f17789afaccd5810d16f934f44ee1142638440f011d1c94b0c8222ce83f71382

Analysis

max time kernel
92s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 22:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3b2e92f449b8eedfedc2063674bbec50N.exe
Size

35KB
MD5

3b2e92f449b8eedfedc2063674bbec50
SHA1

c67ee50bffb269b576c379bc04bb58fecbf85ae0
SHA256

f17789afaccd5810d16f934f44ee1142638440f011d1c94b0c8222ce83f71382
SHA512

f36fb9ae650a2c4d3bb97cf2e724a387d83cd7bc8a3e9c09ae03859515a21b12a0548d52ed94155f9468ed653fd65199d7ea2e53944d1cddd97aa2e6d7583ef2
SSDEEP

384:MApc8m4e0GvQak4JI341C0abnk6hJPuM2rG79A:MApQr0GvdFJI34qTk6hJPfZm

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	3b2e92f449b8eedfedc2063674bbec50N.exe

Executes dropped EXE 1 IoCs

pid	Process
4024	sal.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\sal.exe	3b2e92f449b8eedfedc2063674bbec50N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b2e92f449b8eedfedc2063674bbec50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sal.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 4024	2928	3b2e92f449b8eedfedc2063674bbec50N.exe	85
PID 2928 wrote to memory of 4024	2928	3b2e92f449b8eedfedc2063674bbec50N.exe	85
PID 2928 wrote to memory of 4024	2928	3b2e92f449b8eedfedc2063674bbec50N.exe	85

C:\Users\Admin\AppData\Local\Temp\3b2e92f449b8eedfedc2063674bbec50N.exe
"C:\Users\Admin\AppData\Local\Temp\3b2e92f449b8eedfedc2063674bbec50N.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2928
- C:\windows\SysWOW64\sal.exe
  "C:\windows\system32\sal.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\sal.exe

Filesize
35KB

MD5
16b5a6438d3f2f3526c2a40eb4a0b3e3

SHA1
c8e88d70f3569d7c2578098a1c58ac8c2d58d911

SHA256
4cedf983ee76559c2645ef5919275c4fd5cfea6f6fd7c331a9c3a566105a9c2a

SHA512
9fa22e0821822d3181f2e48a39e68722a14eeafe8ce1b13f55434dc594375a8617f88166f6742c15f2b38781cbac947b9052c1f1552fc3af59c9771712ee2fa9

Download Submit
memory/2928-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2928-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4024-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download