Analysis

  • max time kernel
    51s
  • max time network
    57s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/06/2024, 04:54

General

  • Target

    d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe

  • Size

    66KB

  • MD5

    9fb2158d827aac2f08636b38086dc450

  • SHA1

    95f86fa9b8682214db744d80c095f086c55ad251

  • SHA256

    d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc

  • SHA512

    d855e55543cb7ab70ac398fd8f42b43717472c777fc4e2641212453df06f5333db587739baece90b4738f4b7f63f509c2f6304cd96011371ae9585442b807384

  • SSDEEP

    768:6B7HBXFw82t2C80lyaZ4jX05Rfw/MKPsED3VK2+ZtyOjgO4r9vFAg2rqs4mkesFF:u7HZFwzlyaZTQkKYTjipvF2TZ0Ff/

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe
    "C:\Users\Admin\AppData\Local\Temp\d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Users\Admin\AppData\Local\Temp\cnwog.exe
      "C:\Users\Admin\AppData\Local\Temp\cnwog.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3364
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\cnwog.exe >> NUL
        3⤵
          PID:2884

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\cnwog.exe

    Filesize

    66KB

    MD5

    668c687c9f4ed82fd0fab32baa6e09ef

    SHA1

    f26e29099f33180aa923951968c130719ef36810

    SHA256

    672fe0045c0c4954ae935f7504c6a156ec1ac51162233f4bf03168225541ce5d

    SHA512

    bef76851a502290e78097ec6e1cb8c28e244101ea42b00e3218edde867f40be7800812c43390ce7080f6c7898569ccc9a13ff2f12bdf78f798c25a3de605e67c

  • memory/2520-1-0x0000000000760000-0x0000000000763000-memory.dmp

    Filesize

    12KB