5656064ae4d3c302be4f376131bce57fa83ba30e94c329f33adb91836d7f4bf8

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
Size

484KB
MD5

a343fed4bd504af60503fbd80efa5326
SHA1

239da9a238861c2e9fcd0cfc534259116f283eeb
SHA256

332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5
SHA512

d62b44e5c9637f10a7b0c54db4f389a16888a5132673375daf5cf0ad2fe2302adb17a3630599dc512a4aa18fceb8f47b7324a7c6c66c6823446894b642181b19
SSDEEP

1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	audiohd.exe

Executes dropped EXE 1 IoCs

pid	Process
5264	audiohd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1472	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
5264	audiohd.exe
6016	powershell.exe
6016	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
Token: SeDebugPrivilege	5264	audiohd.exe
Token: SeDebugPrivilege	6016	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 5264	1472	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe	87
PID 1472 wrote to memory of 5264	1472	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe	87
PID 1472 wrote to memory of 5264	1472	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe	87
PID 5264 wrote to memory of 6016	5264	audiohd.exe	92
PID 5264 wrote to memory of 6016	5264	audiohd.exe	92
PID 5264 wrote to memory of 6016	5264	audiohd.exe	92
PID 6016 wrote to memory of 4972	6016	powershell.exe	94
PID 6016 wrote to memory of 4972	6016	powershell.exe	94
PID 6016 wrote to memory of 4972	6016	powershell.exe	94
PID 4972 wrote to memory of 4928	4972	csc.exe	95
PID 4972 wrote to memory of 4928	4972	csc.exe	95
PID 4972 wrote to memory of 4928	4972	csc.exe	95

C:\Users\Admin\AppData\Local\Temp\332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
"C:\Users\Admin\AppData\Local\Temp\332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5264
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:6016
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mjapr3hp\mjapr3hp.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4972
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA74C.tmp" "c:\Users\Admin\AppData\Local\Temp\mjapr3hp\CSC7EA7F58CAC54CE4A4C4C2FEA11625D4.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
492KB

MD5
9d449b0dfbcac381fd4b7d5a598b6e2d

SHA1
5c6e0bb124c3a3f8774a0e5f341b9eba6cfd31ac

SHA256
13d586d5e73b9bf6e12feacc3bf1d14d2bd2b73724d36b9bec2eb250a9c8f05a

SHA512
ecbac51d43167e03fe8a31e4bd169e7082bdba6aa80b135341f93d014a1e5154f1bffca30d83837f5d0a33a4107f7b35602ae7b68b6fd1b96960d0bc98af5558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA74C.tmp

Filesize
1KB

MD5
476ab87e92d71307ce2f160cba2ef103

SHA1
3d0bd0ce109511ba7d15e04c53981c5baf52e543

SHA256
0ffb7a3841f99a3b89057142c8b524c866faa80e1b27b57390037f77aa8c9d23

SHA512
10ed0481b852705a32b8eb1a44aac3cc4146825e074ef990b79b70822891f34c3ad026c7d99c8e832fbac3cac5e84cece5850727615c24ab94eb55fdcb6e6ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nw5phsxz.xcr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjapr3hp\mjapr3hp.dll

Filesize
6KB

MD5
919d6cd6da6a949c2e4eff36bcd5e334

SHA1
c6d207d2982a67f8ad5805dfbea825673e52e07e

SHA256
36a595be80d191528ecfbc4ce3e3cf975821fef49bb7e5dc19c443e5b6c8e2c0

SHA512
8e0b0f2459e3dba464e4d216ad3ee5a9b2df8cf8bd17479f82d3d0c637c7b62506d72225af2c1bcfe9fb833c6334cc2e8936ed4a46016fc800fb8443818fa6ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mjapr3hp\CSC7EA7F58CAC54CE4A4C4C2FEA11625D4.TMP

Filesize
652B

MD5
3247ce12850ea223100745ecf666b0e3

SHA1
65a1039cdcb7c9f4d4ea622d079eb09e4f07d54c

SHA256
0ce24108fdf3a554cfe51df6c21bfe4d22c1e5f02d01741dd69cdca2f099ed65

SHA512
9887e1f5f9fedda9b5f1d48b658cf5ec7b0b90d9c39aabe7cb4c54b036483bd04b6b63e9351d4ae7d0dd7936139ee0ca74a7ee58682f89b13f6d8da1db001303

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mjapr3hp\mjapr3hp.cmdline

Filesize
360B

MD5
458e09e98b63c540a448f62495d56391

SHA1
d9cb847ad1206dfb2cd6c57fac5f4786cc784dd4

SHA256
20bf6d4aff22a4dc5854f0ec8cdefc2ddca819b94039c56e862be1b3c351b966

SHA512
303b3d266d8dc682b19479e68615fb75636d5e09d66be8885a47e34a73b894258edfbbb99293d73b1878dadae69f0e5270b772d3e646838d25891b42aed91da5

Download Submit
memory/1472-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/1472-3-0x0000000005570000-0x000000000560C000-memory.dmp

Filesize
624KB

Download
memory/1472-2-0x0000000005A20000-0x0000000005FC4000-memory.dmp

Filesize
5.6MB

Download
memory/1472-1-0x0000000000B80000-0x0000000000B96000-memory.dmp

Filesize
88KB

Download
memory/5264-16-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/5264-17-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/5264-57-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/5264-56-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/5264-55-0x00000000063B0000-0x00000000063BA000-memory.dmp

Filesize
40KB

Download
memory/5264-54-0x0000000006D60000-0x0000000006DF2000-memory.dmp

Filesize
584KB

Download
memory/6016-22-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/6016-38-0x0000000006410000-0x000000000645C000-memory.dmp

Filesize
304KB

Download
memory/6016-40-0x00000000064F0000-0x000000000650A000-memory.dmp

Filesize
104KB

Download
memory/6016-39-0x0000000007610000-0x0000000007C8A000-memory.dmp

Filesize
6.5MB

Download
memory/6016-37-0x0000000005FE0000-0x0000000005FFE000-memory.dmp

Filesize
120KB

Download
memory/6016-32-0x0000000005990000-0x0000000005CE4000-memory.dmp

Filesize
3.3MB

Download
memory/6016-20-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/6016-26-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/6016-25-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/6016-52-0x0000000006580000-0x0000000006588000-memory.dmp

Filesize
32KB

Download
memory/6016-21-0x00000000050D0000-0x00000000056F8000-memory.dmp

Filesize
6.2MB

Download
memory/6016-23-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/6016-24-0x0000000004EC0000-0x0000000004EE2000-memory.dmp

Filesize
136KB

Download
memory/6016-19-0x0000000004A10000-0x0000000004A46000-memory.dmp

Filesize
216KB

Download
memory/6016-58-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download