73fd45821fd876a3ed29440f33a1010dfafac77a784e188a6ae5f4eb6b93f5e3

General

Target

73fd45821fd876a3ed29440f33a1010dfafac77a784e188a6ae5f4eb6b93f5e3N.exe
Size

139KB
MD5

64e3b91e8bead6f24e9b82ddc03e5fd0
SHA1

4ebde9a4ff2e48a118d5e3e75b8901422ea85567
SHA256

73fd45821fd876a3ed29440f33a1010dfafac77a784e188a6ae5f4eb6b93f5e3
SHA512

0888718dc2c303d2f91a92231759895a823e2427ca902bbd47738ce303f55a6c60f7b00181ca0c690e74cd4f022dff1e6534b6bcfba249d2d4ec68a4ebe79864
SSDEEP

1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjK8:xPd4n/M+WLcilrpgGH/GwY87mVmIXLg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2940	wn2ra4ohzdr.exe

Loads dropped DLL 1 IoCs

pid	Process
1620	73fd45821fd876a3ed29440f33a1010dfafac77a784e188a6ae5f4eb6b93f5e3N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\raj4dkhhiap = "C:\\Users\\Admin\\AppData\\Roaming\\raj4dkhhiap\\wn2ra4ohzdr.exe"	73fd45821fd876a3ed29440f33a1010dfafac77a784e188a6ae5f4eb6b93f5e3N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73fd45821fd876a3ed29440f33a1010dfafac77a784e188a6ae5f4eb6b93f5e3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wn2ra4ohzdr.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2940	1620	73fd45821fd876a3ed29440f33a1010dfafac77a784e188a6ae5f4eb6b93f5e3N.exe	30
PID 1620 wrote to memory of 2940	1620	73fd45821fd876a3ed29440f33a1010dfafac77a784e188a6ae5f4eb6b93f5e3N.exe	30
PID 1620 wrote to memory of 2940	1620	73fd45821fd876a3ed29440f33a1010dfafac77a784e188a6ae5f4eb6b93f5e3N.exe	30
PID 1620 wrote to memory of 2940	1620	73fd45821fd876a3ed29440f33a1010dfafac77a784e188a6ae5f4eb6b93f5e3N.exe	30
PID 2940 wrote to memory of 2844	2940	wn2ra4ohzdr.exe	31
PID 2940 wrote to memory of 2844	2940	wn2ra4ohzdr.exe	31
PID 2940 wrote to memory of 2844	2940	wn2ra4ohzdr.exe	31
PID 2940 wrote to memory of 2844	2940	wn2ra4ohzdr.exe	31

C:\Users\Admin\AppData\Local\Temp\73fd45821fd876a3ed29440f33a1010dfafac77a784e188a6ae5f4eb6b93f5e3N.exe
"C:\Users\Admin\AppData\Local\Temp\73fd45821fd876a3ed29440f33a1010dfafac77a784e188a6ae5f4eb6b93f5e3N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
  "C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
    "C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
    3⤵
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe

Filesize
139KB

MD5
4c3fc97fcf2630f722ec7437c9b6259e

SHA1
3fcb3cd9e2104b2d1a438a5ae81e1034018044e2

SHA256
4bae73773e37e0bddbbb6a2c71b287865fcacfc6a4720900a9e120fd1c7fe5c3

SHA512
f62c482e266d4c97b322715d9a55803645a525fbd069602dfaa00e9e0628642a3c6507bcf23d5876d06a3814e9e2a9cb3970150cfbb63aff4a5935fad45da61d

Download Submit
memory/1620-0-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/1620-1-0x0000000001340000-0x0000000001368000-memory.dmp

Filesize
160KB

Download
memory/1620-2-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1620-3-0x0000000000600000-0x0000000000620000-memory.dmp

Filesize
128KB

Download
memory/1620-6-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/1620-13-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2940-14-0x0000000000290000-0x00000000002B8000-memory.dmp

Filesize
160KB

Download
memory/2940-15-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2940-16-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2940-17-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2940-18-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads