1be8a65fbebcab9598fc3e8cb14d14db65f15c0d3cb7181652c58e0d8eb7b895

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 19:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1be8a65fbebcab9598fc3e8cb14d14db65f15c0d3cb7181652c58e0d8eb7b895.exe
Size

33KB
MD5

eb777fcc1f441512d72620d45e3256cd
SHA1

738738eb684a3eef4eb4cccfe8455ba21ae0efa4
SHA256

1be8a65fbebcab9598fc3e8cb14d14db65f15c0d3cb7181652c58e0d8eb7b895
SHA512

f5d8f3d6201cdba8662056db1dba78314f18b72184d72f9fb4b5acd3122870bedae8dcae30ec7ed3ff9a95788c6a46317de7b73761d8afbf065429915565c717
SSDEEP

384:MApc8m4e0GvQak4JI341C0abnk6hJPawbZ7Z:MApQr0GvdFJI34qTk6hJPawhZ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	1be8a65fbebcab9598fc3e8cb14d14db65f15c0d3cb7181652c58e0d8eb7b895.exe

Executes dropped EXE 1 IoCs

pid	Process
4960	sal.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\sal.exe	1be8a65fbebcab9598fc3e8cb14d14db65f15c0d3cb7181652c58e0d8eb7b895.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1be8a65fbebcab9598fc3e8cb14d14db65f15c0d3cb7181652c58e0d8eb7b895.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sal.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 4960	2384	1be8a65fbebcab9598fc3e8cb14d14db65f15c0d3cb7181652c58e0d8eb7b895.exe	84
PID 2384 wrote to memory of 4960	2384	1be8a65fbebcab9598fc3e8cb14d14db65f15c0d3cb7181652c58e0d8eb7b895.exe	84
PID 2384 wrote to memory of 4960	2384	1be8a65fbebcab9598fc3e8cb14d14db65f15c0d3cb7181652c58e0d8eb7b895.exe	84

C:\Users\Admin\AppData\Local\Temp\1be8a65fbebcab9598fc3e8cb14d14db65f15c0d3cb7181652c58e0d8eb7b895.exe
"C:\Users\Admin\AppData\Local\Temp\1be8a65fbebcab9598fc3e8cb14d14db65f15c0d3cb7181652c58e0d8eb7b895.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\windows\SysWOW64\sal.exe
  "C:\windows\system32\sal.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sal.exe

Filesize
33KB

MD5
39cc83a4dd370fe80140543c570119e7

SHA1
49e1ed14495807be672fdb3653754492afb71ccd

SHA256
2da5f289ef7343abfab4404ffd631a6551fbc7ae56637d2aad8547573cde0b1e

SHA512
12e12baecb51711d0d12bd147b2c88fe4fb04d0bcacf82196a8f8005745017929321efa9395d627bac938f16ecdf244574a19084eec1b9db8fe76df2be25a7ea

Download Submit
memory/2384-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2384-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4960-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download