4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Analysis

max time kernel
142s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6b79788476c3806befcdd2dead8231a.exe
Size

506KB
MD5

f6b79788476c3806befcdd2dead8231a
SHA1

56eba5da31c728dc287435a555e527b1a27cae37
SHA256

9c798b5cf50fd400ce59355b91a741ab5ccfcffdaedc50815981fa280f4776a9
SHA512

f46f9b568f3d0cb6b4e799a68a3d7defd4e35cbf3df59840d05e575e8580a0cd8e95a497b5f5b272c21fe4105264272d4b58c8bec211597bbcf2de099eab49f3
SSDEEP

1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2396	audiohd.exe

Loads dropped DLL 2 IoCs

pid	Process
2588	f6b79788476c3806befcdd2dead8231a.exe
2588	f6b79788476c3806befcdd2dead8231a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6b79788476c3806befcdd2dead8231a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2588	f6b79788476c3806befcdd2dead8231a.exe
2396	audiohd.exe
2812	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	f6b79788476c3806befcdd2dead8231a.exe
Token: SeDebugPrivilege	2396	audiohd.exe
Token: SeDebugPrivilege	2812	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2396	2588	f6b79788476c3806befcdd2dead8231a.exe	30
PID 2588 wrote to memory of 2396	2588	f6b79788476c3806befcdd2dead8231a.exe	30
PID 2588 wrote to memory of 2396	2588	f6b79788476c3806befcdd2dead8231a.exe	30
PID 2588 wrote to memory of 2396	2588	f6b79788476c3806befcdd2dead8231a.exe	30
PID 2396 wrote to memory of 2812	2396	audiohd.exe	31
PID 2396 wrote to memory of 2812	2396	audiohd.exe	31
PID 2396 wrote to memory of 2812	2396	audiohd.exe	31
PID 2396 wrote to memory of 2812	2396	audiohd.exe	31
PID 2812 wrote to memory of 2156	2812	powershell.exe	33
PID 2812 wrote to memory of 2156	2812	powershell.exe	33
PID 2812 wrote to memory of 2156	2812	powershell.exe	33
PID 2812 wrote to memory of 2156	2812	powershell.exe	33
PID 2156 wrote to memory of 2900	2156	csc.exe	34
PID 2156 wrote to memory of 2900	2156	csc.exe	34
PID 2156 wrote to memory of 2900	2156	csc.exe	34
PID 2156 wrote to memory of 2900	2156	csc.exe	34

C:\Users\Admin\AppData\Local\Temp\f6b79788476c3806befcdd2dead8231a.exe
"C:\Users\Admin\AppData\Local\Temp\f6b79788476c3806befcdd2dead8231a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wrniwnzn.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA738.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA737.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
516KB

MD5
cd92ee37d2fa25da4c3c2f3f64356678

SHA1
83e206c750b1e84550992ddbe2f644b7b374d3d9

SHA256
9694bfd0b6e3d2aeebb9742614691275d3d18550799dab26bfe97ca10a04b046

SHA512
9b12281f1709e549018d17a8cdfa0cacb62b1a7086c863e08495e6b671323b1e193904e4c141f585ad5a116fa822fbc0fd9269c7fdefadd7e098a2a327a2d6bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA738.tmp

Filesize
1KB

MD5
bbea049ae2eec53ca92c7be260ec3d8f

SHA1
9ab1752c1c40cd5428cde3ef17a740e0f32407c8

SHA256
39242bd1f0c5898c6356f99fb71045a28e0cfbd8c0395662cc41ebd5fda9f6df

SHA512
8cfb62e757d7ac6e01f73fd78390bd0e9be2f24ae1bdf33018b056a38cefa398203629dbdd13bb8bdbcf9c5049784336bceb0b5ed821588ff8d338f696ca4b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrniwnzn.dll

Filesize
6KB

MD5
de8643efc7fb44b66d5af952a6cc0bec

SHA1
dd84f13c7638b92085866c9f84159da6d596c112

SHA256
b1292e51890dd9b7f9d5e829a824e1618c112282a62ba6dfd9c3f3a8ef6d76be

SHA512
7e0ec992f4163a55764891680aaea17223289f79ec78830f9520e03240b924788cae100801008cce10930c43a51300dd8f2c19a1358f2e15ca8c14d6ae92ae68

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrniwnzn.pdb

Filesize
13KB

MD5
959bbfc4ea76da344e6f360434805e3e

SHA1
bada6862287abebdd5a6a6795398dfa148c7d8a1

SHA256
631615da8b1a8c3a52196de317be51a9d48c9b466190f071c7dd6850757f22ef

SHA512
9bec6de43dd2bf5384c54d8fb32908ab19893f18541046a60a4aae3db613bb4f3ea031968a11c7031b9f497595981bd108ee8aa1ebf7bc01a806f0e366cd8809

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA737.tmp

Filesize
652B

MD5
b47ff3a6129fcbda8a466bd12b007217

SHA1
9d63fd183e31b09d867416c2d08c80d52082f511

SHA256
61da0ef0d95a4081c0327ce0c4bc31dca1b8341a4abde26a7eca5e9c666705d7

SHA512
3c126b8b86c12511211e49b65b53af898a8cc1e65c5d51d3a36747d7a07b511bc7cfccc754b2569e982d2f005be133e8d89592d416af14335de6d4ba020c19dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wrniwnzn.cmdline

Filesize
309B

MD5
0f53dadd052a7842f0459a3cb8726788

SHA1
51a96f7bd0d3ff636df393318db5769c19c2fb02

SHA256
33f65693dbe725e50692c61c59bf6d0fbf907a260bce4fbac6607e6e420a79b4

SHA512
bac69bf32bce0b28aca929b8be07ffbc762c322260454cbb23d46762eced68158e55e0fe3ec9045f7002106449f3df0edf43c67381034a2e930c97daceeca43e

Download Submit
memory/2396-12-0x0000000000B00000-0x0000000000B16000-memory.dmp

Filesize
88KB

Download
memory/2396-13-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/2396-14-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/2396-32-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/2396-33-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/2588-1-0x0000000001260000-0x0000000001276000-memory.dmp

Filesize
88KB

Download
memory/2588-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download