63b2109d651e58bdceb6dcd68821e723f4a5ce45875405cf395ff04937ea26b8

Analysis

max time kernel
59s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f6a6c80412876ea03ad4f91bde1f4f9.exe
Size

441KB
MD5

9f6a6c80412876ea03ad4f91bde1f4f9
SHA1

fc790ac37fe77fee5fb4f38faea0484735bca3ac
SHA256

efb79eb15122d2db2c044077ec6b477ddcb468cf643a4373be39d745a010f3d7
SHA512

75af93120e1c0e4ff8eb53697457c59dd9c3344c160010674a9794831b36ad327268bd4d2487d5e64d3e8350f72657513e2318d7f204149ddcf450c04441382e
SSDEEP

1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2988	audiohd.exe

Loads dropped DLL 2 IoCs

pid	Process
2396	9f6a6c80412876ea03ad4f91bde1f4f9.exe
2396	9f6a6c80412876ea03ad4f91bde1f4f9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f6a6c80412876ea03ad4f91bde1f4f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2396	9f6a6c80412876ea03ad4f91bde1f4f9.exe
2988	audiohd.exe
2900	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	9f6a6c80412876ea03ad4f91bde1f4f9.exe
Token: SeDebugPrivilege	2988	audiohd.exe
Token: SeDebugPrivilege	2900	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2988	2396	9f6a6c80412876ea03ad4f91bde1f4f9.exe	31
PID 2396 wrote to memory of 2988	2396	9f6a6c80412876ea03ad4f91bde1f4f9.exe	31
PID 2396 wrote to memory of 2988	2396	9f6a6c80412876ea03ad4f91bde1f4f9.exe	31
PID 2396 wrote to memory of 2988	2396	9f6a6c80412876ea03ad4f91bde1f4f9.exe	31
PID 2988 wrote to memory of 2900	2988	audiohd.exe	32
PID 2988 wrote to memory of 2900	2988	audiohd.exe	32
PID 2988 wrote to memory of 2900	2988	audiohd.exe	32
PID 2988 wrote to memory of 2900	2988	audiohd.exe	32
PID 2900 wrote to memory of 2196	2900	powershell.exe	34
PID 2900 wrote to memory of 2196	2900	powershell.exe	34
PID 2900 wrote to memory of 2196	2900	powershell.exe	34
PID 2900 wrote to memory of 2196	2900	powershell.exe	34
PID 2196 wrote to memory of 2880	2196	csc.exe	35
PID 2196 wrote to memory of 2880	2196	csc.exe	35
PID 2196 wrote to memory of 2880	2196	csc.exe	35
PID 2196 wrote to memory of 2880	2196	csc.exe	35

C:\Users\Admin\AppData\Local\Temp\9f6a6c80412876ea03ad4f91bde1f4f9.exe
"C:\Users\Admin\AppData\Local\Temp\9f6a6c80412876ea03ad4f91bde1f4f9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4fcufvec.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE82E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE82D.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fcufvec.dll

Filesize
6KB

MD5
bc4c190a88e63ece5c4d870341b23be1

SHA1
81cd8528a2a867f6b6196653ccdaea9de43fffdf

SHA256
54003939f244514d72ed7d665e98a271c872b10f433dafcf87c970b4702e8973

SHA512
81b44795f8c8ffdbca05c0b7bb748056c78e7ca22d645185e581f58bdfd11aa5fe6c3255957d22dead464a737f67be265173df0958c284363447adacc06dd658

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fcufvec.pdb

Filesize
13KB

MD5
971177cd5a8088f0ad3542357f9f62d2

SHA1
540f83863192349ec690685d3fdd19c4bd62303c

SHA256
15b0e48f3c47c70458bdd7457faf71c61d17c649ca1641038fa5bbefa0db30e4

SHA512
0e9b44d8d89dfbef86f92da156a50e77394f1b072445d6a3cce4726ff06700e51a7519c657e6b0dd5a712f2b8589adcf895ab5ce4064322b45b87efb50ccf7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE82E.tmp

Filesize
1KB

MD5
42e4eb1df72b136b463004da1c3ab5cc

SHA1
d80867196f6ffa78f3ab92d0913b8236e54f81c8

SHA256
00d12c2e4df68199e4e19c18690c60e888798817e986ffbe4b4cc184b46e855f

SHA512
1089047e5b820e53ada36e41e11786f58ca6fce00e94b42cd7530e75f83fa048cde631e58f334c4486bc6d7282f192ac8cfdf78006266209fb8ddafd780fedf8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4fcufvec.cmdline

Filesize
309B

MD5
c150d33c6d166b13c0cc53683ab43224

SHA1
d8922fccf496737af5da46c242dc22c5f8cd6fd2

SHA256
bf368d1a3ae41bac1f61e566837a011b6c39a6aa6537851da5c53e0b2d2545b5

SHA512
e7a1a6bed3b4ce08e6df090cc65554e528116db0d5cda4730e9faf43d8a348898e45b30a142cbd81a92bdf7663fe31bfee301cea730625b7d4039b8cf21a56e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE82D.tmp

Filesize
652B

MD5
e63cb78d6f4904b7de4c73eb57e51a01

SHA1
f98717f72ad2bc84ea243063edf5bad28c1d3324

SHA256
a999e3dbda403114ebf8e6e8ed700e84beaae0abef049cf3848cc0d3240a9a2d

SHA512
06625ab4f93b5eebaacd0a4204665301a91febf3d71ff7367b4bb0206d8734ac9174005a4f39b4b9913999d5b1eb235bbc92e14296510fa1a4aefbb718e22751

Download Submit
\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
443KB

MD5
374b55e194edafdb4b53bc72ed824009

SHA1
72bb4939abeb102bfeb1c2d369d9b1d3e3ef3444

SHA256
611e67ed11508bbd1561f7b9af8790dea378e018feb13a69590d3e0ee7e5b772

SHA512
51066aa11087b505766e4f725fda41baefd85a509e4a7695128ba67c903e591419d3f7a7391cec4764d7452d85453e34c07b13a8faa05580762014f6edb4cc27

Download Submit
memory/2396-1-0x0000000000140000-0x0000000000156000-memory.dmp

Filesize
88KB

Download
memory/2396-0-0x000000007412E000-0x000000007412F000-memory.dmp

Filesize
4KB

Download
memory/2988-12-0x0000000000EF0000-0x0000000000F06000-memory.dmp

Filesize
88KB

Download
memory/2988-13-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2988-14-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2988-32-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2988-33-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download