5656064ae4d3c302be4f376131bce57fa83ba30e94c329f33adb91836d7f4bf8

Analysis

max time kernel
20s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
Size

484KB
MD5

a343fed4bd504af60503fbd80efa5326
SHA1

239da9a238861c2e9fcd0cfc534259116f283eeb
SHA256

332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5
SHA512

d62b44e5c9637f10a7b0c54db4f389a16888a5132673375daf5cf0ad2fe2302adb17a3630599dc512a4aa18fceb8f47b7324a7c6c66c6823446894b642181b19
SSDEEP

1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2492	audiohd.exe

Loads dropped DLL 2 IoCs

pid	Process
2340	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
2340	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2340	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
2492	audiohd.exe
2784	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
Token: SeDebugPrivilege	2492	audiohd.exe
Token: SeDebugPrivilege	2784	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2492	2340	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe	30
PID 2340 wrote to memory of 2492	2340	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe	30
PID 2340 wrote to memory of 2492	2340	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe	30
PID 2340 wrote to memory of 2492	2340	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe	30
PID 2492 wrote to memory of 2784	2492	audiohd.exe	31
PID 2492 wrote to memory of 2784	2492	audiohd.exe	31
PID 2492 wrote to memory of 2784	2492	audiohd.exe	31
PID 2492 wrote to memory of 2784	2492	audiohd.exe	31
PID 2784 wrote to memory of 2696	2784	powershell.exe	33
PID 2784 wrote to memory of 2696	2784	powershell.exe	33
PID 2784 wrote to memory of 2696	2784	powershell.exe	33
PID 2784 wrote to memory of 2696	2784	powershell.exe	33
PID 2696 wrote to memory of 2792	2696	csc.exe	34
PID 2696 wrote to memory of 2792	2696	csc.exe	34
PID 2696 wrote to memory of 2792	2696	csc.exe	34
PID 2696 wrote to memory of 2792	2696	csc.exe	34

C:\Users\Admin\AppData\Local\Temp\332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
"C:\Users\Admin\AppData\Local\Temp\332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ndwworn-.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBDD4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBDD3.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBDD4.tmp

Filesize
1KB

MD5
3726acec748ea91ea976914de195f405

SHA1
317154415a6cd645442f0302c0086438006fd7bd

SHA256
6411e572e068727cb157da6f699c196ca9ce686f530a7289053ceadb1dba5dff

SHA512
e7e5947c61d0ef7f79785feddb0885fc73da04c7bf79e4696824088198c1eadb29629853961306a0a1ff30e9f0c2b337d21196e1ed1c8a1396a85896e5046109

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndwworn-.dll

Filesize
6KB

MD5
c96f3c3faf9492756928e7617ba7220e

SHA1
9b6d320f78723d99065e389329cf59ba6336643a

SHA256
66813384c6d68e03c6f0368c4ab25ebc3c24ccc4f515aefe092dba455b7f2b59

SHA512
7806aa06644cf42e65262c7851ed37c3c244ceacd3b4f7f8085192c4950fea53286d9f26e4cc6ec37955af3e118fb4a38782c3accbe40a0fffccf2eaf8ebd9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndwworn-.pdb

Filesize
13KB

MD5
08537dfece700870a39d596ed2ca6bc8

SHA1
c595fb105062f66d061ad444ce014e979003e76f

SHA256
ae0853d42069a2d7e331295a0ec343dc0d73d5e262300b4ea2b26de3aad90540

SHA512
3002a4467d25656a56a3016db91cabcca1c4fe10ec1330c6c08634abba7499ed8466adf27a90296c84623b342b6ca7daeed3278f2efa91a1a6dacad2af7a441f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBDD3.tmp

Filesize
652B

MD5
d860aa699198f9f9092ce53d6f68a0ba

SHA1
01489dc4449718f112dc56aa465e767a7424bd4e

SHA256
d31c6c35d0160657eb1b15f0f686f4a8e811e85f04b141c5bc03da62056c78b8

SHA512
1221315856291058eb92df394e4aa1f3632b9c55b315be9be671d53de98928c0afaf500f2febaad3a473f3faca95d9e7cee14ae4fb0ce997fe962a2097a34950

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ndwworn-.cmdline

Filesize
309B

MD5
7e6fb692c1cbf9669f2fde95968ef708

SHA1
52e1085c497a69f57870443444617066ddcf3fcb

SHA256
fa873e6733e7aa25065b6a9fa8668e8223ba84955636c8962b090769eebb4baf

SHA512
53a4ce7ef195a072fd6b5b721b29f184ec1da17d3388ee1308bb6ae3140db18db53eebe290916325ea928714881eb198dbb9b2eb3e138418d2c9947a14678ca8

Download Submit
\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
487KB

MD5
21a792cc1492fca051016e5f169dae79

SHA1
02c419c48af27d020a193c04dd2bd2703ab0cc7d

SHA256
3454e08a8c89ab46666e4dddf5b108bc7de9b0fee87ea32ac13804fb5a2c1ee3

SHA512
11377fdd18bf2b7500485395b5945d6834eb78834e27148243f6e56663ebc6c01db77089af2517edf8f211952f01bd39ee142147506e633097703adff68e8e94

Download Submit
memory/2340-1-0x0000000001040000-0x0000000001056000-memory.dmp

Filesize
88KB

Download
memory/2340-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

Filesize
4KB

Download
memory/2492-12-0x00000000009B0000-0x00000000009C6000-memory.dmp

Filesize
88KB

Download
memory/2492-13-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-14-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-32-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-33-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download