508b7e479336ac9ad90f0a895c90eafdc704c3fa550c2d4bb0110e7c0cdbff9d

General

Target

bba59ea14d0ed98a56d74928b5e6d470N.exe
Size

852KB
MD5

bba59ea14d0ed98a56d74928b5e6d470
SHA1

7cababdb2adabe721cb98be28551b55cb5295edf
SHA256

508b7e479336ac9ad90f0a895c90eafdc704c3fa550c2d4bb0110e7c0cdbff9d
SHA512

235f49197565b9d954a3030ab5772fa52b5d86007be45b70f11858daa06e5ec405a68c6cdd7b76d4d6467bc421ac72be359c73388f3005afbd25ce34dd64c709
SSDEEP

3072:tZTz1WIXC6GESSgWNRXumi7+IF6foPCaTRMXbaev0FQcmWk6kwsNIf6cHzbQ2v0V:tZHcIX9SSgMi+IFZMbQrkodzb4VF2Yd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2724	audiohd.exe

Loads dropped DLL 2 IoCs

pid	Process
2676	bba59ea14d0ed98a56d74928b5e6d470N.exe
2676	bba59ea14d0ed98a56d74928b5e6d470N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bba59ea14d0ed98a56d74928b5e6d470N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2676	bba59ea14d0ed98a56d74928b5e6d470N.exe
2724	audiohd.exe
2484	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	bba59ea14d0ed98a56d74928b5e6d470N.exe
Token: SeDebugPrivilege	2724	audiohd.exe
Token: SeDebugPrivilege	2484	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2724	2676	bba59ea14d0ed98a56d74928b5e6d470N.exe	30
PID 2676 wrote to memory of 2724	2676	bba59ea14d0ed98a56d74928b5e6d470N.exe	30
PID 2676 wrote to memory of 2724	2676	bba59ea14d0ed98a56d74928b5e6d470N.exe	30
PID 2676 wrote to memory of 2724	2676	bba59ea14d0ed98a56d74928b5e6d470N.exe	30
PID 2724 wrote to memory of 2484	2724	audiohd.exe	31
PID 2724 wrote to memory of 2484	2724	audiohd.exe	31
PID 2724 wrote to memory of 2484	2724	audiohd.exe	31
PID 2724 wrote to memory of 2484	2724	audiohd.exe	31
PID 2484 wrote to memory of 2600	2484	powershell.exe	33
PID 2484 wrote to memory of 2600	2484	powershell.exe	33
PID 2484 wrote to memory of 2600	2484	powershell.exe	33
PID 2484 wrote to memory of 2600	2484	powershell.exe	33
PID 2600 wrote to memory of 2500	2600	csc.exe	34
PID 2600 wrote to memory of 2500	2600	csc.exe	34
PID 2600 wrote to memory of 2500	2600	csc.exe	34
PID 2600 wrote to memory of 2500	2600	csc.exe	34

C:\Users\Admin\AppData\Local\Temp\bba59ea14d0ed98a56d74928b5e6d470N.exe
"C:\Users\Admin\AppData\Local\Temp\bba59ea14d0ed98a56d74928b5e6d470N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9kt5sllu.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3850.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC384F.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
857KB

MD5
db27a91703d46cf98d4503fe8503da2f

SHA1
910e3ce1e14aa486c83e67365ffbc5ffaae9554b

SHA256
daa3fb88d157346ef8f445f2216a5d9c1edf06cd7a847245f30b4565704d83ec

SHA512
03815c2cbf4c45bca4d4485d1bf0ae095117ff081b503ef1107e2ac619d5c3e85e6730ba4d84471a59f38b80c7ecd48e75bbe6b8818a9d71733882507200cad8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9kt5sllu.dll

Filesize
6KB

MD5
86c174b16d372acc8ec793d6d18ea20c

SHA1
a0491c9dcee30cdea4aa1abb329a02e3f68e774b

SHA256
fdeacdb00f5ff61f7e76de90a959e939b99b4e83f4dd64f019a4976e6b8930a6

SHA512
ba0788ced856cb92a60224bf1a449d83daf40c44902bb5177ada19b77a4f9e498736881509a320b9b361285643692fd2baf856b666a62927065d5c473ff02d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\9kt5sllu.pdb

Filesize
13KB

MD5
415113287388fd1899176016eb809d8e

SHA1
d53b0032d8ba6f4e9287306925a8d80481eccda9

SHA256
95d75b91a07cfb77db7381eb588607e5e40492330d0090090314c84eec54fda6

SHA512
edb5a710695b8ff91dbd22357448dfb9d72a21037ef2c5c7608e6322deceb38bf47dbe66da555a3ccc5921317bd67e0174027a83ac294fd488cd7a8ee21e905e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3850.tmp

Filesize
1KB

MD5
e05370c1f920f1e097472f4cd9c2b5e4

SHA1
471b3a273b6c2ffd7cb8490e325eda714286e216

SHA256
eb322a4439d3a22e4c61f24c46404d86959c322170f008fa0cd3a1363394c754

SHA512
ca1ba6e4bb639aea98cc3da06538457c8896b204260ae798f53c167a67c523e4a08e70b76b39aadee2bf36dbaca15c2d1f9e61996dfc725fd4acf90a7e58b3ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9kt5sllu.cmdline

Filesize
309B

MD5
b1902c23c6653f0d4ac30876937e1eb8

SHA1
4bc844f96c974acd3ebba168af2b33e39f081a2b

SHA256
153a47a684933cb26f6be4c795c2b4ba3e2150d6657d3a5fd9cd4afc0344f725

SHA512
42f4be5197e96d81f480a2233140315ac3718ff072b4bef21373dd7bb261e9627a692c2d95b4c694210a037fb841fddaa97b090d3446fbabbf199be517eb5f0d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC384F.tmp

Filesize
652B

MD5
423d6fc8c02402a08a7a728b28d792f5

SHA1
a824e3ad125ad2cb96610c5e62a79f71e1fd74f4

SHA256
9714b19c66ba446b983a5ea51746f27deb740338766007181acaad38a61b7f93

SHA512
017c388dd06feb6718db41944118f608db5b5d0ecc36e1e18c1dc6d384b5db61c99ff56fc472fabcb23f9fd10240d5f68f2f4b9f3bf885a48ffa005b4873eb5a

Download Submit
memory/2676-13-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/2676-3-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-2-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-1-0x0000000000770000-0x0000000000786000-memory.dmp

Filesize
88KB

Download
memory/2724-16-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-15-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-14-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-35-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-34-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-36-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-37-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-38-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing