d50ad141854cca0a356de2c38f533ae4e87bb9379d96f656f12fb75c94024cc8

Analysis

max time kernel
1792s
max time network
1588s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02-07-2024 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Voicemod Pro 2.6.0.7 (x64) Multilingual [PeskTop.com]/VoicemodSetup_2.6.0.7.exe
Size

64.4MB
MD5

ac5c87490c1d1949dfe6f50ee007e6ea
SHA1

ecca4b6ea32fa0af34b739a1c9e93cc400651091
SHA256

7ff3b571ce5e9853333c9a1bda22070755c4ac579b9aa785e56db315e851e32d
SHA512

6ad0c745b3e49eab9587b13135261be98a858d24f797a200217a3eadb65d8219ea51535cc64426187e8cbc9a030e3998011842c18d348037e6b2dc57f1efa24d
SSDEEP

1572864:jSJjRAbmycmDxlBFllh8LRdKKPGleP6YDmq5glXg4Y:giyyXPrlhSdCQCYDVglw4Y

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

VoicemodSetup_2.6.0.7.tmpcurl.execurl.execurl.exe

pid process

200 VoicemodSetup_2.6.0.7.tmp
2268 curl.exe
3060 curl.exe
4088 curl.exe
Loads dropped DLL 3 IoCs

Processes:

VoicemodSetup_2.6.0.7.tmp

pid process

200 VoicemodSetup_2.6.0.7.tmp
200 VoicemodSetup_2.6.0.7.tmp
200 VoicemodSetup_2.6.0.7.tmp
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4388 tasklist.exe
3564 tasklist.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 4388 tasklist.exe
Token: SeDebugPrivilege 3564 tasklist.exe

pid	process
200	VoicemodSetup_2.6.0.7.tmp
2268	curl.exe
3060	curl.exe
4088	curl.exe

pid	process
200	VoicemodSetup_2.6.0.7.tmp
200	VoicemodSetup_2.6.0.7.tmp
200	VoicemodSetup_2.6.0.7.tmp

pid	process
4388	tasklist.exe
3564	tasklist.exe

description	pid	process
Token: SeDebugPrivilege	4388	tasklist.exe
Token: SeDebugPrivilege	3564	tasklist.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

VoicemodSetup_2.6.0.7.exeVoicemodSetup_2.6.0.7.tmpcmd.execmd.exe

description	pid	process	target process
PID 4400 wrote to memory of 200	4400	VoicemodSetup_2.6.0.7.exe	VoicemodSetup_2.6.0.7.tmp
PID 4400 wrote to memory of 200	4400	VoicemodSetup_2.6.0.7.exe	VoicemodSetup_2.6.0.7.tmp
PID 4400 wrote to memory of 200	4400	VoicemodSetup_2.6.0.7.exe	VoicemodSetup_2.6.0.7.tmp
PID 200 wrote to memory of 2268	200	VoicemodSetup_2.6.0.7.tmp	curl.exe
PID 200 wrote to memory of 2268	200	VoicemodSetup_2.6.0.7.tmp	curl.exe
PID 200 wrote to memory of 3060	200	VoicemodSetup_2.6.0.7.tmp	curl.exe
PID 200 wrote to memory of 3060	200	VoicemodSetup_2.6.0.7.tmp	curl.exe
PID 200 wrote to memory of 3836	200	VoicemodSetup_2.6.0.7.tmp	cmd.exe
PID 200 wrote to memory of 3836	200	VoicemodSetup_2.6.0.7.tmp	cmd.exe
PID 3836 wrote to memory of 4388	3836	cmd.exe	tasklist.exe
PID 3836 wrote to memory of 4388	3836	cmd.exe	tasklist.exe
PID 200 wrote to memory of 1096	200	VoicemodSetup_2.6.0.7.tmp	cmd.exe
PID 200 wrote to memory of 1096	200	VoicemodSetup_2.6.0.7.tmp	cmd.exe
PID 1096 wrote to memory of 3564	1096	cmd.exe	tasklist.exe
PID 1096 wrote to memory of 3564	1096	cmd.exe	tasklist.exe
PID 200 wrote to memory of 4088	200	VoicemodSetup_2.6.0.7.tmp	curl.exe
PID 200 wrote to memory of 4088	200	VoicemodSetup_2.6.0.7.tmp	curl.exe

C:\Users\Admin\AppData\Local\Temp\Voicemod Pro 2.6.0.7 (x64) Multilingual [PeskTop.com]\VoicemodSetup_2.6.0.7.exe
"C:\Users\Admin\AppData\Local\Temp\Voicemod Pro 2.6.0.7 (x64) Multilingual [PeskTop.com]\VoicemodSetup_2.6.0.7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4400

C:\Users\Admin\AppData\Local\Temp\is-K8DFK.tmp\VoicemodSetup_2.6.0.7.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K8DFK.tmp\VoicemodSetup_2.6.0.7.tmp" /SL5="$501FE,66753197,750080,C:\Users\Admin\AppData\Local\Temp\Voicemod Pro 2.6.0.7 (x64) Multilingual [PeskTop.com]\VoicemodSetup_2.6.0.7.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:200

C:\Users\Admin\AppData\Local\Temp\is-GTCKO.tmp\curl.exe
"C:\Users\Admin\AppData\Local\Temp\is-GTCKO.tmp\curl.exe" -v https://wsw.voicemod.net/api.windows/v2/webutils/getAnonymousId/?initialUuid=9251837d-e9a5-4229-9a78-b1085d98b1bb -o C:\Users\Admin\AppData\Local\Temp\is-GTCKO.tmp\deviceId.txt
3⤵
- Executes dropped EXE
PID:2268

C:\Users\Admin\AppData\Local\Temp\is-GTCKO.tmp\curl.exe
"C:\Users\Admin\AppData\Local\Temp\is-GTCKO.tmp\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"0f53e42a-5f24-4cfc-97b3-3ad130d9eb70\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"0f53e42a-5f24-4cfc-97b3-3ad130d9eb70\"},\"mp_deviceid\": \"0f53e42a-5f24-4cfc-97b3-3ad130d9eb70\",\"events\": [{\"data\": {\"event_name\": \"Installer Open\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"9251837d-e9a5-4229-9a78-b1085d98b1bb\", \"country\": \"United States\", \"locale\": \"en-US\", \"is_new_user\": \"False\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
3⤵
- Executes dropped EXE
PID:3060

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_unins000.exe.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C tasklist > C:\Users\Admin\AppData\Local\Temp\\tasklist_VoicemodDesktop.exe.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Users\Admin\AppData\Local\Temp\is-GTCKO.tmp\curl.exe
"C:\Users\Admin\AppData\Local\Temp\is-GTCKO.tmp\curl.exe" -u us1-9ce275fde2ae0e4fa29e7be3416716f8:I9wI9bIvnwhEBAHqgGq3iwgv6F_rq98MMw45315t6FXIOcfqtzsfedlzBqqhJBb- -v https://s2s.mparticle.com/v2/events -H "Content-Type: application/json" -X POST -d "{\"user_identities\": {\"other\": \"0f53e42a-5f24-4cfc-97b3-3ad130d9eb70\"},\"device_info\": {\"platform\": \"roku\",\"roku_publisher_id\": \"0f53e42a-5f24-4cfc-97b3-3ad130d9eb70\"},\"mp_deviceid\": \"0f53e42a-5f24-4cfc-97b3-3ad130d9eb70\",\"events\": [{\"data\": {\"event_name\": \"Installer Page wpWelcome\" , \"custom_attributes\": { \"version\": \"2.6.0.7\", \"machine_guid\": \"9251837d-e9a5-4229-9a78-b1085d98b1bb\", \"country\": \"United States\", \"locale\": \"en-US\", \"is_new_user\": \"True\",\"page_number\": \"1\" }},\"event_type\": \"custom_event\"}],\"environment\": \"production\"}"
3⤵
- Executes dropped EXE
PID:4088

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-GTCKO.tmp\bg-inner.png
Filesize
964B

MD5
4a1378ccbcbcf4a320bfc4d63aabef36

SHA1
8f17dc3df0a7310ab4a3914a81b7f5576e5546a5

SHA256
f3640a78436c8f83c8b055c74da597e239524201df4ae6db52a3141a1a47699a

SHA512
6800224d90fb8c00f31b51a485b90ce0fbc26aea993484a148981d9ef41ee0ff712d43816c1f8ef8b511165de70683ad98202baf27d1a7fb9f31aa88ff17836e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GTCKO.tmp\bg-top.png
Filesize
51KB

MD5
229152b01d238ac58d066bbdd45219bf

SHA1
b47d2070eb77d723f925f36c902c6cefd5bb1c31

SHA256
acb21fcb80667714749963e8ce2e24b23e3f269de34d8e1734892777cbca2f7e

SHA512
fcf37ba7ae4929d77039b0d90f87cf6523bc7bc4f81ca27c1057f53d93752f0d9603708afaf3e8f460a0e5e67210c8d1eeb44cf95b07919a67a37805b0d63b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GTCKO.tmp\buttons.png
Filesize
7KB

MD5
84d27be69f0f13909dab87c1cb270a29

SHA1
cb3a480bf9d790342e12775b4d50c350475f3bb5

SHA256
ed4b81ffc92f6d41c5d4925f0ac83cd280ad1a781a966d2128275c804f6aa5de

SHA512
290ebef8f3930ffdb0b99df9a99bd419ff591bd83acdb9b49b421a36d920298a05ad8e85dfa7e9e5de8fe9864780eff2af1e85aa5e3fc8b3ce88f074b87bf51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GTCKO.tmp\curl.exe
Filesize
411KB

MD5
1c3645ebddbe2da6a32a5f9fb43a3c23

SHA1
086f74a35d5afed78ae50cf5586fafffb7845464

SHA256
0ba1c44d0ee5b34b45b449074cda51624150dc16b3b3c38251df6c052adba205

SHA512
ccc9534a454971db0014ba0996d837a36cda0b91db32a93d73f17097825b1ab7c973601586d06c953bc79d2863c52c7db0fb4d04e37f83581a27e1cf7284224b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GTCKO.tmp\deviceId.txt
Filesize
36B

MD5
becefc83c0f3a0ee7dfecc5fcb232fe9

SHA1
e1b8cd17c04d6a18e6bd9cc324bb305984659289

SHA256
4a3531076c76b91698360148958a81f04e2b5fc3b446728250fe91daeb1ba166

SHA512
9f011d4a08e81d61f04bd7b4340eaae27fc295897e5b3c1a38d63a9e66e5b1fe1dbe9465689f2a3f6ad66308053ab8ab1a0bd538e5c6a78cde5f069056c3e1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K8DFK.tmp\VoicemodSetup_2.6.0.7.tmp
Filesize
2.5MB

MD5
3b93628e07e9a9352cb7ea41c59ef578

SHA1
48615d4428539e9f0af70153656f3e8ae4e2589c

SHA256
498cfe20132fe22e726b0fb8c5d6bd6153cc73416567148ab469f78820bc6b60

SHA512
fa180bc3c80220c641d445daa82ca4b195dd4c716e3c9e596546bdb3100e0e3fd8e306d0b88c1cf01ab5fe4ef984965d883605e3ef05540767b819157cdb55c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist_VoicemodDesktop.exe.txt
Filesize
6KB

MD5
7954abe298935814bbb47fb91bb3f34d

SHA1
5a1f4b8d7a59b064c5c08f270e3bdec3635ca140

SHA256
92e68dd079e9b45a3fdaaab54292e9f42a1415ee6be48bd855210e85b2b1c94f

SHA512
03573303ea3b32596da10c2e5a9165eb49377f615419bc65b45947638c1936f9e24e41574395048e3551cf189d31045ae9629b1ff7fc83f90774ec88cec9e9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasklist_unins000.exe.txt
Filesize
6KB

MD5
62fbe89e25a8c4578a2c23f9b2d9c5b7

SHA1
16fac837514602a185ba45e9b5182b43c08f7f4d

SHA256
728009382433be470dca2c84155692ecd809e7d1d001b1ff23eb3a6f326cb277

SHA512
7993fa6c8d0f7473c2a7a2a68280a29e7b181b24e911ce94b33e5240936d08f6dbc46ae0a7a760c84bd8ca50701087606f1ebe173eceaa0f7827a3490c53213d

Download Submit
\Users\Admin\AppData\Local\Temp\is-GTCKO.tmp\botva2.dll
Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
\Users\Admin\AppData\Local\Temp\is-GTCKO.tmp\idp.dll
Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
memory/200-88-0x0000000003640000-0x0000000003780000-memory.dmp

Filesize
1.2MB

Download
memory/200-34-0x0000000003460000-0x000000000346E000-memory.dmp

Filesize
56KB

Download
memory/200-6-0x0000000000400000-0x0000000000681000-memory.dmp

Filesize
2.5MB

Download
memory/200-98-0x0000000003640000-0x0000000003780000-memory.dmp

Filesize
1.2MB

Download
memory/200-108-0x0000000003640000-0x0000000003780000-memory.dmp

Filesize
1.2MB

Download
memory/200-103-0x0000000003640000-0x0000000003780000-memory.dmp

Filesize
1.2MB

Download
memory/200-93-0x0000000003640000-0x0000000003780000-memory.dmp

Filesize
1.2MB

Download
memory/200-111-0x0000000003460000-0x000000000346E000-memory.dmp

Filesize
56KB

Download
memory/200-110-0x0000000000400000-0x0000000000681000-memory.dmp

Filesize
2.5MB

Download
memory/200-117-0x0000000003460000-0x000000000346E000-memory.dmp

Filesize
56KB

Download
memory/4400-12-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4400-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/4400-0-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download