34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6

Analysis

max time kernel
81s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 20:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe
Size

4.6MB
MD5

bb8dd921a1d08f46ce501c40d3fb40a7
SHA1

e2974f45b85aba463d964fe57f743f19076aa5c7
SHA256

34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6
SHA512

2c167ee671090dd509fc883787236c2944c285ad81ec818ddbae5c7ba253afa349a8df0dc45f65bf6872736282cd5a0aa61d51255e3d14e1aefa3fee6b49abb4
SSDEEP

98304:Q+CKjW9RXhzbG+NB2BxeHawH9z1cevf6rE687v7L4dm8:l419bGeBZ9dvf487v7L4dD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4532	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
576	audiofc.exe
1368	audiofc.exe

Loads dropped DLL 3 IoCs

pid	Process
4532	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
4532	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
4532	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 51 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-MG1JS.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-P3SN4.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-TI4M6.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-NMB2I.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-DJ6G5.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\plugins\internal\is-E395K.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File opened for modification	C:\Program Files (x86)\Audio format converter\unins000.dat	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-AIU4O.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-GB2NM.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\stuff\is-LU8FS.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-JDICR.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-J0HMA.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-229U0.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-VQC9C.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-V9QAJ.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-0TIRE.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-OD65Q.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-AQ0V2.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\stuff\is-PEEO7.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-MTM70.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-506PI.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-6C0QB.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-ECT16.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-AFDB7.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-GF2KI.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-LO985.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-LMES4.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\stuff\is-UQ0M2.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-2UMI9.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-JE8GN.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-TSP8V.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\plugins\internal\is-FSLPS.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-QAGOO.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\stuff\is-IG6J9.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\is-MK7CK.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-3OSHG.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\lessmsi\is-MQ8OO.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-KAHFJ.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\is-OQTBT.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File opened for modification	C:\Program Files (x86)\Audio format converter\audiofc.exe	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-44JDV.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-8T11A.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-8LSUN.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-SSN3H.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-HHMOI.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-NNTG6.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-JVCJP.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-D06E9.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-GU4JS.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\unins000.dat	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
File created	C:\Program Files (x86)\Audio format converter\bin\x86\is-345S4.tmp	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4532	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 4532	3688	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe	23
PID 3688 wrote to memory of 4532	3688	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe	23
PID 3688 wrote to memory of 4532	3688	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe	23
PID 4532 wrote to memory of 3360	4532	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	27
PID 4532 wrote to memory of 3360	4532	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	27
PID 4532 wrote to memory of 3360	4532	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	27
PID 4532 wrote to memory of 576	4532	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	31
PID 4532 wrote to memory of 576	4532	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	31
PID 4532 wrote to memory of 576	4532	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	31
PID 3360 wrote to memory of 3028	3360	net.exe	29
PID 3360 wrote to memory of 3028	3360	net.exe	29
PID 3360 wrote to memory of 3028	3360	net.exe	29
PID 4532 wrote to memory of 1368	4532	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	28
PID 4532 wrote to memory of 1368	4532	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	28
PID 4532 wrote to memory of 1368	4532	34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp	28

C:\Users\Admin\AppData\Local\Temp\34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe
"C:\Users\Admin\AppData\Local\Temp\34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\AppData\Local\Temp\is-28PRJ.tmp\34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-28PRJ.tmp\34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp" /SL5="$90054,4538029,54272,C:\Users\Admin\AppData\Local\Temp\34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 31
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3360
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 31
      4⤵
      PID:3028
- - C:\Program Files (x86)\Audio format converter\audiofc.exe
    "C:\Program Files (x86)\Audio format converter\audiofc.exe" -s
    3⤵
    - Executes dropped EXE
    PID:1368
- - C:\Program Files (x86)\Audio format converter\audiofc.exe
    "C:\Program Files (x86)\Audio format converter\audiofc.exe" -i
    3⤵
    - Executes dropped EXE
    PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-28PRJ.tmp\34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6.tmp

Filesize
92KB

MD5
6a3dd53ba7c28000750f604133b072cc

SHA1
d0c20f11b02fbdce077bdd68520a78801c6f75d7

SHA256
b11b4b425f2b1f0469bcce0c308b91cc0fb955becd26f1fc26ec8c405f2f04e5

SHA512
465f90dff2170b5ae61fccf9538a9fb713d08cb521ce124c4dfe48b7a8e0ece8f84f09e61a59d0e5d88f451683bf1eb7af9a7c280a589cc1f6e07c1e73696514

Download Submit
memory/576-130-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/576-126-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/576-129-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/576-125-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1368-142-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1368-151-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1368-134-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1368-183-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1368-180-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1368-177-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1368-174-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1368-137-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1368-171-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1368-168-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1368-141-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1368-145-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1368-148-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1368-132-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1368-152-0x00000000021C0000-0x0000000002262000-memory.dmp

Filesize
648KB

Download
memory/1368-158-0x00000000021C0000-0x0000000002262000-memory.dmp

Filesize
648KB

Download
memory/1368-157-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1368-161-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1368-164-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/1368-165-0x00000000021C0000-0x0000000002262000-memory.dmp

Filesize
648KB

Download
memory/3688-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3688-135-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3688-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4532-138-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4532-136-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4532-7-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download