3671fd712335ef0d15e4d553edf19116f56d2ca18ede39d9d43536ce9e0bf2f4

Analysis

max time kernel
165s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2024 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VoicemodSetup_2.48.0.0.exe
Size

112.2MB
MD5

91b98d97343351e879ef8304798864c0
SHA1

fba2e0c8229165d7f0cc34930ea96a2430d30ee6
SHA256

3671fd712335ef0d15e4d553edf19116f56d2ca18ede39d9d43536ce9e0bf2f4
SHA512

2a9a855d6a955c4bce3f4c23644cdb5d4454cb6e38b83ed5a42c9cf058e48584b762586415014a919d5567544ce570d99771a2258ef20c230a230bfc46c13fa8
SSDEEP

3145728:tYegNHiVdYZxPKyZ+DXfCJSQYBvvisu9koMvqSs:3gliV4z+bEzoviOv+

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

VoicemodSetup_2.48.0.0.tmp

pid process

1752 VoicemodSetup_2.48.0.0.tmp
Loads dropped DLL 3 IoCs

Processes:

VoicemodSetup_2.48.0.0.tmp

pid process

1752 VoicemodSetup_2.48.0.0.tmp
1752 VoicemodSetup_2.48.0.0.tmp
1752 VoicemodSetup_2.48.0.0.tmp
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4900 tasklist.exe
952 tasklist.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 4900 tasklist.exe
Token: SeDebugPrivilege 952 tasklist.exe

pid	process
1752	VoicemodSetup_2.48.0.0.tmp

pid	process
1752	VoicemodSetup_2.48.0.0.tmp
1752	VoicemodSetup_2.48.0.0.tmp
1752	VoicemodSetup_2.48.0.0.tmp

pid	process
4900	tasklist.exe
952	tasklist.exe

description	pid	process
Token: SeDebugPrivilege	4900	tasklist.exe
Token: SeDebugPrivilege	952	tasklist.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

VoicemodSetup_2.48.0.0.exeVoicemodSetup_2.48.0.0.tmpcmd.execmd.exe

description	pid	process	target process
PID 1356 wrote to memory of 1752	1356	VoicemodSetup_2.48.0.0.exe	VoicemodSetup_2.48.0.0.tmp
PID 1356 wrote to memory of 1752	1356	VoicemodSetup_2.48.0.0.exe	VoicemodSetup_2.48.0.0.tmp
PID 1356 wrote to memory of 1752	1356	VoicemodSetup_2.48.0.0.exe	VoicemodSetup_2.48.0.0.tmp
PID 1752 wrote to memory of 3944	1752	VoicemodSetup_2.48.0.0.tmp	curl.exe
PID 1752 wrote to memory of 3944	1752	VoicemodSetup_2.48.0.0.tmp	curl.exe
PID 1752 wrote to memory of 3892	1752	VoicemodSetup_2.48.0.0.tmp	curl.exe
PID 1752 wrote to memory of 3892	1752	VoicemodSetup_2.48.0.0.tmp	curl.exe
PID 1752 wrote to memory of 1572	1752	VoicemodSetup_2.48.0.0.tmp	cmd.exe
PID 1752 wrote to memory of 1572	1752	VoicemodSetup_2.48.0.0.tmp	cmd.exe
PID 1572 wrote to memory of 4900	1572	cmd.exe	tasklist.exe
PID 1572 wrote to memory of 4900	1572	cmd.exe	tasklist.exe
PID 1752 wrote to memory of 2260	1752	VoicemodSetup_2.48.0.0.tmp	cmd.exe
PID 1752 wrote to memory of 2260	1752	VoicemodSetup_2.48.0.0.tmp	cmd.exe
PID 2260 wrote to memory of 952	2260	cmd.exe	tasklist.exe
PID 2260 wrote to memory of 952	2260	cmd.exe	tasklist.exe
PID 1752 wrote to memory of 4312	1752	VoicemodSetup_2.48.0.0.tmp	curl.exe
PID 1752 wrote to memory of 4312	1752	VoicemodSetup_2.48.0.0.tmp	curl.exe

C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.48.0.0.exe
"C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.48.0.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\is-SMTFU.tmp\VoicemodSetup_2.48.0.0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SMTFU.tmp\VoicemodSetup_2.48.0.0.tmp" /SL5="$100060,116886350,720896,C:\Users\Admin\AppData\Local\Temp\VoicemodSetup_2.48.0.0.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\system32\curl.exe
"C:\Windows\system32\curl.exe" -v https://wsw.voicemod.net/api.windows/v2/webutils/getAnonymousId/?initialUuid=5baa2aac-6f09-498d-a5a6-e1e70cf8ebe4 -o C:\Users\Admin\AppData\Local\Temp\is-2I1UV.tmp\deviceId.txt
3⤵
PID:3944

C:\Windows\system32\curl.exe
"C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"mp_deviceid\": \"791012bd-eee0-425f-8175-6693c3480f08\",\"events\": [{\"data\": {\"event_name\": \"Installer Open\" , \"custom_attributes\": { \"version\": \"2.48.0.0\", \"machine_guid\": \"5baa2aac-6f09-498d-a5a6-e1e70cf8ebe4\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
3⤵
PID:3892

