d7108405eebedbd1d610c13bd7dae066a7ca5497f7e1c8c977a92b8401083709

Analysis

max time kernel
5s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe
Size

510KB
MD5

b4f566f5a727720b1ff62aef921c0e0e
SHA1

f889fca2aa15e304d2a1a6f721bd40a03a9e5735
SHA256

2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b
SHA512

9a6c4e1236a7972a3ee56653d32fd49933ca023c08b1c90b1366c3457cf0f5746595b688c7bee626ea846eb92bf9482452dde3d7196bd9384874b1f8b51ed774
SSDEEP

1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	audiohd.exe

Executes dropped EXE 1 IoCs

pid	Process
2452	audiohd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5548	2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe
2452	audiohd.exe
5712	powershell.exe
5712	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5548	2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe
Token: SeDebugPrivilege	2452	audiohd.exe
Token: SeDebugPrivilege	5712	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5548 wrote to memory of 2452	5548	2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe	88
PID 5548 wrote to memory of 2452	5548	2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe	88
PID 5548 wrote to memory of 2452	5548	2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe	88
PID 2452 wrote to memory of 5712	2452	audiohd.exe	89
PID 2452 wrote to memory of 5712	2452	audiohd.exe	89
PID 2452 wrote to memory of 5712	2452	audiohd.exe	89

C:\Users\Admin\AppData\Local\Temp\2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe
"C:\Users\Admin\AppData\Local\Temp\2b3308a4153ff3a99a4355a4b70e96779a5f60a820b4b65dcf1ffb6b6d5b4b7b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5548
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5712
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rmgeqheo\rmgeqheo.cmdline"
      4⤵
      PID:5728
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64D4.tmp" "c:\Users\Admin\AppData\Local\Temp\rmgeqheo\CSCD2C0D1ADF2F8486FBD1898A0ECFF7362.TMP"
        5⤵
        
        PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
513KB

MD5
a263cf68cde824af2a697b20bc3b68b7

SHA1
4790bca4ec5d987d976c7648090414121bbeb88f

SHA256
dfd40fd3680a9fd38db089e60503b8b09982dc71cd8d0ff3c6256505dedd5b2f

SHA512
80abbe089f1993a4c73afb28ea6f498b5884bcab1d08ed981cea8846d153af17f53913bfb74e7ab1bca24059a70822efeecba956088848e15591fba009efdc7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES64D4.tmp

Filesize
1KB

MD5
8cf3208e30368224c540ed34b6a83a2b

SHA1
73728032d23e502be9d2bed8e8a40b1cd28f6de8

SHA256
0d1b6eeb719fa41b477339e9d5993044931014a50918849be7c67b1e41a0f5ee

SHA512
b0094ad8256aca68de57405825147def67656c94be4901cc9ac3f954dd65ed74f93d9972256e1c7de2a5749d11c1823059695ab791390e579a57de7c4ddc4d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zxynlegr.nv2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmgeqheo\rmgeqheo.dll

Filesize
6KB

MD5
37351f64c473bf354ca3b68a3ee685f9

SHA1
ad0a186e75ae88baa76b61eee1aab5c57d19234a

SHA256
4999e2d46062d2a7671ad81e37bb64bb2711e574238a5ae132b9c1a1706274e0

SHA512
b6c42c77f8d4ea904cab3992cc0bd7a13db872bbaa45db8767a047fb43e568a88a2cb3ff35cce410c2c1af75d4fc6779de5709e57d797bee38c95f7b6b0d1745

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rmgeqheo\CSCD2C0D1ADF2F8486FBD1898A0ECFF7362.TMP

Filesize
652B

MD5
9d7cbdbf6a2294c6e95d2e7106d26f17

SHA1
12c444989150fabd05055c439de6290e7fe4145e

SHA256
865ec808f05ca02bb4b9056683e3aae6b4772a974afce027ba84799d76395556

SHA512
9d3f81e566fdc2a06f01a90a455862f53db604723312d4ec76a65c18981567abc29f0a9e72e48db47fd2664ecd40b8c511fe3844a719989363dcc43b72a6ba33

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rmgeqheo\rmgeqheo.cmdline

Filesize
360B

MD5
f0cc9ea7ddf205ac397319d8e60192ce

SHA1
99b90eae77957391abb757793da310b067b1b9fd

SHA256
ae4d499c939123925fd7b35501c978a9e186168a222633620dba1993f5179fbd

SHA512
407eaa743bb2f98aad9217da0d800cb8855f09d83c1eb3b1771ce08d11c57dfca0143f24f568fa3b7ee8d5897b615fab281a3a9bce7b51adf51ca36606530095

Download Submit
memory/2452-16-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/2452-17-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/2452-57-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/2452-56-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/2452-55-0x00000000067E0000-0x00000000067EA000-memory.dmp

Filesize
40KB

Download
memory/2452-54-0x0000000006800000-0x0000000006892000-memory.dmp

Filesize
584KB

Download
memory/5548-0-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/5548-3-0x0000000005970000-0x0000000005A0C000-memory.dmp

Filesize
624KB

Download
memory/5548-2-0x0000000005DB0000-0x0000000006354000-memory.dmp

Filesize
5.6MB

Download
memory/5548-1-0x0000000000EE0000-0x0000000000EF6000-memory.dmp

Filesize
88KB

Download
memory/5712-21-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/5712-38-0x00000000065A0000-0x00000000065EC000-memory.dmp

Filesize
304KB

Download
memory/5712-40-0x0000000006A90000-0x0000000006AAA000-memory.dmp

Filesize
104KB

Download
memory/5712-39-0x0000000007BC0000-0x000000000823A000-memory.dmp

Filesize
6.5MB

Download
memory/5712-37-0x0000000006570000-0x000000000658E000-memory.dmp

Filesize
120KB

Download
memory/5712-36-0x0000000006090000-0x00000000063E4000-memory.dmp

Filesize
3.3MB

Download
memory/5712-23-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/5712-25-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/5712-52-0x0000000006B10000-0x0000000006B18000-memory.dmp

Filesize
32KB

Download
memory/5712-26-0x0000000005F20000-0x0000000005F86000-memory.dmp

Filesize
408KB

Download
memory/5712-24-0x00000000055D0000-0x00000000055F2000-memory.dmp

Filesize
136KB

Download
memory/5712-19-0x0000000002C80000-0x0000000002CB6000-memory.dmp

Filesize
216KB

Download
memory/5712-22-0x0000000005690000-0x0000000005CB8000-memory.dmp

Filesize
6.2MB

Download
memory/5712-20-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/5712-58-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download