c1bc3e7da891c24ffc613ba7b6901374b40fa08f3c8d84a62ab0852dda3f35c4

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

026ff611abd1524c4f7ac4db88518b7d.exe
Size

29KB
MD5

026ff611abd1524c4f7ac4db88518b7d
SHA1

e747466eafd4c3669b5eba0e368b9f76be0ef50f
SHA256

c1bc3e7da891c24ffc613ba7b6901374b40fa08f3c8d84a62ab0852dda3f35c4
SHA512

435c5a3f2584cca14ba6fc53b70affb5d01c06804d9d77672235d03c1ec854d148f023d7b9dd5308ab36334b8669d281552fe649d196a3a3a4d333648b57bbef
SSDEEP

384:eApc8m4e0GvQak4JI341C0abnLbYXlle2xEfvEu:eApQr0GvdFJI34qLHYX3e2x+D

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	026ff611abd1524c4f7ac4db88518b7d.exe

Executes dropped EXE 1 IoCs

pid	Process
528	sal.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\sal.exe	026ff611abd1524c4f7ac4db88518b7d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 528	4948	026ff611abd1524c4f7ac4db88518b7d.exe	86
PID 4948 wrote to memory of 528	4948	026ff611abd1524c4f7ac4db88518b7d.exe	86
PID 4948 wrote to memory of 528	4948	026ff611abd1524c4f7ac4db88518b7d.exe	86

C:\Users\Admin\AppData\Local\Temp\026ff611abd1524c4f7ac4db88518b7d.exe
"C:\Users\Admin\AppData\Local\Temp\026ff611abd1524c4f7ac4db88518b7d.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4948
- C:\windows\SysWOW64\sal.exe
  "C:\windows\system32\sal.exe"
  2⤵
  - Executes dropped EXE
  PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sal.exe

Filesize
29KB

MD5
d7422bc3adac76535067d935762cd275

SHA1
e4e727627a31415ea58e132d8ce8d73ce129a1cc

SHA256
ca6c02c5eccbe9e51a4839b7b71cb38c851b0c6a200e4e569f0c148f7f5eb8d4

SHA512
8bdebc3dbe4c2f442e505157c7738a49e8de1f262daaecd38f2a873d1365f0b85e4bd415a7e36ee59c95cc1581eb2a3fc17a02257519f5c397e352f6a6703f3c

Download Submit