Analysis

  • max time kernel
    100s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/08/2024, 21:59

General

  • Target

    b3f090f4cfd0bfd5ca11ed91117057d0N.exe

  • Size

    38KB

  • MD5

    b3f090f4cfd0bfd5ca11ed91117057d0

  • SHA1

    7f1e34267cb5faa43cbe6ebb8ee69901abaa2ae7

  • SHA256

    d89e5d86393a9badba76b5e703eb17f324a787ecabcf83838ec0780013c4c567

  • SHA512

    d9313b811487eef8c3438a2d85e49953d46a6b2c495ed15ce8f487e39c5788645abb81f5e908dd521033ca7776d31f508b85245b99d0497b3e0c4be2295756f0

  • SSDEEP

    384:MApc8m4e0LvQac4JI341CNabnkIU0Sq0yDAtc:MApQr0LvddJI34nTkIU0EyCc

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3f090f4cfd0bfd5ca11ed91117057d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\b3f090f4cfd0bfd5ca11ed91117057d0N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\windows\SysWOW64\sal.exe
      "C:\windows\system32\sal.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2708

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\sal.exe

    Filesize

    38KB

    MD5

    d56c91078d457a4e347c518ce8143149

    SHA1

    6d8a927c1b0b1fc9e8eff7fd573e2100f6aedf95

    SHA256

    48270db6657e665de3925722374b09737d0fb49138713c292668a535bc8f8110

    SHA512

    546108af75d75eabf06bce7108df3257b1dc2a71e01ee9e88a80b30f2446e74c0cad7c5486318bdd9740ddea883ced00c8b171d3f04736d9030a30a93cd461be

  • memory/2344-0-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2344-9-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2708-10-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB