189c456c653e587b81b4f3950b102a94c4570c2a7057c50b138b511162a2c46a

Analysis

max time kernel
91s
max time network
125s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8aa071d8cc2dd74176f041bba8762b3d.exe
Size

509KB
MD5

8aa071d8cc2dd74176f041bba8762b3d
SHA1

600a6b37b8ef0216dbb2a1b0089b47e8e0121f77
SHA256

ac0f2c31139dba2b54497d4c90022629da055b9e9ae49d2eb780bedcf70fe41f
SHA512

a843de8b779c04f884f4faefd7933a9350855c4c15b8865334df08a2d86e51c5785d28c284ab625464de0c69191c1212a2714cb80e888a0c065f3758d5cacded
SSDEEP

1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2416	audiohd.exe

Loads dropped DLL 2 IoCs

pid	Process
2536	8aa071d8cc2dd74176f041bba8762b3d.exe
2536	8aa071d8cc2dd74176f041bba8762b3d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8aa071d8cc2dd74176f041bba8762b3d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2536	8aa071d8cc2dd74176f041bba8762b3d.exe
2416	audiohd.exe
2316	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	8aa071d8cc2dd74176f041bba8762b3d.exe
Token: SeDebugPrivilege	2416	audiohd.exe
Token: SeDebugPrivilege	2316	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2416	2536	8aa071d8cc2dd74176f041bba8762b3d.exe	31
PID 2536 wrote to memory of 2416	2536	8aa071d8cc2dd74176f041bba8762b3d.exe	31
PID 2536 wrote to memory of 2416	2536	8aa071d8cc2dd74176f041bba8762b3d.exe	31
PID 2536 wrote to memory of 2416	2536	8aa071d8cc2dd74176f041bba8762b3d.exe	31
PID 2416 wrote to memory of 2316	2416	audiohd.exe	32
PID 2416 wrote to memory of 2316	2416	audiohd.exe	32
PID 2416 wrote to memory of 2316	2416	audiohd.exe	32
PID 2416 wrote to memory of 2316	2416	audiohd.exe	32
PID 2316 wrote to memory of 2760	2316	powershell.exe	34
PID 2316 wrote to memory of 2760	2316	powershell.exe	34
PID 2316 wrote to memory of 2760	2316	powershell.exe	34
PID 2316 wrote to memory of 2760	2316	powershell.exe	34
PID 2760 wrote to memory of 2396	2760	csc.exe	35
PID 2760 wrote to memory of 2396	2760	csc.exe	35
PID 2760 wrote to memory of 2396	2760	csc.exe	35
PID 2760 wrote to memory of 2396	2760	csc.exe	35

C:\Users\Admin\AppData\Local\Temp\8aa071d8cc2dd74176f041bba8762b3d.exe
"C:\Users\Admin\AppData\Local\Temp\8aa071d8cc2dd74176f041bba8762b3d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\44tu713_.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC43.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEC42.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\44tu713_.dll

Filesize
6KB

MD5
760f74558c6db6437947ab11b296d935

SHA1
4ba87ae26ea61905b4f6125f6141585afaf69a51

SHA256
b4b343fb09c5106065870b170c7659cc245bbfa1b8f5b8ae3352ba828d48291b

SHA512
b7fe41b69fe5cc6157592626a6560a4bd50a144841d1ee339c6ede5c1b6720a2e3f576026afbd25c7581ba012e854de7d5bdbdc32c642ff9813d8a6747fd342d

Download Submit
C:\Users\Admin\AppData\Local\Temp\44tu713_.pdb

Filesize
13KB

MD5
5c7d114276f71104986b24511866ffba

SHA1
b83a257556cd7ecdb68b56c6955dc52b4eca2264

SHA256
bcf1650c17c906950eaa3ad65c540b465825db3540fd87e64ca52ed14b8f967d

SHA512
78ca6ff8719f09cee765e4ceef371e336687a913ad61a542a5b8d357512cb016b564eb89605d816deaae5043ded5053578f50803d90f5074f4fc71f79cda315f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEC43.tmp

Filesize
1KB

MD5
f80cadf71137d9c24e639e07c8579aa0

SHA1
2bbf40a1ebd648ae9012de206915eba0086e1bc5

SHA256
d76bb17b515a3a759f27532c7782c90f26598cd58025656c054bc326d3db66bd

SHA512
5d1411c05e84a13de9216efbef6e4149a394ef0e55856247a9f4c902ce95473b4d9be92b3be1cb3d5e363bbc001d2d7d48a62f8670bf943208cba3fa3c25832a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\44tu713_.cmdline

Filesize
309B

MD5
14449eac5403452a0decf6b0bb039c23

SHA1
832e13b20bbd985c3815475e887ae7bb98e9560d

SHA256
83048c577ea7bfb3c0887935c02a3614ae25d1d981bebdd0af52af6397c39753

SHA512
ea44596bc280a0da04251b3371d4fc9f82665b8ef832872c5967dec3b02a4bcb92c3a81a09ee2f5ac85fd3ae14d234917d67bbea824fb794b42a3e22d4b08a7b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEC42.tmp

Filesize
652B

MD5
462fc2552f11ae8815a14e79321b596a

SHA1
9edf39778b99392d805ccd313e6005569a64ce1f

SHA256
5004ee69632264d898bd34d3750ed91946e26ea8ba9e2403ef31b86a80424ce0

SHA512
78eeabb453b883450e9c10ebb9cd01259a9591fc43b026980980828639e3b80d1e0b0887e3f78e562ff142da91969b5fee2ab37ca8757dea278e1d7b92313ddb

Download Submit
\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
515KB

MD5
9e3bcccd19638175dbadf325f6a9e176

SHA1
58bc0cdcc6b65c2fad5ee64783beb31ea0811ce8

SHA256
89afa35121ca2cba1375e349479592c771fe951375fe882baf44955770af7c96

SHA512
3bafcb13c414ee1d13c33de19aa939513064372f78ac8ebebb0a514b551821eacf9dbc3428a6a14d8f59209522203f52458f807cccf28a85776d3e56760d978b

Download Submit
memory/2416-13-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2416-14-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2416-12-0x0000000001360000-0x0000000001376000-memory.dmp

Filesize
88KB

Download
memory/2416-32-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2416-33-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2536-0-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download
memory/2536-1-0x00000000001A0000-0x00000000001B6000-memory.dmp

Filesize
88KB

Download