b1dec4e4ed1ceaf448565d0778995175ad44941d6f617fcd9df00f6d43d68137

Analysis

max time kernel
40s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 02:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b1dec4e4ed1ceaf448565d0778995175ad44941d6f617fcd9df00f6d43d68137.exe
Size

268KB
MD5

ed19e1a621eba1a37ad406075a6db9d7
SHA1

e23ce29fa6a15f9eb167f3db5731fc2af096edb6
SHA256

b1dec4e4ed1ceaf448565d0778995175ad44941d6f617fcd9df00f6d43d68137
SHA512

86a63aa8b8c1dd34ae6ee41ab90ac73f4a9f87b8b74e75f14abd56ef1ec3e83b5a29891234c2ffdea6470208f2ba98e4c7cfca7feecf6873e0b8b57a36ece9aa
SSDEEP

1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF:G+IF6foPCaTRMXbaev0FQcmWk

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2144	audiohd.exe

Loads dropped DLL 2 IoCs

pid	Process
1820	b1dec4e4ed1ceaf448565d0778995175ad44941d6f617fcd9df00f6d43d68137.exe
1820	b1dec4e4ed1ceaf448565d0778995175ad44941d6f617fcd9df00f6d43d68137.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1dec4e4ed1ceaf448565d0778995175ad44941d6f617fcd9df00f6d43d68137.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1820	b1dec4e4ed1ceaf448565d0778995175ad44941d6f617fcd9df00f6d43d68137.exe
2144	audiohd.exe
2756	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	b1dec4e4ed1ceaf448565d0778995175ad44941d6f617fcd9df00f6d43d68137.exe
Token: SeDebugPrivilege	2144	audiohd.exe
Token: SeDebugPrivilege	2756	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2144	1820	b1dec4e4ed1ceaf448565d0778995175ad44941d6f617fcd9df00f6d43d68137.exe	30
PID 1820 wrote to memory of 2144	1820	b1dec4e4ed1ceaf448565d0778995175ad44941d6f617fcd9df00f6d43d68137.exe	30
PID 1820 wrote to memory of 2144	1820	b1dec4e4ed1ceaf448565d0778995175ad44941d6f617fcd9df00f6d43d68137.exe	30
PID 1820 wrote to memory of 2144	1820	b1dec4e4ed1ceaf448565d0778995175ad44941d6f617fcd9df00f6d43d68137.exe	30
PID 2144 wrote to memory of 2756	2144	audiohd.exe	32
PID 2144 wrote to memory of 2756	2144	audiohd.exe	32
PID 2144 wrote to memory of 2756	2144	audiohd.exe	32
PID 2144 wrote to memory of 2756	2144	audiohd.exe	32

C:\Users\Admin\AppData\Local\Temp\b1dec4e4ed1ceaf448565d0778995175ad44941d6f617fcd9df00f6d43d68137.exe
"C:\Users\Admin\AppData\Local\Temp\b1dec4e4ed1ceaf448565d0778995175ad44941d6f617fcd9df00f6d43d68137.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
274KB

MD5
1fa6b7eebd92ba3881aafa3ed83bc88d

SHA1
efcddb4f51fb209397f7dba177d7242774708379

SHA256
11904a592b6f0949a4f31c362695923cf173b247c21048394c2e4dfb1bc73541

SHA512
8a6e98ddac1fab08eff9ef77beccfd9115f96f3dd3f87b603f139f7000fa53861c732b6e7542fc4d5d9f9e0e13e7c302fc97163b9df7c4aba51fb848b7ea558a

Download Submit
memory/1820-0-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/1820-1-0x0000000001040000-0x0000000001056000-memory.dmp

Filesize
88KB

Download
memory/2144-12-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/2144-13-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2144-14-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2144-19-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2144-20-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download