1f20cd153b2c322bf1ff9941e4e5204098abdc7da37250ce3fb38612b3e927ba

General

Target

audacity-win-2.4.2.exe
Size

26.8MB
MD5

cad3e11f580c2dc35503e6ee11833c94
SHA1

522ff2efcc2dc89b6de70c6a0cc486e53b4a7afc
SHA256

1f20cd153b2c322bf1ff9941e4e5204098abdc7da37250ce3fb38612b3e927ba
SHA512

ec112cf72f8602b4dd1ae8f2144b96329af423f9011eeb32abece9ce126f065f39201c0d737a155614848ce917ce9a9b5964b0aaa6d53b50ab98731113750df8

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

audacity-win-2.4.2.tmp

pid process

2444 audacity-win-2.4.2.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2444	audacity-win-2.4.2.tmp

Drops file in Program Files directory 64 IoCs

Processes:

audacity-win-2.4.2.tmp

description	ioc	process
File created	C:\Program Files (x86)\Audacity\Languages\nb\is-EM7QR.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\Nyquist\is-DF2O0.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\0\06\is-QMQPK.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\man\is-JG339.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\is-QPCAN.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\5\54\is-V16B3.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\5\56\is-JE50M.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\man\is-6UBTB.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\man\is-CTSF3.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\2\24\is-KIJLV.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\2\2f\is-JCDD8.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\4\4b\is-2MN3H.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\Nyquist\is-A5N1O.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\c\c9\is-25PNR.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\f\f2\is-OM6T9.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\man\is-MFLFB.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\b\b0\is-5EBUL.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\e\e8\is-8OHME.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\man\is-0T18K.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\man\is-OTH8V.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\Languages\de\is-DLARH.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\2\2e\is-D049Q.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\6\62\is-44SN2.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\8\88\is-N5K3T.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\e\e1\is-C7DNC.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\man\is-DQQJA.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\Nyquist\rawwaves\is-Q47U6.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\Plug-Ins\is-6OHBI.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\0\00\is-S60MS.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\4\4d\is-20FFI.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\b\bb\is-6N65V.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\6\61\is-DSTQ9.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\6\65\is-KN9A3.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\b\b6\is-VUORL.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\e\e6\is-GMRB9.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\man\is-HLPLR.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\1\11\is-3H5VL.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\2\21\is-B050D.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\2\2e\is-LKP3E.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\man\is-S6DB4.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\d\da\is-QJ506.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\man\is-OV8BL.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\man\is-F6J66.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\3\3d\is-LQDF6.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\4\44\is-BV9N0.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\5\50\is-MELE1.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\a\a0\is-888CG.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\Languages\sl\is-H0NKE.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\1\11\is-C66VM.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\5\51\is-URFM3.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\5\52\is-NU8A1.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\man\is-CNANV.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\1\10\is-HS0OJ.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\b\bb\is-3CL5R.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\man\is-PCVO3.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\c\cf\is-SMK94.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\e\e9\is-CQ4JH.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\man\is-P4OKF.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\man\is-UM39O.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\Languages\km\is-P4JBP.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\2\2c\is-JKTCR.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\2\2d\is-O86BR.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\a\a8\is-C4CFJ.tmp	audacity-win-2.4.2.tmp
File created	C:\Program Files (x86)\Audacity\help\manual\m\images\1\1b\is-PJIGF.tmp	audacity-win-2.4.2.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 11 IoCs

Processes:

audacity-win-2.4.2.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Audacity.Project	audacity-win-2.4.2.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Audacity.Project\OpenWithList	audacity-win-2.4.2.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Audacity.Project\ = "Audacity Project File"	audacity-win-2.4.2.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Audacity.Project\shell\	audacity-win-2.4.2.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Audacity.Project\shell\open	audacity-win-2.4.2.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Audacity.Project\shell\open\command\ = "\"C:\\Program Files (x86)\\Audacity\\audacity.exe\" \"%1\""	audacity-win-2.4.2.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.AUP	audacity-win-2.4.2.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Audacity.Project\OpenWithList\audacity.exe	audacity-win-2.4.2.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Audacity.Project\shell\open\command	audacity-win-2.4.2.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.AUP\ = "Audacity.Project"	audacity-win-2.4.2.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Audacity.Project\shell	audacity-win-2.4.2.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

audacity-win-2.4.2.tmp

pid process

2444 audacity-win-2.4.2.tmp
2444 audacity-win-2.4.2.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

audacity-win-2.4.2.tmp

pid process

2444 audacity-win-2.4.2.tmp

pid	process
2444	audacity-win-2.4.2.tmp
2444	audacity-win-2.4.2.tmp

pid	process
2444	audacity-win-2.4.2.tmp

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

audacity-win-2.4.2.exe

description	pid	process	target process
PID 3920 wrote to memory of 2444	3920	audacity-win-2.4.2.exe	audacity-win-2.4.2.tmp
PID 3920 wrote to memory of 2444	3920	audacity-win-2.4.2.exe	audacity-win-2.4.2.tmp
PID 3920 wrote to memory of 2444	3920	audacity-win-2.4.2.exe	audacity-win-2.4.2.tmp

C:\Users\Admin\AppData\Local\Temp\audacity-win-2.4.2.exe
"C:\Users\Admin\AppData\Local\Temp\audacity-win-2.4.2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\is-MK9FB.tmp\audacity-win-2.4.2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MK9FB.tmp\audacity-win-2.4.2.tmp" /SL5="$5006A,27436400,295936,C:\Users\Admin\AppData\Local\Temp\audacity-win-2.4.2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:2444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-MK9FB.tmp\audacity-win-2.4.2.tmp

MD5
0d6a4b1517227e494d49fd1f9bc9f8c3

SHA1
1581aa63b6abd03400714253ab4713f3d80470f5

SHA256
d6108658bd3a728049b01a7d00cc2bb51662ce254f1eb1c0a68330961f17bdc2

SHA512
9992fbc5ee0261c483342b748549e3db737974160b68258330a33dd41108c0088e27230c7b08057796a4eb8df008323df9e5e9a45f7fcd6f016b569f5107c403

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MK9FB.tmp\audacity-win-2.4.2.tmp

MD5
0d6a4b1517227e494d49fd1f9bc9f8c3

SHA1
1581aa63b6abd03400714253ab4713f3d80470f5

SHA256
d6108658bd3a728049b01a7d00cc2bb51662ce254f1eb1c0a68330961f17bdc2

SHA512
9992fbc5ee0261c483342b748549e3db737974160b68258330a33dd41108c0088e27230c7b08057796a4eb8df008323df9e5e9a45f7fcd6f016b569f5107c403

Download Submit
memory/2444-116-0x0000000000000000-mapping.dmp

Download
memory/2444-118-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3920-114-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads