ce4086304354e6b6b38980304fba8bd81af0584373ef6f20c942973872a28320

Analysis

max time kernel
143s
max time network
127s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
26/08/2023, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VoicemodSetup_2.44.1.0.exe
Size

111.3MB
MD5

ae1d130e21a0da1a118e54fd5836f4d7
SHA1

b9b227b2b0651d8f1e9a6440f7e182c271879a05
SHA256

ce4086304354e6b6b38980304fba8bd81af0584373ef6f20c942973872a28320
SHA512

569d173ab372167fbe9eb85ccd246cfe91652f8fe9a48fc752ead9dacd554dc59270717976a982ffbf90508cf6257d086bad0dddc1319dc2a99761255aa14cc5
SSDEEP

3145728:bVX2CAhbOmul06PlsCFiBP/BCF7NabyP2iKeaxv:bp2pGShI7yyuiKeYv

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2620	VoicemodSetup_2.44.1.0.tmp
1708	curl.exe

Loads dropped DLL 5 IoCs

pid	Process
1856	VoicemodSetup_2.44.1.0.exe
2620	VoicemodSetup_2.44.1.0.tmp
2620	VoicemodSetup_2.44.1.0.tmp
2472	Process not Found
2620	VoicemodSetup_2.44.1.0.tmp

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2900	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	tasklist.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2620	1856	VoicemodSetup_2.44.1.0.exe	28
PID 1856 wrote to memory of 2620	1856	VoicemodSetup_2.44.1.0.exe	28
PID 1856 wrote to memory of 2620	1856	VoicemodSetup_2.44.1.0.exe	28
PID 1856 wrote to memory of 2620	1856	VoicemodSetup_2.44.1.0.exe	28
PID 1856 wrote to memory of 2620	1856	VoicemodSetup_2.44.1.0.exe	28
PID 1856 wrote to memory of 2620	1856	VoicemodSetup_2.44.1.0.exe	28
PID 1856 wrote to memory of 2620	1856	VoicemodSetup_2.44.1.0.exe	28
PID 2620 wrote to memory of 1708	2620	VoicemodSetup_2.44.1.0.tmp	29
PID 2620 wrote to memory of 1708	2620	VoicemodSetup_2.44.1.0.tmp	29
PID 2620 wrote to memory of 1708	2620	VoicemodSetup_2.44.1.0.tmp	29
PID 2620 wrote to memory of 1708	2620	VoicemodSetup_2.44.1.0.tmp	29
PID 2620 wrote to memory of 2112	2620	VoicemodSetup_2.44.1.0.tmp	31
PID 2620 wrote to memory of 2112	2620	VoicemodSetup_2.44.1.0.tmp	31
PID 2620 wrote to memory of 2112	2620	VoicemodSetup_2.44.1.0.tmp	31
PID 2620 wrote to memory of 2112	2620	VoicemodSetup_2.44.1.0.tmp	31
PID 2112 wrote to memory of 2900	2112	cmd.exe	33
PID 2112 wrote to memory of 2900	2112	cmd.exe	33
PID 2112 wrote to memory of 2900	2112	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.44.1.0.exe
"C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.44.1.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\is-IJ7HG.tmp\VoicemodSetup_2.44.1.0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IJ7HG.tmp\VoicemodSetup_2.44.1.0.tmp" /SL5="$80124,115956117,720896,C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.44.1.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\is-BS9GV.tmp\curl.exe
    "C:\Users\Admin\AppData\Local\Temp\is-BS9GV.tmp\curl.exe" -v https://wsw.voicemod.net/api.windows/v2/webutils/getAnonymousId/?initialUuid=2adee1ad-2a99-4d45-8cbe-92640edff60b -o C:\Users\Admin\AppData\Local\Temp\is-BS9GV.tmp\deviceId.txt
    3⤵
    - Executes dropped EXE
    PID:1708
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_unins000.exe.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-BS9GV.tmp\bg-inner.png

Filesize
964B

MD5
4a1378ccbcbcf4a320bfc4d63aabef36

SHA1
8f17dc3df0a7310ab4a3914a81b7f5576e5546a5

SHA256
f3640a78436c8f83c8b055c74da597e239524201df4ae6db52a3141a1a47699a

SHA512
6800224d90fb8c00f31b51a485b90ce0fbc26aea993484a148981d9ef41ee0ff712d43816c1f8ef8b511165de70683ad98202baf27d1a7fb9f31aa88ff17836e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BS9GV.tmp\bg-top.png

Filesize
32KB

MD5
dc19715992c0051d1456308b41f04e98

SHA1
85abf86dd0e738638fff84ecd44e5b3cdbb4b96d

SHA256
86bfe5acda1b1fc9bc8f205a58c824ad58179925d2ceae11b2a341122604457d

SHA512
2f7b3bfa6c084b830213996f7691b6abcb9efd0ac44da4739972758b4eab0478e46761d8590fcea03d2902909c2c992f1eed1ef48e353a05ba67c06189d2117f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BS9GV.tmp\buttons.png

