Overview

overview

7

Static

static

3

c851916dee...0N.exe

windows7-x64

7

c851916dee...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2024 10:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c851916dee0779c97075f9476f18b120N.exe

  • Size

    57KB

  • MD5

    c851916dee0779c97075f9476f18b120

  • SHA1

    123b633ae4c3245d03a5f56999fa201e93cc51cf

  • SHA256

    deb3a053ca5bba8f15993b23010a4b01c57b7c99a61b2391bb5c63c49cf98903

  • SHA512

    ed0ecabd76e8cbb63123f3980959d09dbfbfd705434fe176c254812d9d8d22511f86ebbc611d783181d3f3fd75894f6f9da6ac00254497ba726160f63d45c807

  • SSDEEP

    768:MApQr0DWvdFJI34HGxusOy9Rp1pLeAxoeC48PqK1OtaP6cCFzENREMZ7vVq:MAaJJlTsh7pWezEPJB+O4

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c851916dee0779c97075f9476f18b120N.exe
    "C:\Users\Admin\AppData\Local\Temp\c851916dee0779c97075f9476f18b120N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4568
    • C:\windows\SysWOW64\sal.exe
      "C:\windows\system32\sal.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4456

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\sal.exe
    Filesize

    57KB

    MD5

    4ec0addc88a58f285abca91836671990

    SHA1

    a6041ab5086ba49eae738702ca9e69c9af650fcf

    SHA256

    fd2daa02c4533c6edb32a7d25ca5dcada4fee08a912e32e49bd5a3262e2194c5

    SHA512

    0af650c3e268397fc11ea5a3400fa1bf6dd7905af9a32ef83bd8dd1ba94cbde324bd6121b344df03a6b30e75d3b9efcf3da330ca47f8bff9404e0c224c547638

    Download Submit

  • memory/4456-10-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/4568-0-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/4568-8-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download