579cfa65a3b0756e7d98cdd894d6d8f3d1b85b37e3b0cee020a5864b0939945e

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1096cb933ae98d14338ce6d690901100N.exe
Size

3.7MB
MD5

1096cb933ae98d14338ce6d690901100
SHA1

18fe2c03340227277a2212348cbf8a80be1890cf
SHA256

579cfa65a3b0756e7d98cdd894d6d8f3d1b85b37e3b0cee020a5864b0939945e
SHA512

03e4c9e03e0a56e08840f0357408770d1bc25d752ca85549e45a8f3303c929e7f27ab116ff39f5dead7f4cb75baf5445f1bf41ddcc914369c1926070657eccbb
SSDEEP

49152:J+NrGqlp6mpunjhy/tzEx4mXGeCKHaSk8M3qN/J50T4CY/GK37BTiLR+pUv/OZTV:SCmQnjhMZEnhHFbMQ/cTOlc+F+w02E0B

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1400	salus_install.exe

Loads dropped DLL 10 IoCs

pid	Process
1972	1096cb933ae98d14338ce6d690901100N.exe
1400	salus_install.exe
1400	salus_install.exe
1400	salus_install.exe
1400	salus_install.exe
1400	salus_install.exe
1400	salus_install.exe
1400	salus_install.exe
1400	salus_install.exe
1400	salus_install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1096cb933ae98d14338ce6d690901100N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	salus_install.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002341e-9.dat	nsis_installer_1
behavioral2/files/0x000700000002341e-9.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1400	1972	1096cb933ae98d14338ce6d690901100N.exe	86
PID 1972 wrote to memory of 1400	1972	1096cb933ae98d14338ce6d690901100N.exe	86
PID 1972 wrote to memory of 1400	1972	1096cb933ae98d14338ce6d690901100N.exe	86

C:\Users\Admin\AppData\Local\Temp\1096cb933ae98d14338ce6d690901100N.exe
"C:\Users\Admin\AppData\Local\Temp\1096cb933ae98d14338ce6d690901100N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\nsb6459.tmp\salus_install.exe
  "C:\Users\Admin\AppData\Local\Temp\nsb6459.tmp\salus_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsb6459.tmp\DcryptDll.dll

Filesize
14KB

MD5
904beebec2790ee2ca0c90fc448ac7e0

SHA1
40fabf1eb0a3b7168351c4514c5288216cb1566d

SHA256
f730d9385bf72eac5d579bcf1f7e4330f1d239ca1054d4ead48e9e363d9f4222

SHA512
8bdbbaaf73e396cf9fd9866b3e824b7e70c59a2bdefdb3236387e60d0e645d011265fe79fb193f6c0d6abe2e9c01260720c71cd8f068fcc4624760511c54efaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6459.tmp\salus_install.exe

Filesize
3.6MB

MD5
6ee42b29400d6c33168976f1c3a0dcad

SHA1
9bdf2eba31c19174446e25d8f4b10ed31d82f67c

SHA256
dc7095a09b019afa129e53ab2001aadb68aac044a97df3b3e097f4ab72baa689

SHA512
ed1add30e54d262120963d21ae34dc174da6dc6f39cafade93bdfc3373a5134f13e263636af6bbee3882ecce78badccd8aaabcef1d09fbb6d5ca3f87c9cfeac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6459.tmp\salus_install.log

Filesize
507B

MD5
b3bc71d409c916860802a1df714b5203

SHA1
5ecd3d40ecf9e2e5cd1eb2d4103f4c997096fd58

SHA256
90dfad6b3820a2d1768debf2b7e922ece59d355e624e7b3a4a5371b837216430

SHA512
1f935d9ae5cc2d10fd7a6fbe5407c0cbfbf68b664025be558d1e8a82f1e7411f4f2abeb6348fc7236d435d607f321ee93bfbe9a6399f878df73ae9ff5e7a1f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd6851.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd6851.tmp\base64.dll

Filesize
89KB

MD5
d26fead25df9b2dcd8f64d98428ee382

SHA1
ed3b3c504fbc262dea43678a6466cdb15210ac1b

SHA256
bdd79a8634f8e11c026471fa0682804d1e5edb63fe37363cd9c22f941feb7118

SHA512
371dd5de41757f29e0f97f4c8c6e9f2628e78cf2f004e82e7e6454815a5b8ccabfc0535cdfc9d0927ce08938793e0ed71b46400c4d93d691caf468fd91ab7aad

Download Submit
memory/1400-21-0x00000000022B0000-0x00000000022CB000-memory.dmp

Filesize
108KB

Download