8ed90458d2d38abe6510377a28ccae07ab44bb0d72bdf7dfb7f7400775f2ae17

Analysis

max time kernel
204s
max time network
130s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
26/11/2023, 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VoicemodSetup_2.46.0.0.exe
Size

113.0MB
MD5

6a1079c0feb201875ab6d12db2c38c35
SHA1

38e546d7acce9b6e8e74abd45b139f79fd13cd4f
SHA256

8ed90458d2d38abe6510377a28ccae07ab44bb0d72bdf7dfb7f7400775f2ae17
SHA512

128d6203c4733473006b1afde324a2346ad7f2fa5151e9f03e14155e9e916ad6cc240abee4c00a186f26a643b69a75e06d25dac7e3d93a850b9a01f6d28d8457
SSDEEP

1572864:mSXyMuz2+zu5uxFbEOSe4TeXiZinscllPAc3Nxmc5X+a1Uyo5GyhloNy1UPhzTno:mSXyMuHQYHSWSmoc3/mc5lUiNy1UZzk

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2912	VoicemodSetup_2.46.0.0.tmp
2656	curl.exe

Loads dropped DLL 5 IoCs

pid	Process
2872	VoicemodSetup_2.46.0.0.exe
2912	VoicemodSetup_2.46.0.0.tmp
2912	VoicemodSetup_2.46.0.0.tmp
2644	Process not Found
2912	VoicemodSetup_2.46.0.0.tmp

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2312	tasklist.exe
2416	tasklist.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	tasklist.exe
Token: SeDebugPrivilege	2416	tasklist.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2912	2872	VoicemodSetup_2.46.0.0.exe	28
PID 2872 wrote to memory of 2912	2872	VoicemodSetup_2.46.0.0.exe	28
PID 2872 wrote to memory of 2912	2872	VoicemodSetup_2.46.0.0.exe	28
PID 2872 wrote to memory of 2912	2872	VoicemodSetup_2.46.0.0.exe	28
PID 2872 wrote to memory of 2912	2872	VoicemodSetup_2.46.0.0.exe	28
PID 2872 wrote to memory of 2912	2872	VoicemodSetup_2.46.0.0.exe	28
PID 2872 wrote to memory of 2912	2872	VoicemodSetup_2.46.0.0.exe	28
PID 2912 wrote to memory of 2656	2912	VoicemodSetup_2.46.0.0.tmp	31
PID 2912 wrote to memory of 2656	2912	VoicemodSetup_2.46.0.0.tmp	31
PID 2912 wrote to memory of 2656	2912	VoicemodSetup_2.46.0.0.tmp	31
PID 2912 wrote to memory of 2656	2912	VoicemodSetup_2.46.0.0.tmp	31
PID 2912 wrote to memory of 2620	2912	VoicemodSetup_2.46.0.0.tmp	33
PID 2912 wrote to memory of 2620	2912	VoicemodSetup_2.46.0.0.tmp	33
PID 2912 wrote to memory of 2620	2912	VoicemodSetup_2.46.0.0.tmp	33
PID 2912 wrote to memory of 2620	2912	VoicemodSetup_2.46.0.0.tmp	33
PID 2620 wrote to memory of 2312	2620	cmd.exe	35
PID 2620 wrote to memory of 2312	2620	cmd.exe	35
PID 2620 wrote to memory of 2312	2620	cmd.exe	35
PID 2912 wrote to memory of 2580	2912	VoicemodSetup_2.46.0.0.tmp	37
PID 2912 wrote to memory of 2580	2912	VoicemodSetup_2.46.0.0.tmp	37
PID 2912 wrote to memory of 2580	2912	VoicemodSetup_2.46.0.0.tmp	37
PID 2912 wrote to memory of 2580	2912	VoicemodSetup_2.46.0.0.tmp	37
PID 2580 wrote to memory of 2416	2580	cmd.exe	39
PID 2580 wrote to memory of 2416	2580	cmd.exe	39
PID 2580 wrote to memory of 2416	2580	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.46.0.0.exe
"C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.46.0.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\is-TQL6P.tmp\VoicemodSetup_2.46.0.0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TQL6P.tmp\VoicemodSetup_2.46.0.0.tmp" /SL5="$70120,117646647,720896,C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.46.0.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\is-HAUD7.tmp\curl.exe
    "C:\Users\Admin\AppData\Local\Temp\is-HAUD7.tmp\curl.exe" -v https://wsw.voicemod.net/api.windows/v2/webutils/getAnonymousId/?initialUuid=d03af81f-989e-4c12-8706-72a6bc079a7b -o C:\Users\Admin\AppData\Local\Temp\is-HAUD7.tmp\deviceId.txt
    3⤵
    - Executes dropped EXE
    PID:2656
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_unins000.exe.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2312
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_VoicemodDesktop.exe.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-HAUD7.tmp\bg-inner.png

