Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    22/11/2024, 03:21 UTC

General

  • Target

    cl.exe

  • Size

    236KB

  • MD5

    748ec019c171f22b8384195742967c51

  • SHA1

    e3fefcbd3c432ac85d046a7ab27d2b0114ae658a

  • SHA256

    b082e82311a6e8416b1823122959ea368316a936aa6ca667c032d300f76effaf

  • SHA512

    a2bbef3dacdac5d5cf65f71f97c663b8731e2f2dbd9d923076e3551b68fce33157b961bd4709bfd6ccb1c5c807c453a8bae209538093dfe4c0662fb7e074ddc3

  • SSDEEP

    6144:6741oQa1cxp/UWD9xgYxY68hX7Ph0ht7LRhU/a:v1uOp8J2Y68hLPhZ

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cl.exe
    "C:\Users\Admin\AppData\Local\Temp\cl.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Users\Admin\AppData\Roaming\WinCL\wincl.exe
      "C:\Users\Admin\AppData\Roaming\WinCL\wincl.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2796
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Roaming\1.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2548

Network

  • DNS (flag-us)
    Process: wincl.exe
    Remote address: 8.8.8.8:53
    Request:  blockchain.info IN A
    Response: blockchain.info IN A 104.16.236.243
              blockchain.info IN A 104.16.237.243

  Connections (columns: remote address, domain, protocol, process, bytes sent, bytes received, packets sent, packets received; "-" where the report lists no protocol)

  • 104.16.236.243:443  blockchain.info  tls  wincl.exe  396 B  219 B  5  5
  • 104.16.236.243:443  blockchain.info  tls  wincl.exe  358 B  219 B  5  5
  • 104.16.236.243:443  blockchain.info  tls  wincl.exe  288 B  219 B  5  5
  • 104.16.236.243:443  blockchain.info  -    wincl.exe  190 B   92 B  4  2
  • 8.8.8.8:53          blockchain.info  dns  wincl.exe   61 B   93 B  1  1
    DNS request:  blockchain.info
    DNS response: 104.16.236.243, 104.16.237.243
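The Signatures, Processes and Network sections together describe one chain: cl.exe runs from %TEMP%, writes wincl.exe under %APPDATA%\WinCL, registers a Run key, launches the copy (which resolves blockchain.info and talks to it over TLS), and has cmd.exe run a batch file that removes the original. The following is an added example, not part of the sandbox report, showing how that chain can be matched against endpoint telemetry. The event dictionaries are constructed, simplified stand-ins for Sysmon-style process/file/registry/DNS events, not real logs; the Run value name "WinCL", the registry hive path and the file_delete event are assumptions (the report only states that a Run key is added and that the sample deletes itself). Hashes, paths, PIDs and the domain are taken from the report.

```python
import re
from collections import defaultdict

# Indicators lifted from the report
SAMPLE_SHA256 = "b082e82311a6e8416b1823122959ea368316a936aa6ca667c032d300f76effaf"
C2_DOMAIN = "blockchain.info"
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
DROP_RE = re.compile(r"\\AppData\\Roaming\\WinCL\\wincl\.exe$", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)
BAT_CMD_RE = re.compile(r"^cmd(\.exe)?\s+/c\s+\S*\\AppData\\Roaming\\[^\\\s]+\.bat", re.I)

# Constructed sample events (not real telemetry). Run value name, hive path and
# the file_delete event are assumptions; everything else mirrors the report.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1320, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\cl.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\cl.exe"', "sha256": SAMPLE_SHA256},
    {"type": "file_create", "pid": 1320, "path": r"C:\Users\Admin\AppData\Roaming\WinCL\wincl.exe"},
    {"type": "registry_set", "pid": 1320,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinCL",
     "value": r"C:\Users\Admin\AppData\Roaming\WinCL\wincl.exe"},
    {"type": "process_create", "pid": 2796, "ppid": 1320,
     "image": r"C:\Users\Admin\AppData\Roaming\WinCL\wincl.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\WinCL\wincl.exe"', "sha256": SAMPLE_SHA256},
    {"type": "process_create", "pid": 2548, "ppid": 1320,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Roaming\1.bat"},
    {"type": "dns_query", "pid": 2796, "query": "blockchain.info",
     "answers": ["104.16.236.243", "104.16.237.243"]},
    {"type": "file_delete", "pid": 2548, "path": r"C:\Users\Admin\AppData\Local\Temp\cl.exe"},
    # Benign noise from an unrelated process tree (constructed)
    {"type": "process_create", "pid": 4000, "ppid": 800,
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "dns_query", "pid": 4000, "query": "windowsupdate.microsoft.com", "answers": []},
]


def process_trees(events):
    """Map every pid to the pid of its nearest ancestor started from %TEMP% (the root)."""
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}
    image = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    root_of = {}
    for pid in parent:
        cur = pid
        while cur in parent and not TEMP_RE.search(image.get(cur, "")):
            cur = parent[cur]
        if TEMP_RE.search(image.get(cur, "")):
            root_of[pid] = cur
    return root_of, image


def find_dropper_chains(events):
    """Return {root_pid: sorted behaviours} for every %TEMP%-rooted process tree."""
    root_of, image = process_trees(events)
    sha = {e["pid"]: e.get("sha256") for e in events if e["type"] == "process_create"}
    findings = defaultdict(set)
    for e in events:
        root = root_of.get(e["pid"])
        if root is None:          # not under a %TEMP%-launched process: ignore
            continue
        t = e["type"]
        if t == "file_create" and DROP_RE.search(e["path"]):
            findings[root].add("drops_copy_to_appdata")
        elif t == "registry_set" and RUN_KEY_RE.search(e["key"]) and DROP_RE.search(e["value"]):
            findings[root].add("run_key_persistence")
        elif t == "process_create" and DROP_RE.search(e["image"]) and e.get("sha256") == sha.get(root):
            findings[root].add("executes_dropped_copy")   # same hash as the root: self-copy
        elif t == "process_create" and BAT_CMD_RE.match(e["cmdline"]):
            findings[root].add("spawns_bat_via_cmd")
        elif t == "dns_query" and e["query"].lower() == C2_DOMAIN:
            findings[root].add("resolves_blockchain_info")
        elif t == "file_delete" and e["path"].lower() == image[root].lower():
            findings[root].add("deletes_original")
    return {r: sorted(f) for r, f in findings.items()}


def verdict(behaviours):
    """Drop + persist + run the copy + remove the original is the full dropper pattern."""
    needed = {"drops_copy_to_appdata", "run_key_persistence",
              "executes_dropped_copy", "deletes_original"}
    return "dropper chain" if needed <= set(behaviours) else "insufficient"


if __name__ == "__main__":
    for root, behaviours in find_dropper_chains(SAMPLE_EVENTS).items():
        print(root, verdict(behaviours), behaviours)
```

The matcher keys everything on the process tree rather than on single events, because each piece on its own (a Run key write, a DNS lookup of blockchain.info, a cmd /c batch file) is common in benign software; it is the combination under one %TEMP%-launched root, with the child sharing the parent's hash, that reproduces what the sandbox observed.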

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\1.bat

    Filesize

    167B

    MD5

    43cc03e4b5ddb283fa10abfc8d09e5a7

    SHA1

    acb4ac7841a8fd9f1ec0321d47ece0217198d6c7

    SHA256

    24bb870ceb6fdcaffea19dcc11bc0b08b79115ee14478f54fd72ffde75b37033

    SHA512

    dee8f946d12655a9eef3226a8e1d3ff0eff4e8e96d0cf6c1fdc08e140f1e04f87c610979cc729de6aeac9bd667f08faf06a46308eb0bb3b40b74d271315d23e0

  • \Users\Admin\AppData\Roaming\WinCL\wincl.exe (same size and hashes as the submitted cl.exe: a byte-identical copy)

    Filesize

    236KB

    MD5

    748ec019c171f22b8384195742967c51

    SHA1

    e3fefcbd3c432ac85d046a7ab27d2b0114ae658a

    SHA256

    b082e82311a6e8416b1823122959ea368316a936aa6ca667c032d300f76effaf

    SHA512

    a2bbef3dacdac5d5cf65f71f97c663b8731e2f2dbd9d923076e3551b68fce33157b961bd4709bfd6ccb1c5c807c453a8bae209538093dfe4c0662fb7e074ddc3
