278352ec13e7eae8a2aba645098d349e77fecb2d0a5f006551c9d48e09575a46

Analysis

max time kernel
34s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Voltsploit.exe
Size

32.7MB
MD5

6520ffe8272c83805bb8937f48372c17
SHA1

b6617ed5e25e5765bd71628093288d29b094baba
SHA256

12f044076f5c4879640cc50ecfad22876b235136bef1a04a566bd3e6fa6569e7
SHA512

479e0fe94bb93985ac9c7a70e5901d397e6c9f6c0dec0b1f5df13558896565bfa26b516bb406867e732608e646efcbba914125f57c85da2125f490d6704b649a
SSDEEP

393216:CtJKPxXnM5Izeo7TEMoNeQtezfDLRZBE2+qBvtgaYjfLZJRzZu97SCKH3pTfHkkq:L0IRTN5KezfhZB4+ZCFGWCM7HkkruMu

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	Voltsploit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	644	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	644	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1440	1944	Voltsploit.exe	85
PID 1944 wrote to memory of 1440	1944	Voltsploit.exe	85
PID 1944 wrote to memory of 1440	1944	Voltsploit.exe	85

C:\Users\Admin\AppData\Local\Temp\Voltsploit.exe
"C:\Users\Admin\AppData\Local\Temp\Voltsploit.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\matrix.bat" "
  2⤵
  PID:1440

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b8 0x490
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\matrix.bat

Filesize
270B

MD5
5744fef3d00802cdab3d9d9fb03b2821

SHA1
56b0eaad9185c62ecd831ce7d3288c6cfb63ff3d

SHA256
92b73f05d52df9a3db460664af974b7ebdea1c5ced5f4e1801874e6e6387d8ca

SHA512
4def8a413704a5372a8381600770b7004d7330315df61655464e10027572a0cedd1d0424e4dd63ab3daeb11e1aba7effb27d7f94d27c5ecc73ebeb5a5ab8dcf5

Download Submit
memory/1944-0-0x000000007530E000-0x000000007530F000-memory.dmp

Filesize
4KB

Download
memory/1944-1-0x0000000000D90000-0x0000000002E50000-memory.dmp

Filesize
32.8MB

Download
memory/1944-2-0x0000000007E00000-0x00000000083A4000-memory.dmp

Filesize
5.6MB

Download
memory/1944-3-0x0000000007850000-0x00000000078E2000-memory.dmp

Filesize
584KB

Download
memory/1944-4-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/1944-5-0x0000000007A70000-0x0000000007A7A000-memory.dmp

Filesize
40KB

Download
memory/1944-6-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/1944-11-0x000000007530E000-0x000000007530F000-memory.dmp

Filesize
4KB

Download
memory/1944-12-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download