545403ae8941712ac4f021d5867ac8df35a554d5754192c54da66f7b2a2d4e5f

Analysis

max time kernel
139s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe
Size

517KB
MD5

f3882841d807ebcc147ff9c45263ee4d
SHA1

b97d48e074558a172948c835044eff8142af4882
SHA256

67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e
SHA512

fb3d4cccd0a6210886422250ce60da509659a49c27b1a9bb279725563f39365acff1f7fb868a2537e8db896fd849e4872488c367eda94af9bcf0aa654ca29697
SSDEEP

1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2564	audiohd.exe

Loads dropped DLL 2 IoCs

pid	Process
2768	67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe
2768	67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2768	67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe
2564	audiohd.exe
2448	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe
Token: SeDebugPrivilege	2564	audiohd.exe
Token: SeDebugPrivilege	2448	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2564	2768	67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe	30
PID 2768 wrote to memory of 2564	2768	67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe	30
PID 2768 wrote to memory of 2564	2768	67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe	30
PID 2768 wrote to memory of 2564	2768	67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe	30
PID 2564 wrote to memory of 2448	2564	audiohd.exe	31
PID 2564 wrote to memory of 2448	2564	audiohd.exe	31
PID 2564 wrote to memory of 2448	2564	audiohd.exe	31
PID 2564 wrote to memory of 2448	2564	audiohd.exe	31
PID 2448 wrote to memory of 3044	2448	powershell.exe	33
PID 2448 wrote to memory of 3044	2448	powershell.exe	33
PID 2448 wrote to memory of 3044	2448	powershell.exe	33
PID 2448 wrote to memory of 3044	2448	powershell.exe	33
PID 3044 wrote to memory of 376	3044	csc.exe	34
PID 3044 wrote to memory of 376	3044	csc.exe	34
PID 3044 wrote to memory of 376	3044	csc.exe	34
PID 3044 wrote to memory of 376	3044	csc.exe	34

C:\Users\Admin\AppData\Local\Temp\67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe
"C:\Users\Admin\AppData\Local\Temp\67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sckfexpc.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D45.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6D44.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6D45.tmp

Filesize
1KB

MD5
d6956527d3d686c82f48f10e64f663ac

SHA1
6e904f0f599dba95b705f5461671e85310f3749f

SHA256
4695aca86ec16d85841a7d3fe5fb1ff543680848286ffb8c7f33b442d70019a5

SHA512
ea8ffe12ff545833aa72f8e5aa55f73abdbf551bd6c5250556d64e45f480dbf6b4c7c8a9ddeb82d62b5e5c08dd60a3cd68b73dad437ef27462fba198a68154aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sckfexpc.dll

Filesize
6KB

MD5
fd2e67fb34365828e7cec72d3c3bcd00

SHA1
fb86cb1c67b7e44937d41c0df9628bea281fe0b9

SHA256
18e61e463f216d305e4a0853ba152d16e387f43dd3755052bac9727579bf6f80

SHA512
81566970a1d6626cf77ca6ec8bb00f529242e095ac13825fa732a861fe50bc063c2de3733408359e9d7eab443de470982eb2ed1176293e384918a4c23774c105

Download Submit
C:\Users\Admin\AppData\Local\Temp\sckfexpc.pdb

Filesize
13KB

MD5
04fce2b68a7e573aafc1b40bdd36b0cf

SHA1
4a1ae1b4e5ca7fd385918716b0f9ad0bce3bdb7d

SHA256
58589cfea47ad5f85297e33a420d8c28ee52f19455bb859d1cc005ba7f7bbbd6

SHA512
9fb8c26b6224fe1c38f4e2e5fad57b514bccc151fbdea371b969d35c3ddf5907bb775fecdb7dfe24f5ccc467989fc783107bd97f28f54f29610da83e6a6f7fac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6D44.tmp

Filesize
652B

MD5
a4e2a2735ae9d8ff843c48795a1bda62

SHA1
54cbfe5482ba7f4e09500db6717ba90344da56b2

SHA256
6858421a2fe6424d704ea799cf50311e323ec16d6f71c10ee8d42a9798155c36

SHA512
bc255a643b077f909fd0b48e2400f4d04219dc2a15c3eee1d8dd94af80e75f6eb1e3aa9dc656d76b69f29b1ed7121c5c7251cfab7a8dd4ba155050bc693c5eca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sckfexpc.cmdline

Filesize
309B

MD5
fdd6544411b06f65c368299de2759f44

SHA1
8322745a68138310a318f954a03d6ccca3653d0f

SHA256
e98555bd1a21eec7d62d46470614b2cedaae4e0eb6d2e4ddade5284e27c112c9

SHA512
e3a9366e4ba987df9b1e63ad6bc8aa007f0a6ae8e439b396ad521669e2ab2fa7e516c742b18c0b0003940988fc38664a066bf7084a5bd5962e54520007c77f6b

Download Submit
\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
521KB

MD5
511123af022350ae744eb9387c87983d

SHA1
2de26b95ceed9fafa3ee8592947dc07cad643030

SHA256
e5b5ee5a16c483d69c5f7796bcef597d5c85d577ffd2d352d786c9364b984df2

SHA512
4ed5abfe8e10519d0b6ea8a1e9a9faadfae8c95a812500447490ce8fc636ad5b4815890041231a8a8096c48984b1c3f488c3aa3ba059aa10d6d1e871b6e53e26

Download Submit
memory/2564-12-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/2564-13-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-14-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-32-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-33-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-1-0x0000000001010000-0x0000000001026000-memory.dmp

Filesize
88KB

Download
memory/2768-0-0x000000007471E000-0x000000007471F000-memory.dmp

Filesize
4KB

Download