Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 06-11-2020 11:44
Static task: static1
Behavioral task: behavioral1
  Sample: cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe
  Resource: win10v20201028
General
- Target: cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe
- Size: 3.9MB
- MD5: f779b9615b86f9dded7f6de1e5c3178c
- SHA1: 932bb2bb8ee87f26726f0cfd01113fbe65936271
- SHA256: cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d
- SHA512: 710b974627772a4fbf600fb0417690bbc4b956d4d25debae2748f23be473ce17f5356df9f37d17a3b65bcfd462f3bb8377d21af001f9f5e619ff01a2cfcbf500
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
    pid  | process
    1180 | Soundcrd.exe
    3548 | Soundcrd.exe
    2204 | Soundcrd.exe
- YARA rule match: upx (10 resources)
  Processes:
    yara_rule | resource
    upx | C:\Users\Admin\AppData\Roaming\Soundcrd.exe
    upx | C:\Users\Admin\AppData\Roaming\Soundcrd.exe
    upx | behavioral2/memory/3548-11-0x0000000000400000-0x00000000004B5000-memory.dmp
    upx | C:\Users\Admin\AppData\Roaming\Soundcrd.exe
    upx | behavioral2/memory/2204-15-0x0000000000400000-0x0000000000409000-memory.dmp
    upx | behavioral2/memory/2204-20-0x0000000000400000-0x0000000000409000-memory.dmp
    upx | behavioral2/memory/2204-21-0x0000000000400000-0x0000000000409000-memory.dmp
    upx | behavioral2/memory/3548-19-0x0000000000400000-0x00000000004B5000-memory.dmp
    upx | C:\Users\Admin\AppData\Roaming\Soundcrd.exe
    upx | behavioral2/memory/3548-24-0x0000000000400000-0x00000000004B5000-memory.dmp
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Soundcrd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcrosoftt = "C:\\Users\\Admin\\AppData\\Roaming\\Soundcrd.exe" | reg.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description | pid | process | target process
    PID 1180 set thread context of 3548 | 1180 | Soundcrd.exe | Soundcrd.exe
    PID 1180 set thread context of 2204 | 1180 | Soundcrd.exe | Soundcrd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Soundcrd.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Soundcrd.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Soundcrd.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | Soundcrd.exe
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | Soundcrd.exe
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2204 | Soundcrd.exe
    Token: SeIncreaseQuotaPrivilege | 3548 | Soundcrd.exe
    Token: SeSecurityPrivilege | 3548 | Soundcrd.exe
    Token: SeTakeOwnershipPrivilege | 3548 | Soundcrd.exe
    Token: SeLoadDriverPrivilege | 3548 | Soundcrd.exe
    Token: SeSystemProfilePrivilege | 3548 | Soundcrd.exe
    Token: SeSystemtimePrivilege | 3548 | Soundcrd.exe
    Token: SeProfSingleProcessPrivilege | 3548 | Soundcrd.exe
    Token: SeIncBasePriorityPrivilege | 3548 | Soundcrd.exe
    Token: SeCreatePagefilePrivilege | 3548 | Soundcrd.exe
    Token: SeBackupPrivilege | 3548 | Soundcrd.exe
    Token: SeRestorePrivilege | 3548 | Soundcrd.exe
    Token: SeShutdownPrivilege | 3548 | Soundcrd.exe
    Token: SeDebugPrivilege | 3548 | Soundcrd.exe
    Token: SeSystemEnvironmentPrivilege | 3548 | Soundcrd.exe
    Token: SeChangeNotifyPrivilege | 3548 | Soundcrd.exe
    Token: SeRemoteShutdownPrivilege | 3548 | Soundcrd.exe
    Token: SeUndockPrivilege | 3548 | Soundcrd.exe
    Token: SeManageVolumePrivilege | 3548 | Soundcrd.exe
    Token: SeImpersonatePrivilege | 3548 | Soundcrd.exe
    Token: SeCreateGlobalPrivilege | 3548 | Soundcrd.exe
    Token: 33 | 3548 | Soundcrd.exe
    Token: 34 | 3548 | Soundcrd.exe
    Token: 35 | 3548 | Soundcrd.exe
    Token: 36 | 3548 | Soundcrd.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid  | process
    580  | cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe
    1180 | Soundcrd.exe
    2204 | Soundcrd.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes:
    description | pid | process | target process
