66fbf094867a5c3910d6e244405d137ad2b535e64bdbe3050488843e4334a18f

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 00:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

66fbf094867a5c3910d6e244405d137ad2b535e64bdbe3050488843e4334a18f.exe
Size

54KB
MD5

308f87500a861ab368efbd68eccac76f
SHA1

54f5922d0843f124e04ec12a5f80366bd19a6821
SHA256

66fbf094867a5c3910d6e244405d137ad2b535e64bdbe3050488843e4334a18f
SHA512

8cd7417c2a9977fc0fab9b4b677536f4f9806f436e471782847e0b2b8bed03497d603741b12bde2c7fd98da26f4db6ea209ac3ad89c2ccff201841e19a46e6c3
SSDEEP

768:MApQr0DWvdFJI34HGxusOy9Rp1pLeAxoeC48PqK1OtaP6cCFzENREMZ7v/I9:MAaJJlTsh7pWezEPJB+OjI9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	66fbf094867a5c3910d6e244405d137ad2b535e64bdbe3050488843e4334a18f.exe

Executes dropped EXE 1 IoCs

pid	Process
2296	sal.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\sal.exe	66fbf094867a5c3910d6e244405d137ad2b535e64bdbe3050488843e4334a18f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 2296	3372	66fbf094867a5c3910d6e244405d137ad2b535e64bdbe3050488843e4334a18f.exe	91
PID 3372 wrote to memory of 2296	3372	66fbf094867a5c3910d6e244405d137ad2b535e64bdbe3050488843e4334a18f.exe	91
PID 3372 wrote to memory of 2296	3372	66fbf094867a5c3910d6e244405d137ad2b535e64bdbe3050488843e4334a18f.exe	91

C:\Users\Admin\AppData\Local\Temp\66fbf094867a5c3910d6e244405d137ad2b535e64bdbe3050488843e4334a18f.exe
"C:\Users\Admin\AppData\Local\Temp\66fbf094867a5c3910d6e244405d137ad2b535e64bdbe3050488843e4334a18f.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3372
- C:\windows\SysWOW64\sal.exe
  "C:\windows\system32\sal.exe"
  2⤵
  - Executes dropped EXE
  PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sal.exe

Filesize
54KB

MD5
c07e9cf2c4def46a8309e010fd894fdc

SHA1
228242b463cda6555c1a7c663ecdeaf2495cb20f

SHA256
1910dcaffc93709dd4dae72f58573cb5fcc52cd79ca471c0a314a51bf316f943

SHA512
e33dcf51449c0d2c086754cbbeafdd1ce0d5f1d386b350c594006da6d85656c77a706a3e2bdf8af6fbdce48c99a1915d673a508e5e6e05f05ddab280dcf13963

Download Submit
memory/2296-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3372-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3372-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download