11268bfe0f8fd833cba169427a75f4e129b7bf9e7dcb105e7f0c9936c8f9e3cf

Analysis

max time kernel
84s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2022 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sonar.AutoSwitch.zip
Size

24.0MB
MD5

45aa36c06afe11d5c835f056315b6e55
SHA1

8ff0600fc7fb253c0e53f3d0c6cc10068239988d
SHA256

11268bfe0f8fd833cba169427a75f4e129b7bf9e7dcb105e7f0c9936c8f9e3cf
SHA512

cf57bd04dd1de474fdae6dc15597f8ad4e419962588e1dd5d251e18b8609981ff208116dbba87d7141fabe2b90b88ac76e36cded43542504e0d71434489ff5b6
SSDEEP

393216:03j8rZPP+BKRU68ywqcnpeAVRYd8VYKvkWZp9DlDGL9bIcIwETjb+frDBPEhzL4X:gOZPZz8ocnkAVRYd8VY45ZpOL9bPIw3V

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 4 IoCs

Processes:

Sonar.AutoSwitch.exe

pid process

2736 Sonar.AutoSwitch.exe
2736 Sonar.AutoSwitch.exe
2736 Sonar.AutoSwitch.exe
2736 Sonar.AutoSwitch.exe

pid	process
2736	Sonar.AutoSwitch.exe
2736	Sonar.AutoSwitch.exe
2736	Sonar.AutoSwitch.exe
2736	Sonar.AutoSwitch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Sonar.AutoSwitch.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sonar.AutoSwitch = "C:\\Users\\Admin\\Documents\\Sonar.AutoSwitch\\Sonar.AutoSwitch.exe"	Sonar.AutoSwitch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Sonar.AutoSwitch.exe

description pid process

Token: SeDebugPrivilege 2736 Sonar.AutoSwitch.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Sonar.AutoSwitch.exe

pid process

2736 Sonar.AutoSwitch.exe
2736 Sonar.AutoSwitch.exe
2736 Sonar.AutoSwitch.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Sonar.AutoSwitch.exe

pid process

2736 Sonar.AutoSwitch.exe
2736 Sonar.AutoSwitch.exe
2736 Sonar.AutoSwitch.exe

description	pid	process
Token: SeDebugPrivilege	2736	Sonar.AutoSwitch.exe

pid	process
2736	Sonar.AutoSwitch.exe
2736	Sonar.AutoSwitch.exe
2736	Sonar.AutoSwitch.exe

pid	process
2736	Sonar.AutoSwitch.exe
2736	Sonar.AutoSwitch.exe
2736	Sonar.AutoSwitch.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Sonar.AutoSwitch.zip
1⤵
PID:976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:428

C:\Users\Admin\Documents\Sonar.AutoSwitch\Sonar.AutoSwitch.exe
"C:\Users\Admin\Documents\Sonar.AutoSwitch\Sonar.AutoSwitch.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.net\Sonar.AutoSwitch\D3ZwB6p4MQgoa+wU4FdhzFkvuZVbc9o=\av_libglesv2.dll
Filesize
4.2MB

MD5
73d2fb4c35d323813a86e3bf5c85c345

SHA1
81f751a34e0c25bdea93902a19a94a49ce1495df

SHA256
85b3aee47c0e0eaf3a5ea5c75ba8131387a12639b6a0ef280c28531fb77695ae

SHA512
e81677cc9b99ff3d54f67000a60489603e01a896f90c4ef0c883b82e2fdb7b90d2899c078958b3f060a20373b99cb6c4deb7f64cc4c7e0ba2a708209f4684ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Sonar.AutoSwitch\D3ZwB6p4MQgoa+wU4FdhzFkvuZVbc9o=\e_sqlite3.dll
Filesize
1.6MB

MD5
6a67f4751ef45ae84549a109c0128efe

SHA1
e5a264bb80be05c60095a74b3f9eea89cd2ca41d

SHA256
957066af365f43e7b35b04dc9bcfcf4984c2dd7ed0640e7425f9c0ca014d836a

SHA512
219983369ea2023db4ba6530adfbf54f901d119191da31c25ff5f89ce76ecff21296921618cce171d7a3a4625a2bcf56788dc8bbd7b1c8a803977175057cb4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Sonar.AutoSwitch\D3ZwB6p4MQgoa+wU4FdhzFkvuZVbc9o=\libHarfBuzzSharp.dll
Filesize
893KB

MD5
36c3a408bb7653aa8068f1f8adee899a

SHA1
5cde588b7502328372195a12e6a6a241dd63a3a8

SHA256
77c88a847a8c704e91a1454d5d024d2d05de57bfd351851c2b27f572ba62ea75

SHA512
ce17ddb41c46ea4304a9f7df88c044bb68216c4821e50473998d31a93f62d5d229f08b1223d650cf78c6517b5df2f2fcf8f17ec64045c350b797c0580bff1857

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\Sonar.AutoSwitch\D3ZwB6p4MQgoa+wU4FdhzFkvuZVbc9o=\libSkiaSharp.dll
Filesize
9.0MB

MD5
4c1c559daf37f1b5f051394709c40855

SHA1
19a527046d48e21be32214ff1d78ccc494b274a1

SHA256
53df5bd3ac09600a37686033503aa28157fa19219f2dd4cae191c50e0a59ecfa

SHA512
e8851a09a40e8ddb465c75c9e25c2f8cc3a39ea7e8e437e259a1d1b0d8ac93912057bff16db69215d10c289cbb65cafe137229b006e42c138ec5bc7029a0754e

Download Submit