    PID 580 wrote to memory of 2148 | 580 | cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe | cmd.exe
    PID 580 wrote to memory of 2148 | 580 | cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe | cmd.exe
    PID 580 wrote to memory of 2148 | 580 | cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe | cmd.exe
    PID 2148 wrote to memory of 3188 | 2148 | cmd.exe | reg.exe
    PID 2148 wrote to memory of 3188 | 2148 | cmd.exe | reg.exe
    PID 2148 wrote to memory of 3188 | 2148 | cmd.exe | reg.exe
    PID 580 wrote to memory of 1180 | 580 | cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe | Soundcrd.exe
    PID 580 wrote to memory of 1180 | 580 | cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe | Soundcrd.exe
    PID 580 wrote to memory of 1180 | 580 | cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe | Soundcrd.exe
    PID 1180 wrote to memory of 3548 | 1180 | Soundcrd.exe | Soundcrd.exe
    PID 1180 wrote to memory of 3548 | 1180 | Soundcrd.exe | Soundcrd.exe
    PID 1180 wrote to memory of 3548 | 1180 | Soundcrd.exe | Soundcrd.exe
    PID 1180 wrote to memory of 3548 | 1180 | Soundcrd.exe | Soundcrd.exe
    PID 1180 wrote to memory of 3548 | 1180 | Soundcrd.exe | Soundcrd.exe
    PID 1180 wrote to memory of 3548 | 1180 | Soundcrd.exe | Soundcrd.exe
    PID 1180 wrote to memory of 3548 | 1180 | Soundcrd.exe | Soundcrd.exe
    PID 1180 wrote to memory of 3548 | 1180 | Soundcrd.exe | Soundcrd.exe
    PID 1180 wrote to memory of 2204 | 1180 | Soundcrd.exe | Soundcrd.exe
    PID 1180 wrote to memory of 2204 | 1180 | Soundcrd.exe | Soundcrd.exe
    PID 1180 wrote to memory of 2204 | 1180 | Soundcrd.exe | Soundcrd.exe
    PID 1180 wrote to memory of 2204 | 1180 | Soundcrd.exe | Soundcrd.exe
    PID 1180 wrote to memory of 2204 | 1180 | Soundcrd.exe | Soundcrd.exe
    PID 1180 wrote to memory of 2204 | 1180 | Soundcrd.exe | Soundcrd.exe
    PID 1180 wrote to memory of 2204 | 1180 | Soundcrd.exe | Soundcrd.exe
    PID 1180 wrote to memory of 2204 | 1180 | Soundcrd.exe | Soundcrd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMHBA.bat" "
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f
      - Adds Run key to start application
  - C:\Users\Admin\AppData\Roaming\Soundcrd.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Soundcrd.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      Command line: C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      Command line: C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\NMHBA.bat
  MD5: 173bcce4810d4901872d0ef4f0bfea4e
  SHA1: 561b03fdfe68b6419fddf57f32e1aab9a6126a2f
  SHA256: 10ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d
  SHA512: 2401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e
- C:\Users\Admin\AppData\Roaming\Soundcrd.exe
  MD5: 191a1f6f257a7bd5a6e8c62ec29ea2ad
  SHA1: 0ea0890aa6e0054b2b97bfd9d5372c9a8aaf557e
  SHA256: 0a64c6b7bd6d2b87997a29250d50275c14da7499d151435f9bb874f6464dd0ac
  SHA512: 21735dff6a395739c979f1bb782fd18537a690eb54b8c01c96cc63d440405c644e43f0107f02997d2dc529a77e5faba86666dfeacf972f990a7751a67af84e7b
- memory/1180-5-0x0000000000000000-mapping.dmp
- memory/1180-8-0x0000000073970000-0x0000000073A03000-memory.dmp (Filesize: 588KB)
- memory/2148-2-0x0000000000000000-mapping.dmp
- memory/2204-16-0x0000000000407450-mapping.dmp
- memory/2204-15-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/2204-18-0x0000000073970000-0x0000000073A03000-memory.dmp (Filesize: 588KB)
- memory/2204-20-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/2204-21-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/3188-4-0x0000000000000000-mapping.dmp
- memory/3548-14-0x0000000073970000-0x0000000073A03000-memory.dmp (Filesize: 588KB)
- memory/3548-12-0x00000000004B3310-mapping.dmp
- memory/3548-11-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/3548-19-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/3548-24-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)