7e7c00740baa58af22ef6f825d86344732464a4e325b5eb6f93f33898de079fa

Analysis

max time kernel
988s
max time network
989s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a.exe
Size

224KB
MD5

27536ce5b9f559b94c8821634640dd30
SHA1

2b3582cf5a7fc058e18b1da3491db589b84c28be
SHA256

6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a
SHA512

ea26dfa07c9de1ae89a333cc729d753fa758713ba5371d75f3c42a89dabb1c61861d2f9ca88d35cb686848dad4611c8203e0201c347eb674bf74ec3d51215a13
SSDEEP

6144:uJ9y0noQa1cxp/UWD9xgYxY68hX7qowFnwmWV+:n0nuOp8J2Y68hL6D

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2592	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2852	wincl.exe

Loads dropped DLL 2 IoCs

pid	Process
2984	6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a.exe
2984	6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\wincl = "C:\\Users\\Admin\\AppData\\Roaming\\WinCL\\wincl.exe"	6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wincl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2984	6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a.exe
2852	wincl.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2852	2984	6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a.exe	31
PID 2984 wrote to memory of 2852	2984	6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a.exe	31
PID 2984 wrote to memory of 2852	2984	6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a.exe	31
PID 2984 wrote to memory of 2852	2984	6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a.exe	31
PID 2984 wrote to memory of 2592	2984	6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a.exe	32
PID 2984 wrote to memory of 2592	2984	6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a.exe	32
PID 2984 wrote to memory of 2592	2984	6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a.exe	32
PID 2984 wrote to memory of 2592	2984	6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a.exe	32

C:\Users\Admin\AppData\Local\Temp\6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a.exe
"C:\Users\Admin\AppData\Local\Temp\6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Roaming\WinCL\wincl.exe
  "C:\Users\Admin\AppData\Roaming\WinCL\wincl.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\1.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1.bat

Filesize
179B

MD5
f8c463b9c58951bd0240be0a77be1295

SHA1
2a6e53b1b50cfbd28ec56bb18ae5e4420679d914

SHA256
2a69c21119af2f34bd446c72876f88b910e9279b7c1c22b1b35183ab326981ae

SHA512
e0271361276c2a4c05d2f1c663f81c2d754cd979bcec025aa618cfb7d371110e48e4ea3f7db10dc67f192d3f21a077e36f5cee9819f8e5097cff244ef0112267

Download Submit
\Users\Admin\AppData\Roaming\WinCL\wincl.exe

Filesize
224KB

MD5
27536ce5b9f559b94c8821634640dd30

SHA1
2b3582cf5a7fc058e18b1da3491db589b84c28be

SHA256
6916a006c429a3b3a76dfa8c162ddab178b5a20763493506deeb9447875d039a

SHA512
ea26dfa07c9de1ae89a333cc729d753fa758713ba5371d75f3c42a89dabb1c61861d2f9ca88d35cb686848dad4611c8203e0201c347eb674bf74ec3d51215a13

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads