474a4131fe553df43d9929e91717e6cffac16e586179c2b79a5de869c008bcab

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 21:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

474a4131fe553df43d9929e91717e6cffac16e586179c2b79a5de869c008bcab.exe
Size

32KB
MD5

8a2ed7769124cc04cf1ead53a4fc46ec
SHA1

7540c0bd8037c66e214741eded9a67b23e2a29fc
SHA256

474a4131fe553df43d9929e91717e6cffac16e586179c2b79a5de869c008bcab
SHA512

d45e315b67ef0228080f7d6fb0b17f227fc554615b6cc1bb7797e62d43165a0e3c6ad5778d17cf9f59e7f96a5a3ae2cd8cef4dbc8f6da963d92036a80c6ed24f
SSDEEP

192:KlApk98m4e0/IDJh/5ZQcvoyne4t/PQ3Pw1C0SluWbiWBNEckcVhJriE/JC:MApc8m4e0GvQak4JI341C0abnk6hJPQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	474a4131fe553df43d9929e91717e6cffac16e586179c2b79a5de869c008bcab.exe

Executes dropped EXE 1 IoCs

pid	Process
4880	sal.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\sal.exe	474a4131fe553df43d9929e91717e6cffac16e586179c2b79a5de869c008bcab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 4880	2212	474a4131fe553df43d9929e91717e6cffac16e586179c2b79a5de869c008bcab.exe	81
PID 2212 wrote to memory of 4880	2212	474a4131fe553df43d9929e91717e6cffac16e586179c2b79a5de869c008bcab.exe	81
PID 2212 wrote to memory of 4880	2212	474a4131fe553df43d9929e91717e6cffac16e586179c2b79a5de869c008bcab.exe	81

C:\Users\Admin\AppData\Local\Temp\474a4131fe553df43d9929e91717e6cffac16e586179c2b79a5de869c008bcab.exe
"C:\Users\Admin\AppData\Local\Temp\474a4131fe553df43d9929e91717e6cffac16e586179c2b79a5de869c008bcab.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2212
- C:\windows\SysWOW64\sal.exe
  "C:\windows\system32\sal.exe"
  2⤵
  - Executes dropped EXE
  PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sal.exe

Filesize
32KB

MD5
dff2fadde56ce0dd62a55e0025279d9b

SHA1
0d24ca238e4515549a748740e3c96c60d82369cc

SHA256
322d63cf869b6eab5ceaa7431ab7269bc434ecfac4d692dfde376e073c2741ee

SHA512
2124ea50bc04faf1a408a9b8d3a5888a9337412322f4987e58668e897e7ae68cb59bfb4fdeaf2cab2cc3c5d115d507c8306bf322059418bc3e3c897f157de30b

Download Submit
memory/2212-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2212-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4880-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4880-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download