Filesize
964B

MD5
4a1378ccbcbcf4a320bfc4d63aabef36

SHA1
8f17dc3df0a7310ab4a3914a81b7f5576e5546a5

SHA256
f3640a78436c8f83c8b055c74da597e239524201df4ae6db52a3141a1a47699a

SHA512
6800224d90fb8c00f31b51a485b90ce0fbc26aea993484a148981d9ef41ee0ff712d43816c1f8ef8b511165de70683ad98202baf27d1a7fb9f31aa88ff17836e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HAUD7.tmp\bg-top.png

Filesize
32KB

MD5
dc19715992c0051d1456308b41f04e98

SHA1
85abf86dd0e738638fff84ecd44e5b3cdbb4b96d

SHA256
86bfe5acda1b1fc9bc8f205a58c824ad58179925d2ceae11b2a341122604457d

SHA512
2f7b3bfa6c084b830213996f7691b6abcb9efd0ac44da4739972758b4eab0478e46761d8590fcea03d2902909c2c992f1eed1ef48e353a05ba67c06189d2117f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HAUD7.tmp\buttons.png

Filesize
1KB

MD5
87cc673665996a85a404beb1c8466aee

SHA1
df01fc67a739544244a0ddabd0f818bd960bf071

SHA256
d236f88ef90e6d0e259a586f4e613b14d4a35f3a704ff559dadda31341e99c24

SHA512
2058e3fd362c689a78fb3d0a163fd21bfe472368649c43dc8e48b24fa4bc5ed1307faf1cab2c351a4dd28f903a72d4951a72d7eb27784fee405884661a259c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HAUD7.tmp\curl.exe

Filesize
5.4MB

MD5
4cd044c22a2fdbb361eb9c9b14fe623a

SHA1
b85779cb56508c1630bdf3d6e43b15a8b9d19eb9

SHA256
6945c565514d907739fb324b551f3f909cb4955443a248c693887ebdf9e291ce

SHA512
abc7a3177f828f9e6f39e1bdff7a11c71e831612fa2481ba6e58c6911b662cfb24f294a35d9abf55df81916d635667a5cb5e062ae164b1b2ff1acae7ac0ba66f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TQL6P.tmp\VoicemodSetup_2.46.0.0.tmp

Filesize
2.4MB

MD5
75e45bedca8a288216ae8f77711071c6

SHA1
1efbe104d7434c3b308754323e86ffd045d31612

SHA256
46c5f1b39e16075f744d4f26d42f66d7cb1686e0f4bc1d4a69ebba8b3674ff50

SHA512
a43c0d95df01b3ff2754c1a72f686a6413c29bd234230bed3faa1129b459398408e05d578d764153436fbd10120da69c7621957caf35b214efd281898a57dfde

