4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

08/04/2025, 14:11

250408-rhjmcsvp15 10

22/03/2025, 06:18

250322-g2ywaay1fy 10

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6b79788476c3806befcdd2dead8231a.exe
Size

506KB
MD5

f6b79788476c3806befcdd2dead8231a
SHA1

56eba5da31c728dc287435a555e527b1a27cae37
SHA256

9c798b5cf50fd400ce59355b91a741ab5ccfcffdaedc50815981fa280f4776a9
SHA512

f46f9b568f3d0cb6b4e799a68a3d7defd4e35cbf3df59840d05e575e8580a0cd8e95a497b5f5b272c21fe4105264272d4b58c8bec211597bbcf2de099eab49f3
SSDEEP

1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	f6b79788476c3806befcdd2dead8231a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	audiohd.exe

Executes dropped EXE 1 IoCs

pid	Process
2532	audiohd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6b79788476c3806befcdd2dead8231a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3452	f6b79788476c3806befcdd2dead8231a.exe
2532	audiohd.exe
2252	powershell.exe
2252	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3452	f6b79788476c3806befcdd2dead8231a.exe
Token: SeDebugPrivilege	2532	audiohd.exe
Token: SeDebugPrivilege	2252	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 2532	3452	f6b79788476c3806befcdd2dead8231a.exe	88
PID 3452 wrote to memory of 2532	3452	f6b79788476c3806befcdd2dead8231a.exe	88
PID 3452 wrote to memory of 2532	3452	f6b79788476c3806befcdd2dead8231a.exe	88
PID 2532 wrote to memory of 2252	2532	audiohd.exe	91
PID 2532 wrote to memory of 2252	2532	audiohd.exe	91
PID 2532 wrote to memory of 2252	2532	audiohd.exe	91
PID 2252 wrote to memory of 4040	2252	powershell.exe	95
PID 2252 wrote to memory of 4040	2252	powershell.exe	95
PID 2252 wrote to memory of 4040	2252	powershell.exe	95
PID 4040 wrote to memory of 2216	4040	csc.exe	96
PID 4040 wrote to memory of 2216	4040	csc.exe	96
PID 4040 wrote to memory of 2216	4040	csc.exe	96

C:\Users\Admin\AppData\Local\Temp\f6b79788476c3806befcdd2dead8231a.exe
"C:\Users\Admin\AppData\Local\Temp\f6b79788476c3806befcdd2dead8231a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\za1i3rtk\za1i3rtk.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4040
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CA4.tmp" "c:\Users\Admin\AppData\Local\Temp\za1i3rtk\CSCFFA320F609249ADA0E141899BAA4214.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2216

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
510KB

MD5
d573501800ba972d61b7ac59d02bd8b4

SHA1
cd0655768db3ad597d28d044d3ac8574bc22df7e

SHA256
b7c6c389477d4a83706da8c92deafffaa367d8673c6cbc00e355cd67e847a88f

SHA512
4fe13d86a3138ead80bd1176a378d3207c83ef7d177ba622a4ec797ae39fa71a24bc3fbd762a1d88721d248704429f8bf3f77a914b6c31da5c2679176057bd2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6CA4.tmp

Filesize
1KB

MD5
446393da8f2d90384685716a64914ee4

SHA1
40e62503d5f72c40d376486a7291bdb8c9c1fd2a

SHA256
00dff692ff129250ffdb44e92ef8270bd5620538ea4ab35c8ccdd008b7370afc

SHA512
e448e625cb720de3bdb946627f9eb2b7bc0a1af44aac9c402c2cf0331814961b74ea44020539f57b2369ea0f59e4f9bbb84af11f14530ca73fcc85503d270392

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ajzianmp.z2a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\za1i3rtk\za1i3rtk.dll

Filesize
6KB

MD5
d7cd000b13a0ace5ab48029118206bcc

SHA1
f2e07281930f5db39045cdd9c59c0029817420f1

SHA256
e348406bff6003ac5a56a40315dc377d147be9ad9695c6414076cf1349f46ed3

SHA512
068b66bdc075fc24473afe20dc865478cc122e6449c8994766371cceb4d6a7d98f2541e7c971269fd7a091f991884022c31f30b122db4aa7d53b28ec750c643f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\za1i3rtk\CSCFFA320F609249ADA0E141899BAA4214.TMP

Filesize
652B

MD5
adb86ac302b4fa50e656b0bd07c01220

SHA1
e5b3dbd0d4bfdd146e9535234e8f7556058e13a9

SHA256
c05a4df55c5f8808a4825a0877548150448b861d937b127d009cf6f63e6114db

SHA512
f724b0b7d446c03e16a4335847fe3268adbf86f2041f0f733c074ef3b9c9b1cdfd10ee1d6195d9dc38dae6a7e203ceddf1fd99fe567fe7f6ebcb4c3d0a92f1e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\za1i3rtk\za1i3rtk.cmdline

Filesize
360B

MD5
5848a907ba43b063e2acdd59ecb6bf62

SHA1
66638c8d017f9975d9765c0d8cb44c6340693bd4

SHA256
fb425b5f682fe6855dfed95ef1f6921e606f70d2fd03710100a4648bc89c20c5

SHA512
4c3e463915e67797408f138712be5741ebcebfbe530f7bee52b46eab5aac4b43849234adacfc9ccfb10e8435f1fb1b553b70d0d53cae0bc0c067d64668873313

Download Submit
memory/2252-36-0x0000000005430000-0x0000000005784000-memory.dmp

Filesize
3.3MB

Download
memory/2252-40-0x0000000005F30000-0x0000000005F4A000-memory.dmp

Filesize
104KB

Download
memory/2252-21-0x0000000004D00000-0x0000000005328000-memory.dmp

Filesize
6.2MB

Download
memory/2252-22-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/2252-23-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/2252-24-0x0000000004920000-0x0000000004942000-memory.dmp

Filesize
136KB

Download
memory/2252-25-0x00000000049C0000-0x0000000004A26000-memory.dmp

Filesize
408KB

Download
memory/2252-26-0x0000000004BA0000-0x0000000004C06000-memory.dmp

Filesize
408KB

Download
memory/2252-19-0x00000000020B0000-0x00000000020E6000-memory.dmp

Filesize
216KB

Download
memory/2252-58-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/2252-37-0x0000000005A20000-0x0000000005A3E000-memory.dmp

Filesize
120KB

Download
memory/2252-38-0x0000000005A60000-0x0000000005AAC000-memory.dmp

Filesize
304KB

Download
memory/2252-39-0x0000000007080000-0x00000000076FA000-memory.dmp

Filesize
6.5MB

Download
memory/2252-20-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/2252-52-0x0000000005FB0000-0x0000000005FB8000-memory.dmp

Filesize
32KB

Download
memory/2532-16-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/2532-17-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/2532-54-0x0000000006250000-0x00000000062E2000-memory.dmp

Filesize
584KB

Download
memory/2532-55-0x0000000005780000-0x000000000578A000-memory.dmp

Filesize
40KB

Download
memory/2532-56-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/2532-57-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/3452-3-0x0000000005920000-0x00000000059BC000-memory.dmp

Filesize
624KB

Download
memory/3452-2-0x0000000005DF0000-0x0000000006394000-memory.dmp

Filesize
5.6MB

Download
memory/3452-1-0x0000000000F40000-0x0000000000F56000-memory.dmp

Filesize
88KB

Download
memory/3452-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

Filesize
4KB

Download