34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6

Analysis

max time kernel
143s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 20:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe
Size

4.6MB
MD5

bb8dd921a1d08f46ce501c40d3fb40a7
SHA1

e2974f45b85aba463d964fe57f743f19076aa5c7
SHA256

34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6
SHA512

2c167ee671090dd509fc883787236c2944c285ad81ec818ddbae5c7ba253afa349a8df0dc45f65bf6872736282cd5a0aa61d51255e3d14e1aefa3fee6b49abb4
SSDEEP

98304:Q+CKjW9RXhzbG+NB2BxeHawH9z1cevf6rE687v7L4dm8:l419bGeBZ9dvf487v7L4dD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
2296	audiofc.exe
304	audiofc.exe

Loads dropped DLL 7 IoCs

pid	Process
2444	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe
2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	81.31.197.38

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 51 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-BB12H.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-E987U.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-LSF0Q.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-MU5MD.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\lessmsi\is-8MCQ8.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\plugins\internal\is-94OJP.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-UAQST.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-J9RNB.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-QEE5N.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-VI8NJ.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\stuff\is-1UR70.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File opened for modification	C:\Program Files (x86)\Audio format converter\audiofc.exe	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-76DE0.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-Q95KN.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\plugins\internal\is-IFQPS.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-K8P54.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-H24PH.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\stuff\is-ONRGD.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-Q2E97.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-381VS.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-S66VB.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-A83S2.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-RU8SJ.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\stuff\is-U69OH.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-V4SC1.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-9L86K.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-77CKI.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File opened for modification	C:\Program Files (x86)\Audio format converter\unins000.dat	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\is-1KO24.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-18TAB.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-O237U.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\stuff\is-CSDRD.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-6NROH.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\unins000.dat	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-L271T.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\is-0L4K5.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-Q7SS7.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-BCJ9M.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-V4S6Q.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-9GGO0.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-0Q32L.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-MVC78.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-0MJDA.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-HO5FT.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-QA71F.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-H3DFG.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-4OGQ7.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-956HI.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-K4PJF.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-3LAJT.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-L2SO9.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2056	2444	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe	16
PID 2444 wrote to memory of 2056	2444	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe	16
PID 2444 wrote to memory of 2056	2444	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe	16
PID 2444 wrote to memory of 2056	2444	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe	16
PID 2444 wrote to memory of 2056	2444	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe	16
PID 2444 wrote to memory of 2056	2444	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe	16
PID 2444 wrote to memory of 2056	2444	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe	16
PID 2056 wrote to memory of 1568	2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	18
PID 2056 wrote to memory of 1568	2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	18
PID 2056 wrote to memory of 1568	2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	18
PID 2056 wrote to memory of 1568	2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	18
PID 2056 wrote to memory of 2296	2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	20
PID 2056 wrote to memory of 2296	2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	20
PID 2056 wrote to memory of 2296	2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	20
PID 2056 wrote to memory of 2296	2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	20
PID 1568 wrote to memory of 1636	1568	net.exe	19
PID 1568 wrote to memory of 1636	1568	net.exe	19
PID 1568 wrote to memory of 1636	1568	net.exe	19
PID 1568 wrote to memory of 1636	1568	net.exe	19
PID 2056 wrote to memory of 304	2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	33
PID 2056 wrote to memory of 304	2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	33
PID 2056 wrote to memory of 304	2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	33
PID 2056 wrote to memory of 304	2056	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	33

C:\Users\Admin\AppData\Local\Temp\is-N3NEP.tmp\34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N3NEP.tmp\34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp" /SL5="$5014E,4538029,54272,C:\Users\Admin\AppData\Local\Temp\34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\system32\net.exe" helpmsg 31
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 helpmsg 31
    3⤵
    PID:1636
- C:\Program Files (x86)\Audio format converter\audiofc.exe
  "C:\Program Files (x86)\Audio format converter\audiofc.exe" -i
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Program Files (x86)\Audio format converter\audiofc.exe
  "C:\Program Files (x86)\Audio format converter\audiofc.exe" -s
  2⤵
  - Executes dropped EXE
  PID:304

C:\Users\Admin\AppData\Local\Temp\34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe
"C:\Users\Admin\AppData\Local\Temp\34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-170-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/304-190-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/304-187-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/304-183-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/304-180-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/304-177-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/304-137-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/304-174-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/304-157-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/304-171-0x0000000002480000-0x0000000002522000-memory.dmp

Filesize
648KB

Download
memory/304-162-0x0000000002480000-0x0000000002522000-memory.dmp

Filesize
648KB

Download
memory/304-167-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/304-139-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/304-142-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/304-160-0x0000000002480000-0x0000000002522000-memory.dmp

Filesize
648KB

Download
memory/304-161-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/304-147-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/304-148-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/304-151-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/304-154-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2056-144-0x00000000038C0000-0x0000000003A48000-memory.dmp

Filesize
1.5MB

Download
memory/2056-143-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2056-141-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2056-136-0x00000000038C0000-0x0000000003A48000-memory.dmp

Filesize
1.5MB

Download
memory/2056-127-0x00000000038C0000-0x0000000003A48000-memory.dmp

Filesize
1.5MB

Download
memory/2056-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2296-129-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2296-132-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2296-133-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2296-128-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/2444-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2444-140-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2444-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download