Overview

overview

6

Static

static

1

Soundpad_x....1.msi

windows10-2004-x64

6

Analysis

  • max time kernel
    105s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/05/2024, 21:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Soundpad_x64-4.0.1.msi

  • Size

    6.6MB

  • MD5

    42e8dd5f84f7d0384df0845312298110

  • SHA1

    75f78634b56c2f87e8a85e23a2608b02971ae90a

  • SHA256

    ca73ea0832176c89fa19a0361acf8e66f3d811d289ef4437f5a026a632c435d9

  • SHA512

    bd6f4ae8c392cc585407704a6d40e10d7edd337084f6c060e6af94759ccffeaa57c7c7bc238862a0fc03c6d0764125801c5558c1acb16f6ae9c1c054dbc87a69

  • SSDEEP

    98304:mSAajJtbtGzMDW9KbkWlQenYxwgxQEOb6cPn9TMdQUKsXcMxGNkte2rsiW+:mSzIMqUQWl1nYDkPn9TsQVKukw2wi

Score
6/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 11 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Soundpad_x64-4.0.1.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:928
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4388
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding ABC8D6279F303E2079D12B6B997C8DCD C
      2⤵
      • Loads dropped DLL
      PID:3000
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:5020
      • C:\Program Files\Soundpad\Soundpad.exe
        "C:\Program Files\Soundpad\Soundpad.exe" -i -s
        2⤵
        • Drops file in System32 directory
        • Executes dropped EXE
        • Registers COM server for autorun
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\UniteFx1.8.0.dll"
          3⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:1832
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:552
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x338 0x354
      1⤵
      • Loads dropped DLL
      PID:4656
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:5016
      • C:\Program Files\Soundpad\Soundpad.exe
        "C:\Program Files\Soundpad\Soundpad.exe"
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4620
        • C:\Program Files\Soundpad\SoundpadService.exe
          "C:\Program Files\Soundpad\SoundpadService.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4580

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Config.Msi\e57b1bd.rbs
              Filesize

              20KB

              MD5

              ebb5ea9177a4aa95354ae98affc6dd7f

              SHA1

              b73d7d2c1171a6c96260938d63192a9971481eeb

              SHA256

              034d3f6f7dd44ffe9d47c2bdb22ffc7b97e17a09c30fdc40be835b9712263474

              SHA512

              845ae514bf59e43fbd71f45e168bcf18cebed52cbb68af5da7d5605f2a6364a7a9aec6af6c53d2c1b5ec171bc90606ed145cf40bd959dfc9835a058e8d639238

              Download Submit

            • C:\Program Files\Soundpad\Soundpad.exe
              Filesize

              14.7MB

              MD5

              f8622a89bc48dcb9cea7d20128846159

              SHA1

              82758fe0214230c363a5f6e2e8d6ebf5da950670

              SHA256

              29ba2a79749137bb59cde27c6873b157586ed8684bb440ae194ea186e07de50c

              SHA512

              097722a534fe99bc551f46dce7f6accf6ec7163ea64d5850ee523e1f14889ff8578dc654bbf811bf4ce2d15ca918d74939b8f0770ad07478df6e80eddc2da176

              Download Submit

            • C:\Program Files\Soundpad\SoundpadService.exe
              Filesize

              555KB

              MD5

              f371d266e03582a758a34bda017df9fc

              SHA1

              780a7ce280fdfe9298e9ac061ba2da9bcf11e143

              SHA256

              b70f747d64773fcb16c97ab40567edf6f6827800bb9e3e9e67650e5288906920

              SHA512

              5bf7ae453c877f2b7116aed46178611080b8db07fb83a2ccf696d60143b5959473beeec748457ccd696eeab1ef8c8675ca243168669a288e37e4a69a0ca54a71

              Download Submit

            • C:\Program Files\Soundpad\UniteFx.dll
              Filesize

              584KB

              MD5

              bedfb49d331aa755c8e3cc1a4688d8ce

              SHA1

              e24b32c6cdfba6bd470a3fc613dcde4d6932874b

              SHA256

              f7f2e23661c4dd53ae5b7fd5c3733d9c82f8467b75f7f0bca738426356f85c17

              SHA512

              9782a8696a8a11f9a6a012e931a1b9e76c1d5a8c5e3460af851bb62e238829b83f9eabb615d65940ff9870cb57fb647798cf05394477ed35346cd0390868ccdd

              Download Submit

            • C:\Program Files\Soundpad\languages\de\translation.mo
              Filesize

              66KB

              MD5

              2e19463d9f8d2192f8fc35febf0eae32

              SHA1

              6a3ce06834376b73e7844aa68154b309dc576bf1

              SHA256

              67c8e7e3be1fc9da05c65053f115e304fa92e510f3732e8f69ca09879c68791b

              SHA512

              7ed88bb3e3cf30d48cb990bb6fb4526f00439cdb6219f877ead0242ca92962cf81b989ba6c386374713c29795ad2f64535b1ba41f19f1705c5e895c2011ff593

              Download Submit

            • C:\Program Files\Soundpad\sounds\ba dum tss.mp3
              Filesize

              43KB

              MD5

              ecfd36db4cd603fe69fb216ec96314f3

              SHA1

              e773f5862cae36da5b2c94bd9ba19f6a3b30ae2c

              SHA256

              0f346c69f70725b3c0f37d26774fd530d5fc331584a6cfd4eb90857c9be305e5

              SHA512

              644271db61503904fe8a5de3e95e3617f3faf9287862739c929be85e71d8813c30939eb5104072e11dcda71e6f66717077b2e242c33bc7fc49b22fbf5c318673

              Download Submit

            • C:\Program Files\Soundpad\sounds\cue.mp3
              Filesize

              72KB

              MD5

              6048a9609cb4d0a5d2a7d833903d1f75

              SHA1

              1c76f5538c9977dbe2ab0d0e259d049410a43ee5

              SHA256

              c27d55a0413a61b5fb3f30628a2a398602405cc68b2e4e26dc7c196419bba0c6

              SHA512

              cb4a5389e1f8cf7c702522bf2bd54fbef82ad8417a5d46ef3348a35f4912b70801824eef193efe033902487c9deca37fd29782061857c9390819d381d88eccf1

              Download Submit

            • C:\Program Files\Soundpad\sounds\firework.mp3
              Filesize

              40KB

              MD5

              6b19a6bf2f055cc832a8c3b8a7a520ba

              SHA1

              155d3d969d3a87e35c7aef64674baee3e95d2a49

              SHA256

              a4d6fe757479e9a99523f654cedfc5f3d062d02e7d5313d96ad5bf77f58713c6

              SHA512

              36a491302001051ba265e201ebdd9b7a637f3eadfa258f60943ce7ab333e6aa4548c448d70874fe3794fc5c5734e3bbdf3789d9e9ab67b64e9d24f1a32c20498

              Download Submit

            • C:\Program Files\Soundpad\sounds\scream.mp3
              Filesize

              60KB

              MD5

              3fd3a3b313d14a4f8db4e979c38f7fc5

              SHA1

              75d00502088a8f545e1b6225d2985f0e806fd5ef

              SHA256

              d435c1e228e64b5c6883822399026b144827b54d5b06d2ab1df1462710703fc7

              SHA512

              70504de941cda487977a689e6ca2cb46505e92838b083df82a70853f876dbcf6745e42d657e90cf7a9ac5d6d6e43a443e4bef643da950e32f6ab1a30f1c44a8f

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
              Filesize

              765B

              MD5

              fbaf71e6e81cb4b9435b01c6f3b0837c

              SHA1

              c510e1d3adafbc39feacb5635a4ca436e15474ed

              SHA256

              b8ebb46ac02355c67e13fe34d381542ecf1be621c71abf565f12e33383069fb4

              SHA512

              d881b8042399b3c8736f7f26e2440b50dace4a643931b37aebfd7d8e84d42dd1385f6a696e901e236b9968d460c11769cae0dc9477845f338993b91eb16b5150

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_FFE9A242DFD3700E990131874134F0DA
              Filesize

              637B

              MD5

              52db0b8d0012c7f1828a31e33a1831aa

              SHA1

              92316326b79f1f92046205276abceec6e131c4ba

              SHA256

              54f94e4230ad626b2efd4d42e6f4d1d47b9d73478d94aafef6b229a701769637

              SHA512

              b10edd833c329224c05a1fc5beaae8137c8b2334e4f9d0392e04bfb7fc4b133757d3354ca6fbe07654fa62c7094fed3f2461c560c790339fb5463f79b830e4f0

