Malware Analysis Report

2025-05-06 00:30

Sample ID 241109-z8vfjssfmj
Target 4e6207b84226161f0b0d39de2833c17bab24e916c1129b3fd8362e92ec5f4f7dN
SHA256 4e6207b84226161f0b0d39de2833c17bab24e916c1129b3fd8362e92ec5f4f7d
Tags discovery
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

4e6207b84226161f0b0d39de2833c17bab24e916c1129b3fd8362e92ec5f4f7d

Threat Level: Shows suspicious behavior

The file 4e6207b84226161f0b0d39de2833c17bab24e916c1129b3fd8362e92ec5f4f7dN was found to show suspicious behavior.

Malicious Activity Summary

discovery

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:23

Reported

2024-11-09 21:25

Platform

win7-20241023-en

Max time kernel

16s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e6207b84226161f0b0d39de2833c17bab24e916c1129b3fd8362e92ec5f4f7dN.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\windows\SysWOW64\sal.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | \??\c:\windows\SysWOW64\sal.exe | C:\Users\Admin\AppData\Local\Temp\4e6207b84226161f0b0d39de2833c17bab24e916c1129b3fd8362e92ec5f4f7dN.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e6207b84226161f0b0d39de2833c17bab24e916c1129b3fd8362e92ec5f4f7dN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\SysWOW64\sal.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4e6207b84226161f0b0d39de2833c17bab24e916c1129b3fd8362e92ec5f4f7dN.exe

"C:\Users\Admin\AppData\Local\Temp\4e6207b84226161f0b0d39de2833c17bab24e916c1129b3fd8362e92ec5f4f7dN.exe"

C:\windows\SysWOW64\sal.exe

"C:\windows\system32\sal.exe"

Network

N/A

Files

memory/2536-0-0x0000000000400000-0x0000000000409000-memory.dmp

\Windows\SysWOW64\sal.exe

MD5 101b4f8e46fea56bcb540cd3ac92c360
SHA1 4b19811e4e08043afdc95293a16911157b50a7b0
SHA256 3a8f7cc53316a6515dea5bdf7ccb14b5f0a61498d61e719416f7b8fd339ebe84
SHA512 312f7e17f6c0dd50da864b03f5c358f805d9858dd6d941a1d32aea794763e6dbdb7b83de52ce20392bc8d0b90661947144ac34c4784423a84400eb481ea17569

memory/2684-11-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2536-12-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2536-9-0x0000000000510000-0x0000000000519000-memory.dmp

memory/2684-14-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 21:23

Reported

2024-11-09 21:25

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e6207b84226161f0b0d39de2833c17bab24e916c1129b3fd8362e92ec5f4f7dN.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4e6207b84226161f0b0d39de2833c17bab24e916c1129b3fd8362e92ec5f4f7dN.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\windows\SysWOW64\sal.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | \??\c:\windows\SysWOW64\sal.exe | C:\Users\Admin\AppData\Local\Temp\4e6207b84226161f0b0d39de2833c17bab24e916c1129b3fd8362e92ec5f4f7dN.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e6207b84226161f0b0d39de2833c17bab24e916c1129b3fd8362e92ec5f4f7dN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\SysWOW64\sal.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4e6207b84226161f0b0d39de2833c17bab24e916c1129b3fd8362e92ec5f4f7dN.exe

"C:\Users\Admin\AppData\Local\Temp\4e6207b84226161f0b0d39de2833c17bab24e916c1129b3fd8362e92ec5f4f7dN.exe"

C:\windows\SysWOW64\sal.exe

"C:\windows\system32\sal.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

memory/2896-0-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Windows\SysWOW64\sal.exe

MD5 101b4f8e46fea56bcb540cd3ac92c360
SHA1 4b19811e4e08043afdc95293a16911157b50a7b0
SHA256 3a8f7cc53316a6515dea5bdf7ccb14b5f0a61498d61e719416f7b8fd339ebe84
SHA512 312f7e17f6c0dd50da864b03f5c358f805d9858dd6d941a1d32aea794763e6dbdb7b83de52ce20392bc8d0b90661947144ac34c4784423a84400eb481ea17569

memory/2896-9-0x0000000000400000-0x0000000000409000-memory.dmp

memory/208-10-0x0000000000400000-0x0000000000409000-memory.dmp