Analysis
- max time kernel: 102s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/10/2024, 02:50
Static task: static1
Behavioral task: behavioral1
- Sample: 86492b0de19cc05641ae79b1eb6a255f1851743bf617b074961912d86414a943N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2 (the win10v2004-20241007-en run whose results are reported below)
- Sample: 86492b0de19cc05641ae79b1eb6a255f1851743bf617b074961912d86414a943N.exe
- Resource: win10v2004-20241007-en
General
- Target: 86492b0de19cc05641ae79b1eb6a255f1851743bf617b074961912d86414a943N.exe
- Size: 36KB
- MD5: 410245d37abb245ff6c44186c3d4b820
- SHA1: 7206c8c9e12c2e18251bc9088e3c29916c6bb987
- SHA256: 86492b0de19cc05641ae79b1eb6a255f1851743bf617b074961912d86414a943
- SHA512: 2675691a364b441420a0c8a48b02c987c454337af613559a3955514383e28cd4d21c059cf620b6060ed67257830ec2cc2dc7e37deb9f21b41e779ea9ae96b333
- SSDEEP: 768:6/7HBXFw82t2C80lyaZ4s6hSRYYZjqzha:6/7HZFwzlyaZ6USI
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | 86492b0de19cc05641ae79b1eb6a255f1851743bf617b074961912d86414a943N.exe
- Executes dropped EXE (1 IoC)
  pid | process
  4252 | cnwog.exe
- Indicator Removal: File Deletion (1 TTP)
  Adversaries may delete files left behind by the actions of their intrusion activity. Here the dropped cnwog.exe removes its own on-disk image through a cmd.exe child (PID 2392; see the process tree below).
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 86492b0de19cc05641ae79b1eb6a255f1851743bf617b074961912d86414a943N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cnwog.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  The cmd.exe entry is the system cmd.exe launched only to run del; the sample and its drop cnwog.exe are the meaningful hits.
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | procid_target
  PID 1720 wrote to memory of 4252 | 1720 | 86492b0de19cc05641ae79b1eb6a255f1851743bf617b074961912d86414a943N.exe | 85
  PID 1720 wrote to memory of 4252 | 1720 | 86492b0de19cc05641ae79b1eb6a255f1851743bf617b074961912d86414a943N.exe | 85
  PID 1720 wrote to memory of 4252 | 1720 | 86492b0de19cc05641ae79b1eb6a255f1851743bf617b074961912d86414a943N.exe | 85
  PID 4252 wrote to memory of 2392 | 4252 | cnwog.exe | 86
  PID 4252 wrote to memory of 2392 | 4252 | cnwog.exe | 86
  PID 4252 wrote to memory of 2392 | 4252 | cnwog.exe | 86
  The two pid pairs are exactly the parent/child edges of the process tree: the sample (1720) wrote into the cnwog.exe it spawned (4252), and cnwog.exe wrote into its cmd.exe child (2392). No write to a process outside the sample's own tree is recorded.
Processes
1. C:\Users\Admin\AppData\Local\Temp\86492b0de19cc05641ae79b1eb6a255f1851743bf617b074961912d86414a943N.exe (PID 1720)
   Command line: "C:\Users\Admin\AppData\Local\Temp\86492b0de19cc05641ae79b1eb6a255f1851743bf617b074961912d86414a943N.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\cnwog.exe (PID 4252, child of 1720)
      Command line: "C:\Users\Admin\AppData\Local\Temp\cnwog.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 2392, child of 4252)
         Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\cnwog.exe >> NUL
         - System Location Discovery: System Language Discovery
The chain is: the sample drops cnwog.exe into the user's Temp directory, runs it, and cnwog.exe then spawns cmd.exe to delete its own file, discarding del's output via >> NUL. The image path is C:\Windows\SysWOW64\cmd.exe although the command line names C:\Windows\system32\cmd.exe: cnwog.exe is a 32-bit process running under WOW64, whose file system redirection maps system32 to SysWOW64.
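The drop, execute and self-delete chain in the process tree above, turned into detection logic: an added example that is not part of the Triage report or of the sample's code. It runs over process-creation events constructed here to mirror the tree (the field names pid/ppid/image/cmdline, the function names and the benign control event with PID 5000 are our own assumptions), flags a cmd.exe child whose del target is its parent's own image, and records whether that image lived in a per-user Temp directory, which is where cnwog.exe was dropped.

```python
"""
Added example (not from the Triage report or the sample): detect a process that
spawns cmd.exe to delete its own executable, the chain seen in the process tree.
Field names, function names and the events are our own constructions.
"""
import ntpath
import re
from typing import Dict, List

# Constructed events mirroring the report's process tree, plus one benign control
# (PID 5000) that deletes an unrelated file and must not alert.
EVENTS: List[Dict] = [
    {"pid": 1720, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\86492b0de19cc05641ae79b1eb6a255f1851743bf617b074961912d86414a943N.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\86492b0de19cc05641ae79b1eb6a255f1851743bf617b074961912d86414a943N.exe"'},
    {"pid": 4252, "ppid": 1720,
     "image": r"C:\Users\Admin\AppData\Local\Temp\cnwog.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\cnwog.exe"'},
    {"pid": 2392, "ppid": 4252,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\cnwog.exe >> NUL"},
    {"pid": 5000, "ppid": 4252,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\out.log"},
]

# Per-user Temp directory, the drop location seen in the report.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)

# Tokens that end the argument list of a del/erase command.
CMD_SEPARATORS = {"&", "&&", "|", "||"}


def split_cmdline(cmdline: str) -> List[str]:
    """Tokenise a Windows command line; a double-quoted string stays one token."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline)]


def norm_path(path: str) -> str:
    """Case-fold and strip quotes so paths from different sources compare equal."""
    return path.strip('"').replace("/", "\\").lower()


def deletion_targets(cmdline: str) -> List[str]:
    """Return the normalised paths named by every del/erase in the command line.

    Switches such as /f /q are skipped; the argument list ends at a redirection
    (>, >>) or a command separator (&, &&, |, ||).
    """
    toks = split_cmdline(cmdline)
    targets: List[str] = []
    i = 0
    while i < len(toks):
        if toks[i].lower() in ("del", "erase"):
            i += 1
            while (i < len(toks) and toks[i] not in CMD_SEPARATORS
                   and not toks[i].startswith(">")):
                if not toks[i].startswith("/"):
                    targets.append(norm_path(toks[i]))
                i += 1
        else:
            i += 1
    return targets


def find_self_delete_chains(events: List[Dict]) -> List[Dict]:
    """Flag cmd.exe children whose del/erase target is their parent's own image."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Dict] = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if norm_path(parent["image"]) in deletion_targets(e["cmdline"]):
            dropper = by_pid.get(parent["ppid"])  # who launched the self-deleting file
            hits.append({
                "cmd_pid": e["pid"],
                "deleted_pid": parent["pid"],
                "deleted_image": parent["image"],
                "dropper_pid": dropper["pid"] if dropper else None,
                "dropped_from_user_temp": bool(USER_TEMP_RE.match(parent["image"])),
            })
    return hits


if __name__ == "__main__":
    for hit in find_self_delete_chains(EVENTS):
        print(hit)
```

Sysmon Event ID 1 or an EDR process-creation feed supplies the same four fields. Comparing the del target against the parent's image, rather than matching on `cmd.exe /c del` alone, is what keeps ordinary cleanup commands (the PID 5000 control) from alerting.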
Network
MITRE ATT&CK Enterprise v15
Downloads
(a different file from the submitted sample: same 36KB size, different hashes)
- Filesize: 36KB
- MD5: 449e26fccfca50b494f97ca2f6a81351
- SHA1: c19854eea28fe34cb8bed579182fe7426eb6e30b
- SHA256: e15b001aeb489cbc04ffa3ad4135ef161bf53e7e5001324f351cfd4964109096
- SHA512: c24fadda2d991a82b86fab7b0dd1296e02d46fee74a677e93c31564e3c2da2d6d4a21c6df9c697396f0ac9748a10839b7dd5953c3e8806811063e06e6d004356