData\Local\Temp\is-9CDO3.tmp\Cold_Turkey_Installer.tmp"C:\Users\Admin\AppData\Local\Temp\is-9CDO3.tmp\Cold_Turkey_Installer.tmp" /SL5="$80298,6950134,837632,C:\Users\Admin\AppData\Local\Temp\Cold_Turkey_Installer.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3940
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD503840135bb43e6c3de3bee0724c3c187
SHA1d2aab16c47eaf3b004671d3df045a284f1692280
SHA25670b5fac312a869659bd0ef69a7df1ab46ad7f19f340eb659e57ca71a579da02a
SHA51231ef538dc407aa5df2d303a77b4a56850a420e866befd58b63d5ec480027ffae14922731c97d20b1bef91c0e17f2ec148d798d318b01344cb59deb497b735e3a