Analysis
- max time kernel: 95s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/05/2024, 22:25
Static task: static1
Behavioral task: behavioral1
- Sample: 61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe
- Resource: win10v2004-20240426-en
General
- Target: 61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe
- Size: 28KB
- MD5: a405f10b52cb4cee0abf0881105e7c2a
- SHA1: 2cf8def7897c7ddae510e82954860edb5364be7e
- SHA256: 61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8
- SHA512: 6224f9661d7fc1645cb6b73985a6bb1cb3366fd143b1f6d9bfaf5f360df82e0dfa90e0d227244c26b30082d622ab9c0c3c3884a6bd44767d5075b601302182f8
- SSDEEP: 768:6B7HBXFw82t2C80lyaZ4jX05RfX5XciJr48V:u7HZFwzlyaZTSi+8V
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | 61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  1932 | cnwog.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 540 wrote to memory of 1932 | 540 | 61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe | 83
  PID 540 wrote to memory of 1932 | 540 | 61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe | 83
  PID 540 wrote to memory of 1932 | 540 | 61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe | 83
  PID 1932 wrote to memory of 3704 | 1932 | cnwog.exe | 84
  PID 1932 wrote to memory of 3704 | 1932 | cnwog.exe | 84
  PID 1932 wrote to memory of 3704 | 1932 | cnwog.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\61f5ac682eb499a71e5721f65b972288a27055785ff4bc440adc43ea4d95bbc8.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 540
  - C:\Users\Admin\AppData\Local\Temp\cnwog.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cnwog.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1932
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\cnwog.exe >> NUL
      PID: 3704
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 28KB
- MD5: 8edbe090f494f1e96a9066039f930852
- SHA1: c223ff7250ca2b699696dd7ebdfaed5b08431c0d
- SHA256: dd4d14e4fd1bc38d358ee3f6b4632ef832870887299d6e1af48a1ddcf6345b89
- SHA512: 6a18c7a8de7640def5cc5d9cc488a2ed29b9d0724eefcb79eca1e4f04084e61c75a84c082345b16d5a594d8ffc75069424a10a97baee6fa08a85dd28e0d32de4