545403ae8941712ac4f021d5867ac8df35a554d5754192c54da66f7b2a2d4e5f

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69319ee8609b1c1eebe97dc2bdf84c9e.exe
Size

447KB
MD5

69319ee8609b1c1eebe97dc2bdf84c9e
SHA1

987502b1e9b0b2af58b783be6a098b390cbb5f0e
SHA256

b961c3fdb1102f0dd80ff834e302b199be728cbf7998aa0b263982e8770b71cc
SHA512

a2a1b2df6d992ec7b32643856dfd50088b8b88052992dda54f2e96446854dcb18854eac591e0c93991a4c1a99ec278bd05245128760e542c8dc078c97f7fb476
SSDEEP

1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	69319ee8609b1c1eebe97dc2bdf84c9e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	audiohd.exe

Executes dropped EXE 1 IoCs

pid	Process
4164	audiohd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69319ee8609b1c1eebe97dc2bdf84c9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3716	69319ee8609b1c1eebe97dc2bdf84c9e.exe
4164	audiohd.exe
5880	powershell.exe
5880	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3716	69319ee8609b1c1eebe97dc2bdf84c9e.exe
Token: SeDebugPrivilege	4164	audiohd.exe
Token: SeDebugPrivilege	5880	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 4164	3716	69319ee8609b1c1eebe97dc2bdf84c9e.exe	87
PID 3716 wrote to memory of 4164	3716	69319ee8609b1c1eebe97dc2bdf84c9e.exe	87
PID 3716 wrote to memory of 4164	3716	69319ee8609b1c1eebe97dc2bdf84c9e.exe	87
PID 4164 wrote to memory of 5880	4164	audiohd.exe	88
PID 4164 wrote to memory of 5880	4164	audiohd.exe	88
PID 4164 wrote to memory of 5880	4164	audiohd.exe	88
PID 5880 wrote to memory of 1708	5880	powershell.exe	94
PID 5880 wrote to memory of 1708	5880	powershell.exe	94
PID 5880 wrote to memory of 1708	5880	powershell.exe	94
PID 1708 wrote to memory of 5072	1708	csc.exe	95
PID 1708 wrote to memory of 5072	1708	csc.exe	95
PID 1708 wrote to memory of 5072	1708	csc.exe	95

C:\Users\Admin\AppData\Local\Temp\69319ee8609b1c1eebe97dc2bdf84c9e.exe
"C:\Users\Admin\AppData\Local\Temp\69319ee8609b1c1eebe97dc2bdf84c9e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5880
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\walg4zeu\walg4zeu.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES900B.tmp" "c:\Users\Admin\AppData\Local\Temp\walg4zeu\CSCDA92B4B7F9884E078EFAC8B34ABDDF21.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
453KB

MD5
f1d27b0197ab8d52fa53d632bc02cd61

SHA1
b4514a1af08c031c8b6cbafc9f9b3892654e26cb

SHA256
a3873d93a09bb22147559d91c5df2dab823bde5fb3ba0d233cadecc3643b421c

SHA512
9282fff704f738bdb42dd61b67e446bc0c9dd687bcbc1ed4b03ba9252954eb96cebcd99151fe4bec1681da21b72cd71ff3b6f16d124e6bdd4c5a6613b47aa295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES900B.tmp

Filesize
1KB

MD5
82a7aa04b30214da9c1c2c33e607e97c

SHA1
067035d3c14f44d0d876dba9745c63b909e155b8

SHA256
2935e4b991a93b0f3f533e8d4ee79e877e187aa697ae5cdeba4a363d17c6387e

SHA512
3795204a115c41c23042e9dfaca6f360785c9abdb21532689f4bb097e34e2f1d851986f931a0b001544b81865db90b2e164d7c144b1a9ad2d78304161594fb5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_siacqifw.gn0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\walg4zeu\walg4zeu.dll

Filesize
6KB

MD5
b7219a33f2b6b562a4f359631a951787

SHA1
7fd16f888a7fd96deafc5538ffde058ae885b1cd

SHA256
78151ed44ab35f09f647943aea0917cfee01acb2a9f27a5ceb85288f90231ae8

SHA512
2dbd0149a970fdc2084bff91631af587712521db5e8b0a6f5e6375adfb7196332c288b9144daade871e7255903b1dc2dd05dec3759fdac9a1c2d2240480a77fb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\walg4zeu\CSCDA92B4B7F9884E078EFAC8B34ABDDF21.TMP

Filesize
652B

MD5
cd4589aa21894370cacbdc6cc2e628a0

SHA1
5fc399490eeede097995dac63df8c913ba8ead28

SHA256
adcb5eed5cdc1403e9df79d78481107b04d6ea568c06e8411f9876adfc4bedcf

SHA512
2dfb3ddf6c549542a8e78f3fa186d849e5d1ffc59e7d4b28832736fee6b4bd86fbe7f9a233a0ce6999f453edefd79503f15e5727b3efd3fda5d67f65641c8dfa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\walg4zeu\walg4zeu.cmdline

Filesize
360B

MD5
f20af04249d60f4e759b728d7020f919

SHA1
7beaf8e8728eaeeb51cb11db8525cfb501483dc2

SHA256
1d44475660dda2296ab9874976a4ed0294a87b39ebad63256cd6635a1334be5c

SHA512
8992940c6c58b44f22da3da117c1791ab9c86fc6529c1eb7097b6e615450bc4c7f400c590c13b303b10bd3e77ecb6412686a623c865081a87193215fc6ec85be

Download Submit
memory/3716-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/3716-3-0x0000000005610000-0x00000000056AC000-memory.dmp

Filesize
624KB

Download
memory/3716-2-0x0000000005AB0000-0x0000000006054000-memory.dmp

Filesize
5.6MB

Download
memory/3716-1-0x0000000000BC0000-0x0000000000BD6000-memory.dmp

Filesize
88KB

Download
memory/4164-17-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/4164-57-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/4164-56-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/4164-55-0x0000000006230000-0x000000000623A000-memory.dmp

Filesize
40KB

Download
memory/4164-54-0x0000000006190000-0x0000000006222000-memory.dmp

Filesize
584KB

Download
memory/4164-16-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/5880-20-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/5880-38-0x00000000066B0000-0x00000000066FC000-memory.dmp

Filesize
304KB

Download
memory/5880-39-0x0000000007CD0000-0x000000000834A000-memory.dmp

Filesize
6.5MB

Download
memory/5880-40-0x0000000006BB0000-0x0000000006BCA000-memory.dmp

Filesize
104KB

Download
memory/5880-37-0x0000000006680000-0x000000000669E000-memory.dmp

Filesize
120KB

Download
memory/5880-36-0x00000000061E0000-0x0000000006534000-memory.dmp

Filesize
3.3MB

Download
memory/5880-52-0x0000000006C30000-0x0000000006C38000-memory.dmp

Filesize
32KB

Download
memory/5880-26-0x0000000006070000-0x00000000060D6000-memory.dmp

Filesize
408KB

Download
memory/5880-24-0x0000000005DF0000-0x0000000005E12000-memory.dmp

Filesize
136KB

Download
memory/5880-25-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/5880-23-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/5880-22-0x0000000005790000-0x0000000005DB8000-memory.dmp

Filesize
6.2MB

Download
memory/5880-21-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/5880-19-0x0000000002D60000-0x0000000002D96000-memory.dmp

Filesize
216KB

Download
memory/5880-58-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download