Analysis
- max time kernel: 140s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 16-05-2021 04:11
- Static task: static1
- Behavioral task: behavioral1
  Sample: 541acc77f8bc50ff4fb2102da1795047ff6716677e166ca4e8234fffa3622414.exe
  Resource: win7v20210410 (windows7_x64)
  0 signatures, 0 seconds
General
- Target: 541acc77f8bc50ff4fb2102da1795047ff6716677e166ca4e8234fffa3622414.exe
- Size: 149KB
- MD5: aa825e9a91290eb8bb60c6da3687a70c
- SHA1: 246868a8c1e70bb6c63411517140af7e4104aeb4
- SHA256: 541acc77f8bc50ff4fb2102da1795047ff6716677e166ca4e8234fffa3622414
- SHA512: f34fe96933dedd568aa015865b3d1adeec1db7e0bc02300d1da2e86c68f40aef8d97c184db060793d67901325a6e14aebbf2562c8f9f3c660d95e41a2d508283
Malware Config
Signatures
- Drops file in System32 directory (5 IoCs)
  Processes: soundcomment.exe
  description / ioc / process:
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5  soundcomment.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat  soundcomment.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5  soundcomment.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE  soundcomment.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies  soundcomment.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (3 IoCs)
  Processes: soundcomment.exe
  description / ioc / process:
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  soundcomment.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  soundcomment.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  soundcomment.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: soundcomment.exe
  pid / process:
  1936  soundcomment.exe  (10 occurrences)
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: 541acc77f8bc50ff4fb2102da1795047ff6716677e166ca4e8234fffa3622414.exe
  pid / process:
  4692  541acc77f8bc50ff4fb2102da1795047ff6716677e166ca4e8234fffa3622414.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 541acc77f8bc50ff4fb2102da1795047ff6716677e166ca4e8234fffa3622414.exe, soundcomment.exe
  description / pid / process / target process:
  PID 4436 wrote to memory of 4692  4436  541acc77f8bc50ff4fb2102da1795047ff6716677e166ca4e8234fffa3622414.exe  541acc77f8bc50ff4fb2102da1795047ff6716677e166ca4e8234fffa3622414.exe  (3 occurrences)
  PID 3896 wrote to memory of 1936  3896  soundcomment.exe  soundcomment.exe  (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\541acc77f8bc50ff4fb2102da1795047ff6716677e166ca4e8234fffa3622414.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\541acc77f8bc50ff4fb2102da1795047ff6716677e166ca4e8234fffa3622414.exe"
  PID: 4436
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\541acc77f8bc50ff4fb2102da1795047ff6716677e166ca4e8234fffa3622414.exe
    Command line: --d5248a57
    PID: 4692
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\soundcomment.exe
  Command line: "C:\Windows\SysWOW64\soundcomment.exe"
  PID: 3896
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\soundcomment.exe
    Command line: --1e570902
    PID: 1936
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1936-120-0x0000000000000000-mapping.dmp
- memory/1936-122-0x0000000000640000-0x0000000000651000-memory.dmp (Filesize 68KB)
- memory/1936-123-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
- memory/3896-121-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
- memory/4436-114-0x0000000000430000-0x000000000057A000-memory.dmp (Filesize 1.3MB)
- memory/4436-115-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)
- memory/4692-116-0x0000000000000000-mapping.dmp
- memory/4692-117-0x0000000000520000-0x000000000066A000-memory.dmp (Filesize 1.3MB)
- memory/4692-118-0x0000000000400000-0x0000000000426000-memory.dmp (Filesize 152KB)