5656064ae4d3c302be4f376131bce57fa83ba30e94c329f33adb91836d7f4bf8

Analysis

max time kernel
17s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
Size

484KB
MD5

a343fed4bd504af60503fbd80efa5326
SHA1

239da9a238861c2e9fcd0cfc534259116f283eeb
SHA256

332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5
SHA512

d62b44e5c9637f10a7b0c54db4f389a16888a5132673375daf5cf0ad2fe2302adb17a3630599dc512a4aa18fceb8f47b7324a7c6c66c6823446894b642181b19
SSDEEP

1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	audiohd.exe

Executes dropped EXE 1 IoCs

pid	Process
3736	audiohd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5320	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
3736	audiohd.exe
1904	powershell.exe
1904	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5320	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
Token: SeDebugPrivilege	3736	audiohd.exe
Token: SeDebugPrivilege	1904	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5320 wrote to memory of 3736	5320	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe	87
PID 5320 wrote to memory of 3736	5320	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe	87
PID 5320 wrote to memory of 3736	5320	332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe	87
PID 3736 wrote to memory of 1904	3736	audiohd.exe	88
PID 3736 wrote to memory of 1904	3736	audiohd.exe	88
PID 3736 wrote to memory of 1904	3736	audiohd.exe	88
PID 1904 wrote to memory of 6064	1904	powershell.exe	90
PID 1904 wrote to memory of 6064	1904	powershell.exe	90
PID 1904 wrote to memory of 6064	1904	powershell.exe	90
PID 6064 wrote to memory of 4860	6064	csc.exe	91
PID 6064 wrote to memory of 4860	6064	csc.exe	91
PID 6064 wrote to memory of 4860	6064	csc.exe	91

C:\Users\Admin\AppData\Local\Temp\332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
"C:\Users\Admin\AppData\Local\Temp\332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5320
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\psihd5p1\psihd5p1.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:6064
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E0C.tmp" "c:\Users\Admin\AppData\Local\Temp\psihd5p1\CSC8A919121CFF241A89BE9D81EFD0A3AC.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
491KB

MD5
879d538f8eb2cd8080bb842bce7d5ef1

SHA1
805ad24477d37118ba08254e8bca3ecb5da70ff4

SHA256
043c5b978538623842e177f7a6952fbbdc9b9b58dce5c045db1dafc68e313cc6

SHA512
c42f099887b2363a4e21baeee40c56a44c8f3dc576fb2d089b6a3d43a7fe738b6adfe0019ae127f36cf8cb772a1cd44e3bf9135f2c35e0089bd85b8533d6fc03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6E0C.tmp

Filesize
1KB

MD5
20ac3111e9f85922fcb0ccdfccd7b539

SHA1
e6dca621c961c3050f78c1ae7e1c69f7a4bfa628

SHA256
8106582b6c87bbc682769842fe388e4be0e2c83df91176bc21022effae0a9b1b

SHA512
b136241ebf7701a6e95ca6d78968ae434687cee5b2e3fafb4d321c21d5f8692d226be2846f1ecc63e5b6dd17419a05d7588b4184fcd4c25e378c8f3e9ef8196d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qeufkyca.4rf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\psihd5p1\psihd5p1.dll

Filesize
6KB

MD5
cdaa8ec4a241bc0d1ba850d511d1a942

SHA1
11730f579ce1610dad9b65f186553cf149753489

SHA256
24829ca3c7a2b30100628a9d493c50668cb3901df9dcdc057004c6ff34ddef6c

SHA512
55a9b9d2fd68d4488ff4be0c588d78d6ca4d241b6ed26a7aca57913930d10067d1c06ba4bda591cee934e1d5033c38146314ab5a8802a5dc84a24cdf9d0c75c0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\psihd5p1\CSC8A919121CFF241A89BE9D81EFD0A3AC.TMP

Filesize
652B

MD5
732c0db86eea7a47590e8c511ce1a8af

SHA1
41421289b6980111dc1d4edd15514d5cf5e3fb6c

SHA256
ed102af77eaaef3ee554703bcda66bfe2b707f490e89208ee985e2115a4dd54a

SHA512
e32b93a04cd36884322bc40d294d40da6ddb670541eca088064aecd3bfdddb3ff5b87951eaaf059ad32dc7c14a706de3475e2d89cad37477475517ff13240e04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\psihd5p1\psihd5p1.cmdline

Filesize
360B

MD5
d7a2b14169939f3d19e56d68d4889ebb

SHA1
30499b6ddeec6c7bb2085f988e01104e4cc3f2fd

SHA256
9af9bd6b8a10251843f2799d15f2460abc7ff63425c748f87815daa972887601

SHA512
3a7dc3782dcdf09ee75dbe23f700927196d07b86420e13439cd0d598a8fbe13545678e59c385e5883625d14170cceb2232f94b457f44bc989f6be4b5e758d12d

Download Submit
memory/1904-21-0x0000000005610000-0x0000000005C38000-memory.dmp

Filesize
6.2MB

Download
memory/1904-38-0x0000000006330000-0x000000000637C000-memory.dmp

Filesize
304KB

Download
memory/1904-22-0x0000000005430000-0x0000000005452000-memory.dmp

Filesize
136KB

Download
memory/1904-19-0x00000000029D0000-0x0000000002A06000-memory.dmp

Filesize
216KB

Download
memory/1904-36-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/1904-35-0x0000000005CC0000-0x0000000006014000-memory.dmp

Filesize
3.3MB

Download
memory/1904-24-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/1904-39-0x0000000007940000-0x0000000007FBA000-memory.dmp

Filesize
6.5MB

Download
memory/1904-37-0x0000000006310000-0x000000000632E000-memory.dmp

Filesize
120KB

Download
memory/1904-23-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/1904-25-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/1904-20-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/1904-40-0x0000000006810000-0x000000000682A000-memory.dmp

Filesize
104KB

Download
memory/1904-58-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/1904-52-0x00000000068D0000-0x00000000068D8000-memory.dmp

Filesize
32KB

Download
memory/3736-17-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/3736-16-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/3736-54-0x0000000006970000-0x0000000006A02000-memory.dmp

Filesize
584KB

Download
memory/3736-55-0x0000000005D60000-0x0000000005D6A000-memory.dmp

Filesize
40KB

Download
memory/3736-56-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/3736-57-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/5320-3-0x0000000004DD0000-0x0000000004E6C000-memory.dmp

Filesize
624KB

Download
memory/5320-2-0x0000000005270000-0x0000000005814000-memory.dmp

Filesize
5.6MB

Download
memory/5320-1-0x0000000000370000-0x0000000000386000-memory.dmp

Filesize
88KB

Download
memory/5320-0-0x000000007528E000-0x000000007528F000-memory.dmp

Filesize
4KB

Download