Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 31/05/2024, 22:25
Static task: static1
Behavioral task: behavioral1
  Sample: 61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe
  Resource: win10v2004-20240426-en
General
Target: 61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe
Size: 28KB
MD5: a405f10b52cb4cee0abf0881105e7c2a
SHA1: 2cf8def7897c7ddae510e82954860edb5364be7e
SHA256: 61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8
SHA512: 6224f9661d7fc1645cb6b73985a6bb1cb3366fd143b1f6d9bfaf5f360df82e0dfa90e0d227244c26b30082d622ab9c0c3c3884a6bd44767d5075b601302182f8
SSDEEP: 768:6B7HBXFw82t2C80lyaZ4jX05RfX5XciJr48V:u7HZFwzlyaZTSi+8V
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 2996, process cnwog.exe
Loads dropped DLL (1 IoC)
  pid 2916, process 61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
  description                     pid   process                                                                  procid_target
  PID 2916 wrote to memory of 2996  2916  61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe  28
  PID 2916 wrote to memory of 2996  2916  61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe  28
  PID 2916 wrote to memory of 2996  2916  61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe  28
  PID 2916 wrote to memory of 2996  2916  61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe  28
Processes
1. C:\Users\Admin\AppData\Local\Temp\61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe"
   PID: 2916
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\cnwog.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cnwog.exe"
      PID: 2996
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 28KB
MD5: 8edbe090f494f1e96a9066039f930852
SHA1: c223ff7250ca2b699696dd7ebdfaed5b08431c0d
SHA256: dd4d14e4fd1bc38d358ee3f6b4632ef832870887299d6e1af48a1ddcf6345b89
SHA512: 6a18c7a8de7640def5cc5d9cc488a2ed29b9d0724eefcb79eca1e4f04084e61c75a84c082345b16d5a594d8ffc75069424a10a97baee6fa08a85dd28e0d32de4