5253f2c8d135059bdb3a0bdbda5cfd00ddc0d46fe8da549e368c41d4881221da

Analysis

max time kernel
21s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 16:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9027d5829452fb52cfe4f98efdd57bc0N.exe
Size

59KB
MD5

9027d5829452fb52cfe4f98efdd57bc0
SHA1

12e7bccf838c2283db6808b87896c023af165017
SHA256

5253f2c8d135059bdb3a0bdbda5cfd00ddc0d46fe8da549e368c41d4881221da
SHA512

ae015d5b856b035971d90e56e56e02fa35384543756269a17cb52d4a9982a0a56853f8c6adedab60640c2d9013484e442d04de64a869b16bbc16847615a28151
SSDEEP

768:MApQr0DHvdFJI34nGxusOy9Rp1pLeAxoeC48PqK1OtaP6cCFzENREMZ7As2:MAaAJlzsh7pWezEPJB+OO

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1800	sal.exe

Loads dropped DLL 2 IoCs

pid	Process
1940	9027d5829452fb52cfe4f98efdd57bc0N.exe
1940	9027d5829452fb52cfe4f98efdd57bc0N.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\sal.exe	9027d5829452fb52cfe4f98efdd57bc0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9027d5829452fb52cfe4f98efdd57bc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sal.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1800	1940	9027d5829452fb52cfe4f98efdd57bc0N.exe	30
PID 1940 wrote to memory of 1800	1940	9027d5829452fb52cfe4f98efdd57bc0N.exe	30
PID 1940 wrote to memory of 1800	1940	9027d5829452fb52cfe4f98efdd57bc0N.exe	30
PID 1940 wrote to memory of 1800	1940	9027d5829452fb52cfe4f98efdd57bc0N.exe	30

C:\Users\Admin\AppData\Local\Temp\9027d5829452fb52cfe4f98efdd57bc0N.exe
"C:\Users\Admin\AppData\Local\Temp\9027d5829452fb52cfe4f98efdd57bc0N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\windows\SysWOW64\sal.exe
  "C:\windows\system32\sal.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\sal.exe

Filesize
59KB

MD5
a4e4a16c03c26443c1347ee20f6d3a5d

SHA1
2cf3330c0f699525af47d5ab20eeb9454b0e2fff

SHA256
7b1de91f62f67467604c14be8f5c021207f5d670936fd766e4f382626ef532ec

SHA512
3774281aa64c168ccce9f0dccf8beb44fb5af0702497786ccb6b6f61b8f636e2f0a57bcd4290dee4a77bfebb0785f9f58a1ce1401a120a969dafe1fea01567cb

Download Submit
memory/1800-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1800-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1940-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1940-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download