4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Analysis

max time kernel
90s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6b79788476c3806befcdd2dead8231a.exe
Size

506KB
MD5

f6b79788476c3806befcdd2dead8231a
SHA1

56eba5da31c728dc287435a555e527b1a27cae37
SHA256

9c798b5cf50fd400ce59355b91a741ab5ccfcffdaedc50815981fa280f4776a9
SHA512

f46f9b568f3d0cb6b4e799a68a3d7defd4e35cbf3df59840d05e575e8580a0cd8e95a497b5f5b272c21fe4105264272d4b58c8bec211597bbcf2de099eab49f3
SSDEEP

1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	f6b79788476c3806befcdd2dead8231a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	audiohd.exe

Executes dropped EXE 1 IoCs

pid	Process
2696	audiohd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6b79788476c3806befcdd2dead8231a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
956	f6b79788476c3806befcdd2dead8231a.exe
2696	audiohd.exe
3168	powershell.exe
3168	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	f6b79788476c3806befcdd2dead8231a.exe
Token: SeDebugPrivilege	2696	audiohd.exe
Token: SeDebugPrivilege	3168	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 2696	956	f6b79788476c3806befcdd2dead8231a.exe	91
PID 956 wrote to memory of 2696	956	f6b79788476c3806befcdd2dead8231a.exe	91
PID 956 wrote to memory of 2696	956	f6b79788476c3806befcdd2dead8231a.exe	91
PID 2696 wrote to memory of 3168	2696	audiohd.exe	94
PID 2696 wrote to memory of 3168	2696	audiohd.exe	94
PID 2696 wrote to memory of 3168	2696	audiohd.exe	94
PID 3168 wrote to memory of 4532	3168	powershell.exe	98
PID 3168 wrote to memory of 4532	3168	powershell.exe	98
PID 3168 wrote to memory of 4532	3168	powershell.exe	98
PID 4532 wrote to memory of 3180	4532	csc.exe	99
PID 4532 wrote to memory of 3180	4532	csc.exe	99
PID 4532 wrote to memory of 3180	4532	csc.exe	99

C:\Users\Admin\AppData\Local\Temp\f6b79788476c3806befcdd2dead8231a.exe
"C:\Users\Admin\AppData\Local\Temp\f6b79788476c3806befcdd2dead8231a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ymoitgms\ymoitgms.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8676.tmp" "c:\Users\Admin\AppData\Local\Temp\ymoitgms\CSCE56501914BB44854BD66F65ECF2FBBEA.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
510KB

MD5
6d18932e307d0d35604aea090a73b9af

SHA1
2a071963e98e4b475cb8ebf0c766d13f6b1e99d7

SHA256
8934d14ea8c1ba465d16a67f71659d0e2ffe0d59f926548f0c4b8e509c56e2ef

SHA512
20e43c6387c54369e2a53f9ccb36310c0d8c3fbff18b8a4b503cd8645c67387296808e735f52f077291bbe3fdffd463723adfa6e08ebc6eb00192a69f3a60ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8676.tmp

Filesize
1KB

MD5
bf8f3f63841c41e407777afaeb064808

SHA1
53cea3a3f95af89a063213187e381201013771e3

SHA256
9233ccc6cff52b4db2765c0292f48e612ef288a4d2d57194bb071f4ce3d25fe9

SHA512
56da0ead058d2cc6812c54d92773c17acb0724778f1264cb3967570043ca6dd08c2bef376b74d91783ed4050e66c354af435cc1e928835e0a228bdf8b6dfc0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uc2liuxc.0bh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymoitgms\ymoitgms.dll

Filesize
6KB

MD5
53379e40d2baeaf800f1c03da634fd81

SHA1
011e990adf99529e697777f33310c5ce51270902

SHA256
8622ddf57cc9afb3427972efd4d10c1b6cc4936b7717703ae5b641447f2709f2

SHA512
1a3ecd3d8fe1447fd5aaf3488dc2a5adbc1b5e9032362458450dcdd75ff2213fd2f8b50d61983f0cca08ad514be37b636a032c4cd96df27a617fd05780984acd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ymoitgms\CSCE56501914BB44854BD66F65ECF2FBBEA.TMP

Filesize
652B

MD5
671d4a22d7ce0bdc270355d20d6d0e89

SHA1
ad8ea5f2cfa57d8d9934dbd7d316ca2306b11afb

SHA256
c334cfa7b0d9b41c5182beb4bb640b212f252982baf15e5cdfa39d04a4efeee4

SHA512
88acfb52330deb038256908263c390909eacb8cf83da34e4318209913bb7974a308b1f95b3e3751682b0085923277cec952ad88caca5158e8499acc4124fbdd9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ymoitgms\ymoitgms.cmdline

Filesize
360B

MD5
1012df392e2004f7f4723f84588840b3

SHA1
f683e7e197353a8aac8195f7139297f66e221e1d

SHA256
1a2c8491779973454b113029d7fc1511d6e79015993d28c48d236ecd6441873a

SHA512
39ba420f165f33678cc835a41515e857d3fefa03596651a66969a6e99a3597dd7862527d8f7a13fd0f0434a943f3d1b4a26a5b05f30a390c3a7995a8a4d063c8

Download Submit
memory/956-3-0x0000000005320000-0x00000000053BC000-memory.dmp

Filesize
624KB

Download
memory/956-2-0x0000000005810000-0x0000000005DB4000-memory.dmp

Filesize
5.6MB

Download
memory/956-1-0x0000000000940000-0x0000000000956000-memory.dmp

Filesize
88KB

Download
memory/956-0-0x00000000751EE000-0x00000000751EF000-memory.dmp

Filesize
4KB

Download
memory/2696-16-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/2696-17-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/2696-57-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/2696-56-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/2696-55-0x0000000006770000-0x000000000677A000-memory.dmp

Filesize
40KB

Download
memory/2696-54-0x00000000067A0000-0x0000000006832000-memory.dmp

Filesize
584KB

Download
memory/3168-36-0x0000000005C50000-0x0000000005FA4000-memory.dmp

Filesize
3.3MB

Download
memory/3168-38-0x0000000006130000-0x000000000617C000-memory.dmp

Filesize
304KB

Download
memory/3168-40-0x00000000065D0000-0x00000000065EA000-memory.dmp

Filesize
104KB

Download
memory/3168-39-0x00000000078D0000-0x0000000007F4A000-memory.dmp

Filesize
6.5MB

Download
memory/3168-37-0x00000000060E0000-0x00000000060FE000-memory.dmp

Filesize
120KB

Download
memory/3168-26-0x0000000005960000-0x00000000059C6000-memory.dmp

Filesize
408KB

Download
memory/3168-24-0x0000000005120000-0x0000000005142000-memory.dmp

Filesize
136KB

Download
memory/3168-52-0x0000000006650000-0x0000000006658000-memory.dmp

Filesize
32KB

Download
memory/3168-25-0x00000000052C0000-0x0000000005326000-memory.dmp

Filesize
408KB

Download
memory/3168-23-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3168-21-0x0000000005330000-0x0000000005958000-memory.dmp

Filesize
6.2MB

Download
memory/3168-22-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3168-20-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3168-19-0x00000000027B0000-0x00000000027E6000-memory.dmp

Filesize
216KB

Download
memory/3168-58-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download