ce4086304354e6b6b38980304fba8bd81af0584373ef6f20c942973872a28320

Analysis

max time kernel
138s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2023 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VoicemodSetup_2.44.1.0.exe
Size

111.3MB
MD5

ae1d130e21a0da1a118e54fd5836f4d7
SHA1

b9b227b2b0651d8f1e9a6440f7e182c271879a05
SHA256

ce4086304354e6b6b38980304fba8bd81af0584373ef6f20c942973872a28320
SHA512

569d173ab372167fbe9eb85ccd246cfe91652f8fe9a48fc752ead9dacd554dc59270717976a982ffbf90508cf6257d086bad0dddc1319dc2a99761255aa14cc5
SSDEEP

3145728:bVX2CAhbOmul06PlsCFiBP/BCF7NabyP2iKeaxv:bp2pGShI7yyuiKeYv

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4316	VoicemodSetup_2.44.1.0.tmp

Loads dropped DLL 3 IoCs

pid	Process
4316	VoicemodSetup_2.44.1.0.tmp
4316	VoicemodSetup_2.44.1.0.tmp
4316	VoicemodSetup_2.44.1.0.tmp

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1584	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1584	tasklist.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 4316	2084	VoicemodSetup_2.44.1.0.exe	81
PID 2084 wrote to memory of 4316	2084	VoicemodSetup_2.44.1.0.exe	81
PID 2084 wrote to memory of 4316	2084	VoicemodSetup_2.44.1.0.exe	81
PID 4316 wrote to memory of 2164	4316	VoicemodSetup_2.44.1.0.tmp	82
PID 4316 wrote to memory of 2164	4316	VoicemodSetup_2.44.1.0.tmp	82
PID 4316 wrote to memory of 2820	4316	VoicemodSetup_2.44.1.0.tmp	84
PID 4316 wrote to memory of 2820	4316	VoicemodSetup_2.44.1.0.tmp	84
PID 4316 wrote to memory of 4188	4316	VoicemodSetup_2.44.1.0.tmp	86
PID 4316 wrote to memory of 4188	4316	VoicemodSetup_2.44.1.0.tmp	86
PID 4188 wrote to memory of 1584	4188	cmd.exe	88
PID 4188 wrote to memory of 1584	4188	cmd.exe	88
PID 4316 wrote to memory of 5100	4316	VoicemodSetup_2.44.1.0.tmp	90
PID 4316 wrote to memory of 5100	4316	VoicemodSetup_2.44.1.0.tmp	90
PID 4316 wrote to memory of 2828	4316	VoicemodSetup_2.44.1.0.tmp	94
PID 4316 wrote to memory of 2828	4316	VoicemodSetup_2.44.1.0.tmp	94
PID 4316 wrote to memory of 228	4316	VoicemodSetup_2.44.1.0.tmp	97
PID 4316 wrote to memory of 228	4316	VoicemodSetup_2.44.1.0.tmp	97
PID 4316 wrote to memory of 2884	4316	VoicemodSetup_2.44.1.0.tmp	102
PID 4316 wrote to memory of 2884	4316	VoicemodSetup_2.44.1.0.tmp	102

C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.44.1.0.exe
"C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.44.1.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\is-E3Q1T.tmp\VoicemodSetup_2.44.1.0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-E3Q1T.tmp\VoicemodSetup_2.44.1.0.tmp" /SL5="$70224,115956117,720896,C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.44.1.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -v https://wsw.voicemod.net/api.windows/v2/webutils/getAnonymousId/?initialUuid=ecc70296-7405-4ae7-81c8-95373cc69196 -o C:\Users\Admin\AppData\Local\Temp\is-23BHF.tmp\deviceId.txt
    3⤵
    PID:2164
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"955da56d-ac1a-44e3-bd71-83d2fbdd237e\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"955da56d-ac1a-44e3-bd71-83d2fbdd237e\"},\"mp_deviceid\": \"955da56d-ac1a-44e3-bd71-83d2fbdd237e\",\"events\": [{\"data\": {\"event_name\": \"Installer Open\" , \"custom_attributes\": { \"version\": \"2.44.1.0\", \"machine_guid\": \"ecc70296-7405-4ae7-81c8-95373cc69196\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"False\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:2820
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_unins000.exe.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1584
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"955da56d-ac1a-44e3-bd71-83d2fbdd237e\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"955da56d-ac1a-44e3-bd71-83d2fbdd237e\"},\"mp_deviceid\": \"955da56d-ac1a-44e3-bd71-83d2fbdd237e\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpWelcome\" , \"custom_attributes\": { \"version\": \"2.44.1.0\", \"machine_guid\": \"ecc70296-7405-4ae7-81c8-95373cc69196\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"1\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:5100
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"955da56d-ac1a-44e3-bd71-83d2fbdd237e\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"955da56d-ac1a-44e3-bd71-83d2fbdd237e\"},\"mp_deviceid\": \"955da56d-ac1a-44e3-bd71-83d2fbdd237e\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpLicense\" , \"custom_attributes\": { \"version\": \"2.44.1.0\", \"machine_guid\": \"ecc70296-7405-4ae7-81c8-95373cc69196\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:2828
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"955da56d-ac1a-44e3-bd71-83d2fbdd237e\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"955da56d-ac1a-44e3-bd71-83d2fbdd237e\"},\"mp_deviceid\": \"955da56d-ac1a-44e3-bd71-83d2fbdd237e\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpSelectDir\" , \"custom_attributes\": { \"version\": \"2.44.1.0\", \"machine_guid\": \"ecc70296-7405-4ae7-81c8-95373cc69196\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"6\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:228
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"955da56d-ac1a-44e3-bd71-83d2fbdd237e\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"955da56d-ac1a-44e3-bd71-83d2fbdd237e\"},\"mp_deviceid\": \"955da56d-ac1a-44e3-bd71-83d2fbdd237e\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpSelectTasks\" , \"custom_attributes\": { \"version\": \"2.44.1.0\", \"machine_guid\": \"ecc70296-7405-4ae7-81c8-95373cc69196\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"9\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
    3⤵
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-23BHF.tmp\bg-bottom.png

