Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
17/10/2024, 23:36
Static task
static1
Behavioral task
behavioral1
Sample
7515aea1bfd02634aa7932372e7d42a91125a8e282fd1d844bfe08396b1d8309.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
7515aea1bfd02634aa7932372e7d42a91125a8e282fd1d844bfe08396b1d8309.exe
Resource
win10v2004-20241007-en
General
-
Target
7515aea1bfd02634aa7932372e7d42a91125a8e282fd1d844bfe08396b1d8309.exe
-
Size
62KB
-
MD5
a8454a718b777856d059a7c9854a6b30
-
SHA1
2a020330a2ddb8cf6c894326311890f2f1ef3742
-
SHA256
7515aea1bfd02634aa7932372e7d42a91125a8e282fd1d844bfe08396b1d8309
-
SHA512
ea116247f354fbeb828a98c7a15b9793dde8dc840cef1e8e9ca10100f8a9d5be7ac409cac74e4c12d1e4a18265c39891137e40faa4c2ee1359c96d4f45601860
-
SSDEEP
768:MApQr0DHvdFJI34nGxusOy9Rp1pLeAxoeC48PqK1OtaP6cCFzENREMZ7As7Tw:MAaAJlzsh7pWezEPJB+O/w
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2276 sal.exe -
Loads dropped DLL 2 IoCs
pid Process 2476 7515aea1bfd02634aa7932372e7d42a91125a8e282fd1d844bfe08396b1d8309.exe 2476 7515aea1bfd02634aa7932372e7d42a91125a8e282fd1d844bfe08396b1d8309.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created \??\c:\windows\SysWOW64\sal.exe 7515aea1bfd02634aa7932372e7d42a91125a8e282fd1d844bfe08396b1d8309.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7515aea1bfd02634aa7932372e7d42a91125a8e282fd1d844bfe08396b1d8309.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sal.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2476 wrote to memory of 2276 2476 7515aea1bfd02634aa7932372e7d42a91125a8e282fd1d844bfe08396b1d8309.exe 30 PID 2476 wrote to memory of 2276 2476 7515aea1bfd02634aa7932372e7d42a91125a8e282fd1d844bfe08396b1d8309.exe 30 PID 2476 wrote to memory of 2276 2476 7515aea1bfd02634aa7932372e7d42a91125a8e282fd1d844bfe08396b1d8309.exe 30 PID 2476 wrote to memory of 2276 2476 7515aea1bfd02634aa7932372e7d42a91125a8e282fd1d844bfe08396b1d8309.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\7515aea1bfd02634aa7932372e7d42a91125a8e282fd1d844bfe08396b1d8309.exe"C:\Users\Admin\AppData\Local\Temp\7515aea1bfd02634aa7932372e7d42a91125a8e282fd1d844bfe08396b1d8309.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\windows\SysWOW64\sal.exe"C:\windows\system32\sal.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2276
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
62KB
MD562b0732e787e7c9dfa0b88bbfc43e009
SHA1987042197b1cbf5a6be75325cdd2ad46454bf35a
SHA2560f2b6a0aa48e48ba095ca76897877c212f5e5502ebcb2926201bcae7777b3eeb
SHA512c80dcb8b965aece77ea4a234d5444dd2e59859f7156218f1b4992d89140a517fa6272c652ab59aa5f6b540d3b6544466bf93e6c092c67bb53dc33b3c5e70c603