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
              Filesize

              1KB

              MD5

              4f30daadb21efad2f053597776cf5499

              SHA1

              b079774896759fc832be437f6e1319b40371b5fc

              SHA256

              9cba6a870a50f51a7508301cb3c6a754c3455cff5cc22eeb5803b9fd5c6ad8ba

              SHA512

              8c5582309b56279c59f12ef9978cc3c05b852be2cb8cb2a0bbf96a58231d83f9edec7fd61e67901af32f1d1a5f7876f654fd85438590b914512abf694380c2f5

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
              Filesize

              484B

              MD5

              e52c2282b4ee5a23344e32580e552839

              SHA1

              7e6b40770a738df945113016cb6519b6dfcb5756

              SHA256

              2fc02bb14def0c1621806a99a37775e88777168ceff384629f5d6e8c4767b010

              SHA512

              e1ba8e255ab091a941933f23ba5bfe6c67c21805ca44f9cb8a500a2f007b2a7a67d0d8d9e5504f3d1bfdcf8b8990fc60589dfa0225fbb54cd50fc98f3ac77490

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_FFE9A242DFD3700E990131874134F0DA
              Filesize

              484B

              MD5

              85a8d925779e12ab934fbe7fed18a0ab

              SHA1

              931ad53f9654350cfd005ab792ee50e727e95fbe

              SHA256

              b2fa047804a58b9c3f7119453ef00d6d475c1e165aa7e32bf8861690157f4898

              SHA512

              71700cf0f25d0569690092ef0229e9748e67c2f4f9879bb397b6c97acab38a09e15e25a2dc263af8d0fa1adddc04afa5510b78cb151cc9503abfb19d0a40190e

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
              Filesize

              482B

              MD5

              aea2d612fc5e29cc48fd1a3c45fa36e0

              SHA1

              073b84610b100fa1202bb28a3895b00b98d6c99c

              SHA256

              4dec8aeec11c32f148a141d1f864952b4c4c84871b98c2273f39947a925852da

              SHA512

              df935f153d539a50795fbd5a519d7c83ace20019c58da400ba708a56e4c24078f6e6baa84b95260f7f443780d6704169214fc59a2459289c1457bfa4fd14d502

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\MSI6E4A.tmp
              Filesize

              179KB

              MD5

              6b18fc09471ae51e50c34d49403a4900

              SHA1

              08b4d884f9e40cebc73ac220ae23bf7222cb3646

              SHA256

              fa07ee084691932f1d733b7e4c9fbcb5ebfc7b58ab6923c16108ba36cce55e9b

              SHA512

              01512525ab2f74335035c6bc4149e2b5bea176297f96ec18dafc326405d9e59b66ecc9c849cfa5d68bff0e2ffc61872050eab1db8a97faefd98d8c0eb29d639d

              Download Submit

            • C:\Windows\Installer\e57b1bc.msi
              Filesize

              6.6MB

              MD5

              42e8dd5f84f7d0384df0845312298110

              SHA1

              75f78634b56c2f87e8a85e23a2608b02971ae90a

              SHA256

              ca73ea0832176c89fa19a0361acf8e66f3d811d289ef4437f5a026a632c435d9

              SHA512

              bd6f4ae8c392cc585407704a6d40e10d7edd337084f6c060e6af94759ccffeaa57c7c7bc238862a0fc03c6d0764125801c5558c1acb16f6ae9c1c054dbc87a69

              Download Submit

            • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
              Filesize

              24.1MB

              MD5

              630f6eb7003bca6d411bb41c9c336684

              SHA1

              d92088d0841f4b4b2cf817ac1cc37ee19d192302

              SHA256

              34f4834b0d7e9a0e6cdb4a3d984f419d6b0584203139b106f55eb831b9264028

              SHA512

              7b8652bed638a197fbed57e95269b91d2c472e7e0c738e3d3e9ee88c719503df6bdb6d23b8936b390e6ad85cad180eecbfc56d430424c5e5159a45cc2d3600f4

              Download Submit

            • \??\Volume{bb0c4c32-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e92c71de-3b4a-49dc-9754-bf7e3a9a0a97}_OnDiskSnapshotProp
              Filesize

              6KB

              MD5

              af057a664506263d3aeee9f4ea933b2b

              SHA1

              0c7882d171f066fc8eb930998f7e9d4571bfe089

              SHA256

              a30710f7c5649651aeb6872aa04e84b31233481e47908b5fb2a67da0a56dc8c1

              SHA512

              08ff15d6cf0c7542c3e4ad2e354a94ca96840fe2f98d5ac4e75c4ed6822ba277c50370c484e9ecdf27ad04b362235cf01fc4337c2e466a9f901bace129ee29e9

              Download Submit