88890369a1e8a1390691279082340d8bff5b24645dbf18738c8a1edfa2daf726

Analysis

max time kernel
32s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 16:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MelodysLowLatencyUI_v3.exe
Size

1.1MB
MD5

3ff009a8d1f3704fa7b575e4e60001df
SHA1

7a66fed385dbff6d28263c356b985286e1a41c53
SHA256

88890369a1e8a1390691279082340d8bff5b24645dbf18738c8a1edfa2daf726
SHA512

e0133cc44605a321d98ec157fca221f565f31389e2ad1d8978a1682db6bdfd8e96a1f55ae1cff5143c4f0a05c8a2d76e4e4d359a1ad52a604337d6dfc9872e22
SSDEEP

6144:r2UQwxk71IxhhRigecGh6kEbfg7fhRigecGh6kEbfg7DhRiVj86X6XRAfg7M:qUQwxk71E/RRehzRRehLREjIa

Score

1^/10

Malware Config

Signatures

Runs net.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4888	powercfg.exe
Token: SeCreatePagefilePrivilege	4888	powercfg.exe
Token: SeShutdownPrivilege	2512	powercfg.exe
Token: SeCreatePagefilePrivilege	2512	powercfg.exe
Token: SeShutdownPrivilege	1012	powercfg.exe
Token: SeCreatePagefilePrivilege	1012	powercfg.exe
Token: SeShutdownPrivilege	60	powercfg.exe
Token: SeCreatePagefilePrivilege	60	powercfg.exe
Token: SeShutdownPrivilege	4852	powercfg.exe
Token: SeCreatePagefilePrivilege	4852	powercfg.exe
Token: SeShutdownPrivilege	1856	powercfg.exe
Token: SeCreatePagefilePrivilege	1856	powercfg.exe
Token: SeShutdownPrivilege	4392	powercfg.exe
Token: SeCreatePagefilePrivilege	4392	powercfg.exe
Token: SeShutdownPrivilege	2728	powercfg.exe
Token: SeCreatePagefilePrivilege	2728	powercfg.exe
Token: SeShutdownPrivilege	4424	powercfg.exe
Token: SeCreatePagefilePrivilege	4424	powercfg.exe
Token: SeShutdownPrivilege	1336	powercfg.exe
Token: SeCreatePagefilePrivilege	1336	powercfg.exe
Token: SeShutdownPrivilege	4032	powercfg.exe
Token: SeCreatePagefilePrivilege	4032	powercfg.exe
Token: SeShutdownPrivilege	1560	powercfg.exe
Token: SeCreatePagefilePrivilege	1560	powercfg.exe
Token: SeShutdownPrivilege	4280	powercfg.exe
Token: SeCreatePagefilePrivilege	4280	powercfg.exe
Token: SeShutdownPrivilege	2288	powercfg.exe
Token: SeCreatePagefilePrivilege	2288	powercfg.exe
Token: SeShutdownPrivilege	2076	powercfg.exe
Token: SeCreatePagefilePrivilege	2076	powercfg.exe
Token: SeShutdownPrivilege	2200	powercfg.exe
Token: SeCreatePagefilePrivilege	2200	powercfg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
384	MelodysLowLatencyUI_v3.exe
384	MelodysLowLatencyUI_v3.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
384	MelodysLowLatencyUI_v3.exe
384	MelodysLowLatencyUI_v3.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 3388	384	MelodysLowLatencyUI_v3.exe	95
PID 384 wrote to memory of 3388	384	MelodysLowLatencyUI_v3.exe	95
PID 3388 wrote to memory of 5080	3388	net.exe	97
PID 3388 wrote to memory of 5080	3388	net.exe	97
PID 384 wrote to memory of 4888	384	MelodysLowLatencyUI_v3.exe	98
PID 384 wrote to memory of 4888	384	MelodysLowLatencyUI_v3.exe	98
PID 384 wrote to memory of 2512	384	MelodysLowLatencyUI_v3.exe	100
PID 384 wrote to memory of 2512	384	MelodysLowLatencyUI_v3.exe	100
PID 384 wrote to memory of 1012	384	MelodysLowLatencyUI_v3.exe	102
PID 384 wrote to memory of 1012	384	MelodysLowLatencyUI_v3.exe	102
PID 384 wrote to memory of 60	384	MelodysLowLatencyUI_v3.exe	104
PID 384 wrote to memory of 60	384	MelodysLowLatencyUI_v3.exe	104
PID 384 wrote to memory of 4852	384	MelodysLowLatencyUI_v3.exe	106
PID 384 wrote to memory of 4852	384	MelodysLowLatencyUI_v3.exe	106
PID 384 wrote to memory of 1856	384	MelodysLowLatencyUI_v3.exe	108
PID 384 wrote to memory of 1856	384	MelodysLowLatencyUI_v3.exe	108
PID 384 wrote to memory of 4392	384	MelodysLowLatencyUI_v3.exe	110
PID 384 wrote to memory of 4392	384	MelodysLowLatencyUI_v3.exe	110
PID 384 wrote to memory of 2728	384	MelodysLowLatencyUI_v3.exe	112
PID 384 wrote to memory of 2728	384	MelodysLowLatencyUI_v3.exe	112
PID 384 wrote to memory of 4424	384	MelodysLowLatencyUI_v3.exe	114
PID 384 wrote to memory of 4424	384	MelodysLowLatencyUI_v3.exe	114
PID 384 wrote to memory of 1336	384	MelodysLowLatencyUI_v3.exe	116
PID 384 wrote to memory of 1336	384	MelodysLowLatencyUI_v3.exe	116
PID 384 wrote to memory of 4032	384	MelodysLowLatencyUI_v3.exe	118
PID 384 wrote to memory of 4032	384	MelodysLowLatencyUI_v3.exe	118
PID 384 wrote to memory of 1560	384	MelodysLowLatencyUI_v3.exe	120
PID 384 wrote to memory of 1560	384	MelodysLowLatencyUI_v3.exe	120
PID 384 wrote to memory of 4280	384	MelodysLowLatencyUI_v3.exe	124
PID 384 wrote to memory of 4280	384	MelodysLowLatencyUI_v3.exe	124
PID 384 wrote to memory of 2288	384	MelodysLowLatencyUI_v3.exe	126
PID 384 wrote to memory of 2288	384	MelodysLowLatencyUI_v3.exe	126
PID 384 wrote to memory of 2076	384	MelodysLowLatencyUI_v3.exe	128
PID 384 wrote to memory of 2076	384	MelodysLowLatencyUI_v3.exe	128
PID 384 wrote to memory of 2200	384	MelodysLowLatencyUI_v3.exe	131
PID 384 wrote to memory of 2200	384	MelodysLowLatencyUI_v3.exe	131

C:\Users\Admin\AppData\Local\Temp\MelodysLowLatencyUI_v3.exe
"C:\Users\Admin\AppData\Local\Temp\MelodysLowLatencyUI_v3.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\SYSTEM32\net.exe
  "net" start power
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start power
    3⤵
    PID:5080
- C:\Windows\SYSTEM32\powercfg.exe
  "powercfg" /delete 23dc3dc2-9e1b-4954-a427-ca33c8333f77
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- C:\Windows\SYSTEM32\powercfg.exe
  "powercfg" /duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61 23dc3dc2-9e1b-4954-a427-ca33c8333f77
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\SYSTEM32\powercfg.exe
  "powercfg" /changename 23dc3dc2-9e1b-4954-a427-ca33c8333f77 "Melody Low Latency Power Plan" "Melody Low Latency Power Plan"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\SYSTEM32\powercfg.exe
  "powercfg" /setacvalueindex 23dc3dc2-9e1b-4954-a427-ca33c8333f77 54533251-82be-4824-96c1-47b60b740d00 5d76a2ca-e8c0-402f-a133-2158492d58ad 1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- C:\Windows\SYSTEM32\powercfg.exe
  "powercfg" /setacvalueindex 23dc3dc2-9e1b-4954-a427-ca33c8333f77 2a737441-1930-4402-8d77-b2bebba308a3 d4e98f31-5ffe-4ce1-be31-1b38b384c009 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4852
- C:\Windows\SYSTEM32\powercfg.exe
  "powercfg" /setacvalueindex 23dc3dc2-9e1b-4954-a427-ca33c8333f77 2a737441-1930-4402-8d77-b2bebba308a3 48e6b7a6-50f5-4782-a5d4-53bb8f07e226 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\SYSTEM32\powercfg.exe
  "powercfg" /setacvalueindex 23dc3dc2-9e1b-4954-a427-ca33c8333f77 501a4d13-42af-4429-9fd1-a8218c268e20 ee12f906-d277-404b-b6da-e5fa1a576df5 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Windows\SYSTEM32\powercfg.exe
  "powercfg" /setacvalueindex 23dc3dc2-9e1b-4954-a427-ca33c8333f77 0012ee47-9041-4b5d-9b77-535fba8b1442 0b2d69d7-a2a1-449c-9680-f91c70521c60 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\SYSTEM32\powercfg.exe
  "powercfg" /setacvalueindex 23dc3dc2-9e1b-4954-a427-ca33c8333f77 0012ee47-9041-4b5d-9b77-535fba8b1442 dbc9e238-6de9-49e3-92cd-8c2b4946b472 1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4424
- C:\Windows\SYSTEM32\powercfg.exe
  "powercfg" /setacvalueindex 23dc3dc2-9e1b-4954-a427-ca33c8333f77 0012ee47-9041-4b5d-9b77-535fba8b1442 fc95af4d-40e7-4b6d-835a-56d131dbc80e 1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\SYSTEM32\powercfg.exe
  "powercfg" /setacvalueindex 23dc3dc2-9e1b-4954-a427-ca33c8333f77 48672F38-7A9A-4bb2-8BF8-3D85BE19DE4E D6BA4903-386F-4c2c-8ADB-5C21B3328D25 1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4032
- C:\Windows\SYSTEM32\powercfg.exe
  "powercfg" /setacvalueindex 23dc3dc2-9e1b-4954-a427-ca33c8333f77 48672F38-7A9A-4bb2-8BF8-3D85BE19DE4E 73CDE64D-D720-4bb2-A860-C755AFE77EF2 10000
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\SYSTEM32\powercfg.exe
  "powercfg" /setactive 23dc3dc2-9e1b-4954-a427-ca33c8333f77
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4280
- C:\Windows\SYSTEM32\powercfg.exe
  "powercfg" /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\SYSTEM32\powercfg.exe
  "powercfg" /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\SYSTEM32\powercfg.exe
  "powercfg" /delete 23dc3dc2-9e1b-4954-a427-ca33c8333f77
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/384-0-0x0000020CCD4B0000-0x0000020CCD5CC000-memory.dmp

Filesize
1.1MB

Download
memory/384-1-0x00007FFEC18C0000-0x00007FFEC2381000-memory.dmp

Filesize
10.8MB

Download
memory/384-2-0x0000020CCF340000-0x0000020CCF350000-memory.dmp

Filesize
64KB

Download
memory/384-7-0x0000020CCF340000-0x0000020CCF350000-memory.dmp

Filesize
64KB

Download
memory/384-8-0x00007FFEC18C0000-0x00007FFEC2381000-memory.dmp

Filesize
10.8MB

Download
memory/384-10-0x00007FFEC18C0000-0x00007FFEC2381000-memory.dmp

Filesize
10.8MB

Download