Analysis Overview
SHA256
d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc
Threat Level: Shows suspicious behavior
Verdict: the file d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc was classified as showing suspicious behavior; no family name was assigned in this report.
Malicious Activity Summary
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 04:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 04:54
Reported
2024-06-12 04:57
Platform
win7-20240221-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cnwog.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2192 wrote to memory of 2504 (logged 4 times) | N/A | C:\Users\Admin\AppData\Local\Temp\d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe | C:\Users\Admin\AppData\Local\Temp\cnwog.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe
"C:\Users\Admin\AppData\Local\Temp\d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe"
C:\Users\Admin\AppData\Local\Temp\cnwog.exe
"C:\Users\Admin\AppData\Local\Temp\cnwog.exe"
Network
Files
memory/2192-0-0x0000000000090000-0x0000000000093000-memory.dmp
\Users\Admin\AppData\Local\Temp\cnwog.exe
| MD5 | 668c687c9f4ed82fd0fab32baa6e09ef |
| SHA1 | f26e29099f33180aa923951968c130719ef36810 |
| SHA256 | 672fe0045c0c4954ae935f7504c6a156ec1ac51162233f4bf03168225541ce5d |
| SHA512 | bef76851a502290e78097ec6e1cb8c28e244101ea42b00e3218edde867f40be7800812c43390ce7080f6c7898569ccc9a13ff2f12bdf78f798c25a3de605e67c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 04:54
Reported
2024-06-12 04:57
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
57s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cnwog.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2520 wrote to memory of 3364 (logged 3 times) | N/A | C:\Users\Admin\AppData\Local\Temp\d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe | C:\Users\Admin\AppData\Local\Temp\cnwog.exe |
| PID 3364 wrote to memory of 2884 (logged 3 times) | N/A | C:\Users\Admin\AppData\Local\Temp\cnwog.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe
"C:\Users\Admin\AppData\Local\Temp\d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe"
C:\Users\Admin\AppData\Local\Temp\cnwog.exe
"C:\Users\Admin\AppData\Local\Temp\cnwog.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\cnwog.exe >> NUL
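The behavioral2 run above shows a compact chain: the sample queries HKCU\Control Panel\International\Geo\Nation, drops cnwog.exe into %TEMP%, starts it, writes into the child's memory, and the child then spawns cmd.exe to delete its own image. The Python below is an added example, not part of this sandbox report and not the sandbox's own detection logic: it replays those events as constructed records (the field names kind/pid/ppid/image/cmdline/target/key/path and the parent-less first process are our own schema; that PID 2520 wrote cnwog.exe is inferred from the report, not stated in it) and flags each link of the chain the way a host-based detection would.

```python
import re

# Constructed event records modelled on the behavioral2 run in this report.
# The schema (kind/pid/ppid/image/cmdline/target/key/path) is ours, not the sandbox's.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d85cc9daba2c1b5a439e8df523a56ebcef2eb5fdabd94485707b3903c4c8f4cc.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\cnwog.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

EVENTS = [
    # parent of the sample is not recorded in the report, hence ppid None (assumption)
    {"kind": "process_create", "pid": 2520, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"kind": "registry_query", "pid": 2520,
     "key": r"\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation"},
    # the report lists cnwog.exe as a dropped file; attributing the write to 2520 is inferred
    {"kind": "file_create", "pid": 2520, "path": DROPPED},
    {"kind": "process_create", "pid": 3364, "ppid": 2520, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    *[{"kind": "process_access", "pid": 2520, "target": 3364, "api": "WriteProcessMemory"}] * 3,
    {"kind": "process_create", "pid": 2884, "ppid": 3364, "image": CMD,
     "cmdline": rf"C:\Windows\system32\cmd.exe /c del {DROPPED} >> NUL"},
]


def _norm(path):
    """Case-fold and strip quotes so image paths and command-line tokens compare equal."""
    return path.strip('"').lower()


def process_table(events):
    """pid -> (ppid, normalized image) for every process_create record."""
    return {e["pid"]: (e["ppid"], _norm(e["image"])) for e in events if e["kind"] == "process_create"}


def dropped_exe_executed(events):
    """A PE written by one process and later started as a new process.
    Returns [(dropper_pid, child_pid, path)]. Events must be chronological."""
    created = {}  # normalized path -> pid that wrote it
    hits = []
    for e in events:
        if e["kind"] == "file_create" and e["path"].lower().endswith(".exe"):
            created[_norm(e["path"])] = e["pid"]
        elif e["kind"] == "process_create" and _norm(e["image"]) in created:
            hits.append((created[_norm(e["image"])], e["pid"], _norm(e["image"])))
    return hits


def parent_writes_child_memory(events):
    """WriteProcessMemory from a process into a child it spawned: the pattern
    behind process hollowing and early-bird injection. Returns {(writer, target): count}.
    Debuggers and some installers do this too, so pair it with the dropped-EXE hit."""
    procs = process_table(events)
    counts = {}
    for e in events:
        if e["kind"] == "process_access" and e["api"] == "WriteProcessMemory":
            ppid = procs.get(e["target"], (None, None))[0]
            if ppid == e["pid"]:
                key = (e["pid"], e["target"])
                counts[key] = counts.get(key, 0) + 1
    return counts


# `del <path>` optionally quoted, optionally followed by a redirect to NUL
DEL_RE = re.compile(r"\bdel\b\s+(\"?)(?P<path>[^\"&>|]+?)\1\s*(?:>>?\s*nul\b|$)", re.I)


def self_delete_via_cmd(events):
    """cmd.exe /c del <parent's own image>: the dropped payload erasing itself.
    Returns [(payload_pid, cmd_pid, deleted_image)]."""
    procs = process_table(events)
    hits = []
    for e in events:
        if e["kind"] != "process_create" or not _norm(e["image"]).endswith(r"\cmd.exe"):
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m:
            continue
        parent_image = procs.get(e["ppid"], (None, ""))[1]
        if _norm(m.group("path")) == parent_image:
            hits.append((e["ppid"], e["pid"], parent_image))
    return hits


GEO_KEY = r"\control panel\international\geo\nation"


def geo_nation_query(events):
    """HKCU\\Control Panel\\International\\Geo\\Nation lookup, often used to skip
    execution in certain countries; locale-aware benign software reads it too."""
    return [e["pid"] for e in events if e["kind"] == "registry_query" and e["key"].lower().endswith(GEO_KEY)]


def triage(events):
    """Run every check and return the findings keyed by check name."""
    return {
        "dropped_exe_executed": dropped_exe_executed(events),
        "parent_writes_child_memory": parent_writes_child_memory(events),
        "self_delete_via_cmd": self_delete_via_cmd(events),
        "geo_nation_query": geo_nation_query(events),
    }


if __name__ == "__main__":
    for name, finding in triage(EVENTS).items():
        print(f"{name}: {finding}")
```

Each check on its own is noisy on a real host (installers drop and run executables, debuggers write child memory, locale code reads Geo\Nation); the signal is the combination, anchored on the same dropper and child PIDs. Note also that the self-deletion and the Geo\Nation query appear only in the Windows 10 run, not in the Windows 7 run above, so a rule keyed on the cmd.exe self-delete alone would have missed the first detonation.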
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
The only network activity recorded in this run is a PTR (reverse DNS) query for 8.8.8.8 sent to 8.8.8.8:53; no other destination was contacted during the 57 s network window.
Files
memory/2520-1-0x0000000000760000-0x0000000000763000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cnwog.exe
| MD5 | 668c687c9f4ed82fd0fab32baa6e09ef |
| SHA1 | f26e29099f33180aa923951968c130719ef36810 |
| SHA256 | 672fe0045c0c4954ae935f7504c6a156ec1ac51162233f4bf03168225541ce5d |
| SHA512 | bef76851a502290e78097ec6e1cb8c28e244101ea42b00e3218edde867f40be7800812c43390ce7080f6c7898569ccc9a13ff2f12bdf78f798c25a3de605e67c |