545403ae8941712ac4f021d5867ac8df35a554d5754192c54da66f7b2a2d4e5f

Analysis

max time kernel
136s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe
Size

517KB
MD5

f3882841d807ebcc147ff9c45263ee4d
SHA1

b97d48e074558a172948c835044eff8142af4882
SHA256

67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e
SHA512

fb3d4cccd0a6210886422250ce60da509659a49c27b1a9bb279725563f39365acff1f7fb868a2537e8db896fd849e4872488c367eda94af9bcf0aa654ca29697
SSDEEP

1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	audiohd.exe

Executes dropped EXE 1 IoCs

pid	Process
3972	audiohd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5416	67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe
3972	audiohd.exe
4728	powershell.exe
4728	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5416	67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe
Token: SeDebugPrivilege	3972	audiohd.exe
Token: SeDebugPrivilege	4728	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5416 wrote to memory of 3972	5416	67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe	87
PID 5416 wrote to memory of 3972	5416	67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe	87
PID 5416 wrote to memory of 3972	5416	67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe	87
PID 3972 wrote to memory of 4728	3972	audiohd.exe	88
PID 3972 wrote to memory of 4728	3972	audiohd.exe	88
PID 3972 wrote to memory of 4728	3972	audiohd.exe	88
PID 4728 wrote to memory of 5824	4728	powershell.exe	92
PID 4728 wrote to memory of 5824	4728	powershell.exe	92
PID 4728 wrote to memory of 5824	4728	powershell.exe	92
PID 5824 wrote to memory of 5884	5824	csc.exe	93
PID 5824 wrote to memory of 5884	5824	csc.exe	93
PID 5824 wrote to memory of 5884	5824	csc.exe	93

C:\Users\Admin\AppData\Local\Temp\67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe
"C:\Users\Admin\AppData\Local\Temp\67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5416
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fjhtjjly\fjhtjjly.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5824
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7791.tmp" "c:\Users\Admin\AppData\Local\Temp\fjhtjjly\CSC2C969BB8F02E45CDBB33FFA44937B1.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
524KB

MD5
ac3bcdf5ab4335484a43f38f975c3490

SHA1
6256522ff0cb3b99bd31e3d14f116eb362c1dbe3

SHA256
625fd1e300c466d6841cc75b6ac6fd22a3a902e8477df79dbb6613e86eab3bf3

SHA512
93cb11477922e547d95ec4ab11ede41d8242f62a2763447a8d1ac62081e90a29b113e64b3136198f207d582f8b7543c67c61250c7e0af190ca90a72983124495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7791.tmp

Filesize
1KB

MD5
dfbde7f27ef5bab53696f78b2414a2b5

SHA1
1a3e32c338f924b7f9f2855eb6312663e287496e

SHA256
24ceb60a53d96ad8a6fda6589cde7c4f83fa9cdeb94e986497a2b89e8aaa5e2d

SHA512
8d3cf5ec9d59d25376bc8d1ffeddcaa0dcdcda6842eaeae838aed1f3505628f3625acc2585b7d49cee29f0f876d2a38869665e97fc0cf89645c8c9693bf8eca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xsco0zes.qov.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjhtjjly\fjhtjjly.dll

Filesize
6KB

MD5
29f2b9579e3bc3d2f27f9aec5677f6a3

SHA1
58f3264b27ec835cd4efb759d0459a00fac2bc53

SHA256
c9768c0ea7c69e8b7e5f51868be8a3a1e86c5e51e5c8ebf0ea9d0b6e77e9beef

SHA512
e43f5a44ac2fd06a7fc7abb648ccecacafa600615627c1b6812950201583e3ea561c849133bbeff49f66da450e79fd434fbcda850533655b24ed391c10bb959c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fjhtjjly\CSC2C969BB8F02E45CDBB33FFA44937B1.TMP

Filesize
652B

MD5
f4af1246f6142d661d2049c645657cd1

SHA1
70b7647ad7a6ae7dc3ade0c8c243181101ff7fae

SHA256
9fc03ccafd7961442cf8e60c17150895b0acf47241f31ef7058cba5ee57fd65f

SHA512
75835b5c8f6ce3057ff71944070aa7cdc43d98c417850f5f0bd321fc48c8961f4774599c3595d8062a49fa6bac17791a1724e55a69dea846d9c6154923219feb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fjhtjjly\fjhtjjly.cmdline

Filesize
360B

MD5
647acb9cc991ce0af71406e521528e51

SHA1
5e3e98bd0fbf48fb9ea41f4ae71eaff86d5db2c3

SHA256
b8a8e835fde970c63d06f1552a01f4bf9120cb45a02dd39f0f6d9ed251db472e

SHA512
3779c5d4214ee1de28cda187ca8225ecf9d91157dcbd614969f6fa4b040fa36ac4351821975d441a72c0131dd8b89e7e1777ca46575ceb283ad3c328e1727f12

Download Submit
memory/3972-55-0x00000000061D0000-0x00000000061DA000-memory.dmp

Filesize
40KB

Download
memory/3972-54-0x00000000061E0000-0x0000000006272000-memory.dmp

Filesize
584KB

Download
memory/3972-17-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/3972-16-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/3972-56-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/3972-57-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/4728-20-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/4728-25-0x00000000058B0000-0x0000000005916000-memory.dmp

Filesize
408KB

Download
memory/4728-36-0x0000000006140000-0x0000000006494000-memory.dmp

Filesize
3.3MB

Download
memory/4728-35-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/4728-37-0x0000000006780000-0x000000000679E000-memory.dmp

Filesize
120KB

Download
memory/4728-38-0x00000000067B0000-0x00000000067FC000-memory.dmp

Filesize
304KB

Download
memory/4728-40-0x0000000006C90000-0x0000000006CAA000-memory.dmp

Filesize
104KB

Download
memory/4728-39-0x0000000007DB0000-0x000000000842A000-memory.dmp

Filesize
6.5MB

Download
memory/4728-24-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/4728-23-0x00000000057A0000-0x00000000057C2000-memory.dmp

Filesize
136KB

Download
memory/4728-52-0x0000000006D20000-0x0000000006D28000-memory.dmp

Filesize
32KB

Download
memory/4728-22-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/4728-21-0x00000000059D0000-0x0000000005FF8000-memory.dmp

Filesize
6.2MB

Download
memory/4728-58-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/4728-19-0x0000000002E20000-0x0000000002E56000-memory.dmp

Filesize
216KB

Download
memory/5416-3-0x00000000053D0000-0x000000000546C000-memory.dmp

Filesize
624KB

Download
memory/5416-2-0x0000000005860000-0x0000000005E04000-memory.dmp

Filesize
5.6MB

Download
memory/5416-1-0x00000000009E0000-0x00000000009F6000-memory.dmp

Filesize
88KB

Download
memory/5416-0-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download