d7108405eebedbd1d610c13bd7dae066a7ca5497f7e1c8c977a92b8401083709

Analysis

max time kernel
51s
max time network
142s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe
Size

510KB
MD5

b4f566f5a727720b1ff62aef921c0e0e
SHA1

f889fca2aa15e304d2a1a6f721bd40a03a9e5735
SHA256

2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b
SHA512

9a6c4e1236a7972a3ee56653d32fd49933ca023c08b1c90b1366c3457cf0f5746595b688c7bee626ea846eb92bf9482452dde3d7196bd9384874b1f8b51ed774
SSDEEP

1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2960	audiohd.exe

Loads dropped DLL 2 IoCs

pid	Process
2784	2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe
2784	2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2784	2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe
2960	audiohd.exe
2800	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe
Token: SeDebugPrivilege	2960	audiohd.exe
Token: SeDebugPrivilege	2800	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2960	2784	2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe	30
PID 2784 wrote to memory of 2960	2784	2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe	30
PID 2784 wrote to memory of 2960	2784	2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe	30
PID 2784 wrote to memory of 2960	2784	2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe	30
PID 2960 wrote to memory of 2800	2960	audiohd.exe	31
PID 2960 wrote to memory of 2800	2960	audiohd.exe	31
PID 2960 wrote to memory of 2800	2960	audiohd.exe	31
PID 2960 wrote to memory of 2800	2960	audiohd.exe	31
PID 2800 wrote to memory of 2932	2800	powershell.exe	33
PID 2800 wrote to memory of 2932	2800	powershell.exe	33
PID 2800 wrote to memory of 2932	2800	powershell.exe	33
PID 2800 wrote to memory of 2932	2800	powershell.exe	33
PID 2932 wrote to memory of 1612	2932	csc.exe	34
PID 2932 wrote to memory of 1612	2932	csc.exe	34
PID 2932 wrote to memory of 1612	2932	csc.exe	34
PID 2932 wrote to memory of 1612	2932	csc.exe	34

C:\Users\Admin\AppData\Local\Temp\2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe
"C:\Users\Admin\AppData\Local\Temp\2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i672mbk3.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD5B7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD5B6.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD5B7.tmp

Filesize
1KB

MD5
ce5bc893530766306ea1f1305b1a7929

SHA1
c05cb7161828d35daa8233c3915467fe532fc028

SHA256
86f6319216524fbc3ee435f1889cfe936760265e65b631a0241667a74efd22f9

SHA512
938557aa39afe1b9943317293b0db5d667b85ef2d5d4f24cf841e7842ac582e719ad8c88b08831171ea9fe5197e810f08404c743ac4fa6b1d53445b29df3aee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\i672mbk3.dll

Filesize
6KB

MD5
f84510d23b0cdd67bb33e6a43d9c2b45

SHA1
9e7a643615791129c3e546be23853c811347dff6

SHA256
86c34181aa0d8475c285e1f731ebccbef32bb51ee8725ffa97e191fec17feab7

SHA512
96eaa555b74bfea9e862c82a0f74c5d510cd334d9b38a8c0c46ca2eedbb6ba6468a9818f3fec552f41ce722c4a08e206b6789017c1d853e2865deab5742e3e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\i672mbk3.pdb

Filesize
13KB

MD5
312aefe90060db865af63efe1605e373

SHA1
8530abe46cbc89ce87fb12557db1c2f48e869a0c

SHA256
bba8629a827c9acc98bf140ba0c9435c013044c639ed795fa10a28c97a6d1283

SHA512
eea76fb83a5331a31f69b77573687c4fa4f1304ed0f21cb68e898a59f618bf93d064658b05087dc0d518fabafd2f4ad180125a5456f73c2fb04ebb197a7d6f7f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD5B6.tmp

Filesize
652B

MD5
b2c33f621041c86e4b02cae84b4e90d5

SHA1
79908c7b33ea143f8e8c94fbcf7f90147cc344e8

SHA256
c6677069533d9749bee62f77fe0ccac098e46eed0c52d803f63d711089e818b1

SHA512
ecdb512ccf5048c6d50210915537add72f926b90de57053e6d7e1d400d9bba300e1c787cad6146f0ba6e89e6308ac79e4683dac452d34864a0fa7c783ce363a0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i672mbk3.cmdline

Filesize
309B

MD5
022ccf8560a1e07116cc4626f51c5cb8

SHA1
5e596806c6965a5d6ff691a5840ed36e0fcaae19

SHA256
696c539ac844de5d8d253868e37e6777d8a3cc72f7505c287ceebb90c09a6926

SHA512
1a3334de987cd6413c22e17aaddacb57b7c03622fa977952aaec77ede77b42167b3f07056372aa60bc882abd6a6761b1d0b005282b35d0ae6763c75d0730f834

Download Submit
\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
516KB

MD5
a8e1e6e7fad6cbcb3cd3e4eff7adf9b7

SHA1
fa23bbbfa1748b9ee65601741c29a393e5ebae04

SHA256
f2ae6b83ea6d351210a01331a73f5aa2882cec69ee2c041b9c7d78b1bc2a095d

SHA512
73620f8ddb4ba346ae17791e68c5c0caba44fc67e2d5ab120d8eba0e02d0ae21656c270b07e3a823dbc93767e67babd54438cb9b1723498aac3ceacec259e615

Download Submit
memory/2784-0-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

Filesize
4KB

Download
memory/2784-1-0x0000000000290000-0x00000000002A6000-memory.dmp

Filesize
88KB

Download
memory/2960-12-0x0000000000CB0000-0x0000000000CC6000-memory.dmp

Filesize
88KB

Download
memory/2960-13-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2960-14-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2960-32-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2960-33-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download