7bc72601a99488910e0e3ebfd167b0e6c6a66ac7aa0de499699b7621859e320f

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Voicemod Pro by mr.motchy/VoicemodSetup.exe
Size

22.2MB
MD5

2c74a59f3a312c9003e3bdf2f458c87f
SHA1

97b1ede9c186ea36a74bceb1bf5e5689aad99086
SHA256

afd7452c34570e409fc0c2bc8a22fb7429a3cc8f48e85fe6a154656ec020330d
SHA512

b5e8810733694aa773c4c3b8a4063e5fddd962b64d2ad697223ddeb7337f09e8c21fc1efdb2c13c854f2e6884940fac217338e0839fd21d2b4db3c2da031a392
SSDEEP

393216:D2MvvQScyvXuaXVTwkBgoEMNBrDXLuzLYzCdcv8p5UPxaMQlBf4PrE:SMvVcysoEcLuzLig5p5UPxtyAP4

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2720	VoicemodSetup.tmp

Loads dropped DLL 2 IoCs

pid	Process
2852	VoicemodSetup.exe
2720	VoicemodSetup.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VoicemodSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VoicemodSetup.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2720	VoicemodSetup.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2720	2852	VoicemodSetup.exe	30
PID 2852 wrote to memory of 2720	2852	VoicemodSetup.exe	30
PID 2852 wrote to memory of 2720	2852	VoicemodSetup.exe	30
PID 2852 wrote to memory of 2720	2852	VoicemodSetup.exe	30
PID 2852 wrote to memory of 2720	2852	VoicemodSetup.exe	30
PID 2852 wrote to memory of 2720	2852	VoicemodSetup.exe	30
PID 2852 wrote to memory of 2720	2852	VoicemodSetup.exe	30

C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe
"C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\is-VOF2I.tmp\VoicemodSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-VOF2I.tmp\VoicemodSetup.tmp" /SL5="$400F4,22991991,87040,C:\Users\Admin\AppData\Local\Temp\Voicemod Pro by mr.motchy\VoicemodSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabB1B5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB1C7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\is-K3KNL.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
\Users\Admin\AppData\Local\Temp\is-VOF2I.tmp\VoicemodSetup.tmp

Filesize
737KB

MD5
1a9f24ba757fd08f3b4db5570cd1bfd0

SHA1
6c8e5ee1db1bb8471dc2c2c7a1d9835d60df2d8d

SHA256
326071c6e04b3552414337cea066d809d987dbddbc8ad717626abc9dff748956

SHA512
bbc2bc152363d789c636941f71894b8a6062a5b37b33748c5e7eb6014bbb8ee0461c29fd892272758ece489abbe7cc4e0695f094a4963411723f698456c308a6

Download Submit
memory/2720-9-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2720-16-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2720-70-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2720-182-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2720-346-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2852-2-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/2852-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2852-14-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download