4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

14/04/2025, 07:51

250414-jp1kfssjz9 10

14/04/2025, 07:46

250414-jl9nyssjt9 10

08/04/2025, 15:58

250408-tevasswl18 10

08/04/2025, 14:19

250408-rm2nqsvqw2 10

Analysis

max time kernel
104s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f812ad48d0a6d53611389e30fd8ae9f80a245fe3360b52dc833f6bf7b7b7859b.exe
Size

135KB
MD5

5269f6855d30bdd88ba0d88453c8e722
SHA1

d87ffc99e105315bebfef48296f6b0e6e87ae5cf
SHA256

f812ad48d0a6d53611389e30fd8ae9f80a245fe3360b52dc833f6bf7b7b7859b
SHA512

7ab21f5e7d7fd6bb2149b80582bc50711941bce8128c26d48710c8e9a60d3eff153ab3f39696451b1a946da052b3dd2a4de444b9bb9e6bdb884bcbe03f654819
SSDEEP

1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjKE:xPd4n/M+WLcilrpgGH/GwY87mVmIXU

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	f812ad48d0a6d53611389e30fd8ae9f80a245fe3360b52dc833f6bf7b7b7859b.exe

Executes dropped EXE 2 IoCs

pid	Process
1768	wn2ra4ohzdr.exe
1040	wn2ra4ohzdr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raj4dkhhiap = "C:\\Users\\Admin\\AppData\\Roaming\\raj4dkhhiap\\wn2ra4ohzdr.exe"	f812ad48d0a6d53611389e30fd8ae9f80a245fe3360b52dc833f6bf7b7b7859b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f812ad48d0a6d53611389e30fd8ae9f80a245fe3360b52dc833f6bf7b7b7859b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wn2ra4ohzdr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wn2ra4ohzdr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 1768	1124	cmd.exe	96
PID 1124 wrote to memory of 1768	1124	cmd.exe	96
PID 1124 wrote to memory of 1768	1124	cmd.exe	96
PID 3636 wrote to memory of 1040	3636	f812ad48d0a6d53611389e30fd8ae9f80a245fe3360b52dc833f6bf7b7b7859b.exe	99
PID 3636 wrote to memory of 1040	3636	f812ad48d0a6d53611389e30fd8ae9f80a245fe3360b52dc833f6bf7b7b7859b.exe	99
PID 3636 wrote to memory of 1040	3636	f812ad48d0a6d53611389e30fd8ae9f80a245fe3360b52dc833f6bf7b7b7859b.exe	99
PID 1768 wrote to memory of 5036	1768	wn2ra4ohzdr.exe	100
PID 1768 wrote to memory of 5036	1768	wn2ra4ohzdr.exe	100
PID 1768 wrote to memory of 5036	1768	wn2ra4ohzdr.exe	100
PID 1040 wrote to memory of 1168	1040	wn2ra4ohzdr.exe	101
PID 1040 wrote to memory of 1168	1040	wn2ra4ohzdr.exe	101
PID 1040 wrote to memory of 1168	1040	wn2ra4ohzdr.exe	101

C:\Users\Admin\AppData\Local\Temp\f812ad48d0a6d53611389e30fd8ae9f80a245fe3360b52dc833f6bf7b7b7859b.exe
"C:\Users\Admin\AppData\Local\Temp\f812ad48d0a6d53611389e30fd8ae9f80a245fe3360b52dc833f6bf7b7b7859b.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
  "C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
    "C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
    3⤵
    PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
  C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
    "C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
    3⤵
    PID:5036

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wn2ra4ohzdr.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe

Filesize
135KB

MD5
35ffe91cd7572f7feae45f4bdcbfa33b

SHA1
16961090ebb1276bdd73e154cbebd4228720c74a

SHA256
541f542a54de7063680511209831ba3f8d93b06c939d3f29d2c2e3a11e532c3f

SHA512
0295c4be6cfedb8c6f7ad49c7d9ffc9095e7c80e5e0f2496e974b9b971cb6a3953a66487f7397d8d0f1d25a7b2ac6bb3c61a7d0780fcf328e4991c51c763b64a

Download Submit
memory/1040-24-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/1040-20-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/1040-18-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/1768-12-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/1768-13-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/1768-19-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/1768-22-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3636-6-0x0000000005B40000-0x0000000005B60000-memory.dmp

Filesize
128KB

Download
memory/3636-5-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3636-0-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download
memory/3636-14-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download
memory/3636-17-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3636-4-0x00000000059E0000-0x00000000059EA000-memory.dmp

Filesize
40KB

Download
memory/3636-3-0x0000000005A40000-0x0000000005AD2000-memory.dmp

Filesize
584KB

Download
memory/3636-2-0x0000000005F50000-0x00000000064F4000-memory.dmp

Filesize
5.6MB

Download
memory/3636-1-0x0000000000FC0000-0x0000000000FE8000-memory.dmp

Filesize
160KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads