4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

14/04/2025, 07:51

250414-jp1kfssjz9 10

14/04/2025, 07:46

250414-jl9nyssjt9 10

08/04/2025, 15:58

250408-tevasswl18 10

08/04/2025, 14:19

250408-rm2nqsvqw2 10

Analysis

max time kernel
150s
max time network
150s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
14/04/2025, 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6b79788476c3806befcdd2dead8231a.exe
Size

506KB
MD5

f6b79788476c3806befcdd2dead8231a
SHA1

56eba5da31c728dc287435a555e527b1a27cae37
SHA256

9c798b5cf50fd400ce59355b91a741ab5ccfcffdaedc50815981fa280f4776a9
SHA512

f46f9b568f3d0cb6b4e799a68a3d7defd4e35cbf3df59840d05e575e8580a0cd8e95a497b5f5b272c21fe4105264272d4b58c8bec211597bbcf2de099eab49f3
SSDEEP

1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	audiohd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	f6b79788476c3806befcdd2dead8231a.exe

Executes dropped EXE 1 IoCs

pid	Process
2004	audiohd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6b79788476c3806befcdd2dead8231a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3812	f6b79788476c3806befcdd2dead8231a.exe
2004	audiohd.exe
3688	powershell.exe
3688	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3812	f6b79788476c3806befcdd2dead8231a.exe
Token: SeDebugPrivilege	2004	audiohd.exe
Token: SeDebugPrivilege	3688	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 2004	3812	f6b79788476c3806befcdd2dead8231a.exe	82
PID 3812 wrote to memory of 2004	3812	f6b79788476c3806befcdd2dead8231a.exe	82
PID 3812 wrote to memory of 2004	3812	f6b79788476c3806befcdd2dead8231a.exe	82
PID 2004 wrote to memory of 3688	2004	audiohd.exe	85
PID 2004 wrote to memory of 3688	2004	audiohd.exe	85
PID 2004 wrote to memory of 3688	2004	audiohd.exe	85
PID 3688 wrote to memory of 3956	3688	powershell.exe	89
PID 3688 wrote to memory of 3956	3688	powershell.exe	89
PID 3688 wrote to memory of 3956	3688	powershell.exe	89
PID 3956 wrote to memory of 5008	3956	csc.exe	90
PID 3956 wrote to memory of 5008	3956	csc.exe	90
PID 3956 wrote to memory of 5008	3956	csc.exe	90

C:\Users\Admin\AppData\Local\Temp\f6b79788476c3806befcdd2dead8231a.exe
"C:\Users\Admin\AppData\Local\Temp\f6b79788476c3806befcdd2dead8231a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ra1gnqxf\ra1gnqxf.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66C8.tmp" "c:\Users\Admin\AppData\Local\Temp\ra1gnqxf\CSC795F0C592274EE88ECC2285546D4E2.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5008

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
513KB

MD5
ffb00e69ae7b4385c7e48cfa6214af12

SHA1
054ce5b40de0d9046b53d906fa875c19c1ff5bd8

SHA256
a16ec26126bcd5d83703dbee5c8702d9a9c9fb29d1f27e8dae24239aad3a0990

SHA512
cdb120128a508bd46cb1a6a3173ddae9719bf5804a655768be4150a0568ffe99300bd200595db20ff3553e5e3614f97983ee5a789cef694956aec883d8875d27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES66C8.tmp

Filesize
1KB

MD5
6bacbf3cb2ef82e7910549401421c117

SHA1
83b2fdfc903d0ee64e395c5fbefa2dff2d7e4861

SHA256
0cae31f69ac1cbb3c0369306100192318d0aa5ec0e730977f6b85e3a5efc6066

SHA512
7edf3b5a0392d4fe12ea8bc7ce62e246ac970e01fcfb532048396f4f28f1b7f19b87825b5fb5cac1b99c8b1ca3a0e5f0f284ebe9041f2f343f0925e8b9365afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_npxpyrdn.jkb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ra1gnqxf\ra1gnqxf.dll

Filesize
6KB

MD5
bcd22970486a9584df97c79bd0ec59de

SHA1
8898b860eead0a584f6b4a7d43feca06e95333e3

SHA256
12ac06d712ec0ce26e4b7d4dee0855dc9775e6b18e58661373deef100e22de5f

SHA512
e3ee4fe72cd9c88f17b81a73b2ae4940f80efdb5c790e65b9e0cc030dee7050cfd7a49646570f89e0911ae59af376ddd264f43207d85567bd381f512bcfa0848

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ra1gnqxf\CSC795F0C592274EE88ECC2285546D4E2.TMP

Filesize
652B

MD5
7c29e0e8b4b245bcc30541797f32ba20

SHA1
eba6be0411f2ce70cfe1b6adb89dd2a9b4f39d3b

SHA256
9956bdc76194a9cfcdda7407c4349c27b9261b580b9b49910f78090569102448

SHA512
2c9b034bd66ba725447bc9769bd5afafe7573a7e03b6702bcd992a50768b5729204b6792365ff26a50da85a1ff8368ce4d9259c52d51c8f829c1b1833792fd9e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ra1gnqxf\ra1gnqxf.cmdline

Filesize
360B

MD5
16d99659628f930c3a5f2a493abb2f57

SHA1
aa4e7130b4b52c0a610d29eeff7830e3cb6e9240

SHA256
868a8f4aa4a3feccedc5d429c764d09efdd322e5b75ca19d649b841bb76661a8

SHA512
088e87e023fdc6308e9593a5dcc23875dde2c28d4095f723390fcc281e78cf3f98f85b68afdd1a2162014147b3ae1533c8f499d4b35a64b1cf77ce3c1f70d466

Download Submit
memory/2004-58-0x0000000005980000-0x000000000598A000-memory.dmp

Filesize
40KB

Download
memory/2004-57-0x00000000063C0000-0x0000000006452000-memory.dmp

Filesize
584KB

Download
memory/2004-20-0x00000000743B0000-0x0000000074B61000-memory.dmp

Filesize
7.7MB

Download
memory/2004-19-0x00000000743B0000-0x0000000074B61000-memory.dmp

Filesize
7.7MB

Download
memory/2004-59-0x00000000743B0000-0x0000000074B61000-memory.dmp

Filesize
7.7MB

Download
memory/2004-60-0x00000000743B0000-0x0000000074B61000-memory.dmp

Filesize
7.7MB

Download
memory/3688-23-0x00000000743B0000-0x0000000074B61000-memory.dmp

Filesize
7.7MB

Download
memory/3688-26-0x0000000004DA0000-0x0000000004DC2000-memory.dmp

Filesize
136KB

Download
memory/3688-29-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/3688-39-0x0000000005950000-0x0000000005CA7000-memory.dmp

Filesize
3.3MB

Download
memory/3688-40-0x0000000005DE0000-0x0000000005DFE000-memory.dmp

Filesize
120KB

Download
memory/3688-41-0x0000000005E30000-0x0000000005E7C000-memory.dmp

Filesize
304KB

Download
memory/3688-43-0x0000000006310000-0x000000000632A000-memory.dmp

Filesize
104KB

Download
memory/3688-42-0x0000000007680000-0x0000000007CFA000-memory.dmp

Filesize
6.5MB

Download
memory/3688-27-0x00000000743B0000-0x0000000074B61000-memory.dmp

Filesize
7.7MB

Download
memory/3688-28-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/3688-55-0x0000000006380000-0x0000000006388000-memory.dmp

Filesize
32KB

Download
memory/3688-25-0x00000000743B0000-0x0000000074B61000-memory.dmp

Filesize
7.7MB

Download
memory/3688-24-0x0000000004FA0000-0x000000000566A000-memory.dmp

Filesize
6.8MB

Download
memory/3688-61-0x00000000743B0000-0x0000000074B61000-memory.dmp

Filesize
7.7MB

Download
memory/3688-22-0x0000000002450000-0x0000000002486000-memory.dmp

Filesize
216KB

Download
memory/3812-3-0x0000000004AE0000-0x0000000004B7C000-memory.dmp

Filesize
624KB

Download
memory/3812-2-0x0000000004F80000-0x0000000005526000-memory.dmp

Filesize
5.6MB

Download
memory/3812-1-0x0000000000100000-0x0000000000116000-memory.dmp

Filesize
88KB

Download
memory/3812-0-0x00000000743BE000-0x00000000743BF000-memory.dmp

Filesize
4KB

Download