189c456c653e587b81b4f3950b102a94c4570c2a7057c50b138b511162a2c46a

Analysis

max time kernel
49s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8aa071d8cc2dd74176f041bba8762b3d.exe
Size

509KB
MD5

8aa071d8cc2dd74176f041bba8762b3d
SHA1

600a6b37b8ef0216dbb2a1b0089b47e8e0121f77
SHA256

ac0f2c31139dba2b54497d4c90022629da055b9e9ae49d2eb780bedcf70fe41f
SHA512

a843de8b779c04f884f4faefd7933a9350855c4c15b8865334df08a2d86e51c5785d28c284ab625464de0c69191c1212a2714cb80e888a0c065f3758d5cacded
SSDEEP

1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	audiohd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	8aa071d8cc2dd74176f041bba8762b3d.exe

Executes dropped EXE 1 IoCs

pid	Process
812	audiohd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8aa071d8cc2dd74176f041bba8762b3d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4868	8aa071d8cc2dd74176f041bba8762b3d.exe
812	audiohd.exe
4720	powershell.exe
4720	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4868	8aa071d8cc2dd74176f041bba8762b3d.exe
Token: SeDebugPrivilege	812	audiohd.exe
Token: SeDebugPrivilege	4720	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 812	4868	8aa071d8cc2dd74176f041bba8762b3d.exe	88
PID 4868 wrote to memory of 812	4868	8aa071d8cc2dd74176f041bba8762b3d.exe	88
PID 4868 wrote to memory of 812	4868	8aa071d8cc2dd74176f041bba8762b3d.exe	88
PID 812 wrote to memory of 4720	812	audiohd.exe	89
PID 812 wrote to memory of 4720	812	audiohd.exe	89
PID 812 wrote to memory of 4720	812	audiohd.exe	89
PID 4720 wrote to memory of 2892	4720	powershell.exe	91
PID 4720 wrote to memory of 2892	4720	powershell.exe	91
PID 4720 wrote to memory of 2892	4720	powershell.exe	91
PID 2892 wrote to memory of 2940	2892	csc.exe	92
PID 2892 wrote to memory of 2940	2892	csc.exe	92
PID 2892 wrote to memory of 2940	2892	csc.exe	92

C:\Users\Admin\AppData\Local\Temp\8aa071d8cc2dd74176f041bba8762b3d.exe
"C:\Users\Admin\AppData\Local\Temp\8aa071d8cc2dd74176f041bba8762b3d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ggaenn0v\ggaenn0v.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7937.tmp" "c:\Users\Admin\AppData\Local\Temp\ggaenn0v\CSC1E9A370B2BF74A83AC2B64B831584FFA.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
517KB

MD5
9314aba6f3a5973413a9ee75c7f1767a

SHA1
c99ba4d317c0083bf8ed599dd5e4634c9d6c7cdf

SHA256
28114648989e046737476ec564f102be3c9d28a466fc18e378781a02e5d00c47

SHA512
5b62d5c423ffa42c0dbbf973a836014772cf9be68787cc9137601c093a19821f262ce2ab4b6fc8c762c966bc805432b74c200df53fec4f0782994c59c25557cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7937.tmp

Filesize
1KB

MD5
936e1a61bf29d474c2322d69106c6d45

SHA1
1f0ac4aed4202e2e1cdda0921a0016a66b7222f0

SHA256
c91aa06c2d10d0b1202559d218b23b18835d7d3be6b11b5c2d24274a13483c79

SHA512
e535fa5b83a0442427339f8784b9a133a897c786429e53c6dac0ba21a4b4e01234184cd2148e669882c61496ddd542bef9c08781369b525085f5b3afd3d3895f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zmrk12ya.tuj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggaenn0v\ggaenn0v.dll

Filesize
6KB

MD5
3820fd2886b5b34ecd40a29e1c22c740

SHA1
ddef41cb17878bf59ff729ea858f1f7d22257e74

SHA256
5c85cd0c17ec2c979ec6d35d40b52a3e3c9874bf15078923186c765784b942d4

SHA512
0f35a636435459862d2d79e21f73a8bff4689e06449a4bd640bdec8ce23ebe30ca62dfacf86310f41a2aa6bc19578f21c078c6ba5e705c1df4cc39c0c3779133

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ggaenn0v\CSC1E9A370B2BF74A83AC2B64B831584FFA.TMP

Filesize
652B

MD5
56bc75388fd1cdf9ac69145164de71fc

SHA1
e875bdd20dd05a8b1c511cc97b112e1e220746ce

SHA256
6133b54d19dabcab359aac46a2744cf1f87d48ff5483a9ddbaf523f24df3e7ca

SHA512
62ec825299da25ed1e990f86d80d61b262649d827213009a053233875e1a7bcdd4d194fbe921c385725c59de28569df3b04ae4c1f4ad34bb7ab5d45ab91992ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ggaenn0v\ggaenn0v.cmdline

Filesize
360B

MD5
4dc89e26e0cc981117e8897707103e2c

SHA1
783603730eeba7d6faba3e903f896c51171388d8

SHA256
f481939b9ee82fa1efe1b91daf43dde411d464ca73d80677c5bf7bd395059e54

SHA512
49db99f053b7276ad2fbd8af2f3802750986416a9df655c0bc02472c78e4472a94dc149566ca752e93445d5b338cb372fb95baa8c2431ea7a5f5f8a64ef2a498

Download Submit
memory/812-17-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/812-56-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/812-55-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/812-54-0x00000000058B0000-0x00000000058BA000-memory.dmp

Filesize
40KB

Download
memory/812-53-0x0000000006270000-0x0000000006302000-memory.dmp

Filesize
584KB

Download
memory/812-16-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/4720-39-0x0000000006660000-0x000000000667A000-memory.dmp

Filesize
104KB

Download
memory/4720-24-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/4720-35-0x0000000005AD0000-0x0000000005E24000-memory.dmp

Filesize
3.3MB

Download
memory/4720-36-0x0000000006130000-0x000000000614E000-memory.dmp

Filesize
120KB

Download
memory/4720-37-0x0000000006180000-0x00000000061CC000-memory.dmp

Filesize
304KB

Download
memory/4720-38-0x0000000007770000-0x0000000007DEA000-memory.dmp

Filesize
6.5MB

Download
memory/4720-19-0x0000000002820000-0x0000000002856000-memory.dmp

Filesize
216KB

Download
memory/4720-23-0x0000000005190000-0x00000000051B2000-memory.dmp

Filesize
136KB

Download
memory/4720-57-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/4720-20-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/4720-51-0x00000000066E0000-0x00000000066E8000-memory.dmp

Filesize
32KB

Download
memory/4720-21-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/4720-22-0x0000000005240000-0x0000000005868000-memory.dmp

Filesize
6.2MB

Download
memory/4720-25-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/4868-1-0x0000000000070000-0x0000000000086000-memory.dmp

Filesize
88KB

Download
memory/4868-2-0x0000000004EF0000-0x0000000005494000-memory.dmp

Filesize
5.6MB

Download
memory/4868-3-0x0000000004A90000-0x0000000004B2C000-memory.dmp

Filesize
624KB

Download
memory/4868-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download