Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 20:55
Static task: static1
Behavioral task: behavioral1 (Sample: Charow.exe, Resource: win10-20240404-en)
Behavioral task: behavioral2 (Sample: Charow.exe, Resource: win10v2004-20240508-en)
Behavioral task: behavioral3 (Sample: Charow.exe, Resource: win11-20240508-en)
Behavioral task: behavioral4 (Sample: Charow.exe, Resource: win10-20240404-en)
Behavioral task: behavioral5 (Sample: Charow.exe, Resource: win10v2004-20240508-en)
General
Target: Charow.exe
Size: 140.1MB
MD5: 635241963c80f1b340c65dfd306f554e
SHA1: 859bab3fbcc146b573f20d9a42104fa15cd1a1f8
SHA256: 50136550410d93d341dc6fadc1e895c8d661f46c11f4dae4aabcd9c553399f3b
SHA512: 56ddb69e1d6f0d4309911c1549c45a11f7b6afda4529e266d8ea3620041742f381edb6e5acac031cf1cdd57b1c7b5c2877751bd3e5d19bd357ecfef7b829b70d
SSDEEP: 1572864:42Cm7gJKfVjsPawuFHNwczWTeMkF7ZEk8bCkKbj:/aodJFek8+k
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                  Process
  Key value queried   \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  Charow.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  Charow.exe
Loads dropped DLL (1 IoCs)
  pid    Process
  1228   Charow.exe
Looks up external IP address via web service (8 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  22     ipinfo.io
  23     ipinfo.io
  2      ipinfo.io
  6      ipinfo.io
  16     ipinfo.io
  17     ipinfo.io
  19     ipinfo.io
  20     ipinfo.io
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    Process
  4596   Charow.exe
  4596   Charow.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                        pid    Process
  Token: SeShutdownPrivilege         1228   Charow.exe
  Token: SeCreatePagefilePrivilege   1228   Charow.exe
  (the report repeats these two rows in alternation, 64 entries in total, all for pid 1228)
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid    Process
  1228   Charow.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid    Process      procid_target
  PID 1228 wrote to memory of 4148   1228   Charow.exe   83
  PID 1228 wrote to memory of 1216   1228   Charow.exe   84
  PID 1228 wrote to memory of 3372   1228   Charow.exe   85
  (the report repeats each of these rows, 64 entries in total; every write originates from pid 1228 and targets one of its child processes 4148, 1216 or 3372)
Processes
C:\Users\Admin\AppData\Local\Temp\Charow.exe  (PID:1228)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Charow.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Charow.exe  (PID:4148)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Charow.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Charow" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1828,i,1649055707127811610,18230555927582101206,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

  C:\Users\Admin\AppData\Local\Temp\Charow.exe  (PID:1216)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Charow.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Charow" --mojo-platform-channel-handle=2100 --field-trial-handle=1828,i,1649055707127811610,18230555927582101206,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

  C:\Users\Admin\AppData\Local\Temp\Charow.exe  (PID:3372)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Charow.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Charow" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2356 --field-trial-handle=1828,i,1649055707127811610,18230555927582101206,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
    - Checks computer location settings

  C:\Users\Admin\AppData\Local\Temp\Charow.exe  (PID:4596)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Charow.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Charow" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2664 --field-trial-handle=1828,i,1649055707127811610,18230555927582101206,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 642KB
MD5: 7e83729e3fb724a15e69e85660dca443
SHA1: 1d35585d2813c6e051840edcb17da5223877597b
SHA256: 8409ee5a2cb80c310128e62221d17a19e9f562ba808a96995e8892295dadeef4
SHA512: befb0cd52308d54ff5b6fb43e629de02ec05054b6b4e594f904486d8c97f65a39d30415373f635f71de61f4d43b77428a74288f92c79b36f54dce179841cbafb

Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84