bd599fe01019469d0f408733761a9785c65281d5a870eec8088472e81fa0f65b

Analysis

max time kernel
136s
max time network
175s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
29/06/2023, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55CE9A9A56208D47A508F277AF4A1F84.exe
Size

476KB
MD5

55ce9a9a56208d47a508f277af4a1f84
SHA1

353b99a87e7ba8e0c9866e9bf5bc7a56628a3cba
SHA256

bd599fe01019469d0f408733761a9785c65281d5a870eec8088472e81fa0f65b
SHA512

dd93b798c29a5b502980256f5619c97b56c43003d8ca19dfc0c916bdfaf4c09f5f0941f9be2e4ace6a71f639bf47303d08d54aa8888bb8a7b125e08cd9f8da13
SSDEEP

3072:AkBGWOsTIJgIDU5A/cto68pMABlZQ2wpFD0raM6GYDxJ0yQfxJG:A1ssjn5Mp2w7g+MbSt

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1472	VoiceAI-Installer.exe

Loads dropped DLL 6 IoCs

pid	Process
1908	55CE9A9A56208D47A508F277AF4A1F84.exe
1908	55CE9A9A56208D47A508F277AF4A1F84.exe
1908	55CE9A9A56208D47A508F277AF4A1F84.exe
1908	55CE9A9A56208D47A508F277AF4A1F84.exe
1908	55CE9A9A56208D47A508F277AF4A1F84.exe
1908	55CE9A9A56208D47A508F277AF4A1F84.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Voice.ai\a.log	55CE9A9A56208D47A508F277AF4A1F84.exe
File created	C:\Program Files\Voice.ai\meta	55CE9A9A56208D47A508F277AF4A1F84.exe
File created	C:\Program Files\Voice.ai\VoiceAI-Installer.exe	55CE9A9A56208D47A508F277AF4A1F84.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x00060000000146cb-103.dat	nsis_installer_1
behavioral1/files/0x00060000000146cb-103.dat	nsis_installer_2
behavioral1/files/0x00060000000146cb-106.dat	nsis_installer_1
behavioral1/files/0x00060000000146cb-106.dat	nsis_installer_2
behavioral1/files/0x00060000000146cb-107.dat	nsis_installer_1
behavioral1/files/0x00060000000146cb-107.dat	nsis_installer_2

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	55CE9A9A56208D47A508F277AF4A1F84.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	55CE9A9A56208D47A508F277AF4A1F84.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1908	55CE9A9A56208D47A508F277AF4A1F84.exe
1908	55CE9A9A56208D47A508F277AF4A1F84.exe
1908	55CE9A9A56208D47A508F277AF4A1F84.exe
1908	55CE9A9A56208D47A508F277AF4A1F84.exe
1908	55CE9A9A56208D47A508F277AF4A1F84.exe
1908	55CE9A9A56208D47A508F277AF4A1F84.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1472	1908	55CE9A9A56208D47A508F277AF4A1F84.exe	28
PID 1908 wrote to memory of 1472	1908	55CE9A9A56208D47A508F277AF4A1F84.exe	28
PID 1908 wrote to memory of 1472	1908	55CE9A9A56208D47A508F277AF4A1F84.exe	28
PID 1908 wrote to memory of 1472	1908	55CE9A9A56208D47A508F277AF4A1F84.exe	28
PID 1908 wrote to memory of 1472	1908	55CE9A9A56208D47A508F277AF4A1F84.exe	28
PID 1908 wrote to memory of 1472	1908	55CE9A9A56208D47A508F277AF4A1F84.exe	28
PID 1908 wrote to memory of 1472	1908	55CE9A9A56208D47A508F277AF4A1F84.exe	28

C:\Users\Admin\AppData\Local\Temp\55CE9A9A56208D47A508F277AF4A1F84.exe
"C:\Users\Admin\AppData\Local\Temp\55CE9A9A56208D47A508F277AF4A1F84.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Program Files\Voice.ai\VoiceAI-Installer.exe
  "C:\Program Files\Voice.ai\VoiceAI-Installer.exe" /path "C:\Program Files\Voice.ai"
  2⤵
  - Executes dropped EXE
  PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Voice.ai\VoiceAI-Installer.exe

Filesize
239.2MB

MD5
650bc7735fdacc5ae91179db1d2ceb63

SHA1
baf856fb6fcf937b0205aa8a6cf7f878951a7a8a

SHA256
bebe2ee16f2ad2066d66702c0e7b7f9e50f873858ba1e0a6de04ed66481521a9

SHA512
9f79aa1646e36c05af8c1eb30272520747b85bfdf505eb81b2feb233f4457c5f03bc19533f3ddb1f0fbb11ba034d7f0a6d44742706075438c9cd6c4ba463e6d8

Download Submit
C:\Program Files\Voice.ai\VoiceAI-Installer.exe

Filesize
240.7MB

MD5
7563eb866e235beae1420756baab33bc

SHA1
f83cae813c230457a7c1df35bca3f660adda3d5d

SHA256
07036aa36871895d21aec681a7bdc69714b6dc1ef312efcce2e70ed33af0936d

SHA512
c0401046165909bae5e6c4ae5e7450eccd1eff031280e4b95f98e3d0effc165e6b9a3200a26c8051cb5355c85fcb058e9e7c1e77d379c679d221da1b4e822c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA3DF.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Program Files\Voice.ai\VoiceAI-Installer.exe

Filesize
237.8MB

MD5
3265376f67519f9e307ea480fdd36b04

SHA1
b44382e33929224657ad3b893470433774196752

SHA256
f3bda139658c2e88a8ba52bce08713e6b5dbf8fe5fd6fe3c284ce5fc88307c38

SHA512
64602c6f849085980b66db7d89c702ad352dbb7c56c9294df2a84a363f76967c57838fd23ec2ec320ba026552a067ae054366abd5b673696f54fddef430d92f0

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA3DF.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA3DF.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA3DF.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA3DF.tmp\System.dll

Filesize
12KB

MD5
792b6f86e296d3904285b2bf67ccd7e0

SHA1
966b16f84697552747e0ddd19a4ba8ab5083af31

SHA256
c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917

SHA512
97edc3410b88ca31abc0af0324258d2b59127047810947d0fb5e7e12957db34d206ffd70a0456add3a26b0546643ff0234124b08423c2c9ffe9bdec6eb210f2c

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA3DF.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit