a14123f4907aff417a57d7aa0a54f489b738c6b4aed1b1656db71bdbb336e794

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd31eaf21124c3f1128bc62b851b7400N.exe
Size

39KB
MD5

fd31eaf21124c3f1128bc62b851b7400
SHA1

2dd88c5c2b77758ff6b9d495f0d17dd38a98d89e
SHA256

a14123f4907aff417a57d7aa0a54f489b738c6b4aed1b1656db71bdbb336e794
SHA512

bfe4d37f071fdcec0fecd4af34cb55288efcc3e45edb4be637d684398fc19a544760b4b9cc612979c349a26e20c18286fbd64aabcd1b26ae0386d6c987ba3993
SSDEEP

384:MApc8m4e0LvQac4JI341CNabnkIU0Sq0yDAU:MApQr0LvddJI34nTkIU0Eyn

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1840	sal.exe

Loads dropped DLL 2 IoCs

pid	Process
2368	fd31eaf21124c3f1128bc62b851b7400N.exe
2368	fd31eaf21124c3f1128bc62b851b7400N.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\sal.exe	fd31eaf21124c3f1128bc62b851b7400N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd31eaf21124c3f1128bc62b851b7400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sal.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1840	2368	fd31eaf21124c3f1128bc62b851b7400N.exe	30
PID 2368 wrote to memory of 1840	2368	fd31eaf21124c3f1128bc62b851b7400N.exe	30
PID 2368 wrote to memory of 1840	2368	fd31eaf21124c3f1128bc62b851b7400N.exe	30
PID 2368 wrote to memory of 1840	2368	fd31eaf21124c3f1128bc62b851b7400N.exe	30

C:\Users\Admin\AppData\Local\Temp\fd31eaf21124c3f1128bc62b851b7400N.exe
"C:\Users\Admin\AppData\Local\Temp\fd31eaf21124c3f1128bc62b851b7400N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\windows\SysWOW64\sal.exe
  "C:\windows\system32\sal.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\sal.exe

Filesize
39KB

MD5
bc9937c3862acc948bf237086858e23c

SHA1
00eda705fd71e4976fb3da9dcc66cc9eb77ae387

SHA256
f4d92080fb1da4eed01e3ade9f7fe507f75bc65ca780d37a873f6c36f9d36925

SHA512
1f4536859a052fbf4f6c2c3087a2833886664e54ddfa7b97491ef4801dfb9009295aa48a3b2b859166743ed7175fa29e96d94348ca5ae9ef584c9d2eca5dda4d

Download Submit
memory/1840-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1840-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2368-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2368-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download