Filesize
1KB

MD5
87cc673665996a85a404beb1c8466aee

SHA1
df01fc67a739544244a0ddabd0f818bd960bf071

SHA256
d236f88ef90e6d0e259a586f4e613b14d4a35f3a704ff559dadda31341e99c24

SHA512
2058e3fd362c689a78fb3d0a163fd21bfe472368649c43dc8e48b24fa4bc5ed1307faf1cab2c351a4dd28f903a72d4951a72d7eb27784fee405884661a259c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BS9GV.tmp\curl.exe

Filesize
5.4MB

MD5
4cd044c22a2fdbb361eb9c9b14fe623a

SHA1
b85779cb56508c1630bdf3d6e43b15a8b9d19eb9

SHA256
6945c565514d907739fb324b551f3f909cb4955443a248c693887ebdf9e291ce

SHA512
abc7a3177f828f9e6f39e1bdff7a11c71e831612fa2481ba6e58c6911b662cfb24f294a35d9abf55df81916d635667a5cb5e062ae164b1b2ff1acae7ac0ba66f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IJ7HG.tmp\VoicemodSetup_2.44.1.0.tmp

Filesize
2.4MB

MD5
398aeafaab81de7876bc093f628ca49e

SHA1
5a452368a2a61dc7b2c2b231a741e7ea0c3ff4ce

SHA256
abefebabae0dd61e1c72a3d960e07cda8e2cf24682054a484cbef6921845d21d

SHA512
7db213686ebd604b4ef52610cabfdbacac5b0931d45a28521ebc9fa4b8bc4c0d2ec1c660d26147874e62b7226379a8f2550dd4db00e27c03d3b44c4b609ec781

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist_unins000.exe.txt

Filesize
2KB

MD5
938b1d40e4cf5c226ada8ba8c641b16b

SHA1
2c088be1e3310c57b36631fdf558dee38b58bb9b

SHA256
a165f15899aeafc291e8f391f05d338f97a5adc63cea78e2713e4638fe0c5e45

SHA512
159856c1f95746da2c29e852406062bd4f92100295e48460ff4c40ebd78fa7f096b5200a65c78eeee734f6a65260950aeb2f0d1f60e7e4a742ec5464991b9377

Download Submit
\Users\Admin\AppData\Local\Temp\is-BS9GV.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
\Users\Admin\AppData\Local\Temp\is-BS9GV.tmp\curl.exe

Filesize
5.4MB

MD5
4cd044c22a2fdbb361eb9c9b14fe623a

SHA1
b85779cb56508c1630bdf3d6e43b15a8b9d19eb9

SHA256
6945c565514d907739fb324b551f3f909cb4955443a248c693887ebdf9e291ce

SHA512
abc7a3177f828f9e6f39e1bdff7a11c71e831612fa2481ba6e58c6911b662cfb24f294a35d9abf55df81916d635667a5cb5e062ae164b1b2ff1acae7ac0ba66f

Download Submit
\Users\Admin\AppData\Local\Temp\is-BS9GV.tmp\curl.exe

Filesize
5.4MB

MD5
4cd044c22a2fdbb361eb9c9b14fe623a

SHA1
b85779cb56508c1630bdf3d6e43b15a8b9d19eb9

SHA256
6945c565514d907739fb324b551f3f909cb4955443a248c693887ebdf9e291ce

SHA512
abc7a3177f828f9e6f39e1bdff7a11c71e831612fa2481ba6e58c6911b662cfb24f294a35d9abf55df81916d635667a5cb5e062ae164b1b2ff1acae7ac0ba66f

Download Submit
\Users\Admin\AppData\Local\Temp\is-BS9GV.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\is-IJ7HG.tmp\VoicemodSetup_2.44.1.0.tmp

Filesize
2.4MB

MD5
398aeafaab81de7876bc093f628ca49e

SHA1
5a452368a2a61dc7b2c2b231a741e7ea0c3ff4ce

SHA256
abefebabae0dd61e1c72a3d960e07cda8e2cf24682054a484cbef6921845d21d

SHA512
7db213686ebd604b4ef52610cabfdbacac5b0931d45a28521ebc9fa4b8bc4c0d2ec1c660d26147874e62b7226379a8f2550dd4db00e27c03d3b44c4b609ec781

Download Submit
memory/1708-22-0x0000000000F40000-0x00000000014A8000-memory.dmp

Filesize
5.4MB

Download
memory/1856-13-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1856-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2620-16-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2620-33-0x0000000003370000-0x000000000337E000-memory.dmp

Filesize
56KB

Download
memory/2620-15-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/2620-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2620-87-0x0000000001F80000-0x00000000020C0000-memory.dmp

Filesize
1.2MB

Download
memory/2620-92-0x0000000001F80000-0x00000000020C0000-memory.dmp

Filesize
1.2MB

Download
memory/2620-97-0x0000000001F80000-0x00000000020C0000-memory.dmp

Filesize
1.2MB

Download
memory/2620-102-0x0000000001F80000-0x00000000020C0000-memory.dmp

Filesize
1.2MB

Download
memory/2620-107-0x00000000033B0000-0x00000000034F0000-memory.dmp

Filesize
1.2MB

Download
memory/2620-109-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/2620-110-0x0000000003370000-0x000000000337E000-memory.dmp

Filesize
56KB

Download
memory/2620-116-0x0000000003370000-0x000000000337E000-memory.dmp

Filesize
56KB

Download