Analysis
-
max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted
12/06/2024, 04:54
Static task
static1
Behavioral task
behavioral1
Sample
d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe
Resource
win10v2004-20240508-en
General
-
Target
d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe
-
Size
66KB
-
MD5
9fb2158d827aac2f08636b38086dc450
-
SHA1
95f86fa9b8682214db744d80c095f086c55ad251
-
SHA256
d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc
-
SHA512
d855e55543cb7ab70ac398fd8f42b43717472c777fc4e2641212453df06f5333db587739baece90b4738f4b7f63f509c2f6304cd96011371ae9585442b807384
-
SSDEEP
768:6B7HBXFw82t2C80lyaZ4jX05Rfw/MKPsED3VK2+ZtyOjgO4r9vFAg2rqs4mkesFF:u7HZFwzlyaZTQkKYTjipvF2TZ0Ff/
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid   Process
2504  cnwog.exe
-
Loads dropped DLL 1 IoCs
pid   Process
2192  d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description                         pid   Process                                                                  procid_target
PID 2192 wrote to memory of 2504    2192  d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe    28
PID 2192 wrote to memory of 2504    2192  d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe    28
PID 2192 wrote to memory of 2504    2192  d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe    28
PID 2192 wrote to memory of 2504    2192  d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe    28
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2192
   2. C:\Users\Admin\AppData\Local\Temp\cnwog.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cnwog.exe"
      - Executes dropped EXE
      PID: 2504
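The signature rows above are flattened and the same WriteProcessMemory row is printed four times, so it is easy to misread how many distinct process pairs are involved. The following is an added example (not part of the sandbox report or the sample) that parses rows in the report's own layout, collapses the repeats into a per-pair count, and cross-references the target pid against the "Executes dropped EXE" rows and the process tree; the sample rows, the DROPPED_EXE, PARENT_OF and PROCESS_NAME tables are constructed by hand from this page, and the wording of the findings is the example's own.

```python
import re
from collections import Counter

# Constructed from the rows this report prints under
# "Suspicious use of WriteProcessMemory" (columns: description, pid, Process, procid_target).
WPM_ROWS = """\
PID 2192 wrote to memory of 2504 2192 d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe 28
PID 2192 wrote to memory of 2504 2192 d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe 28
PID 2192 wrote to memory of 2504 2192 d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe 28
PID 2192 wrote to memory of 2504 2192 d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe 28
"""

# "Executes dropped EXE" rows (pid -> image) and the process tree (child pid -> parent pid),
# both transcribed by hand from the report; PROCESS_NAME is the same tree keyed for display.
DROPPED_EXE = {2504: "cnwog.exe"}
PARENT_OF = {2504: 2192}
PROCESS_NAME = {
    2192: "d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe",
    2504: "cnwog.exe",
}

# One report row: "PID <src> wrote to memory of <dst> <pid> <Process> <procid_target>"
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<proc>\S+) (?P<target>\d+)$"
)


def parse_wpm(text):
    """Parse flattened WriteProcessMemory rows into (writer_pid, target_pid, writer_image) tuples."""
    events = []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue  # header or blank line
        events.append((int(m["src"]), int(m["dst"]), m["proc"]))
    return events


def write_counts(events):
    """Collapse repeated rows into a count per (writer, target) pair."""
    return Counter((src, dst) for src, dst, _ in events)


def classify(events, dropped=DROPPED_EXE, parent_of=PARENT_OF, names=PROCESS_NAME):
    """Flag cross-process writes whose target is a dropped EXE, noting the tree relationship."""
    findings = []
    for (src, dst), n in sorted(write_counts(events).items()):
        if dst not in dropped:
            continue
        is_child = parent_of.get(dst) == src
        findings.append({
            "writer": src,
            "writer_image": names.get(src, "?"),
            "target": dst,
            "target_image": dropped[dst],
            "writes": n,
            "relation": "its own child" if is_child else "an unrelated process",
            # A parent writing into a child it just spawned is the classic shape of process
            # hollowing / injection, but some legitimate launchers also do it; the memory of
            # the child, not the count of writes, settles it.
            "next_step": "dump and compare the child's mapped image with the dropped file on disk",
        })
    return findings


if __name__ == "__main__":
    for f in classify(parse_wpm(WPM_ROWS)):
        print(f"{f['writer']} ({f['writer_image'][:12]}...) wrote {f['writes']}x into "
              f"{f['target']} ({f['target_image']}), {f['relation']}: {f['next_step']}")
```

Run against the rows above it reports a single pair, 2192 writing four times into 2504, which the tree identifies as the dropped cnwog.exe child of the submitted sample. The row count in the report header ("4 IoCs") is an event count, not a count of distinct writer/target pairs.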
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
66KB
MD5
668c687c9f4ed82fd0fab32baa6e09ef
SHA1
f26e29099f33180aa923951968c130719ef36810
SHA256
672fe0045c0c4954ae935f7504c6a156ec1ac51162233f4bf03168225541ce5d
SHA512
bef76851a502290e78097ec6e1cb8c28e244101ea42b00e3218edde867f40be7800812c43390ce7080f6c7898569ccc9a13ff2f12bdf78f798c25a3de605e67c