183d55a82eaaaa5429ac2cde29425bdf7c13b35c7d6b46505694bcd1c2e54f75

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

183d55a82eaaaa5429ac2cde29425bdf7c13b35c7d6b46505694bcd1c2e54f75.exe
Size

370KB
MD5

25bc76ada2165bf55992d80bd59d3506
SHA1

6608b17fda82608a9440631ff66e2c0df4488d8c
SHA256

183d55a82eaaaa5429ac2cde29425bdf7c13b35c7d6b46505694bcd1c2e54f75
SHA512

c76077780a6285172bd6b9526ce322a0a828f7e4190170b8cd38056287c241e99128ced0c5d91d000ab773445f12ae452964b594e887f7f842a6c716c480e095
SSDEEP

6144:CuJkl8DV12C28tLN2/FkCOfHVm0fMaHftvCGCBhDOHjTPmXHk62pd:CzGL2C2aZ2/F1WHHUaveOHjTp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	183d55a82eaaaa5429ac2cde29425bdf7c13b35c7d6b46505694bcd1c2e54f75.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	touwr.exe

Executes dropped EXE 2 IoCs

pid	Process
1128	touwr.exe
2224	cooho.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe
2224	cooho.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1128	2108	183d55a82eaaaa5429ac2cde29425bdf7c13b35c7d6b46505694bcd1c2e54f75.exe	90
PID 2108 wrote to memory of 1128	2108	183d55a82eaaaa5429ac2cde29425bdf7c13b35c7d6b46505694bcd1c2e54f75.exe	90
PID 2108 wrote to memory of 1128	2108	183d55a82eaaaa5429ac2cde29425bdf7c13b35c7d6b46505694bcd1c2e54f75.exe	90
PID 2108 wrote to memory of 3632	2108	183d55a82eaaaa5429ac2cde29425bdf7c13b35c7d6b46505694bcd1c2e54f75.exe	91
PID 2108 wrote to memory of 3632	2108	183d55a82eaaaa5429ac2cde29425bdf7c13b35c7d6b46505694bcd1c2e54f75.exe	91
PID 2108 wrote to memory of 3632	2108	183d55a82eaaaa5429ac2cde29425bdf7c13b35c7d6b46505694bcd1c2e54f75.exe	91
PID 1128 wrote to memory of 2224	1128	touwr.exe	101
PID 1128 wrote to memory of 2224	1128	touwr.exe	101
PID 1128 wrote to memory of 2224	1128	touwr.exe	101

C:\Users\Admin\AppData\Local\Temp\183d55a82eaaaa5429ac2cde29425bdf7c13b35c7d6b46505694bcd1c2e54f75.exe
"C:\Users\Admin\AppData\Local\Temp\183d55a82eaaaa5429ac2cde29425bdf7c13b35c7d6b46505694bcd1c2e54f75.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\touwr.exe
  "C:\Users\Admin\AppData\Local\Temp\touwr.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\cooho.exe
    "C:\Users\Admin\AppData\Local\Temp\cooho.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8276f13d55a92a310aaa82b55ed2cbd1

SHA1
766d30ecf8af8a0d5a9c69b32155c2d6a811536f

SHA256
671a9ee8fa976fce3ff820bf47b3956d2bd7652acb696adedf1300373e26cc0c

SHA512
a9310fd30cb8b86d671d10b00793286efe3d5def9765e2523288f6d6838c80b241271ea327fcc8f6e6e38d206d9f6204b1ca4d634ace56bb53a212a8a56ad510

Download Submit
C:\Users\Admin\AppData\Local\Temp\cooho.exe

Filesize
303KB

MD5
665b1ad69d712104c43d26809c052c9d

SHA1
11d99ad30eb420b6a3deb7f5ca9db83947489c4f

SHA256
12eab9dd0386ca682516cb219ad3c7b18ac40083b5ee0b49edc9e1733c46f8eb

SHA512
d6e7f729f375787e865a6860baa22e2fcb205824279bcb2c74efc80124d072e51b50fa485584d1a1d36cfa52d1860ab9d8e188dd52d8e1f113d47ddbd282a29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d749a5d5d80d18e1fb9c8bc564fd9f75

SHA1
b964d806046f1784bb250496f760e48eba5fe9c8

SHA256
53e73f529006b35185ad10463f1758e814f63db40e93cd69404a1d23c7617988

SHA512
fe4e346457cefc9740ac935db4c98758506bbc72b5d4c44411817b2f22f5d52d39ac2ac3c027178f23c9e3e1a161aa5aa40f02f20c83fe6c9312eeabbe149d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\touwr.exe

Filesize
370KB

MD5
07cddcbe132d9418471b2e34c45c3513

SHA1
fb126b82a1cf09721a788c78576b2c7b067e44e5

SHA256
17428695f08446ef67c20ddcf02472c98ce7fd32b438cd09e01403d1c29f9ca4

SHA512
932deec9a6232b7f359b3556c9a5c3c790556f3b7e70a8e38f9f72125fedce9d179f3d660d722861793920b12179fbf4c3031cbb67c0b979f7a37f6a05ad6a2f

Download Submit