654fbd3d31dc845859f9c861bc9ec8e706095c2dac169a09ed15826caac710a4

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/06/2023, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Order-PO # 6330001438 - AL SAHOO.exe
Size

788KB
MD5

a5738b38954652be0305feb0f9a3f7a6
SHA1

0ea9f45bea777717364c4190d40947407791135d
SHA256

0ba6fc11a90f8a2e25dd33dbd2ad766eadc5895e21d1b115b42dfbf3ee3e1328
SHA512

2cc48b0a6c4eecc75797b7c3d5736e1a5dc65bac7f40fbdb091c935f3c18ce5e95840ba0a74e28fff9a8a7b2f2f2d0738576b892c999ee09afbfef64d2b8b607
SSDEEP

24576:W2N8jiZ4zypIPVJTDEvjnK0/yrjl4qlQ2UIXQ:W2N8jiZ4zypIPVJTDETK0GTQ2UIXQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\International\Geo\Nation	New Order-PO # 6330001438 - AL SAHOO.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 592	2040	New Order-PO # 6330001438 - AL SAHOO.exe	28

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe
592	New Order-PO # 6330001438 - AL SAHOO.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	592	New Order-PO # 6330001438 - AL SAHOO.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 592	2040	New Order-PO # 6330001438 - AL SAHOO.exe	28
PID 2040 wrote to memory of 592	2040	New Order-PO # 6330001438 - AL SAHOO.exe	28
PID 2040 wrote to memory of 592	2040	New Order-PO # 6330001438 - AL SAHOO.exe	28
PID 2040 wrote to memory of 592	2040	New Order-PO # 6330001438 - AL SAHOO.exe	28
PID 2040 wrote to memory of 592	2040	New Order-PO # 6330001438 - AL SAHOO.exe	28
PID 2040 wrote to memory of 592	2040	New Order-PO # 6330001438 - AL SAHOO.exe	28
PID 2040 wrote to memory of 592	2040	New Order-PO # 6330001438 - AL SAHOO.exe	28

C:\Users\Admin\AppData\Local\Temp\New Order-PO # 6330001438 - AL SAHOO.exe
"C:\Users\Admin\AppData\Local\Temp\New Order-PO # 6330001438 - AL SAHOO.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\New Order-PO # 6330001438 - AL SAHOO.exe
  "C:\Users\Admin\AppData\Local\Temp\New Order-PO # 6330001438 - AL SAHOO.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/592-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/592-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/592-65-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/592-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/592-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/592-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2040-57-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/2040-60-0x0000000000AD0000-0x0000000000B08000-memory.dmp

Filesize
224KB

Download
memory/2040-59-0x0000000005800000-0x0000000005870000-memory.dmp

Filesize
448KB

Download
memory/2040-58-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/2040-54-0x0000000001150000-0x000000000121A000-memory.dmp

Filesize
808KB

Download
memory/2040-56-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/2040-55-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download