0aff087928d14356155c8106b1942a5938c54f9341368cdaf77bed71f0656ca3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Charow.exe
Size

140.1MB
MD5

635241963c80f1b340c65dfd306f554e
SHA1

859bab3fbcc146b573f20d9a42104fa15cd1a1f8
SHA256

50136550410d93d341dc6fadc1e895c8d661f46c11f4dae4aabcd9c553399f3b
SHA512

56ddb69e1d6f0d4309911c1549c45a11f7b6afda4529e266d8ea3620041742f381edb6e5acac031cf1cdd57b1c7b5c2877751bd3e5d19bd357ecfef7b829b70d
SSDEEP

1572864:42Cm7gJKfVjsPawuFHNwczWTeMkF7ZEk8bCkKbj:/aodJFek8+k

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Charow.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Charow.exe

Loads dropped DLL 1 IoCs

pid	Process
1228	Charow.exe

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ipinfo.io
23	ipinfo.io
2	ipinfo.io
6	ipinfo.io
16	ipinfo.io
17	ipinfo.io
19	ipinfo.io
20	ipinfo.io

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4596	Charow.exe
4596	Charow.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe
Token: SeShutdownPrivilege	1228	Charow.exe
Token: SeCreatePagefilePrivilege	1228	Charow.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1228	Charow.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 4148	1228	Charow.exe	83
PID 1228 wrote to memory of 1216	1228	Charow.exe	84
PID 1228 wrote to memory of 1216	1228	Charow.exe	84
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85
PID 1228 wrote to memory of 3372	1228	Charow.exe	85

C:\Users\Admin\AppData\Local\Temp\Charow.exe
"C:\Users\Admin\AppData\Local\Temp\Charow.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\Charow.exe
  "C:\Users\Admin\AppData\Local\Temp\Charow.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Charow" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1828,i,1649055707127811610,18230555927582101206,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:4148
- C:\Users\Admin\AppData\Local\Temp\Charow.exe
  "C:\Users\Admin\AppData\Local\Temp\Charow.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Charow" --mojo-platform-channel-handle=2100 --field-trial-handle=1828,i,1649055707127811610,18230555927582101206,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:1216
- C:\Users\Admin\AppData\Local\Temp\Charow.exe
  "C:\Users\Admin\AppData\Local\Temp\Charow.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Charow" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2356 --field-trial-handle=1828,i,1649055707127811610,18230555927582101206,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:3372
- C:\Users\Admin\AppData\Local\Temp\Charow.exe
  "C:\Users\Admin\AppData\Local\Temp\Charow.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Charow" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2664 --field-trial-handle=1828,i,1649055707127811610,18230555927582101206,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\40399874-c98a-4346-a8be-3344d9adf0f3.tmp.node

Filesize
642KB

MD5
7e83729e3fb724a15e69e85660dca443

SHA1
1d35585d2813c6e051840edcb17da5223877597b

SHA256
8409ee5a2cb80c310128e62221d17a19e9f562ba808a96995e8892295dadeef4

SHA512
befb0cd52308d54ff5b6fb43e629de02ec05054b6b4e594f904486d8c97f65a39d30415373f635f71de61f4d43b77428a74288f92c79b36f54dce179841cbafb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/3372-12-0x00007FFF07AB0000-0x00007FFF07AB1000-memory.dmp

Filesize
4KB

Download
memory/3372-11-0x00007FFF06FC0000-0x00007FFF06FC1000-memory.dmp

Filesize
4KB

Download
memory/4148-6-0x00007FFF06F80000-0x00007FFF06F81000-memory.dmp

Filesize
4KB

Download
memory/4596-65-0x000001FBD3810000-0x000001FBD3811000-memory.dmp

Filesize
4KB

Download
memory/4596-63-0x000001FBD3810000-0x000001FBD3811000-memory.dmp

Filesize
4KB

Download
memory/4596-64-0x000001FBD3810000-0x000001FBD3811000-memory.dmp

Filesize
4KB

Download
memory/4596-69-0x000001FBD3810000-0x000001FBD3811000-memory.dmp

Filesize
4KB

Download
memory/4596-71-0x000001FBD3810000-0x000001FBD3811000-memory.dmp

Filesize
4KB

Download
memory/4596-75-0x000001FBD3810000-0x000001FBD3811000-memory.dmp

Filesize
4KB

Download
memory/4596-74-0x000001FBD3810000-0x000001FBD3811000-memory.dmp

Filesize
4KB

Download
memory/4596-73-0x000001FBD3810000-0x000001FBD3811000-memory.dmp

Filesize
4KB

Download
memory/4596-72-0x000001FBD3810000-0x000001FBD3811000-memory.dmp

Filesize
4KB

Download
memory/4596-70-0x000001FBD3810000-0x000001FBD3811000-memory.dmp

Filesize
4KB

Download