e22145268fac529a3546fecee89ec8661222498da85b3a5db570b98c68a8dafb

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e22145268fac529a3546fecee89ec8661222498da85b3a5db570b98c68a8dafb.exe
Size

64KB
MD5

809fa576c7bdf2c6fbafce08b3df578e
SHA1

b2f1b5dee3669e2df3ae1f2a9de2b34b3d3166d8
SHA256

e22145268fac529a3546fecee89ec8661222498da85b3a5db570b98c68a8dafb
SHA512

953a0ab2944310f61e140e509d68a44907ca42995ac82cdcb1dbd30a9fde59b60e5ed5fbab4d8496e31599fd9c7523177b670d276dc6eafc4c2ec84d65457212
SSDEEP

768:MApQr0DHvdFJI34nGxusOy9Rp1pLeAxoeC48PqK1OtaP6cCFzENREMZ7As7TyR:MAaAJlzsh7pWezEPJB+O/yR

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2984	sal.exe

Loads dropped DLL 2 IoCs

pid	Process
2532	e22145268fac529a3546fecee89ec8661222498da85b3a5db570b98c68a8dafb.exe
2532	e22145268fac529a3546fecee89ec8661222498da85b3a5db570b98c68a8dafb.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\sal.exe	e22145268fac529a3546fecee89ec8661222498da85b3a5db570b98c68a8dafb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e22145268fac529a3546fecee89ec8661222498da85b3a5db570b98c68a8dafb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sal.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2984	2532	e22145268fac529a3546fecee89ec8661222498da85b3a5db570b98c68a8dafb.exe	30
PID 2532 wrote to memory of 2984	2532	e22145268fac529a3546fecee89ec8661222498da85b3a5db570b98c68a8dafb.exe	30
PID 2532 wrote to memory of 2984	2532	e22145268fac529a3546fecee89ec8661222498da85b3a5db570b98c68a8dafb.exe	30
PID 2532 wrote to memory of 2984	2532	e22145268fac529a3546fecee89ec8661222498da85b3a5db570b98c68a8dafb.exe	30

C:\Users\Admin\AppData\Local\Temp\e22145268fac529a3546fecee89ec8661222498da85b3a5db570b98c68a8dafb.exe
"C:\Users\Admin\AppData\Local\Temp\e22145268fac529a3546fecee89ec8661222498da85b3a5db570b98c68a8dafb.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\windows\SysWOW64\sal.exe
  "C:\windows\system32\sal.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\sal.exe

Filesize
64KB

MD5
ee78243f72873ebc0ca9f9e59fac2676

SHA1
a6b316ec831b26ec53e2d45b08fff9a474de8610

SHA256
7981ccfb1c49ee82b979fbbe23339faa484e6b115ab0e59ce6ac2a1c058ade66

SHA512
cf42476d5b3491cd6ec81287d18bc7086ba3573df2d08a20135551794cc32cd269582664c0917c5fae404a504096d4668ab3e4924febc5ac0c55490527999a14

Download Submit
memory/2532-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2532-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2984-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2984-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download