c41899315b2f3dad512ed1f58746e59fdb2f9717badcf7b2c861c1248d945991

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cl.exe
Size

236KB
MD5

748ec019c171f22b8384195742967c51
SHA1

e3fefcbd3c432ac85d046a7ab27d2b0114ae658a
SHA256

b082e82311a6e8416b1823122959ea368316a936aa6ca667c032d300f76effaf
SHA512

a2bbef3dacdac5d5cf65f71f97c663b8731e2f2dbd9d923076e3551b68fce33157b961bd4709bfd6ccb1c5c807c453a8bae209538093dfe4c0662fb7e074ddc3
SSDEEP

6144:6741oQa1cxp/UWD9xgYxY68hX7Ph0ht7LRhU/a:v1uOp8J2Y68hLPhZ

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	wincl.exe

Loads dropped DLL 2 IoCs

pid	Process
1320	cl.exe
1320	cl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\wincl = "C:\\Users\\Admin\\AppData\\Roaming\\WinCL\\wincl.exe"	cl.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wincl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1320	cl.exe
2796	wincl.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2796	1320	cl.exe	30
PID 1320 wrote to memory of 2796	1320	cl.exe	30
PID 1320 wrote to memory of 2796	1320	cl.exe	30
PID 1320 wrote to memory of 2796	1320	cl.exe	30
PID 1320 wrote to memory of 2548	1320	cl.exe	31
PID 1320 wrote to memory of 2548	1320	cl.exe	31
PID 1320 wrote to memory of 2548	1320	cl.exe	31
PID 1320 wrote to memory of 2548	1320	cl.exe	31

C:\Users\Admin\AppData\Local\Temp\cl.exe
"C:\Users\Admin\AppData\Local\Temp\cl.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Roaming\WinCL\wincl.exe
  "C:\Users\Admin\AppData\Roaming\WinCL\wincl.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\1.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1.bat

Filesize
167B

MD5
43cc03e4b5ddb283fa10abfc8d09e5a7

SHA1
acb4ac7841a8fd9f1ec0321d47ece0217198d6c7

SHA256
24bb870ceb6fdcaffea19dcc11bc0b08b79115ee14478f54fd72ffde75b37033

SHA512
dee8f946d12655a9eef3226a8e1d3ff0eff4e8e96d0cf6c1fdc08e140f1e04f87c610979cc729de6aeac9bd667f08faf06a46308eb0bb3b40b74d271315d23e0

Download Submit
\Users\Admin\AppData\Roaming\WinCL\wincl.exe

Filesize
236KB

MD5
748ec019c171f22b8384195742967c51

SHA1
e3fefcbd3c432ac85d046a7ab27d2b0114ae658a

SHA256
b082e82311a6e8416b1823122959ea368316a936aa6ca667c032d300f76effaf

SHA512
a2bbef3dacdac5d5cf65f71f97c663b8731e2f2dbd9d923076e3551b68fce33157b961bd4709bfd6ccb1c5c807c453a8bae209538093dfe4c0662fb7e074ddc3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads