8807e02e98ee46320cfeb677bdb1b16ad01c6d28243a338061de9363f1a138a1

General

Target

ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].exe
Size

20.3MB
MD5

388c5d8dfc0b014496434bdab68ead65
SHA1

186e63395d47d6b60fbf5b22a3afc17ff7ab9f4a
SHA256

8807e02e98ee46320cfeb677bdb1b16ad01c6d28243a338061de9363f1a138a1
SHA512

7d0ab1660e4e9767a16389efa6aa7c05d8e066f357aab42126a8c93c42dc1a88915a10c429f6ac608de68a24b6cd58618ea4aef90ed57250f7034626f132fbfe
SSDEEP

393216:DUdN8+/ZQMj/QFnC+o27aWo/LjCK8W01jFBn0nubEXFfsj/e3zx04K/tWaehGlu:D45RQZnC+KXzZFeFBncsuN01tWaIGc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2628	ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].tmp
4324	Amped - Fluff 2C.exe
388	Amped - Fluff 2C.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ML Sound Lab\Amped - Fluff 2C.exe	ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].tmp
File created	C:\Program Files\_uninstaller\ML Sound Lab\Amped - Fluff 2C\unins000.dat	ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].tmp
File created	C:\Program Files\_uninstaller\ML Sound Lab\Amped - Fluff 2C\is-7TU64.tmp	ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].tmp
File created	C:\Program Files\Common Files\VST3\ML Sound Lab\is-DEPUG.tmp	ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].tmp
File created	C:\Program Files\ML Sound Lab\is-47L0K.tmp	ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].tmp
File opened for modification	C:\Program Files\_uninstaller\ML Sound Lab\Amped - Fluff 2C\unins000.dat	ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2628	ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].tmp
2628	ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2632	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2632	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2628	ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4324	Amped - Fluff 2C.exe
4324	Amped - Fluff 2C.exe
4324	Amped - Fluff 2C.exe
388	Amped - Fluff 2C.exe
388	Amped - Fluff 2C.exe
388	Amped - Fluff 2C.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 2628	5092	ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].exe	92
PID 5092 wrote to memory of 2628	5092	ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].exe	92
PID 5092 wrote to memory of 2628	5092	ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].exe	92

C:\Users\Admin\AppData\Local\Temp\ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].exe
"C:\Users\Admin\AppData\Local\Temp\ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Temp\is-TC3SQ.tmp\ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TC3SQ.tmp\ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].tmp" /SL5="$501D4,20434655,898560,C:\Users\Admin\AppData\Local\Temp\ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:2628

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2396

C:\Program Files\ML Sound Lab\Amped - Fluff 2C.exe
"C:\Program Files\ML Sound Lab\Amped - Fluff 2C.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4324

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x39c 0x490
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Program Files\ML Sound Lab\Amped - Fluff 2C.exe
"C:\Program Files\ML Sound Lab\Amped - Fluff 2C.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ML Sound Lab\Amped - Fluff 2C.exe

Filesize
5.6MB

MD5
068196312234f941531a96a1e39010d6

SHA1
e3ed72aafa02d86bc088b2b7e9b95a49534e6e48

SHA256
3df0af5b92f5c1aaf838543dfbd069d098baf16b4e30779f94b8335e05155473

SHA512
f3b705d061cf4a4172b01136a403689dcd9123fe8232ed5a780740b045293e76fe4491ea4741aa85b0fad16e48ef9916580535f87fae51c25e6fdca81603e8bf

Download Submit
C:\Program Files\ML Sound Lab\Amped - Fluff 2C.exe

Filesize
20.9MB

MD5
6ae460bfaa61ea7c33707dcf5b7de02f

SHA1
24e75ee3e5cc788992285f2879f9ae5d1081b7c0

SHA256
65324f7fef4ac1a20607e18aabe0881273e0daef2f0e5253b986a8eea6b8e978

SHA512
465732b78d8fb1ab72e1282f26366f1c623d91001dc7dd4092bbd2f3f053c7f67d556e727b17ac69cccc316a507774c5df48836fcb0f57cf6f47fbb0f79b4f78

Download Submit
C:\Program Files\ML Sound Lab\Amped - Fluff 2C.exe

Filesize
23.5MB

MD5
65e2dc362feb0a31e55851a591572ccb

SHA1
dca30ec055e9efcbfab1a0e24f3596856ecf8109

SHA256
de8fc7cb9c6f72b296fe4662a8eabee3082aaa9422e17529f8fcdbca57eeaa41

SHA512
d38a1ecd19002377a6cb1f2f3765e9a91307b4e2e8b33da90f42795ccb5938373287171217fc70e3ed50299156fc7e2b3a0e055df7d5198d4dc150e00ed3a990

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TC3SQ.tmp\ML_Sound_Lab_Amped_-_Fluff_2C_1.0.0_WiN_[MOCHA].tmp

Filesize
3.1MB

MD5
a5d32c89aadc6400d656d43ae938e4f8

SHA1
18673f0c8e4509c3ed2df3ed0612bd0c81adf015

SHA256
2a74b18589e3d14b6b9618dc842eec69b82774cd8282a1da3f4669662cd78599

SHA512
3f69140615e8313469f08274f0b9073b045741ddd3f231bdb2dd6cb36219e9ce989c763b25f2e7796bc2b266a10b7b95c537504935b0df8ee131c43d323e5257

Download Submit
C:\Users\Admin\AppData\Roaming\Amped - Fluff 2C\Amped - Fluff 2C.settings

Filesize
3KB

MD5
dd8de2792c65f10952125e109d3b3c9b

SHA1
b1781f12f4eac6303dafd006c04031ad6af32af6

SHA256
3994233be147ddab3272bf21d2c69404d468e7d1d12c4b8a2655ffb5f9eff536

SHA512
38b60677285265b6f28a54aa16a0addd3cbc3a9250a8ba93a08393309a00ce239a744bccae2681b9efeee29cb4407bbf9b2b9f254bec6cbb2f9d04dc983588a2

Download Submit
C:\Users\Admin\AppData\Roaming\ML Sound Lab\Amped - Fluff 2C.settings

Filesize
26B

MD5
513b5c654609608a237b138e6ba09b69

SHA1
78301bebc88250368b2d4f4ee873badd98a9e858

SHA256
42484a1bba68225d5fbe221d698f3d5cba37cfe0363c5ae2eba5ec152fa8036b

SHA512
67510e9f79f3888b117d0bee2898bc50af06004df660dfb635bd4c0fa4f5e7f5d994f3a91812c629403ca4ecb3700f3023c2c529aab5fffd251d2c575203c318

Download Submit
memory/2628-6-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/2628-20-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2628-22-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/5092-1-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/5092-11-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/5092-23-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download

Analysis

Sharing