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist_VoicemodDesktop.exe.txt

Filesize
2KB

MD5
1919e8c1887d4cc236c122de09885e5b

SHA1
452b15b6b7a6d1f498e8fbfbce1e6123b88ad444

SHA256
6be4595233fff89752936f29dcf1a891bd720dfbb8616c60b8f111c5e02ac041

SHA512
1cbad629aec2d781d883a078a0c51359c1a247c282a1ca76e3b0aa92fc5f164f419e5362c08314454138405399494af9a219e60908149e1c513492d6ac680497

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist_unins000.exe.txt

Filesize
2KB

MD5
6a56e3c9901f317bda5b6814ca5af90a

SHA1
ab8a142d527afa5c056ebe01b6fdf0d073eb6628

SHA256
1dc3bd6d1c717e0f0f3b84f5855db895975122846ffdd2077c181b108281b266

SHA512
36b30d23686200aaa9f4bbcd59aa57eee69fd0fc80b5012daaf2d24c6ed6d75528d75b63815fb03da6d6a10ace149747c9b25c403275eb2abbf0a08b8eb79095

Download Submit
\Users\Admin\AppData\Local\Temp\is-HAUD7.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
\Users\Admin\AppData\Local\Temp\is-HAUD7.tmp\curl.exe

Filesize
5.4MB

MD5
4cd044c22a2fdbb361eb9c9b14fe623a

SHA1
b85779cb56508c1630bdf3d6e43b15a8b9d19eb9

SHA256
6945c565514d907739fb324b551f3f909cb4955443a248c693887ebdf9e291ce

SHA512
abc7a3177f828f9e6f39e1bdff7a11c71e831612fa2481ba6e58c6911b662cfb24f294a35d9abf55df81916d635667a5cb5e062ae164b1b2ff1acae7ac0ba66f

Download Submit
\Users\Admin\AppData\Local\Temp\is-HAUD7.tmp\curl.exe

Filesize
5.4MB

MD5
4cd044c22a2fdbb361eb9c9b14fe623a

SHA1
b85779cb56508c1630bdf3d6e43b15a8b9d19eb9

SHA256
6945c565514d907739fb324b551f3f909cb4955443a248c693887ebdf9e291ce

SHA512
abc7a3177f828f9e6f39e1bdff7a11c71e831612fa2481ba6e58c6911b662cfb24f294a35d9abf55df81916d635667a5cb5e062ae164b1b2ff1acae7ac0ba66f

Download Submit
\Users\Admin\AppData\Local\Temp\is-HAUD7.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\is-TQL6P.tmp\VoicemodSetup_2.46.0.0.tmp

Filesize
2.4MB

MD5
75e45bedca8a288216ae8f77711071c6

SHA1
1efbe104d7434c3b308754323e86ffd045d31612

SHA256
46c5f1b39e16075f744d4f26d42f66d7cb1686e0f4bc1d4a69ebba8b3674ff50

SHA512
a43c0d95df01b3ff2754c1a72f686a6413c29bd234230bed3faa1129b459398408e05d578d764153436fbd10120da69c7621957caf35b214efd281898a57dfde

Download Submit
memory/2656-21-0x0000000000FA0000-0x0000000001508000-memory.dmp

Filesize
5.4MB

Download
memory/2872-1-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2872-14-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2912-15-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/2912-36-0x0000000003480000-0x000000000348E000-memory.dmp

Filesize
56KB

Download
memory/2912-25-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/2912-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2912-90-0x0000000003490000-0x00000000035D0000-memory.dmp

Filesize
1.2MB

Download
memory/2912-95-0x0000000003490000-0x00000000035D0000-memory.dmp

Filesize
1.2MB

Download
memory/2912-100-0x0000000003490000-0x00000000035D0000-memory.dmp

Filesize
1.2MB

Download
memory/2912-105-0x0000000003490000-0x00000000035D0000-memory.dmp

Filesize
1.2MB

Download
memory/2912-110-0x0000000003490000-0x00000000035D0000-memory.dmp

Filesize
1.2MB

Download
memory/2912-111-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2912-113-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/2912-114-0x0000000003480000-0x000000000348E000-memory.dmp

Filesize
56KB

Download