4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

14/04/2025, 07:51

250414-jp1kfssjz9 10

14/04/2025, 07:46

250414-jl9nyssjt9 10

08/04/2025, 15:58

250408-tevasswl18 10

08/04/2025, 14:19

250408-rm2nqsvqw2 10

Analysis

max time kernel
150s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
14/04/2025, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6b79788476c3806befcdd2dead8231a.exe
Size

506KB
MD5

f6b79788476c3806befcdd2dead8231a
SHA1

56eba5da31c728dc287435a555e527b1a27cae37
SHA256

9c798b5cf50fd400ce59355b91a741ab5ccfcffdaedc50815981fa280f4776a9
SHA512

f46f9b568f3d0cb6b4e799a68a3d7defd4e35cbf3df59840d05e575e8580a0cd8e95a497b5f5b272c21fe4105264272d4b58c8bec211597bbcf2de099eab49f3
SSDEEP

1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3344	audiohd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6b79788476c3806befcdd2dead8231a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
6016	f6b79788476c3806befcdd2dead8231a.exe
3344	audiohd.exe
4140	powershell.exe
4140	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	6016	f6b79788476c3806befcdd2dead8231a.exe
Token: SeDebugPrivilege	3344	audiohd.exe
Token: SeDebugPrivilege	4140	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 6016 wrote to memory of 3344	6016	f6b79788476c3806befcdd2dead8231a.exe	78
PID 6016 wrote to memory of 3344	6016	f6b79788476c3806befcdd2dead8231a.exe	78
PID 6016 wrote to memory of 3344	6016	f6b79788476c3806befcdd2dead8231a.exe	78
PID 3344 wrote to memory of 4140	3344	audiohd.exe	79
PID 3344 wrote to memory of 4140	3344	audiohd.exe	79
PID 3344 wrote to memory of 4140	3344	audiohd.exe	79
PID 4140 wrote to memory of 1444	4140	powershell.exe	81
PID 4140 wrote to memory of 1444	4140	powershell.exe	81
PID 4140 wrote to memory of 1444	4140	powershell.exe	81
PID 1444 wrote to memory of 4892	1444	csc.exe	82
PID 1444 wrote to memory of 4892	1444	csc.exe	82
PID 1444 wrote to memory of 4892	1444	csc.exe	82

C:\Users\Admin\AppData\Local\Temp\f6b79788476c3806befcdd2dead8231a.exe
"C:\Users\Admin\AppData\Local\Temp\f6b79788476c3806befcdd2dead8231a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6016
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\00gi22uy\00gi22uy.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE62A.tmp" "c:\Users\Admin\AppData\Local\Temp\00gi22uy\CSC12CDCAC3C4EB42A082AEF21A756413D.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4892

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
513KB

MD5
0e282e3e64b8c5f822567ba185d3ccba

SHA1
834ea2a77d4e6fd72b0dec20f1ce982cfc5912c6

SHA256
6bb83ea253040e3bf7c8c433dda8811d57a369215d4a1edd7870349acd6ba349

SHA512
049ded9eaf3e0309ab7e53657af8d2a5ced9c1f8b78597acd25900915547a4a7da1b141847b4aa093ccf757a4a78e0a503fb30fa2fcb0c7860bea13735c3efe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\00gi22uy\00gi22uy.dll

Filesize
6KB

MD5
6186f3547dff65c5436e36db43477488

SHA1
7c0e81bba62061770499834f73cb26efae68681d

SHA256
35662c4008068c9f021327b722763c5be8812c088bef91c7d79181d966409124

SHA512
8179ba50074e7a9c27b79eb6b5eab771d94f894131eeab7a48552c67584eac5aa3cfb5e08ad10221f6613893c8c2e4a64f83efbf49c61460d165211ea4ebf2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE62A.tmp

Filesize
1KB

MD5
04e3138c789dafccfa7463fdf173f0f8

SHA1
c8d4c0d322435c611240c87e6c0a81e93ae6d921

SHA256
c93d3b41c08428fb6e3d4e5003e07388a1e96e1e250e7b37d7fffdb1782b1b37

SHA512
17ba95a7a118ac5ac2e96a4ca4c3f34f21ece2da60db37480f3bc7dd1e5efb5bc93ca354f2b895204d0c345e8a008541e08f7c715e37e7314b8d973bb00006bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3srganjj.aj0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\00gi22uy\00gi22uy.cmdline

Filesize
360B

MD5
bb01eea830507421289d0fd46c17d384

SHA1
88f8297f2d782c204ca262df124aac74aa035e2d

SHA256
b5230eb00a9c1a5311474f3222fa496bd4e837e614914fd8d9fcabe04d2baefa

SHA512
040c1267827daa4eb55bdf8807c10e021764ff4f6ec1120b875e0867175be93a291e1a462f9f5da4734655a7ff0b3a7c133569bc0341ba020e2ba0ca22e83020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\00gi22uy\CSC12CDCAC3C4EB42A082AEF21A756413D.TMP

Filesize
652B

MD5
3e61f0dfa09610ba6f4fbe510ca08649

SHA1
00eca63198bd467734606763b60d32835c487727

SHA256
f6923c51b9fa945899640a78400bf6ba2b52038b3e7949d70b0fb059efbcec86

SHA512
d0876081230224dd2f925442d6062ab62c50f334fbc8205276762c7227d14834f2ae58b9778fb46e9c3d9aa7f97e1347ee96cc04cc19fd6ee9bf5deaed46e12f

Download Submit
memory/3344-54-0x00000000060B0000-0x00000000060BA000-memory.dmp

Filesize
40KB

Download
memory/3344-53-0x0000000006A70000-0x0000000006B02000-memory.dmp

Filesize
584KB

Download
memory/3344-17-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/3344-16-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/3344-55-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/3344-56-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/4140-20-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/4140-23-0x0000000004BD0000-0x0000000004BF2000-memory.dmp

Filesize
136KB

Download
memory/4140-24-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/4140-35-0x00000000055B0000-0x0000000005907000-memory.dmp

Filesize
3.3MB

Download
memory/4140-36-0x0000000005A70000-0x0000000005A8E000-memory.dmp

Filesize
120KB

Download
memory/4140-37-0x0000000005AB0000-0x0000000005AFC000-memory.dmp

Filesize
304KB

Download
memory/4140-39-0x0000000005F90000-0x0000000005FAA000-memory.dmp

Filesize
104KB

Download
memory/4140-38-0x00000000070C0000-0x000000000773A000-memory.dmp

Filesize
6.5MB

Download
memory/4140-26-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/4140-25-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/4140-51-0x0000000006020000-0x0000000006028000-memory.dmp

Filesize
32KB

Download
memory/4140-22-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/4140-21-0x0000000004DF0000-0x000000000541A000-memory.dmp

Filesize
6.2MB

Download
memory/4140-57-0x0000000074BE0000-0x0000000075391000-memory.dmp

Filesize
7.7MB

Download
memory/4140-19-0x00000000022B0000-0x00000000022E6000-memory.dmp

Filesize
216KB

Download
memory/6016-3-0x0000000004AB0000-0x0000000004B4C000-memory.dmp

Filesize
624KB

Download
memory/6016-2-0x0000000004FB0000-0x0000000005556000-memory.dmp

Filesize
5.6MB

Download
memory/6016-1-0x0000000000010000-0x0000000000026000-memory.dmp

Filesize
88KB

Download
memory/6016-0-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

Filesize
4KB

Download