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_unins000.exe.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_VoicemodDesktop.exe.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\system32\curl.exe
"C:\Windows\system32\curl.exe" -u us1-760719ecefb3654a9377029b145d3706:fz_LnFaF0dOp3ih1I1jB_678-A5yc8Sj4woz-2whrU37YgWiq8_jIpGev6khPc4U -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"device_info\": {\"platform\": \"Android\",\"android_uuid\": \"791012bd-eee0-425f-8175-6693c3480f08\"},\"mp_deviceid\": \"791012bd-eee0-425f-8175-6693c3480f08\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpWelcome\" , \"custom_attributes\": { \"version\": \"2.48.0.0\", \"machine_guid\": \"5baa2aac-6f09-498d-a5a6-e1e70cf8ebe4\", \"country\": \"Unknown\", \"locale\": \"en-US\", \"is_new_user\": \"True\", \"voicemod_system\": \"voicemod-v2\",\"page_number\": \"1\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
3⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5124 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:8
1⤵
PID:4492

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-2I1UV.tmp\bg-inner.png
Filesize
964B

MD5
4a1378ccbcbcf4a320bfc4d63aabef36

SHA1
8f17dc3df0a7310ab4a3914a81b7f5576e5546a5

SHA256
f3640a78436c8f83c8b055c74da597e239524201df4ae6db52a3141a1a47699a

SHA512
6800224d90fb8c00f31b51a485b90ce0fbc26aea993484a148981d9ef41ee0ff712d43816c1f8ef8b511165de70683ad98202baf27d1a7fb9f31aa88ff17836e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2I1UV.tmp\bg-top.png
Filesize
32KB

MD5
dc19715992c0051d1456308b41f04e98

SHA1
85abf86dd0e738638fff84ecd44e5b3cdbb4b96d

SHA256
86bfe5acda1b1fc9bc8f205a58c824ad58179925d2ceae11b2a341122604457d

SHA512
2f7b3bfa6c084b830213996f7691b6abcb9efd0ac44da4739972758b4eab0478e46761d8590fcea03d2902909c2c992f1eed1ef48e353a05ba67c06189d2117f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2I1UV.tmp\botva2.dll
Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2I1UV.tmp\buttons.png
Filesize
1KB

MD5
87cc673665996a85a404beb1c8466aee

SHA1
df01fc67a739544244a0ddabd0f818bd960bf071

SHA256
d236f88ef90e6d0e259a586f4e613b14d4a35f3a704ff559dadda31341e99c24

SHA512
2058e3fd362c689a78fb3d0a163fd21bfe472368649c43dc8e48b24fa4bc5ed1307faf1cab2c351a4dd28f903a72d4951a72d7eb27784fee405884661a259c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2I1UV.tmp\deviceId.txt
Filesize
36B

MD5
ff6c47b9df8d61e5a2328195b6b642ae

SHA1
5455f84c4f38d463dc6eb2ea984406defc71447c

SHA256
942d497057c35bcc8ad86dce3436676ef97543fce691c3f7a28331c368ad7d6b

SHA512
0aff74f176c589b3e5edefc439da6725dd786a2f129c9cc17ba6ef080b431b1ad0f1c30039246d17859093db0f4da14ebdc5badbb8d834ed2c24b86605da0e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2I1UV.tmp\idp.dll
Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SMTFU.tmp\VoicemodSetup_2.48.0.0.tmp
Filesize
2.4MB

MD5
e812065f75f42d8bbbe174cf03b02216

SHA1
088914819546a58d1243522c64cea5f6a7d77eb8

SHA256
952d953995b093f37f8ae25c90cc2708f00b6009e83a7695a1f14e62465800ad

SHA512
daa24b600ed75e7f2e2e3a1ead2f0acff0283529890f87a7d455ff6959a5186db86b9f7ae97ce5023d86326fced2fde24395f336c50cc5b0f1a9844756863448

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist_VoicemodDesktop.exe.txt
Filesize
8KB

MD5
0bab879b4debcf5c68aec1f688d0e5f3

SHA1
f830f1997e57bf753fcedacb9d1ba8c3e44801c3

SHA256
c5ad45c4107b547d2f59607486e2853ce814e8763f9206e7370cc1c6f507e018

SHA512
de334ceb1cca63141619cead3f8474ceb8609206db6002fb1d64cce28db0a66e0566dfbc72c0442a2fb8838db931fb2a90a683b05a6dfeeac8121f290331d45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist_unins000.exe.txt
Filesize
8KB

MD5
cb4fba6e69ab1bdbc3df3ed1879fe9ad

SHA1
3fc97cd643ba6bd44a26a8fdee85d77b117c0b21

SHA256
2058960fd05fcf48bc961eb8f6521b8201b4d213ca249bb458c558f03bab4ed6

SHA512
d290d807b3a50016b33e625a2c43cc375eeaf89c496d984e7b3d0eccb5268ab195d6f4c713c9eecacd5e5db10c907a6b7d104416b768b45f1ee62269916f6c96

Download Submit
memory/1356-1-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1356-33-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1752-93-0x0000000003860000-0x00000000039A0000-memory.dmp

Filesize
1.2MB

Download
memory/1752-83-0x0000000003860000-0x00000000039A0000-memory.dmp

Filesize
1.2MB

Download
memory/1752-6-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1752-88-0x0000000003860000-0x00000000039A0000-memory.dmp

Filesize
1.2MB

Download
memory/1752-28-0x00000000037B0000-0x00000000037BE000-memory.dmp

Filesize
56KB

Download
memory/1752-98-0x0000000003860000-0x00000000039A0000-memory.dmp

Filesize
1.2MB

Download
memory/1752-103-0x0000000003860000-0x00000000039A0000-memory.dmp

Filesize
1.2MB

Download
memory/1752-104-0x0000000000400000-0x000000000067A000-memory.dmp

Filesize
2.5MB

Download
memory/1752-105-0x00000000037B0000-0x00000000037BE000-memory.dmp

Filesize
56KB

Download
memory/1752-109-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1752-112-0x00000000037B0000-0x00000000037BE000-memory.dmp

Filesize
56KB

Download