Filesize
1KB

MD5
a85701bbac20a65391e4e202afc96204

SHA1
a0e73596a79baaa29fbbb368bd132e3ee49d3b03

SHA256
7e3058acb23e999d1ddfdea122afd33bc487b075c2a966affeec4d38cdbb738f

SHA512
55b1015a0d6a613104ae7edb64a59d198a176ee4fc0c32d9f1af1e7ad577af606adf55ea5586ad25443fb9ea9e770dbc2267301027c1a5f3db5eff928086a27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-23BHF.tmp\bg-inner.png

Filesize
964B

MD5
4a1378ccbcbcf4a320bfc4d63aabef36

SHA1
8f17dc3df0a7310ab4a3914a81b7f5576e5546a5

SHA256
f3640a78436c8f83c8b055c74da597e239524201df4ae6db52a3141a1a47699a

SHA512
6800224d90fb8c00f31b51a485b90ce0fbc26aea993484a148981d9ef41ee0ff712d43816c1f8ef8b511165de70683ad98202baf27d1a7fb9f31aa88ff17836e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-23BHF.tmp\bg-top.png

Filesize
32KB

MD5
dc19715992c0051d1456308b41f04e98

SHA1
85abf86dd0e738638fff84ecd44e5b3cdbb4b96d

SHA256
86bfe5acda1b1fc9bc8f205a58c824ad58179925d2ceae11b2a341122604457d

SHA512
2f7b3bfa6c084b830213996f7691b6abcb9efd0ac44da4739972758b4eab0478e46761d8590fcea03d2902909c2c992f1eed1ef48e353a05ba67c06189d2117f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-23BHF.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-23BHF.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-23BHF.tmp\buttons.png

Filesize
1KB

MD5
87cc673665996a85a404beb1c8466aee

SHA1
df01fc67a739544244a0ddabd0f818bd960bf071

SHA256
d236f88ef90e6d0e259a586f4e613b14d4a35f3a704ff559dadda31341e99c24

SHA512
2058e3fd362c689a78fb3d0a163fd21bfe472368649c43dc8e48b24fa4bc5ed1307faf1cab2c351a4dd28f903a72d4951a72d7eb27784fee405884661a259c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-23BHF.tmp\deviceId.txt

Filesize
36B

MD5
a4e69a31a7209ac540bd86e3ed45fac4

SHA1
0fdd10e59c0858b9839b3a7f996e2fb4aa9777a0

SHA256
b5adbc47cacd00df2fc21bbf70fd383d2df7491645627dc721acfb35380c41fe

SHA512
506cc80712ae77a32e50335032a2f0f58603ab54c816f27744aa3767dedf9c5358e6c99f44ae50135b00b7fcd19902940f9a4cfff513efc400860d953da2df93

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-23BHF.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E3Q1T.tmp\VoicemodSetup_2.44.1.0.tmp

Filesize
2.4MB

MD5
398aeafaab81de7876bc093f628ca49e

SHA1
5a452368a2a61dc7b2c2b231a741e7ea0c3ff4ce

SHA256
abefebabae0dd61e1c72a3d960e07cda8e2cf24682054a484cbef6921845d21d

SHA512
7db213686ebd604b4ef52610cabfdbacac5b0931d45a28521ebc9fa4b8bc4c0d2ec1c660d26147874e62b7226379a8f2550dd4db00e27c03d3b44c4b609ec781

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist_unins000.exe.txt

Filesize
6KB

MD5
17faa1734665421923ba456d59b33c96

SHA1
29f1ac9f05c672647c5d0ea783261e18a4759198

SHA256
3cf36d9f705a4205defeb3c97ffc631089a1903a98dc38f0251ae748062aca4d

SHA512
4382908620f1cd5bd0807a28055027019061384404e8460412f8f01c51cf37c3271214ac577a0d7ea73df155f85fc08f529966e9165cf87dedad5ec965f90df3

Download Submit
memory/2084-101-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2084-137-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2084-1-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4316-80-0x00000000022E0000-0x0000000002420000-memory.dmp

Filesize
1.2MB

Download
memory/4316-104-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/4316-95-0x00000000022E0000-0x0000000002420000-memory.dmp

Filesize
1.2MB

Download
memory/4316-100-0x0000000003860000-0x00000000039A0000-memory.dmp

Filesize
1.2MB

Download
memory/4316-85-0x00000000022E0000-0x0000000002420000-memory.dmp

Filesize
1.2MB

Download
memory/4316-102-0x00000000022E0000-0x0000000002420000-memory.dmp

Filesize
1.2MB

Download
memory/4316-103-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/4316-90-0x00000000022E0000-0x0000000002420000-memory.dmp

Filesize
1.2MB

Download
memory/4316-105-0x0000000003820000-0x000000000382E000-memory.dmp

Filesize
56KB

Download
memory/4316-107-0x00000000022E0000-0x0000000002420000-memory.dmp

Filesize
1.2MB

Download
memory/4316-108-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/4316-26-0x0000000003820000-0x000000000382E000-memory.dmp

Filesize
56KB

Download
memory/4316-135-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/4316-6-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download