6c9908c37d0419f8a19a2ce5055d255ecd9663d3b59957d99072fa18c1f9e547

Analysis

max time kernel
1798s
max time network
1801s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
25/04/2024, 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pandora ahhah.exe
Size

11.0MB
MD5

d3a8ab19805f4f661739397f18eff7ca
SHA1

831c7c6f11c2ddceaeaa89463412be5c81707dff
SHA256

6c9908c37d0419f8a19a2ce5055d255ecd9663d3b59957d99072fa18c1f9e547
SHA512

73032608a4021a766b53f60af7e6cbd5b9989a5edeeb2abbfad5293acd074fba4d2607f78a4280c3ce5fcedde660caf93efaf872a4d7e9b5eed25f3a4bac90d2
SSDEEP

24576:iZApS04YNEMuExDiU6E5R9s8xY/2l/dRJ5dtsPxNGfS2xIbt+rH:iZAL4auS+UjfU2T/5XDFxIbt+r

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3188	WindowsInput.exe
3828	AudioDriver.exe

Loads dropped DLL 1 IoCs

pid	Process
3828	AudioDriver.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsInput.InstallLog	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	pandora ahhah.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe
3828	AudioDriver.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3828	AudioDriver.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3828	AudioDriver.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 3188	4676	pandora ahhah.exe	81
PID 4676 wrote to memory of 3188	4676	pandora ahhah.exe	81
PID 4676 wrote to memory of 3828	4676	pandora ahhah.exe	82
PID 4676 wrote to memory of 3828	4676	pandora ahhah.exe	82
PID 4676 wrote to memory of 3828	4676	pandora ahhah.exe	82

C:\Users\Admin\AppData\Local\Temp\pandora ahhah.exe
"C:\Users\Admin\AppData\Local\Temp\pandora ahhah.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3188
- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\GamerView\sqlite3.dll

Filesize
626KB

MD5
d8aec01ff14e3e7ad43a4b71e30482e4

SHA1
e3015f56f17d845ec7eef11d41bbbc28cc16d096

SHA256
da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e

SHA512
f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Filesize
11.0MB

MD5
d3a8ab19805f4f661739397f18eff7ca

SHA1
831c7c6f11c2ddceaeaa89463412be5c81707dff

SHA256
6c9908c37d0419f8a19a2ce5055d255ecd9663d3b59957d99072fa18c1f9e547

SHA512
73032608a4021a766b53f60af7e6cbd5b9989a5edeeb2abbfad5293acd074fba4d2607f78a4280c3ce5fcedde660caf93efaf872a4d7e9b5eed25f3a4bac90d2

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e854a4636afc652b320e12e50ba4080e

SHA1
8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc

SHA256
94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5

SHA512
30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118

Download Submit
memory/3188-25-0x00007FFCE3E30000-0x00007FFCE47D1000-memory.dmp

Filesize
9.6MB

Download
memory/3188-39-0x000000001CDF0000-0x000000001D2BE000-memory.dmp

Filesize
4.8MB

Download
memory/3188-57-0x00007FFCE3E30000-0x00007FFCE47D1000-memory.dmp

Filesize
9.6MB

Download
memory/3188-40-0x000000001D360000-0x000000001D3FC000-memory.dmp

Filesize
624KB

Download
memory/3188-28-0x00007FFCE3E30000-0x00007FFCE47D1000-memory.dmp

Filesize
9.6MB

Download
memory/3188-27-0x0000000001530000-0x0000000001540000-memory.dmp

Filesize
64KB

Download
memory/3188-26-0x0000000001970000-0x0000000001990000-memory.dmp

Filesize
128KB

Download
memory/3188-24-0x0000000001930000-0x0000000001948000-memory.dmp

Filesize
96KB

Download
memory/3188-31-0x000000001C160000-0x000000001C184000-memory.dmp

Filesize
144KB

Download
memory/3828-75-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/3828-90-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/3828-89-0x0000000074E40000-0x00000000755F1000-memory.dmp

Filesize
7.7MB

Download
memory/3828-87-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/3828-86-0x0000000006510000-0x000000000651A000-memory.dmp

Filesize
40KB

Download
memory/3828-78-0x0000000006310000-0x0000000006320000-memory.dmp

Filesize
64KB

Download
memory/3828-76-0x0000000006520000-0x00000000066E2000-memory.dmp

Filesize
1.8MB

Download
memory/3828-74-0x0000000074E40000-0x00000000755F1000-memory.dmp

Filesize
7.7MB

Download
memory/4676-4-0x0000000005EE0000-0x0000000006486000-memory.dmp

Filesize
5.6MB

Download
memory/4676-61-0x0000000006FA0000-0x0000000006FEE000-memory.dmp

Filesize
312KB

Download
memory/4676-6-0x0000000005CF0000-0x0000000005D3C000-memory.dmp

Filesize
304KB

Download
memory/4676-73-0x0000000074E40000-0x00000000755F1000-memory.dmp

Filesize
7.7MB

Download
memory/4676-2-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/4676-7-0x0000000006490000-0x00000000064F6000-memory.dmp

Filesize
408KB

Download
memory/4676-11-0x0000000006950000-0x0000000006972000-memory.dmp

Filesize
136KB

Download
memory/4676-12-0x0000000006930000-0x000000000693C000-memory.dmp

Filesize
48KB

Download
memory/4676-8-0x0000000005E30000-0x0000000005E38000-memory.dmp

Filesize
32KB

Download
memory/4676-5-0x0000000005D90000-0x0000000005E22000-memory.dmp

Filesize
584KB

Download
memory/4676-0-0x0000000000D10000-0x0000000000E46000-memory.dmp

Filesize
1.2MB

Download
memory/4676-1-0x0000000074E40000-0x00000000755F1000-memory.dmp

Filesize
7.7MB

Download
memory/4676-9-0x0000000005ED0000-0x0000000005ED8000-memory.dmp

Filesize
32KB

Download
memory/4676-10-0x0000000006850000-0x0000000006908000-memory.dmp

Filesize
736KB

Download
memory/4676-3-0x0000000001850000-0x000000000185A000-memory.dmp

Filesize
40KB

Download