Analysis

Max time kernel: 51s
Max time network: 57s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 12/06/2024, 04:54

Static task: static1

Behavioral task: behavioral1
Sample: d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe
Resource: win10v2004-20240508-en
General

Target: d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe
Size: 66KB
MD5: 9fb2158d827aac2f08636b38086dc450
SHA1: 95f86fa9b8682214db744d80c095f086c55ad251
SHA256: d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc
SHA512: d855e55543cb7ab70ac398fd8f42b43717472c777fc4e2641212453df06f5333db587739baece90b4738f4b7f63f509c2f6304cd96011371ae9585442b807384
SSDEEP: 768:6B7HBXFw82t2C80lyaZ4jX05Rfw/MKPsED3VK2+ZtyOjgO4r9vFAg2rqs4mkesFF:u7HZFwzlyaZTQkKYTjipvF2TZ0Ff/
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
  Process: d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe

Executes dropped EXE (1 IoC)
  pid: 3364
  Process: cnwog.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2520 wrote to memory of 3364 | 2520 | d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe | 82
  PID 2520 wrote to memory of 3364 | 2520 | d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe | 82
  PID 2520 wrote to memory of 3364 | 2520 | d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe | 82
  PID 3364 wrote to memory of 2884 | 3364 | cnwog.exe | 83
  PID 3364 wrote to memory of 2884 | 3364 | cnwog.exe | 83
  PID 3364 wrote to memory of 2884 | 3364 | cnwog.exe | 83
Processes

C:\Users\Admin\AppData\Local\Temp\d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe"
  PID: 2520
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\cnwog.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cnwog.exe"
    PID: 3364
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\cnwog.exe >> NUL
      PID: 2884
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 66KB
MD5: 668c687c9f4ed82fd0fab32baa6e09ef
SHA1: f26e29099f33180aa923951968c130719ef36810
SHA256: 672fe0045c0c4954ae935f7504c6a156ec1ac51162233f4bf03168225541ce5d
SHA512: bef76851a502290e78097ec6e1cb8c28e244101ea42b00e3218edde867f40be7800812c43390ce7080f6c7898569ccc9a13ff2f12bdf78f798c25a3de605e67c