97b5cf1d1feedee5a7585e6ad00cf5b9eafc9258f3b5ba57a044f66103671ed3

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97b5cf1d1feedee5a7585e6ad00cf5b9eafc9258f3b5ba57a044f66103671ed3.exe
Size

53KB
MD5

65230e591e75bf72db3e896881719d5c
SHA1

c50d78cc51d6134f0e8ec1c1d85edc0446e5dc3d
SHA256

97b5cf1d1feedee5a7585e6ad00cf5b9eafc9258f3b5ba57a044f66103671ed3
SHA512

937b202125e03ccb7c767201a6131382af250d01a1a67f5a66b3f377f3f0c85df91f660126c6c3f8ded0c0a5b2a677e4f80354d515706444a421ed065690360e
SSDEEP

768:MApQr0fvdFJI341GxusOy9Rp1pLeAxoeC48PqK1OtaP6cCFzENREMZ7Zbj:MAaMJlBsh7pWezEPJB+Olbj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	97b5cf1d1feedee5a7585e6ad00cf5b9eafc9258f3b5ba57a044f66103671ed3.exe

Executes dropped EXE 1 IoCs

pid	Process
1964	sal.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\sal.exe	97b5cf1d1feedee5a7585e6ad00cf5b9eafc9258f3b5ba57a044f66103671ed3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 1964	4532	97b5cf1d1feedee5a7585e6ad00cf5b9eafc9258f3b5ba57a044f66103671ed3.exe	90
PID 4532 wrote to memory of 1964	4532	97b5cf1d1feedee5a7585e6ad00cf5b9eafc9258f3b5ba57a044f66103671ed3.exe	90
PID 4532 wrote to memory of 1964	4532	97b5cf1d1feedee5a7585e6ad00cf5b9eafc9258f3b5ba57a044f66103671ed3.exe	90

C:\Users\Admin\AppData\Local\Temp\97b5cf1d1feedee5a7585e6ad00cf5b9eafc9258f3b5ba57a044f66103671ed3.exe
"C:\Users\Admin\AppData\Local\Temp\97b5cf1d1feedee5a7585e6ad00cf5b9eafc9258f3b5ba57a044f66103671ed3.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4532
- C:\windows\SysWOW64\sal.exe
  "C:\windows\system32\sal.exe"
  2⤵
  - Executes dropped EXE
  PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sal.exe

Filesize
53KB

MD5
76c28dd46a44d1142c97b4d46f645648

SHA1
81cef814e58bc93d9db780420dce7b0f4597da28

SHA256
bffdc9850df478212fc49851db8481fc80b60c72f2be71a184e27544754af683

SHA512
7f0ed280620d8dd4dd2641f8692f0db7278bd71ebd06c3e0585b8cd0be0a2268619e219c5ba753d1f90a9801e8d94a67fbe9e1af7693beffdfdc87bea30772da

Download Submit
memory/1964-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4532-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4532-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download