8667c6073c7206aa1b8ca8e1e59f3d2ece73c5b720692057325005bb03b0edf9

Analysis

max time kernel
133s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-02-2023 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup soothe2 v1.1.2.exe
Size

29.3MB
MD5

0158a14c23a8da850a6ee55097662354
SHA1

42a81c184384b1570e3fa38f47366ffe64e418a5
SHA256

d5b6c825e2febc952ac4cc7e9a5977398a545bcc067fa5e9f490b461efb23d37
SHA512

c7e7252ebf2071c5c6052600939319e88a304a81b3f5102d4aa120913f5252f46e86861287c563a515eb4c926a3a13b216fb758985639a77bc35f255917b600b
SSDEEP

786432:qBPNt1Vn5rkfUg2K39kqiCXg8aJmd2V+fJk4pNs:MPvb5L4CJmd2QfJ3pO

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
276	Setup soothe2 v1.1.2.tmp

Loads dropped DLL 13 IoCs

pid	Process
1708	Setup soothe2 v1.1.2.exe
276	Setup soothe2 v1.1.2.tmp
276	Setup soothe2 v1.1.2.tmp
276	Setup soothe2 v1.1.2.tmp
276	Setup soothe2 v1.1.2.tmp
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Steinberg\VSTPlugins\oeksound\soothe2_x64.dll	Setup soothe2 v1.1.2.tmp
File created	C:\Program Files\Steinberg\VSTPlugins\oeksound\is-9F8JB.tmp	Setup soothe2 v1.1.2.tmp
File created	C:\Program Files\Common Files\VST3\oeksound\is-LKUTU.tmp	Setup soothe2 v1.1.2.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
276	Setup soothe2 v1.1.2.tmp
276	Setup soothe2 v1.1.2.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1640	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1640	AUDIODG.EXE
Token: 33	1640	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1640	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
276	Setup soothe2 v1.1.2.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
276	Setup soothe2 v1.1.2.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 276	1708	Setup soothe2 v1.1.2.exe	28
PID 1708 wrote to memory of 276	1708	Setup soothe2 v1.1.2.exe	28
PID 1708 wrote to memory of 276	1708	Setup soothe2 v1.1.2.exe	28
PID 1708 wrote to memory of 276	1708	Setup soothe2 v1.1.2.exe	28
PID 1708 wrote to memory of 276	1708	Setup soothe2 v1.1.2.exe	28
PID 1708 wrote to memory of 276	1708	Setup soothe2 v1.1.2.exe	28
PID 1708 wrote to memory of 276	1708	Setup soothe2 v1.1.2.exe	28

C:\Users\Admin\AppData\Local\Temp\Setup soothe2 v1.1.2.exe
"C:\Users\Admin\AppData\Local\Temp\Setup soothe2 v1.1.2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\is-CFUTC.tmp\Setup soothe2 v1.1.2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CFUTC.tmp\Setup soothe2 v1.1.2.tmp" /SL5="$7011E,30179246,121344,C:\Users\Admin\AppData\Local\Temp\Setup soothe2 v1.1.2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:276

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1600

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x56c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-CFUTC.tmp\Setup soothe2 v1.1.2.tmp

Filesize
1.1MB

MD5
90fc739c83cd19766acb562c66a7d0e2

SHA1
451f385a53d5fed15e7649e7891e05f231ef549a

SHA256
821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431

SHA512
4cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CFUTC.tmp\Setup soothe2 v1.1.2.tmp

Filesize
1.1MB

MD5
90fc739c83cd19766acb562c66a7d0e2

SHA1
451f385a53d5fed15e7649e7891e05f231ef549a

SHA256
821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431

SHA512
4cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c

Download Submit
\Program Files\Steinberg\VSTPlugins\oeksound\soothe2_x64.dll

Filesize
39.0MB

MD5
78ddc1c38ea683c68cb23c573a1fe823

SHA1
299228782c54f9d371167f3e0f2c8b8a2a5bf4e8

SHA256
b87d41a5f7fbfd1b46a8ae90127326ef155ad64e4281e92f852ca8aeef2c702e

SHA512
9a513138f81fef2abac9e4a17136247425b97284519334699ab7e98fe36448e180a9767dd6528f9f2dde56b0cc65dae59ababaebbecce96b482a7fbec4b7cdb2

Download Submit
\Program Files\Steinberg\VSTPlugins\oeksound\soothe2_x64.dll

Filesize
39.0MB

MD5
78ddc1c38ea683c68cb23c573a1fe823

SHA1
299228782c54f9d371167f3e0f2c8b8a2a5bf4e8

SHA256
b87d41a5f7fbfd1b46a8ae90127326ef155ad64e4281e92f852ca8aeef2c702e

SHA512
9a513138f81fef2abac9e4a17136247425b97284519334699ab7e98fe36448e180a9767dd6528f9f2dde56b0cc65dae59ababaebbecce96b482a7fbec4b7cdb2

