6c5d597a76b444803a67d906e4ee8741881b646ea66bacf08cfb003104e11d53

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c5d597a76b444803a67d906e4ee8741881b646ea66bacf08cfb003104e11d53.exe
Size

54KB
MD5

5fa136d5e2fed5a5f8851bb33b0343d5
SHA1

76e54b91c33515801756c8c451dadcc54ade3a5a
SHA256

6c5d597a76b444803a67d906e4ee8741881b646ea66bacf08cfb003104e11d53
SHA512

dcb6104a7156c74a00b947826fa3e04864f2596146a51753a4d412d2afde7cef67c95f1cb1b2df4608ddd0710b336b541b2d4831b5fef9c8d917b93bad80f55b
SSDEEP

768:MApQr0fvdFJI341GxusOy9Rp1pLeAxoeC48PqK1OtaP6cCFzENREMZ7ZbP:MAaMJlBsh7pWezEPJB+OlbP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2900	sal.exe

Loads dropped DLL 2 IoCs

pid	Process
2860	6c5d597a76b444803a67d906e4ee8741881b646ea66bacf08cfb003104e11d53.exe
2860	6c5d597a76b444803a67d906e4ee8741881b646ea66bacf08cfb003104e11d53.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\sal.exe	6c5d597a76b444803a67d906e4ee8741881b646ea66bacf08cfb003104e11d53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2900	2860	6c5d597a76b444803a67d906e4ee8741881b646ea66bacf08cfb003104e11d53.exe	28
PID 2860 wrote to memory of 2900	2860	6c5d597a76b444803a67d906e4ee8741881b646ea66bacf08cfb003104e11d53.exe	28
PID 2860 wrote to memory of 2900	2860	6c5d597a76b444803a67d906e4ee8741881b646ea66bacf08cfb003104e11d53.exe	28
PID 2860 wrote to memory of 2900	2860	6c5d597a76b444803a67d906e4ee8741881b646ea66bacf08cfb003104e11d53.exe	28

C:\Users\Admin\AppData\Local\Temp\6c5d597a76b444803a67d906e4ee8741881b646ea66bacf08cfb003104e11d53.exe
"C:\Users\Admin\AppData\Local\Temp\6c5d597a76b444803a67d906e4ee8741881b646ea66bacf08cfb003104e11d53.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2860
- C:\windows\SysWOW64\sal.exe
  "C:\windows\system32\sal.exe"
  2⤵
  - Executes dropped EXE
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\sal.exe

Filesize
54KB

MD5
bdbbce26626a1e62ca93b47476c14a57

SHA1
2e2a4b0e75978ddc65191ef14307af7996cece6e

SHA256
0308d1a90f781191534276d9461d2c541bf1b3ec9734e50a62bca46dea03219d

SHA512
b2227d3569d64731632617552e0242d87e85b515a1ec2e4995dc85b9f583b4915744a9a0c1009b540cc42039d91a7f6a885e8d0d09ee5cc625deeb963163d4d1

Download Submit
memory/2860-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2860-4-0x0000000002620000-0x0000000002629000-memory.dmp

Filesize
36KB

Download
memory/2860-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2900-14-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2900-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download