Analysis

max time kernel: 131s
max time network: 143s
platform: windows10_x64
resource: win10v20210410
submitted: 13-05-2021 02:01

Static task: static1
Behavioral task: behavioral1
Sample: 42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe
Resource: win7v20210410 (windows7_x64)
0 signatures
0 seconds
General

Target: 42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe
Size: 149KB
MD5: 0ce8dd46919a2dc2476a9bfadf88aee5
SHA1: 24ce36c4808046d2a82e082f4d419c6d25533d2f
SHA256: 42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de
SHA512: 603c979e7cce3535c56e6fcfd12c3580f90a9dc866ad2d982bb3131f144723b15f32e8d8b53f4cc431582c83fd2f42de31ddef4fe3f95dcc8032318b83a9514a
Malware Config
Signatures

Drops file in System32 directory (5 IoCs)
Processes: soundtyp.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | soundtyp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | soundtyp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | soundtyp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | soundtyp.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | soundtyp.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (3 IoCs)
Processes: soundtyp.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | soundtyp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | soundtyp.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | soundtyp.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes: soundtyp.exe
pid | process
3396 | soundtyp.exe (same entry listed 10 times)

Suspicious behavior: RenamesItself (1 IoCs)
Processes: 42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe
pid | process
2712 | 42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe, soundtyp.exe
description | pid | process | target process
PID 4008 wrote to memory of 2712 | 4008 | 42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe | 42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe (same entry listed 3 times)
PID 3516 wrote to memory of 3396 | 3516 | soundtyp.exe | soundtyp.exe (same entry listed 3 times)
Processes

C:\Users\Admin\AppData\Local\Temp\42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe"
    PID: 4008
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\42441876b8d0db0a3ea49640bb989b269801ed6d48fa895eb544bb9a56eb24de.exe (child)
        Command line: --528073dc
        PID: 2712
        - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\soundtyp.exe
    Command line: "C:\Windows\SysWOW64\soundtyp.exe"
    PID: 3516
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\soundtyp.exe (child)
        Command line: --780e4c4e
        PID: 3396
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/2712-115-0x0000000000000000-mapping.dmp
memory/2712-117-0x0000000000570000-0x00000000006BA000-memory.dmp (Filesize 1.3MB)
memory/2712-118-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
memory/3396-120-0x0000000000000000-mapping.dmp
memory/3396-122-0x0000000000430000-0x00000000004DE000-memory.dmp (Filesize 696KB)
memory/3396-123-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
memory/3516-119-0x0000000000430000-0x00000000004DE000-memory.dmp (Filesize 696KB)
memory/3516-121-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
memory/4008-114-0x0000000000590000-0x00000000005A1000-memory.dmp (Filesize 68KB)
memory/4008-116-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)