Download Submit
\Program Files\Steinberg\VSTPlugins\oeksound\soothe2_x64.dll

Filesize
39.0MB

MD5
78ddc1c38ea683c68cb23c573a1fe823

SHA1
299228782c54f9d371167f3e0f2c8b8a2a5bf4e8

SHA256
b87d41a5f7fbfd1b46a8ae90127326ef155ad64e4281e92f852ca8aeef2c702e

SHA512
9a513138f81fef2abac9e4a17136247425b97284519334699ab7e98fe36448e180a9767dd6528f9f2dde56b0cc65dae59ababaebbecce96b482a7fbec4b7cdb2

Download Submit
\Program Files\Steinberg\VSTPlugins\oeksound\soothe2_x64.dll

Filesize
39.0MB

MD5
78ddc1c38ea683c68cb23c573a1fe823

SHA1
299228782c54f9d371167f3e0f2c8b8a2a5bf4e8

SHA256
b87d41a5f7fbfd1b46a8ae90127326ef155ad64e4281e92f852ca8aeef2c702e

SHA512
9a513138f81fef2abac9e4a17136247425b97284519334699ab7e98fe36448e180a9767dd6528f9f2dde56b0cc65dae59ababaebbecce96b482a7fbec4b7cdb2

Download Submit
\Program Files\Steinberg\VSTPlugins\oeksound\soothe2_x64.dll

Filesize
39.0MB

MD5
78ddc1c38ea683c68cb23c573a1fe823

SHA1
299228782c54f9d371167f3e0f2c8b8a2a5bf4e8

SHA256
b87d41a5f7fbfd1b46a8ae90127326ef155ad64e4281e92f852ca8aeef2c702e

SHA512
9a513138f81fef2abac9e4a17136247425b97284519334699ab7e98fe36448e180a9767dd6528f9f2dde56b0cc65dae59ababaebbecce96b482a7fbec4b7cdb2

Download Submit
\Program Files\Steinberg\VSTPlugins\oeksound\soothe2_x64.dll

Filesize
39.0MB

MD5
78ddc1c38ea683c68cb23c573a1fe823

SHA1
299228782c54f9d371167f3e0f2c8b8a2a5bf4e8

SHA256
b87d41a5f7fbfd1b46a8ae90127326ef155ad64e4281e92f852ca8aeef2c702e

SHA512
9a513138f81fef2abac9e4a17136247425b97284519334699ab7e98fe36448e180a9767dd6528f9f2dde56b0cc65dae59ababaebbecce96b482a7fbec4b7cdb2

Download Submit
\Program Files\Steinberg\VSTPlugins\oeksound\soothe2_x64.dll

Filesize
39.0MB

MD5
78ddc1c38ea683c68cb23c573a1fe823

SHA1
299228782c54f9d371167f3e0f2c8b8a2a5bf4e8

SHA256
b87d41a5f7fbfd1b46a8ae90127326ef155ad64e4281e92f852ca8aeef2c702e

SHA512
9a513138f81fef2abac9e4a17136247425b97284519334699ab7e98fe36448e180a9767dd6528f9f2dde56b0cc65dae59ababaebbecce96b482a7fbec4b7cdb2

Download Submit
\Program Files\Steinberg\VSTPlugins\oeksound\soothe2_x64.dll

Filesize
39.0MB

MD5
78ddc1c38ea683c68cb23c573a1fe823

SHA1
299228782c54f9d371167f3e0f2c8b8a2a5bf4e8

SHA256
b87d41a5f7fbfd1b46a8ae90127326ef155ad64e4281e92f852ca8aeef2c702e

SHA512
9a513138f81fef2abac9e4a17136247425b97284519334699ab7e98fe36448e180a9767dd6528f9f2dde56b0cc65dae59ababaebbecce96b482a7fbec4b7cdb2

Download Submit
\ProgramData\oeksound\soothe2\unins000.exe

Filesize
1.1MB

MD5
2a23577cc7d0775cd28d405e7f7d10db

SHA1
f8af1497a5524e9a143b068374d209a9caf2f5c0

SHA256
aa884077c3de3ca9219f42bc0fb99894f7be1a1170113ca354202828b7076510

SHA512
f747b318c3c1b027eb9d7f9cf1698a531ab9842b1390574f9b691bd216ab4fa7a4d9cd7b9385120d8cc62ce448f0837427ad1f00312988e58ce0170fa5e3f72e

Download Submit
\Users\Admin\AppData\Local\Temp\is-CFUTC.tmp\Setup soothe2 v1.1.2.tmp

Filesize
1.1MB

MD5
90fc739c83cd19766acb562c66a7d0e2

SHA1
451f385a53d5fed15e7649e7891e05f231ef549a

SHA256
821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431

SHA512
4cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c

Download Submit
\Users\Admin\AppData\Local\Temp\is-HNVQR.tmp\ISSKINU.DLL

Filesize
357KB

MD5
f30afccd6fafc1cad4567ada824c9358

SHA1
60a65b72f208563f90fba0da6af013a36707caa9

SHA256
e28d16fad16bca8198c47d7dd44acfd362dd6ba1654f700add8aaf2c0732622d

SHA512
59b199085ed4b59ef2b385a09d0901ff2efde7b344db1e900684a425fc2df8e2010ca73d2f2bffa547040cb1dd4c8938b175c463ccc5e39a840a19f9aa301a6c

Download Submit
\Users\Admin\AppData\Local\Temp\is-HNVQR.tmp\R2RINNO.dll

Filesize
4KB

MD5
0f8bbab51c5f70093b7ed7dd825d68e8

SHA1
a96809560b3e9001124083937a339cf2453a94c8

SHA256
7fc4fa7f5cea34df0a6733527081886cfb1c49b369df2db454de87cc4e70bdb5

SHA512
7b824ad5d7ec786535106d98bc80c9350f35ac2b76d7ee20163e90becf076dfeaca4732c0ecbe2d3d84a2efef337c380d5548ca0123e69e66e30bb396f0b9b81

Download Submit
\Users\Admin\AppData\Local\Temp\is-HNVQR.tmp\SKIN.CJSTYLES

Filesize
813KB

MD5
5f87caf3f7cf63dde8e6af53bdf31289

SHA1
a2c3cc3d9d831acd797155b667db59a32000d7a8

SHA256
4731982b02b067d3f5a5a7518279a9265a49fb0f7b3f8dc3d61b82a5359d4940

SHA512
4875298d82037ef1fff1ee3c58a9059d8480274326c862729fcc56664ecb49e2692c3838948c66dc8336e4050469d831cbf1fbd79b66565ab673d2a67765109d

Download Submit
memory/276-102-0x0000000077380000-0x000000007740F000-memory.dmp

Filesize
572KB

Download
memory/276-111-0x0000000076CD0000-0x0000000076D53000-memory.dmp

Filesize
524KB

Download
memory/276-77-0x00000000757F0000-0x000000007581A000-memory.dmp

Filesize
168KB

Download
memory/276-78-0x0000000074DA0000-0x0000000074DD2000-memory.dmp

Filesize
200KB

Download
memory/276-79-0x0000000074C20000-0x0000000074D15000-memory.dmp

Filesize
980KB

Download
memory/276-80-0x0000000075B40000-0x0000000075CDD000-memory.dmp

Filesize
1.6MB

Download
memory/276-81-0x0000000006EB0000-0x0000000006F11000-memory.dmp

Filesize
388KB

Download
memory/276-82-0x0000000077380000-0x000000007740F000-memory.dmp

Filesize
572KB

Download
memory/276-83-0x0000000075600000-0x000000007575C000-memory.dmp

Filesize
1.4MB

Download
memory/276-85-0x0000000075190000-0x0000000075199000-memory.dmp

Filesize
36KB

Download
memory/276-84-0x0000000077550000-0x00000000775F0000-memory.dmp

Filesize
640KB

Download
memory/276-86-0x00000000752A0000-0x000000007543E000-memory.dmp

Filesize
1.6MB

Download
memory/276-87-0x0000000075F10000-0x0000000075F67000-memory.dmp

Filesize
348KB

Download
memory/276-88-0x0000000075FF0000-0x0000000076C3A000-memory.dmp

Filesize
12.3MB

Download
memory/276-89-0x0000000076FD0000-0x000000007704B000-memory.dmp

Filesize
492KB

Download
memory/276-92-0x0000000076CD0000-0x0000000076D53000-memory.dmp

Filesize
524KB

Download
memory/276-93-0x0000000074FF0000-0x0000000075028000-memory.dmp

Filesize
224KB

Download
memory/276-94-0x0000000074FD0000-0x0000000074FE7000-memory.dmp

Filesize
92KB

Download
memory/276-95-0x0000000074E70000-0x0000000074F8F000-memory.dmp

Filesize
1.1MB

Download
memory/276-96-0x0000000074DA0000-0x0000000074DD2000-memory.dmp

Filesize
200KB

Download
memory/276-97-0x0000000074D20000-0x0000000074D59000-memory.dmp

Filesize
228KB

Download
memory/276-98-0x0000000074C20000-0x0000000074D15000-memory.dmp

Filesize
980KB

Download
memory/276-99-0x0000000075B40000-0x0000000075CDD000-memory.dmp

Filesize
1.6MB

Download
memory/276-100-0x0000000074B90000-0x0000000074BC6000-memory.dmp

Filesize
216KB

Download
memory/276-101-0x0000000006EB0000-0x0000000006F11000-memory.dmp

Filesize
388KB

Download
memory/276-75-0x0000000074E70000-0x0000000074F8F000-memory.dmp

Filesize
1.1MB

Download
memory/276-103-0x0000000077550000-0x00000000775F0000-memory.dmp

Filesize
640KB

Download
memory/276-105-0x0000000075170000-0x0000000075182000-memory.dmp

Filesize
72KB

Download
memory/276-104-0x0000000077650000-0x00000000776ED000-memory.dmp

Filesize
628KB

Download
memory/276-106-0x00000000752A0000-0x000000007543E000-memory.dmp

Filesize
1.6MB

Download
memory/276-107-0x0000000075F10000-0x0000000075F67000-memory.dmp

Filesize
348KB

Download
memory/276-108-0x0000000076FD0000-0x000000007704B000-memory.dmp

Filesize
492KB

Download
memory/276-110-0x0000000075200000-0x0000000075213000-memory.dmp

Filesize
76KB

Download
memory/276-76-0x0000000074DE0000-0x0000000074E6C000-memory.dmp

Filesize
560KB

Download
memory/276-112-0x0000000074DE0000-0x0000000074E6C000-memory.dmp

Filesize
560KB

Download
memory/276-113-0x0000000074DA0000-0x0000000074DD2000-memory.dmp

Filesize
200KB

Download
memory/276-115-0x0000000074C20000-0x0000000074D15000-memory.dmp

Filesize
980KB

Download
memory/276-114-0x0000000074D20000-0x0000000074D59000-memory.dmp

Filesize
228KB

Download
memory/276-116-0x0000000075B40000-0x0000000075CDD000-memory.dmp

Filesize
1.6MB

Download
memory/276-117-0x0000000075820000-0x0000000075847000-memory.dmp

Filesize
156KB

Download
memory/276-118-0x0000000006EB0000-0x0000000006F11000-memory.dmp

Filesize
388KB

Download
memory/276-119-0x0000000077550000-0x00000000775F0000-memory.dmp

Filesize
640KB

Download
memory/276-120-0x0000000075190000-0x0000000075199000-memory.dmp

Filesize
36KB

Download
memory/276-121-0x0000000075170000-0x0000000075182000-memory.dmp

Filesize
72KB

Download
memory/276-122-0x00000000752A0000-0x000000007543E000-memory.dmp

Filesize
1.6MB

Download
memory/276-123-0x0000000075F10000-0x0000000075F67000-memory.dmp

Filesize
348KB

Download
memory/276-125-0x0000000076CD0000-0x0000000076D53000-memory.dmp

Filesize
524KB

Download
memory/276-126-0x0000000074DE0000-0x0000000074E6C000-memory.dmp

Filesize
560KB

Download
memory/276-128-0x0000000074D20000-0x0000000074D59000-memory.dmp

Filesize
228KB

Download
memory/276-127-0x0000000074DA0000-0x0000000074DD2000-memory.dmp

Filesize
200KB

Download
memory/276-64-0x0000000006EB0000-0x0000000006F11000-memory.dmp

Filesize
388KB

Download
memory/276-66-0x0000000006EB0000-0x0000000006F11000-memory.dmp

Filesize
388KB

Download
memory/276-68-0x0000000077380000-0x000000007740F000-memory.dmp

Filesize
572KB

Download
memory/276-74-0x0000000074FF0000-0x0000000075028000-memory.dmp

Filesize
224KB

Download
memory/276-73-0x0000000075FF0000-0x0000000076C3A000-memory.dmp

Filesize
12.3MB

Download
memory/276-69-0x0000000075600000-0x000000007575C000-memory.dmp

Filesize
1.4MB

Download
memory/276-72-0x0000000075F10000-0x0000000075F67000-memory.dmp

Filesize
348KB

Download
memory/276-71-0x0000000077650000-0x00000000776ED000-memory.dmp

Filesize
628KB

Download
memory/276-70-0x0000000077550000-0x00000000775F0000-memory.dmp

Filesize
640KB

Download
memory/1708-584-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1708-324-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1708-59-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1708-55-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1708-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download